To secure your web server traffic you need to enable SSL, which encrypts the traffic between the server and the client.
This is done by installing an SSL certificate on the web server and configuring the web server to serve its content over SSL.
For this guide I am using RHEL 5.3 64bit and Apache.
- Install mod_ssl and openssl-devel
- Generate a Private Key for the Web Server
- Generate a Certificate Signing Request
- Generate a Self Signed Certificate
- Install the Private Key and Certificate into your Apache webserver
- Enable Virtual Hosts configuration files
- Configure the SSL Virtual Host configuration file
- Restart Apache
1. Install mod_ssl and openssl-devel
mod_ssl is an optional module that provides strong cryptographic functions to Apache. For more info, look here
[root@server]# yum install mod_ssl openssl-devel
Copy the mod_ssl.so file to the Apache modules directory if the installation did not place it there.
[root@server modules]# cp /usr/lib64/httpd/modules/mod_ssl.so /usr/local/apache2/modules/mod_ssl.so
2. Generate a Private Key for the Web Server
The following command creates a 1024-bit RSA private key encrypted with Triple DES. It asks for a passphrase; I entered something temporary because I remove it afterwards, as I don't want to type it every time Apache is restarted. Removing the passphrase also removes the Triple DES encryption from the key file, so make sure nobody but you (root) can read the private key. It is a trade-off between security and convenience.
[root@server ~]# mkdir /root/ssl
[root@server ~]# cd /root/ssl/
[root@server ssl]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
..................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: <secret>
Verifying - Enter pass phrase for server.key: <secret>
Remove the passphrase from the private key (this is optional; I do it to avoid being prompted every time Apache is restarted):
[root@server ssl]# cp server.key server.key.withpasswd
[root@server ssl]# openssl rsa -in server.key.withpasswd -out server.key
Enter pass phrase for server.key.withpasswd:
writing RSA key
3. Generate a Certificate Signing Request
The CSR is what you send to a Certificate Authority (CA) such as Verisign, Digicert, etc. The CA verifies the information and, if it is valid, sends you a signed certificate to install on your web server (for a fee, of course).
[root@server ssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New York
Locality Name (eg, city) [Newbury]:NYC
Organization Name (eg, company) [My Company Ltd]: example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:server.example.org
Email Address []:admin@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4. Generate a Self Signed Certificate
For a production website you should use a certificate signed by a trusted Certificate Authority; otherwise clients will get a warning stating that they should not trust your website.
For testing purposes, or if you don't feel like paying a Certificate Authority (CA) for a signed certificate, you can generate your own self-signed certificate. It provides the same protection and encryption as a CA-signed certificate, but because a CA didn't sign it, clients will get a warning stating that they should not trust your website.
The following command generates a self-signed certificate that is valid for 10968 days (3 years):
[root@server ssl]# openssl x509 -req -days 10968 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=New York/L=NYC/O=EXAMPLE/OU=IT/CN=server.cpg.org/emailAddress=admin@example.org
Getting Private key
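The three openssl steps above (private key, CSR, self-signed certificate) as one non-interactive shell script, added here as an example; it is not part of the original guide. The DN is passed with -subj instead of answering the prompts, the temporary passphrase is supplied with -passout/-passin, and the key is 2048 bits rather than the 1024 used above (my choice: 1024-bit RSA is no longer accepted by public CAs or current browsers). It goes a step beyond the guide by checking that the certificate's public key really belongs to the private key and that the certificate is still valid at a date you choose, which is the check you want before copying the files into the Apache conf directory. The subject values, the passphrase and the 365-day validity are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original guide: generate key, CSR and
# self-signed certificate non-interactively, then verify the result.
# Assumes the openssl command line tool is in PATH.
set -eu

# Every file written below is owner-readable only, which is the guarantee
# the guide asks for once the passphrase has been stripped from the key.
umask 077

# Constructed distinguished name (same fields the interactive prompts ask for).
SUBJ='/C=US/ST=New York/L=NYC/O=example/OU=IT/CN=server.example.org/emailAddress=admin@example.org'

# make_key DIR PASSPHRASE: encrypted 2048-bit key plus a passphrase-free copy
# for Apache (the guide's "cp ... withpasswd; openssl rsa" step).
make_key() {
  openssl genrsa -des3 -passout "pass:$2" -out "$1/server.key.withpasswd" 2048 2>/dev/null
  openssl rsa -in "$1/server.key.withpasswd" -passin "pass:$2" -out "$1/server.key" 2>/dev/null
}

# make_csr DIR: certificate signing request, DN taken from SUBJ.
make_csr() {
  openssl req -new -key "$1/server.key" -out "$1/server.csr" -subj "$SUBJ" 2>/dev/null
}

# self_sign DIR DAYS: self-signed certificate valid for DAYS days.
self_sign() {
  openssl x509 -req -days "$2" -in "$1/server.csr" -signkey "$1/server.key" \
    -out "$1/server.crt" 2>/dev/null
}

# key_matches_cert DIR: prints "match" when the RSA modulus in the certificate
# equals the one in the private key, otherwise "mismatch". A mismatch is the
# classic cause of "SSLCertificateKeyFile ... does not match" at startup.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$1/server.crt" 2>/dev/null | openssl sha256)
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# cert_valid_for_days DIR DAYS: exit 0 if the certificate is still valid DAYS
# days from now (openssl -checkend exits 1 once expiry falls inside the window).
cert_valid_for_days() {
  openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1/server.crt" >/dev/null
}

# cert_subject DIR: the subject line, as the guide's "subject=..." output shows.
cert_subject() {
  openssl x509 -noout -subject -in "$1/server.crt"
}

# Demo: build everything in a scratch directory and report on it.
demo() {
  dir=$(mktemp -d)
  make_key "$dir" "temporary-passphrase"   # constructed passphrase
  make_csr "$dir"
  self_sign "$dir" 365
  echo "subject: $(cert_subject "$dir")"
  echo "key/cert: $(key_matches_cert "$dir")"
  if cert_valid_for_days "$dir" 300; then echo "still valid 300 days from now"; fi
  echo "files written to $dir"
}
demo
```

Run it as root; copy server.crt and server.key from the printed directory into the Apache conf directory as in step 5. Replacing self_sign with the CA-issued certificate changes nothing else: key_matches_cert is just as useful for a bought certificate, since it catches the common mistake of installing a certificate issued for a different CSR.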
5. Install the Private Key and Certificate into your Apache webserver
Copy the .crt and .key files to a location accessible to Apache.
The .crt file is either the CA signed certificate or self signed certificate.
[root@server ssl]# cp server.crt /usr/local/apache2/conf/
[root@server ssl]# cp server.key /usr/local/apache2/conf/
6. Enable Virtual Hosts configuration files
In the Apache main configuration file, enable the inclusion of virtual host files if it is not enabled by default. You can include a single file or a wildcard (e.g. conf/*.conf):
Include conf/extra/httpd-ssl.conf
7. Configure the SSL Virtual Host configuration file
[root@server extra]# cat /usr/local/apache2/conf/extra/httpd-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/usr/local/apache2/logs/ssl_mutex"
<VirtualHost _default_:443>
    DocumentRoot "/usr/local/apache2/htdocs"
    ServerName server.example.org:443
    ServerAdmin admin@example.org
    ErrorLog "/usr/local/apache2/logs/error_ssl_log"
    TransferLog "/usr/local/apache2/logs/access_ssl_log"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/apache2/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/apache2/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
8. Restart Apache
[root@server modules]# service httpd restart
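A check for the SSLCipherSuite line in the configuration above, added here as an example and not part of the original guide. The string shown above is the stock httpd-ssl.conf default of that Apache generation: the tokens with a leading + only reorder, so +LOW, +EXP, +SSLv2 and +eNULL pull the LOW, export-grade, SSLv2 and no-encryption families back into the enabled list, and RC4+RSA keeps RC4. The script splits the string the way OpenSSL does (':' between tokens, '!' or '-' removes, '+' in front reorders, 'A+B' means A and B) and prints every enabled token from a list of weak families, so it can be run over a config file before the restart. The sample config fragment and the HARDENED_SUITE string are my own constructed values, not the page's; the cipher list you deploy depends on the Apache and OpenSSL versions you run.

```shell
#!/bin/sh
# Added example, not from the original guide: lint an Apache SSLCipherSuite
# string for tokens that enable weak cipher families.
set -eu

# The cipher string from the httpd-ssl.conf shown above.
PAGE_SUITE='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
# A constructed replacement used for comparison (assumption, not from the page).
HARDENED_SUITE='HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4:!3DES'

# Cipher-string tokens that select anonymous, null, export-grade, LOW or
# otherwise broken suites, or the SSLv2 family.
WEAK_TOKENS='aNULL ADH eNULL NULL EXP EXPORT EXPORT40 EXPORT56 LOW RC4 DES 3DES MD5 SSLv2'

# weak_tokens_in SUITE: print each ':'-separated token that enables a weak
# family. '!' and '-' tokens remove suites, so they never count; a leading '+'
# only reorders, so '+LOW' still enables LOW; 'A+B' means A AND B, so any weak
# component taints the whole token.
weak_tokens_in() {
  printf '%s\n' "$1" | tr ':' '\n' | while read -r tok; do
    case "$tok" in
      '!'*|'-'*) continue ;;
      '+'*) body=${tok#+} ;;
      *) body=$tok ;;
    esac
    for part in $(printf '%s' "$body" | tr '+' ' '); do
      for w in $WEAK_TOKENS; do
        if [ "$part" = "$w" ]; then
          printf '%s\n' "$tok"
          break 2
        fi
      done
    done
  done
}

# weak_token_count SUITE: number of offending tokens.
weak_token_count() {
  weak_tokens_in "$1" | wc -l | tr -d ' '
}

# cipher_suite_is_safe SUITE: exit 0 when nothing weak is enabled.
cipher_suite_is_safe() {
  [ "$(weak_token_count "$1")" -eq 0 ]
}

# cipher_suite_from_config FILE: first SSLCipherSuite value in an httpd config
# file, with optional surrounding quotes stripped.
cipher_suite_from_config() {
  sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p' "$1" | head -n 1 | tr -d '"'
}

# Demo on a constructed config fragment containing the line from the guide.
demo() {
  cfg=$(mktemp)
  cat > "$cfg" <<EOF
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite $PAGE_SUITE
</VirtualHost>
EOF
  suite=$(cipher_suite_from_config "$cfg")
  echo "weak tokens enabled in config: $(weak_tokens_in "$suite" | tr '\n' ' ')"
  if cipher_suite_is_safe "$HARDENED_SUITE"; then
    echo "hardened string enables nothing from the weak list"
  fi
  rm -f "$cfg"
}
demo
```

Point cipher_suite_from_config at the real httpd-ssl.conf to lint the deployed value; a non-zero count is the cue to rewrite the line before running the restart above. The token list is deliberately coarse (it flags families, not individual suites); the authoritative view of what a string enables is "openssl ciphers -v 'STRING'" on the server's own OpenSSL.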