apache http secure server configuration and server download
Apache is one of the most widely deployed web servers on the internet. In this tutorial we will first set up Apache with a self-signed certificate and then with a certificate signed by a trusted Certificate Authority (CA). The steps involved in deploying SSL include generating the keys, creating a certificate signing request (CSR), having the CSR signed by a CA (which yields the signed certificate, i.e. the public key) and configuring Apache to use the key and the certificate.
SSL relies on public and private keys. The private key must be kept secret and stored only on the Apache server, while the public key is distributed freely to anyone; that is why it is called the public key. These keys are used for encrypting and decrypting the data passing between a client and a server communicating over SSL (normally seen as https in the address bar of a browser). This kind of security is called asymmetric cryptography or Public Key Infrastructure (PKI) because of the two different halves (public and private key) that make the communication possible. Apache uses OpenSSL to encrypt and decrypt communication with a client, and interfaces with OpenSSL through the mod_ssl module.
1. Install Apache (if not already installed) and mod_ssl
yum install httpd mod_ssl
2. Create private key
First we need a private key. We will put our keys and the certificate in /etc/httpd/conf/ssl, so
The following creates a 1024-bit RSA key and saves it in the file linuxgravity.com.key in the current directory.
openssl genrsa -out linuxgravity.com.key 1024
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
3. Create CSR from the private key
Now we will create a CSR from the key we just created in step 2. This CSR has to be signed by a CA, which can be either one set up locally on the server or a third party such as Verisign or Thawte. A local CA will not be trusted by clients, as it is not known to them, but a third-party CA will be trusted by all client browsers.
During CSR generation a couple of questions are asked; the answers are the X.25 attributes of the Distinguished Name. Pay special attention to the Common Name, which MUST be the fully qualified domain name of the web server, e.g. www.linuxgravity.com.
openssl req -new -key linuxgravity.com.key -out linuxgravity.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:CA
State or Province Name (full name) [Berkshire]:Quebec
Locality Name (eg, city) [Newbury]:Montreal
Organization Name (eg, company) [My Company Ltd]:Linuxgravity Inc.
Organizational Unit Name (eg, section) :IT
Common Name (eg, your name or your server's hostname) :www.linuxgravity.com
Email Address :firstname.lastname@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
4. Self-sign the CSR
Now we need to sign the CSR we created in step 3 with our local CA, resulting in a certificate (the public key). This certificate is presented to browsers when they request an SSL connection. Since they have no information about our local CA, they will raise an error that the certificate is untrusted. If we accept the untrusted certificate, the data moving between client and server will be encrypted. We will generate a certificate that is valid for 365 days, is signed with our previously created private key, and is saved as linuxgravity.com.crt.
openssl x509 -req -days 365 -in linuxgravity.com.csr -signkey linuxgravity.com.key -out linuxgravity.com.crt
Getting Private key
At this point, if you run ls -l /etc/httpd/conf/ssl/, you will see three files:
ls -l /etc/httpd/conf/ssl/
-rw-r--r-- 1 root root 1005 Aug 18 17:29 linuxgravity.com.crt
-rw-r--r-- 1 root root 729 Aug 17 22:49 linuxgravity.com.csr
-rw-r--r-- 1 root root 887 Aug 17 22:44 linuxgravity.com.key
If you are unsure which file is which, the file extensions will help you tell them apart.
5. Change the location of private key and self-signed certificate in /etc/httpd/conf.d/ssl.conf
Add the following to the end of the httpd.conf file or inside the virtual host directives in the virtual host configuration file:
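The script below is an added example, not part of the original article, that runs steps 2 to 5 end to end in a scratch directory and then performs the checks an operator would want before pointing Apache at the files: that the certificate really was issued for the private key (same RSA modulus), that the Common Name is the server's hostname, and that the private key is not world-readable (the ls output above shows the .key file at -rw-r--r--, which lets any local user read it). It deviates from the article in two labelled places: it generates a 2048-bit key rather than 1024-bit, because 1024-bit RSA is below today's accepted minimum and is rejected by browsers and public CAs, and it writes the mod_ssl directives (SSLEngine, SSLCertificateFile, SSLCertificateKeyFile, SSLProtocol) to a file in the scratch directory instead of /etc/httpd/conf.d/ssl.conf. The subject values reuse the article's sample answers; the function names and the scratch path are this example's own.

```shell
#!/bin/sh
# Added example (not the article's own code): steps 2-5 of the tutorial,
# run non-interactively into a scratch directory, followed by sanity checks.
# Assumptions not taken from the article: 2048-bit key instead of 1024-bit,
# key file mode 600, and the ssl.conf snippet written to a local file.
set -eu

# Step 2-4: private key, CSR and self-signed certificate for host $2 in $1.
make_self_signed() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    # The private key must be readable by root only (the article's ls shows 644).
    chmod 600 "$dir/$host.key"
    # -subj answers the prompts of step 3 with the article's sample values.
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=CA/ST=Quebec/L=Montreal/O=Linuxgravity Inc./OU=IT/CN=$host" 2>/dev/null
    # Step 4: self-sign the CSR for 365 days with the same private key.
    openssl x509 -req -days 365 -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
}

# Return 0 if certificate $2 was issued for private key $1 (identical modulus).
cert_matches_key() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Print the Common Name from the subject of certificate $1.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if private key $1 is readable and writable by its owner only.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Step 5: write the mod_ssl directives for host $1, key $2, cert $3 to file $4.
# In production this goes into /etc/httpd/conf.d/ssl.conf (assumed path here).
write_ssl_conf() {
    host=$1; key=$2; crt=$3; out=$4
    cat > "$out" <<EOF
<VirtualHost *:443>
    ServerName $host
    SSLEngine on
    SSLCertificateFile    $crt
    SSLCertificateKeyFile $key
    # Not in the article: allow only current TLS versions (Apache 2.4 syntax;
    # TLSv1.3 needs httpd >= 2.4.36 built against OpenSSL >= 1.1.1).
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
EOF
}

# Run the whole procedure in $1; return 0 only if every check passes.
demo() {
    dir=$1; host=www.linuxgravity.com
    make_self_signed "$dir" "$host"
    cert_matches_key "$dir/$host.key" "$dir/$host.crt" || return 1
    [ "$(cert_cn "$dir/$host.crt")" = "$host" ] || return 1
    key_is_private "$dir/$host.key" || return 1
    write_ssl_conf "$host" "$dir/$host.key" "$dir/$host.crt" "$dir/ssl.conf"
    grep -qF "SSLCertificateKeyFile $dir/$host.key" "$dir/ssl.conf"
}

# Usage: sh ssl_demo.sh run [scratch-dir]
case "${1:-}" in
    run) demo "${2:-./ssl-demo}" && echo "key, CSR, certificate and ssl.conf written; all checks passed" ;;
esac
```

The modulus comparison is the standard way to confirm that the .crt and .key you are about to reference in ssl.conf belong together; a mismatch is the usual cause of Apache refusing to start after a certificate renewal. Copy the generated files into /etc/httpd/conf/ssl and the snippet into ssl.conf (adjusting the paths) to apply step 5 for real.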
Article from articlesbase.com