Setup SSL on Apache
A self-signed certificate is a certificate that you create yourself. It provides SSL encryption, but without verification of your website by an outside source (that outside verification costs money). In other words, you can get the protection you need, encryption, by doing it yourself. One thing to note: if you are taking people's credit card information, you will need a signed certificate, because browsers display a warning when a self-signed certificate is used.
When to use self-signed certificates
You can use self-signed certificates whenever you are using the encryption for your own company or when you have the opportunity to explain to users why the certificate is self-signed. You cannot use a self-signed certificate when you are working with the public as you will lose credibility with the public if you do.
Intro to SSL
SSL (Secure Sockets Layer) is a protocol used to encrypt communication between clients and servers. This kind of protection is necessary when transporting sensitive information, for example during credit card processing.
SSL runs on top of TCP/IP and beneath higher-level protocols like HTTP. It allows an SSL-enabled server to authenticate itself to an SSL-enabled client. In order to use SSL, the client must request a connection on port 443 instead of port 80, the port a web browser uses for plain HTTP.
What the Process of SSL Provides
1. SSL provides authentication: SSL server authentication allows a user to verify the server's identity. Public-key cryptography lets the client verify that the server holds a valid certificate and public key and that the certificate was issued by a certificate authority (CA). The client holds a list of trusted CAs.
2. SSL provides verification of the user: the client can be verified in the same way, and with the same methods, as the server.
3. SSL provides encryption: all communication between the client and the server is encrypted.
SSL Communication
At times it is important to encrypt the communication between the server and the client in order to protect the data being transferred. SSL (Secure Sockets Layer) is enabled on Apache using the mod_ssl module. Once SSL has been enabled on Apache, secure communication takes place over port 443, using https:// in the browser.
In order to use SSL, a key must be generated that allows encrypted communication. Both ends of the encrypted communication must understand the algorithm that is used for the encryption.
Unsigned or Self-Signed SSL Certificate
You can run SSL without a signed certificate. However, each time a user connects to your site they will be warned that the certificate is not authenticated and that there may be a problem. This certainly does not instill confidence in your customers.
Creating an SSL Certificate
When SSL is used with Apache via the mod_ssl module, an RSA key pair is created with two components: a private key, which is kept secure on the server, and a public key, which is placed in the certificate file and is used by clients when they connect to the server. Clients can then communicate securely using the encryption this key pair makes possible.
In order to obtain a real certificate, a Certificate Signing Request (CSR) must be created that contains the public key together with identification of who owns the server. The CSR is sent to a Certificate Authority (CA), which converts it into a real certificate, carrying the signature of the signing authority, that can be placed on the server.
Assuming you have Apache and OpenSSL installed, the following shows how to generate an RSA key and a CSR for a domain and set up the resulting SSL certificate.
Generating RSA & CSR (Signing Request)
[root@yourbox root]# cd /etc/httpd/conf/ssl.key
OPTION 1: Generating an RSA private key without a passphrase (my recommendation)
[root@yourbox /etc/httpd/conf/ssl.key]# openssl genrsa -out MYdomain.com.key 1024
OPTION 2: Generating an RSA private key with a passphrase. You will be prompted to enter a passphrase right after you hit Enter.
[root@yourbox /etc/httpd/conf/ssl.key]# openssl genrsa -des3 -out MYdomain.com.key 1024
You should NOT generate the RSA private key with a passphrase if you have scripts that restart Apache automatically. If you do, Apache will just sit there and wait for the script to input the passphrase, which is a mess!
There is a way to remove the passphrase so that it is not prompted for when you restart Apache, which I'll show you later.
Next, generate the CSR using the RSA private key (run this in the ssl.key directory where the key was created, then move the CSR to ssl.csr):
[root@yourbox /etc/httpd/conf/ssl.key]# openssl req -new -key MYdomain.com.key -out MYdomain.com.csr
[root@yourbox /etc/httpd/conf/ssl.key]# mv MYdomain.com.csr ../ssl.csr
You will be asked to enter your Common Name, Organization, Organization Unit, City or Locality, State or Province and Country.
Do not enter these characters: < > ~ ! @ # $ % ^ * / ( ) ? . , & because they will not be accepted.
Common Name: the domain for the web server (e.g. MYdomain.com)
Organization: the name of your organization (e.g. YUPAPA)
Organization Unit: the section of the organization (e.g. Sales)
City or Locality: the city where your organization is located (e.g. Flanders)
State or Province: the state / province where your organization is located (e.g. New Jersey)
Country: the country where your organization is located (e.g. US)
You may also be asked for an email address and a challenge password. I just hit Enter for those when I generate the CSR.
Now you should have:
/etc/httpd/conf/ssl.key/MYdomain.com.key
/etc/httpd/conf/ssl.csr/MYdomain.com.csr
Make a backup copy of your private key! If you lose it, you have to purchase a new cert!
Now submit your CSR to the CA; they will mail you the certificate.
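The key and CSR steps above, done non-interactively and followed by the checks worth running before the CSR goes to the CA. This is an added example, not a script from the original article: it assumes openssl is on the PATH, uses a temporary directory in place of /etc/httpd/conf, and the domain and organization values in it are placeholders. It deliberately uses 2048-bit keys where the article uses 1024, since 2048 is the smallest size CAs and browsers accept today.

```shell
#!/bin/sh
# Added example, not from the original article: generate the RSA key and CSR
# non-interactively and run the checks worth doing before the CSR goes to a CA.
# Assumptions: openssl is on PATH; WORK stands in for /etc/httpd/conf; the
# domain and organization values are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-mydomain.example}"
KEY="$WORK/ssl.key/$DOMAIN.key"
CSR="$WORK/ssl.csr/$DOMAIN.csr"

# Option 1 from the article: an RSA key with no passphrase. 2048 bits instead of
# the article's 1024. The umask in the subshell makes the key file 0600 from birth.
make_key() {
    mkdir -p "$WORK/ssl.key"
    ( umask 077; openssl genrsa -out "$KEY" 2048 2>/dev/null )
}

# The CSR, with -subj instead of the interactive prompts. Fields are the ones
# the article lists: Country, State, Locality, Organization, Unit, Common Name.
make_csr() {
    mkdir -p "$WORK/ssl.csr"
    openssl req -new -key "$KEY" \
        -subj "/C=US/ST=New Jersey/L=Flanders/O=YUPAPA/OU=Sales/CN=$DOMAIN" \
        -out "$CSR"
}

# Key size as reported by openssl (handles both the 1.1.x and 3.x text formats).
key_bits() {
    openssl rsa -in "$KEY" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Common Name actually embedded in the CSR; this is what the CA will sign.
csr_cn() {
    openssl req -in "$CSR" -noout -subject |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# A CSR carries its own signature; a corrupted or hand-edited CSR fails this.
verify_csr() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# The public key in the CSR must be the one derived from our private key, or
# the certificate the CA returns will never match the key Apache loads.
key_matches_csr() {
    [ "$(openssl rsa -in "$KEY" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$CSR" -noout -pubkey)" ]
}

# Permission string of the key file; the article's closing advice is root-only access.
key_mode() {
    ls -l "$KEY" | cut -c1-10
}

main() {
    make_key
    make_csr
    echo "key: $KEY ($(key_bits) bit, mode $(key_mode))"
    echo "csr: $CSR (CN=$(csr_cn))"
    if verify_csr && key_matches_csr; then
        echo "CSR signature OK and public key matches the private key; send $CSR to the CA"
    else
        echo "CSR does not verify or does not match the key" >&2
        exit 1
    fi
    # Keep a copy of the key elsewhere: losing it means buying a new certificate.
    cp -p "$KEY" "$KEY.backup"
}

main
```

The key_matches_csr check is the one that saves the most grief: a CSR generated against the wrong key file looks perfectly valid to the CA, and the mismatch only shows up when Apache refuses to start with the certificate they send back.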
Installing the Certificate for Apache
[root@yourbox root]# cd /etc/httpd/conf/ssl.crt
Copy the certificate they mailed you to MYdomain.com.crt
Open your httpd.conf file and add the following to your VirtualHost:
<VirtualHost 123.456.789.123:443>
… some config like DocumentRoot , etc..
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/MYdomain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/MYdomain.com.key
</VirtualHost>
Restart Apache
OPTION 1:
[root@yourbox /etc/httpd/conf/ssl.crt]# apachectl restart
OPTION 2 (using the init script):
[root@yourbox /etc/httpd/conf/ssl.crt]# /etc/rc.d/init.d/httpd restart
You may be asked to enter the passphrase IF you generated the RSA key with a passphrase. If you do NOT want to be asked for a passphrase when restarting Apache, re-generate your RSA key file without one:
[root@yourbox /etc/httpd/conf/ssl.crt]# cd ../ssl.key
[root@yourbox /etc/httpd/conf/ssl.key]# mv MYdomain.com.key MYdomain.com.key.has-passphrase
[root@yourbox /etc/httpd/conf/ssl.key]# openssl rsa -in MYdomain.com.key.has-passphrase -out MYdomain.com.key
Then restart Apache again:
[root@yourbox /etc/httpd/conf/ssl.crt]# /etc/rc.d/init.d/httpd restart
Now you should be able to access https://MYdomain.com. Finally, make sure those directories and files are readable and writable only by root!
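The install-side steps with the checks a practitioner runs before restarting Apache: the passphrase removal shown just above, the self-signed certificate the article discusses but gives no command for, and a verification that the certificate and key belong together. This is an added example, not a script from the original article; it assumes openssl is on the PATH, uses a temporary directory in place of /etc/httpd/conf, and the domain name and passphrase in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: the install-side steps done
# with checks. Creates a passphrase-protected key (the article's option 2),
# strips the passphrase with "openssl rsa" as the article does, issues a
# self-signed certificate for the key, and verifies certificate and key match.
# Assumptions: openssl is on PATH; WORK stands in for /etc/httpd/conf; the
# domain and passphrase are constructed placeholders for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-mydomain.example}"
KEYDIR="$WORK/ssl.key"
CRTDIR="$WORK/ssl.crt"
PASS="${PASS:-constructed-demo-passphrase}"

# A passphrase-protected key (AES-256 here; the article uses -des3).
make_protected_key() {
    mkdir -p "$KEYDIR" "$CRTDIR"
    ( umask 077; openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$KEYDIR/$DOMAIN.key.has-passphrase" 2048 2>/dev/null )
}

# True when the PEM file is encrypted: both the legacy "Proc-Type: 4,ENCRYPTED"
# header and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" marker contain the word.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# The article's passphrase removal. The plaintext key must get the same tight
# permissions, since anyone who can read it can impersonate the site.
strip_passphrase() {
    ( umask 077; openssl rsa -in "$KEYDIR/$DOMAIN.key.has-passphrase" \
        -passin "pass:$PASS" -out "$KEYDIR/$DOMAIN.key" 2>/dev/null )
}

# Self-signed certificate valid for one year. Browsers match the host name
# against the subjectAltName extension, not the Common Name alone, so add it.
make_self_signed() {
    openssl req -x509 -new -key "$KEYDIR/$DOMAIN.key" -days 365 \
        -subj "/O=YUPAPA/CN=$DOMAIN" -addext "subjectAltName=DNS:$DOMAIN" \
        -out "$CRTDIR/$DOMAIN.crt"
}

# SSLCertificateFile and SSLCertificateKeyFile must carry the same public key,
# or Apache refuses to start with a key/certificate mismatch.
cert_matches_key() {
    [ "$(openssl x509 -in "$CRTDIR/$DOMAIN.crt" -noout -pubkey)" = \
      "$(openssl rsa -in "$KEYDIR/$DOMAIN.key" -pubout 2>/dev/null)" ]
}

# With the certificate itself as the trust anchor the chain validates...
verify_as_own_anchor() {
    openssl verify -CAfile "$CRTDIR/$DOMAIN.crt" "$CRTDIR/$DOMAIN.crt" >/dev/null 2>&1
}

# ...and against the system trust store it does not. This failure is exactly
# the warning the article says users see with a self-signed certificate.
verify_against_system_store() {
    openssl verify "$CRTDIR/$DOMAIN.crt" >/dev/null 2>&1
}

file_mode() {
    ls -l "$1" | cut -c1-10
}

main() {
    make_protected_key
    key_is_encrypted "$KEYDIR/$DOMAIN.key.has-passphrase" && echo "protected key is encrypted"
    strip_passphrase
    key_is_encrypted "$KEYDIR/$DOMAIN.key" || \
        echo "working key has no passphrase (mode $(file_mode "$KEYDIR/$DOMAIN.key"))"
    make_self_signed
    cert_matches_key && echo "certificate matches key"
    verify_as_own_anchor && echo "validates when trusted explicitly"
    verify_against_system_store || echo "not trusted by the system store, as expected for self-signed"
    # The directives the article adds to the VirtualHost, with these paths.
    cat <<EOF
SSLEngine on
SSLCertificateFile $CRTDIR/$DOMAIN.crt
SSLCertificateKeyFile $KEYDIR/$DOMAIN.key
EOF
}

main
```

The two verify calls make the article's point about self-signed certificates concrete: the same certificate passes when you tell openssl to trust it and fails against the default store, which is the difference between an internal deployment where you control the clients and a public site where you do not.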