Generating and Implementing SSL on APACHE server


September 21st, 2011 // 1:32 pm

One of the most popular advantages of Apache is SSL, and as a Network Engineer it is very important to ensure the security of users' data in transit, so let's start.

In this tutorial I'll go over the process of generating a .key and the Certificate Request, how to implement the certificate, and how to configure APACHE to use this certificate.

NOTE1: This tutorial is meant to be performed on APACHE 2.2 on Windows operating systems; however, the installation and setup process is pretty much the same on most versions, but you may need to adjust some directives inside Apache to make your SSL Engine comply with your Apache server.

NOTE2: As some users may need, CSR and CRT files can be used in order to secure the IOS Telnet connection for Cisco devices, or for any other purpose. Please be advised that if you use this certificate to secure your website it will NOT be trusted by browsers (Green SSL), and visitors will be prompted with a warning. In order to solve that problem you will need to have your .CSR signed by a Trusted Authority for an annual fee, such as VeriSign, DigiCert, Go Daddy, etc.

NOTE3: Paths to applications and most names are specific to my own server but are the defaults of the Apache installation, so you may have your applications installed on a different root or perhaps use different names, such as domain and file names.

Ok, so if you are ready let's go through our checklist and make sure we have everything ready one more time:

  • APACHE web server 2.2
  • OpenSSL.exe (Check C:\Apache\bin for OpenSSL.exe)
  • openssl.cnf ( Check C:\Apache\conf for openssl.cnf)

If you are trying to have an SSL secured connection you will need to have:

  • A Key
  • A .Pem – (Privacy Enhanced Mail)
  • A .CSR – (Certificate Signing Request)
  • And finally a .CRT or .CERT, which is the Certificate of Authentication
  • You'll need openssl.cnf on your server in order to generate the .KEY request through Apache.

Ok, so let's get started. Just follow the steps; I'll specify the variables and items that are changeable so you can change them to meet your needs.

1- Go to the bin folder under Apache and double-click OPENSSL.EXE; it is the same under Linux.

2- A command window will open, ready to take commands at the OpenSSL prompt ( OpenSSL> ). Type the following:

OpenSSL> genrsa -des3 -out arad-ssl.key 2048

This basically means: generate a .KEY file named "arad-ssl" with a 2048-bit key length (-des3 encrypts the key file with a passphrase that you will be asked for). You can change the key length to anything you want; however, I strongly recommend 2048 as it is the most secure while at the same time lighter than higher lengths in transmission and decryption, especially if you are not using a high-end processor on your server.

Your key will appear on the window and OpenSSL> will wait for your next command.

3- The third step is to verify your key. In order to do that, you need to run the following command with -noout:

OpenSSL>  rsa -noout -text -in arad-ssl.key

This command asks OpenSSL to output as text (-text) the input file (-in) "FileName.key"; basically it says "take my .key file and show me what it looks like". After running this command you will see your key's components on the screen (modulus, publicExponent, privateExponent, prime1 and so on), which look like nothing but a bunch of MAC addresses next to each other. Here is a sample:


4- This step is not necessary, but do it anyway; it will just generate an unencrypted (passphrase-free) copy of your key, and you will be prompted for the passphrase to decrypt it:

OpenSSL> rsa -in arad-ssl.key -out unsecure-Ver-arad.key
Enter pass phrase for arad-ssl.key:
writing RSA key
OpenSSL>

So again you are just introducing the .KEY file to OpenSSL, followed by the passphrase, and it will decrypt it for you.

5- Here is the exciting part: getting a .CSR file from your key

OpenSSL>  req -new -key arad-ssl.key -out arad-ssl.csr

NOTE: This next method is my preferred one. It will generate your .KEY and .CSR at the same time, and it's much safer to do it this way (it avoids pairing the CSR with the wrong KEY); however, it might take longer to generate depending on your processor.

OpenSSL> req -new -newkey rsa:2048 -nodes -keyout arad-ssl.key -out arad-ssl.csr

NOTE: It is VERY important to make sure the OpenSSL that ships with APACHE knows where openssl.cnf is located; if not, you will receive an error message stating " Unable to load config info from /usr/local/ssl/openssl.cnf ". If that is the case, add the -config option pointing at your openssl.cnf to the end of your current command:

OpenSSL> req -new -newkey rsa:2048 -nodes -keyout arad-ssl.key -out arad-ssl.csr -config C:\Apache\conf\openssl.cnf

6- Now you'll be prompted to answer a couple of questions. They don't have to be 100% accurate, but it's necessary to provide true information.

NOTE: Please keep in mind that you HAVE to type a FQDN (Fully Qualified Domain Name) or URL as your CN (Common Name) answer, and don't use WWW or http; for example: aradgh.info or mail.aradgh.info. This is a FQDN.
NOTE2: If you are setting up SSL for the domain and would like to use the same cert for all the subdomains, you have to create a Wildcard cert. In order to create a Wildcard, use *.Domainname.com, for example *.aradgh.info. The (*) is a wildcard and it means every single subdomain under the aradgh.info domain will use the same SSL cert.
ATTENTION: Using a Wildcard will decrease the security of your server: if someone somehow steals your cert, they can duplicate it and apply it to all the subdomains' traffic.

  • Common Name: The fully-qualified domain name, or URL, you're securing.
    If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
  • Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor’s name.
  • Organization Unit: If applicable, enter the DBA (doing business as) name.
  • City or Locality: Name of the city where your organization is registered/located. Do not abbreviate.
  • State or Province: Name of the state or province where your organization is located. Do not abbreviate.
  • Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.
    NOTE: If you do not want to enter a password for this SSL, you can leave the Passphrase field blank. However, please understand there might be additional risks.

7- Now we have the .CSR and .KEY files; from here we have two choices: a- you need a Green HTTPS (trusted), or b- a Red HTTPS (untrusted).

  • 7.a – As I mentioned earlier, in order to get your Green (trusted) HTTPS you have to pay the signing fee to an internet authority company to sign it for you. They will need your CSR file: after creating your account, open your CSR with Notepad, copy the entire content and paste it into their CSR request form, and they will generate a CERT file that you'll need later.
  • 7.b – As for untrusted certs, it's a bit cheaper since it's FREE, and faster, but it has some disadvantages. You will need to execute the following command:

OpenSSL> x509 -req -days 60 -in arad-ssl.csr -signkey arad-ssl.key -out arad-ssl.crt

  • You are requesting (-req) a cert valid for 60 days (-days 60) by inputting (-in) "arad-ssl.csr" and using "arad-ssl.key" as your key (-signkey), which will output (-out) arad-ssl.crt.
  • NOTE: You can use the extension .CERT instead of .CRT.

8 – We are almost done. If you navigate to C:\Apache\bin you should see your .KEY, .CSR and .CRT files; now we need to configure Apache to start the SSL Engine.

  1. Create a folder under conf and name it "ssl" (this is totally optional, you can use your own path and folder name, but I recommend this to avoid confusion), so in my case it'll be C:\Apache\conf\ssl
  2. Go to C:\Apache\bin, copy all the newly generated files (KEY, CSR and CRT or CERT) and paste them into step 1's location
  3. Go to C:\Apache\conf and open httpd.conf
  4. Somewhere after </Directory>, or maybe even at the very bottom of the file, add the following directives
    • SSLCertificateFile /path to certificate file/your issued certificate
    • SSLCertificateKeyFile /path to key file/your key file
    • SSLCertificateChainFile /path to intermediate certificate/null

Here is my configuration: (Names are replaced for security purposes, these certificates are not valid)

    • SSLCertificateFile conf/ssl/secure.aradgh.info.crt
    • SSLCertificateKeyFile conf/ssl/secure.aradgh.info.key
    • SSLCertificateChainFile conf/ssl/secure.aradgh.info.crt *

* ATTENTION * : If you are issuing your own certificate you don't need the SSLCertificateChainFile. The chain file (CCF) is the cert that will grant you a GREEN (trusted) SSL, and you only need it if you are using a paid SSL through an internet authority; they will give you a bundle including all these files.

9- Verify the paths one more time, save httpd.conf and restart the Apache service. Hopefully you will not see an error message and Apache will start successfully; however, if you encounter an error message, these are some common issues:

  1. SSL directives are placed between two open tags
  2. Path to SSL is invalid
  3. Key doesn’t match with the CERT

As always your best bet is to check C:\Apache\logs\error.log to make sure everything is running smoothly.
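The generation and the step 9 checks as one script (an added example, not part of the original post): it recreates step 5 (key and CSR in one command), step 7.b (self-signed cert) and step 8 (the two directives) in a temporary directory standing in for C:\Apache\conf\ssl, then checks the two things Apache would complain about on restart: a missing file, and a key that does not belong to the cert. It assumes a POSIX shell with the openssl command on PATH; the host name, paths and validity period are constructed sample values.

```shell
#!/bin/sh
# Added example, not the post's own script: steps 5, 7.b and 8 with the
# OpenSSL CLI, then the step 9 sanity checks. Assumes a POSIX shell and an
# `openssl` binary on PATH; CN, paths and validity are constructed values.
set -e

WORK=$(mktemp -d)            # stand-in for C:\Apache\conf\ssl
CN="secure.example.invalid"  # constructed FQDN for the Common Name

# Step 5 (the author's preferred form): key and CSR in one command, so the
# CSR can't be paired with the wrong key. -nodes leaves the key unencrypted.
openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/arad-ssl.key" -out "$WORK/arad-ssl.csr" \
    -subj "/C=US/ST=State/L=City/O=Example Org/CN=$CN" 2>/dev/null

# Step 7.b: self-signed certificate, valid for 60 days (untrusted by browsers).
openssl x509 -req -days 60 -in "$WORK/arad-ssl.csr" \
    -signkey "$WORK/arad-ssl.key" -out "$WORK/arad-ssl.crt" 2>/dev/null

# Step 8: the directives as they would appear in httpd.conf (constructed file).
cat > "$WORK/httpd-ssl.conf" <<EOF
SSLCertificateFile $WORK/arad-ssl.crt
SSLCertificateKeyFile $WORK/arad-ssl.key
EOF

# Read the value of one directive from a config file.
directive() { awk -v d="$2" '$1 == d { print $2 }' "$1"; }

# Step 9 checks: both files exist and the key's modulus equals the cert's
# modulus (the "Key doesn't match with the CERT" case from the list above).
# Returns 0 only when the config is consistent.
check_ssl_config() {
    conf=$1
    crt=$(directive "$conf" SSLCertificateFile)
    key=$(directive "$conf" SSLCertificateKeyFile)
    [ -f "$crt" ] || { echo "missing certificate file: $crt"; return 1; }
    [ -f "$key" ] || { echo "missing key file: $key"; return 1; }
    cm=$(openssl x509 -noout -modulus -in "$crt")
    km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    [ "$cm" = "$km" ] || { echo "key does not match certificate"; return 1; }
    echo "ok: $crt and $key belong together"
}

check_ssl_config "$WORK/httpd-ssl.conf"
```

Run it on any Linux box with openssl installed; to check a real httpd.conf, point check_ssl_config at it after resolving the relative conf/ssl paths against ServerRoot.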

10- Once again open httpd.conf and create a vhost to test our SSL handshake accuracy. Following is an example from my reverse proxy server, which receives the request on port 443, requests the data from the internal server and vice versa:

# Start listening

Listen 80
Listen 443

<VirtualHost *:443>
SSLEngine On

ProxyPreserveHost On
ProxyPass / http://192.168.10.18:81/
ProxyPassReverse / http://192.168.10.18:81/
ServerName webmail.aradgh.info
</VirtualHost>

NOTE: Please note the "SSLEngine On" at the beginning of my directive: it tells Apache to start the SSL engine when it receives a request on port 443, on any IP address (* is a wildcard). Also, you HAVE to add "Listen 443" at the beginning so that when you restart Apache it will start listening on port 443 for any incoming requests. From here on it's your choice what you are going to do with your SSL, but the most common setting is a vHost; take a look at this tutorial, it has some nice stuff in it you can use for virtual hosting.


I hope you find this useful and informative, and thank you for reading this tutorial.
Regards,
Arad Gharagozli,


3 Comments → “Generating and Implementing SSL on APACHE server”


  1. Bucky

    5 years ago

    When I add the 443 to my .conf, and then want to reset, the Apache crashes. I removed it then started and worked fine. Do you know what I am doing wrong?


  2. pantherz

    5 years ago

    Can someone confirm the Gateway error solution? I can't generate this for Ubuntu and keep getting a 'gateway overloaded' error message.


    • Arad Gharagozli

      5 years ago

      That’s because your buffer memory is exceeding the terminal’s allocated memory. Change the directive in httpd.conf to disable memory buffer

