Tuesday 12 April 2016

How to configure Self-Signed SSL Certificate in Apache HTTP Server



Apache HTTP Server HTTPS secure connection using Self-Signed SSL on Apache.


Install Prerequisites first:

You need to install mod_ssl apache module using the following command if it is already not installed on the server:

[root@linuxcnf ~]# yum install mod_ssl

Generate a self-signed certificate if already not exist on the server:

First, you need to generate a private key ca.key with 2048-bit encryption.

[root@linuxcnf ~]# openssl genrsa -out ca.key 2048

Then generate the certificate signing request cs.csr using the below command.

[root@linuxcnf ~]#openssl req -new -key ca.key -out ca.csr

You will be prompted for information about the certificate.

[root@linuxcnf ~]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..................+++
................................................+++
e is 65537 (0x10001)
[root@linuxcnf ~]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:TL
Locality Name (eg, city) [Default City]:Hyderabad
Organization Name (eg, company) [Default Company Ltd]:Linuxcnf
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.linuxcnf.com
Email Address []:admin@linuxcnf.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:admin
An optional company name []:
[root@linuxcnf ~]#

Finally, self-signed certificate ca.crt generated valid for 365 Days.

[root@linuxcnf ~]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

After creating the certificate, you need to copy all of the certificate files to the default directories.

 [root@linuxcnf ~]# cp –p ca.crt /etc/pki/tls/certs/
[root@linuxcnf ~]# cp –p ca.key /etc/pki/tls/private/
[root@linuxcnf ~]# cp –p ca.csr /etc/pki/tls/private/

Set up the certificates

Setting for apache config file to display generated certificate you can do this by editing the SSL config file:

[root@linuxcnf ~]# vi /etc/httpd/conf.d/ssl.conf

Find the section that begins with <VirtualHost _default_:443>. Uncomment the DocumentRoot and ServerName line and replace servername with your server's IP address.

DocumentRoot "/var/www/html"
ServerName 192.168.1.10:443

Next, find the SSLCertificateFile and SSLCertificateKeyFile lines and update them with the new location of the certificates

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

After making these changes, restart Apache service for the changes to take effect.

[root@linuxcnf ~]# service httpd reload

Self-Signed configuration is done!!!!

No comments:

Post a Comment