About Me

My photo
Kalyan Kumar Pasupuleti B-Tech(Information Technology). • RedHat Certified Engineer(RHCE) • Directory Services and Authentication Certificate of Expertise(LDAP) • Red Hat SELinux Policy Administration Certificate of Expertise(SELinux) • Network Services Security Certificate of Expertise (Network Services) • RedHat Certified Virtualization Administrator(RHCVA) • Red Hat Certified Security Specialist (RHCSS) Working as Cloud DevOps engineer

Thursday, January 24, 2013

How to generate SSL Certificate & How to configure Secure Apache


Configuring Self Signed Certificate

Install the below packages

# yum install openssl* -y
# yum install mod_ssl* -y

Now open SSL configuration file and update the below entries:

# vim /etc/pki/tls/openssl.cnf

dir  = /etc/pki/CA                       # Where everything is kept
certificate     = $dir/kalyan.crt     # The CA certificate
crl    = $dir/kalyan.crl                 # The current CRL
private_key     = $dir/private/kalyan.key  # The private key

Now under [ req_distinguished_name ] section modify below parameters as

countryName_default             = IN
stateOrProvinceName_default     = AP
localityName_default            = Hyd
0.organizationName_default      = Example
Now save and exit.

Now create the required directories as shown below:

cd /etc/pki/CA
mkdir {certs,crl,newcerts}
touch index.txt
echo "01" > serial

Be in /etc/pki/CA directory and run below commands:

# (umask 077; openssl genrsa -out private/kalyan.key -des3 2048)
Enter pass phrase for private/kalyan.key:redhat
Verifying - Enter pass phrase for private/kalyan.key:redhat

# openssl req -new -x509 -key private/kalyan.key -days 365 > kalyan.crt
Enter pass phrase for private/kalyan.key:redhat
Country Name (2 letter code) [IN]:IN
State or Province Name (full name) [AP]:AP
Locality Name (eg, city) [Hyd]:Hyd
Organization Name (eg, company) [Example]:Example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:sample.kalyan.com
Email Address []:ikalyanp@gmail.com

Now verify the certificate & key files in the below locations:

ls /etc/pki/CA/kalyan.crt
ls /etc/pki/CA/private/kalyan.key

Now the SSL Self signed certificate was generated.

Configuring Secure Apache

Install the packages

# yum install httpd* -y

Restart the service : service httpd restart

Now host a sample site



# vim /etc/httpd/conf/httpd.conf

<VirtualHost *:80>
    DocumentRoot /var/www/html
    ServerName sample.kalyan.com
    ErrorLog logs/kalyan-error_log
    CustomLog logs/kalyan-access_log common
</VirtualHost>

Save and exit the file

Create a sample html web page in /var/www/html directory
# vim /var/www/html/index.html
This is sample site
Save and exit

Now it is the time to define the certificate and key files in the ssl.conf file

# vim /etc/httpd/conf.d/ssl.conf

line no 112
SSLCertificateFile /etc/pki/CA/kalyan.crt

line no 119
SSLCertificateKeyFile /etc/pki/CA/private/kalyan.key

save & exit 


Now restart the apache service
# /etc/init.d/httpd restart

Here you will be prompted for SSL key password. To avoid this follow the below procedure:
Take a backup of the key file 
cp /etc/pki/CA/private/kalyan.key   /etc/pki/CA/private/kalyan.key_bkp
# cd /etc/pki/CA/private/

Now remove the password for the key using below command, Otherwise while restarting httpd service you will be prompted to enter the SSL key password

#openssl rsa -in kalyan.key_bkp -out kalyan.key
Enter pass phrase for kalyan.key_bkp:redhat

Now restart the apache service and observer that you will not be prompted for password.
# /etc/init.d/httpd restart


If u want to redirect http request to https then do the following

# vim /etc/httpd/conf/httpd.conf

<VirtualHost *:80>
    DocumentRoot /var/www/html
    ServerName kalyan.com
    ErrorLog logs/kalyan-error_log
    CustomLog logs/kalyan-access_log common
Redirect / https://sample.kalyan.com
</VirtualHost>

save and exit 

Restart the service.
# service httpd restart

Now browse http://sample.kalyan.com & https://sample.kalyan.com


Happy Browsing ...... :)