HTTP: Configure SSL with Apache.


Install the Web Server package group:

# yum groupinstall -y "Web server"

Activate at boot time and start the service:

# chkconfig httpd on
# service httpd start

Add a firewall rule that accepts new connections on TCP port 443 (HTTPS):

# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Save the firewall configuration:

# service iptables save

Let’s assume your server is called centos6.example.com.

Generate a self-signed X.509 certificate with a new 2048-bit RSA key, valid for 365 days. The -nodes option leaves the private key unencrypted so httpd can start without a passphrase; in return, the key file in /etc/pki/tls/private must stay readable by root only (mode 0600). When prompted for the Common Name, enter the name clients will use to reach the server:

# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/centos6.example.com.crt -keyout /etc/pki/tls/private/centos6.example.com.key -days 365
Generating a 2048 bit RSA private key
.....................................................+++
..................................+++
writing new private key to '/etc/pki/tls/private/centos6.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:centos6.example.com
Email Address []:

Edit the /etc/httpd/conf.d/ssl.conf file, search for the SSLCertificateFile and SSLCertificateKeyFile directives (by default they point at the localhost.crt and localhost.key files generated at package installation) and replace them as follows:

SSLCertificateFile /etc/pki/tls/certs/centos6.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/centos6.example.com.key

In the same file, search for the ServerName string (shipped commented out as #ServerName www.example.com:443), uncomment it and replace it as follows:

ServerName centos6.example.com:443

While you are in this file, also review the SSLProtocol line: the stock CentOS 6 configuration only disables SSLv2 (SSLProtocol all -SSLv2). Unless you must support clients that cannot speak TLS, disable SSLv3 as well with SSLProtocol all -SSLv2 -SSLv3.

Check the validity of the configuration:

# httpd -t
Syntax OK

Or:

# apachectl configtest
Syntax OK

Restart the Apache web server (service httpd restart does the same):

# apachectl restart

Check the virtual host configuration:

# httpd -D DUMP_VHOSTS
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443          centos6.example.com (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK
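The same procedure as one script, added here as an example (it is not the article's own code): the certificate is generated non-interactively with -subj instead of the prompts above, the key is created with a restrictive umask and checked for its file mode, the three ssl.conf edits are applied with sed from a backup copy, and the configuration is tested before httpd is restarted. The host name, paths and DN fields are assumptions taken from the article's example; -sha256 and -newkey rsa:2048 are added so the result does not depend on the openssl.cnf defaults.

```shell
#!/bin/sh
# Added example, not part of the original article: the same CentOS 6 steps
# scripted so they can be reviewed, repeated and tested. The host name, paths
# and DN values are assumptions taken from the article's own example.
set -eu

HOST="${HOST:-centos6.example.com}"
CRT="/etc/pki/tls/certs/$HOST.crt"
KEY="/etc/pki/tls/private/$HOST.key"
SSLCONF="/etc/httpd/conf.d/ssl.conf"

# Generate the self-signed certificate without the interactive prompts.
# -nodes leaves the key unencrypted so httpd can start unattended, so the
# umask/chmod below are what actually protects it. -sha256 avoids a SHA-1
# signature, which older openssl.cnf defaults would otherwise produce.
make_cert() {
    ( umask 077
      openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
          -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=$HOST" \
          -keyout "$KEY" -out "$CRT" )
    chown root:root "$KEY" "$CRT"
    chmod 600 "$KEY"
    chmod 644 "$CRT"
}

# True when neither group nor others have any permission bits on the file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Apply the three edits the article makes by hand. Filters stdin to stdout,
# so it can be exercised on a fragment without touching /etc. The ServerName
# pattern also accepts the commented-out "#ServerName" shipped by default;
# comment lines that merely mention SSLCertificateFile are left untouched.
patch_ssl_conf() {
    host="$1"; crt="$2"; key="$3"
    sed -e "s|^[[:space:]]*SSLCertificateFile .*|SSLCertificateFile $crt|" \
        -e "s|^[[:space:]]*SSLCertificateKeyFile .*|SSLCertificateKeyFile $key|" \
        -e "s|^[[:space:]]*#\{0,1\}ServerName .*|ServerName $host:443|"
}

# Full procedure; only runs when invoked as "sh apache-ssl.sh apply" as root.
apply() {
    make_cert
    key_is_private "$KEY" || { echo "$KEY is readable by others" >&2; exit 1; }
    cp -p "$SSLCONF" "$SSLCONF.bak"                  # keep a copy to roll back
    patch_ssl_conf "$HOST" "$CRT" "$KEY" < "$SSLCONF.bak" > "$SSLCONF"
    httpd -t                                         # same check as the article
    service httpd restart
    httpd -D DUMP_VHOSTS
}

if [ "${1-}" = "apply" ]; then apply; fi
```

Sourcing the file without the apply argument only defines the functions, which is how patch_ssl_conf can be tried on a copy of ssl.conf first (patch_ssl_conf centos6.example.com /path/to.crt /path/to.key < ssl.conf.bak | diff ssl.conf.bak -).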

Optionally, check the certificate from the server itself. Because the certificate is self-signed, s_client reports verify error 18 (self signed certificate); that is expected here, and browsers will show the same warning until the certificate is trusted by the client or replaced with one issued by a CA:

# openssl s_client -connect localhost:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = centos6.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = centos6.example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
   i:/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDkzCCAnugAwIBAgIJANXz6Bli9NITMA0GCSqGSIb3DQEBBQUAMGAxCzAJBgNV
BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
Q29tcGFueSBMdGQxHDAaBgNVBAMME2NlbnRvczYuZXhhbXBsZS5jb20wHhcNMTQw
ODI0MDkwMjEyWhcNMTUwODI0MDkwMjEyWjBgMQswCQYDVQQGEwJYWDEVMBMGA1UE
BwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMRww
GgYDVQQDDBNjZW50b3M2LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAuZn9kIjLS26130eFlEJujsgLkIiOGGQYJEUu8dhGarRzScGn
Hd0Jn7TQyPihvqekY5OQmlYomoierxJ05rFQygEw6mY9tS+hG1kSJa88DvoA9f50
VENz6oafdtdwXfWZqY1PxHyoLjMZzj0KUw+mT8OCaChhDNbdpNeHhAhXgJtt4hAa
1XvOcbMVPxpJWmRqSrLkFEzLlnmgkeYo14d5TBtmTeVN2ko8MD/A4AO+pnrKPl9T
fN0URhQg/FTF5kiEd/NS47WfIPjK/1PzluWsMOxyvXFnlgs4HbCoaZof5iZBB8Nw
n+Tni0KsLNPu98CoxVQ6izZKIszLkb9M1sOqAQIDAQABo1AwTjAdBgNVHQ4EFgQU
A2ThSL7crEjAG12OTK2dLAwIMpUwHwYDVR0jBBgwFoAUA2ThSL7crEjAG12OTK2d
LAwIMpUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAkeBQ7CboLgC4
jyFyf+naGXY6urhDSHJtO2C5MdPSS+ep7m0kMg240t8NmJyvqIPyr1Vj5TzfeZCG
nFa7khjYV7PEA5fNmU3t16PxTvbf9TKnynhQ2A0yRA254LfSFng3pX+pIW0d4nYH
qWFO8Ahgm50Hi4c2dcrZmVY4Hi+97dzdZBrN+uhOeO34UyfRPUj2ewbxMR881K41
RY+stKeVB1xCpkk7WBlG+lzjTspxAnu5DeUeYxRwuLc5bwgrbcgtWMWxZg0GGWEJ
DxscHG3hLmVKeOQhvDCd0arjzgymuAYQ5u/J7HlS+A2wCG7RYTJO8mh9YG2ubqqx
b874rkAnbw==
-----END CERTIFICATE-----
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
issuer=/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
---
No client certificate CA names sent
---
SSL handshake has read 1796 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: F70A21C91678CB69510C8ED213E8C340021A3AD7343D16155D15E819476032CB
    Session-ID-ctx:
    Master-Key: 5CADEE0E5B2B4F9030B1A9E46FA2DD65AC70C530B754A4EF4384AA34B28E4E2617B1E47746ACA2D22B9DA7A8369509A7
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - b6 a4 65 fa 1c 14 4d 12-b7 70 6c 2b 53 52 f1 b6   ..e...M..pl+SR..
    0010 - 76 8d 20 86 bb 63 ac dc-46 60 18 07 ae 86 03 16   v. ..c..F`......
    0020 - 90 a2 d2 17 d5 f9 ff 5e-bc d2 c7 aa 0f 8f 40 8f   .......^......@.
    0030 - ee 4e 27 ff 1f c1 7c 04-26 ec cb db 6b e6 2f 53   .N'...|.&...k./S
    0040 - 13 05 04 c2 67 d6 63 c5-c3 8b b1 3e 99 65 c9 8a   ....g.c....>.e..
    0050 - 33 68 3c 83 a0 22 bc d2-5b 7e 8b e7 87 24 b7 77   3h<.."..[~...$.w
    0060 - 18 3f c4 51 0d 4e dd a7-f5 03 68 e8 51 de c2 a9   .?.Q.N....h.Q...
    0070 - ba e6 fe 15 1d 4b 93 d5-85 93 e3 ee 80 78 2b 40   .....K.......x+@
    0080 - 5f 30 02 69 cd 31 61 b6-7b 30 94 ae ca f7 78 62   _0.i.1a.{0....xb
    0090 - 87 50 83 ba cc c2 40 29-62 15 50 98 91 6e 25 c0   .P....@)b.P..n%.
    00a0 - 9d 55 39 b2 f8 59 67 47-ec ba ea ad 7a 63 75 d9   .U9..YgG....zcu.
    00b0 - d6 36 57 b4 80 8a 59 a2-67 d8 90 2c e2 3c dd 05   .6W...Y.g..,.<..

    Start Time: 1408871323
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
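The check above can be scripted, which is what this added example does (it is not the article's own code). It passes -servername so the name sent matches the ServerName configured above, and optionally -CAfile with the server's own certificate so the self-signed chain is actually verified (return code 0) instead of reported as error 18. It then pulls out the three fields worth asserting on: verify return code, negotiated protocol and cipher. The host, port and certificate path are the article's values used as assumptions; the embedded sample transcript is constructed from the output above.

```shell
#!/bin/sh
# Added example, not part of the original article: script the s_client check.
# Host, port and certificate path are assumptions matching the article.
set -eu

# One handshake, nothing sent, full transcript on stdout. -servername sends
# SNI; -CAfile lets s_client trust the server's own self-signed certificate so
# the chain is actually verified (code 0) instead of reported as error 18.
tls_probe() {
    host="$1"; port="${2:-443}"; cafile="${3:-}"
    if [ -n "$cafile" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$cafile" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -servername "$host" \
            </dev/null 2>/dev/null
    fi
}

# Field extractors; each reads a transcript on stdin and prints one value.
# The "New, TLSv1/SSLv3, Cipher is ..." summary line is skipped on purpose:
# only the indented SSL-Session fields are matched.
verify_code()  { sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p'; }
tls_protocol() { sed -n 's/^[[:space:]]*Protocol[[:space:]]*: *//p'; }
tls_cipher()   { sed -n 's/^[[:space:]]*Cipher[[:space:]]*: *//p'; }

# Pass only if the chain verified and a current protocol was negotiated.
# Treating SSLv3 and TLS 1.0/1.1 as failures is this script's own policy.
tls_ok() {
    transcript="$1"
    code=$(printf '%s\n' "$transcript" | verify_code)
    proto=$(printf '%s\n' "$transcript" | tls_protocol)
    [ "$code" = "0" ] || { echo "certificate not verified (code ${code:-?})" >&2; return 1; }
    case "$proto" in
        TLSv1.2|TLSv1.3) return 0 ;;
        *) echo "weak or unknown protocol: ${proto:-?}" >&2; return 1 ;;
    esac
}

# Constructed sample, trimmed from the article's transcript, for offline use.
SAMPLE='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)'

# Live use: sh tls-check.sh centos6.example.com 443 /etc/pki/tls/certs/centos6.example.com.crt
if [ $# -ge 1 ]; then
    out=$(tls_probe "$@")
    if tls_ok "$out"; then
        echo "OK: $(printf '%s\n' "$out" | tls_protocol) $(printf '%s\n' "$out" | tls_cipher)"
    else
        exit 1
    fi
fi
```

Run against the article's transcript, tls_ok fails on the verify code alone, which is the point: a self-signed certificate that nobody has been told to trust is not verified, even though the protocol and cipher are fine. Passing the certificate file as the third argument turns the same server into a passing check.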

Additional Resources

You can read this good article about the various formats of certificates.
