Monday, August 27, 2012

Securing Apache Web Server with Encryption


In this blog we are going to discuss about encrypting communications to web server using TLS/SSL.

Step 1:  Install mod_ssl and httpd

# yum -y install mod_ssl httpd
Step 2: Perform the things required for web server by editing the “/etc/httpd/conf/httpd.conf” and also the creation of web pages in the directories described in the configuration file.

Steps 3: Edit the ssl configuration file

# vim /etc/httpd/conf.d/ssl.conf
Check line number 88

SSLEngine on    ------>>> remove comments if exists
We are using the default certificate and it’s key

Line number 105 pointing to certificate file

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
line nu 112 pointing to certificate key file

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Thats all editing the ssl configuration file.

Step 4: Restart httpd service

# service httpd restart
Step 5: Check it out

Open Browser and type the URL in the address bar

http://server.example.com
Now an error message is displayed saying that “this page can only be viewed using the URL “https://server.example.com”. Type the URL

https://server.example.com
When Browser presents a warning,> click the “I understand the Risks” link > click the “Add Exceptions… ” button, > click “View…” when it becomes active. > click “Close”… > click “Confirm security exception”…

Above we used the default certificate / key pair. We too can use a custom self signed certificate using crypto-utils.

Install crypto-utils

# yum -y install crypto-utils
Generate self signed certificate/key pair using “genkey” tool

You should be root to generate a key.

First, use the “cd” command to change to the ”/etc/httpd/conf/” directory. Remove the fake key and certificate that were generated during the installation with the following commands:

# rm ssl.key/server.key rm ssl.crt/server.crt
# genkey www.example.com

 Click next >>

Click next >>

On generating your key, you will be prompted to send a Certificate Request (CSR) to a Certificate Authority (CA).

Click no >>

Click next >>

If you choose to encrypt, you should set a pass phrase to decrypt the key. And also selecting “encrypt the private key”, always you will be asked for the pass phrase whenever restarting the httpd service.


enter the pass phrase and click next >>

Click close.

Now configure the server to use the new certificate and key.

Check whether you have the new certificate and key.

# ls /etc/pki/tls/certs/
ca-bundle.crt  ca-bundle.trust.crt  localhost.crt  make-dummy-cert  
Makefile  server.csr    server.crt    www.example.com.crt
# ls /etc/pki/tls/private/
server.key     www.example.com.key

Edit “/etc/httpd/conf.d/ssl.conf”. Change the SSLCertificateFile and SSLCertificateKey lines to be.

SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

Now restart the httpd service

# service httpd restart






0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)
Powered by Blogger.