Securing your web connections is essential when dealing with sensitive data, such as credit card transactions or passwords. By default, Apache will not encrypt any transmissions. This means all communications from your web server can be viewed by anyone monitoring the network using freely available tools. To secure your connections, you must enable SSL, which requires a PKI certificate. There are two ways to obtain a certificate. Depending on how your website is accessed – on the local LAN or over the WAN – you’ll need to decide which way is best for you. When connections are limited to the local LAN by a small amount of people, a self-signed certificate is sufficient. However, if your website is accessible over the Internet by large amounts of users, a certifcate from a public signing authority is strongly recommended. Self-signed certificate are not trusted since the only person who can prove their validity is the individual who generates it. Without validation from a well known Certificate Authority, a self-signed certificate will cause most browsers to display a strong warning, which must be acknowledge, before the user can land on your website. This is the reason why they should only be used in small local LANs. This tutoral will focus on using self-signed certificates.
SSL Enabling Apache
The default Apache installation does not contain any means of enabling SSL. So, before we can use the certificate we generate in this tutorial, we’ll need to prepare Apache. To enable SSL support, you do the following:
- Redhat CentOS
yum install mod_ssl -y
sudo ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/ssl.conf
sudo ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load
Generating a Self-signed Certificate
Generating self-signed certificates is an easy way to encrypt your data transmission; however, the certificates will be signed by you, an untrusted public identity. Every user who accesses your website will receive certificate trust errors. If your application is only going to be accessed by a small set of common users, you can have them install your certificate authority key.
- Private Key: These keys are the most important part of the a certificate tree. It is the highest level of trust in the tree, used to generate, encrypt and decrypt all public keys under its authority. It is very important that you secure this file. If this key is trusted as a signing authority by all of your users and someone where to get a hold of it, they’d be able to generate their own keys, that your users would trust, allowing them to do man-in-the-middle attacks to steal information. To generate a key you must specify an output file and an encryption level. In our example, our private key is going to be called private.key and it will have an encryption strength of 2048 bits.
openssl genrsa -out ca.key 2048
- Certificate Signing Request (CSR): The second step is to generate a certificate signing request. This is used with the key generated above to create a certificate.
openssl req -new -key ca.key -out ca.csr
- Generate Self Signed Key: Now we move onto the third and final step: generating our own certificate.
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
- Copy the files to the correct locations: Now that our signing key, certificate request, and certificate have been generated, it’s time to move them to an appropriate place on our server. We’ll then point Apache to these locations for website’s SSL encrypted website.
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr
Apache has the required mod installed and our certificate has been generated. Since SSL works over port 443, by default, we need to create a virtual server to catch all HTTPS requests. Within the virtual server, we’ll define the required certificate options.
- Open the Apache configuration file where your web server is defined. By default, this will be in the following location:
Red Hat / CentOS /etc/httpd/conf/httpd.conf Debian / Ubuntu /etc/apache2/sites-enabled/000-default Suse / OpenSuse /etc
- If your server is hosting multiple websites, locate the section for it.
- Add the following lines, replacing the highlight options with the name and location of your certificates.
DocumentRoot /var/www/html ServerName www.serverlab.intra SSLEngine on ::HL::SSLCertificateFile /etc/ssl/crt/ca.crt ::HL::SSLCertificateKeyFile /etc/ssl/crt/ca.key ::HL::SSLCertificateChainFile /etc/ssl/crt/ca.csr
- Restart Apache to apply the new settings
service httpd restart