Thursday, 7 November 2013

Configuring CA and Apache with SSL

In this tutorial I configure a Certificate Authority (CA) on one machine and an Apache (httpd) web server on another. On the web server I generate a Certificate Signing Request (CSR), send that CSR to the CA server for signing, and then install the signed certificate on Apache.

I have two machines in my lab environment: one is used as the CA server and the other as the Apache web server.

server1.example.com = MY CA Server
client1.example.com = MY Apache Web Server

Step 1: Configure the Certificate Authority (CA) server.
# yum install openssl

    # vim /etc/pki/tls/openssl.cnf

Edit the [ CA_default ] section so that it points at the CA directory and at the file names used in Steps 3 and 4. The stock file uses cacert.pem and private/cakey.pem; if the names here do not match the files you create later, "openssl ca" fails with "Error opening CA certificate".

[ CA_default ]

dir            = /etc/pki/CA
certs          = $dir/certs
crl_dir        = $dir/crl
database       = $dir/index.txt
certificate    = $dir/ca.crt
serial         = $dir/serial
crlnumber      = $dir/crlnumber
private_key    = $dir/private/ca.key

The [ req_distinguished_name ] values below are only the defaults offered at the "openssl req" prompts; setting them saves typing and keeps the CA and server subjects consistent, which matters for the signing policy in Step 8.

[ req_distinguished_name ]

countryName_default             = IN
stateOrProvinceName_default     = Delhi
localityName_default            = New Delhi
0.organizationName_default      = Example, Inc.
organizationalUnitName_default  = Training

:wq (save and exit)

Step 2: Create the required files and directories if they do not already exist. index.txt is the (initially empty) certificate database and serial holds the next serial number to issue; "openssl ca" refuses to run without them, and it writes a copy of every issued certificate into newcerts/.

# cd /etc/pki/CA/
# mkdir -p certs crl newcerts private
# chmod 700 private
# touch /etc/pki/CA/index.txt
# echo 01 > /etc/pki/CA/serial

Step 3: Generate the CA private key that will sign certificates. The key is encrypted with a passphrase; "123456" is only a lab value. Use a strong passphrase in practice, because whoever holds this key can issue certificates that your clients will trust. (On newer OpenSSL releases -aes256 is the better choice than -des3 for the key encryption.)

# openssl genrsa -des3 -out /etc/pki/CA/private/ca.key 2048
Enter pass phrase for /etc/pki/CA/private/ca.key: 123456
Verifying - Enter pass phrase for /etc/pki/CA/private/ca.key: 123456

Step 4: Generate the self-signed CA certificate with the CA key. Write it to the exact path configured as "certificate" in Step 1; giving the full path avoids leaving ca.crt in whatever the current directory happens to be. 365 days is short for a CA certificate, since every server certificate it signed stops validating once the CA certificate expires; a longer value such as 3650 is common in a lab.

# openssl req -new -x509 -key /etc/pki/CA/private/ca.key -days 365 -out /etc/pki/CA/ca.crt

Enter pass phrase for /etc/pki/CA/private/ca.key: 123456

Country Name (2 letter code) [IN]:
State or Province Name (full name) [Delhi]:
Locality Name (eg, city) [New Delhi]:
Organization Name (eg, company) [Example, Inc.]:
Organizational Unit Name (eg, section) [Training]:
Common Name (eg, your name or your server's hostname)[]:server1.example.com
Email Address []:

Step 5: Go to the Apache web server machine and generate the server's private key first. Use at least 2048 bits; 1024-bit RSA keys are rejected by current browsers. The key is left unencrypted so that httpd can start without a passphrase prompt, so it must be readable by root only.

# openssl genrsa -out client1.example.com.key 2048
# chmod 600 client1.example.com.key

Step 6: Generate a Certificate Signing Request (CSR) with the Apache server key. The CSR carries the server's public key and subject name; the certificate itself is signed by the CA, not by the server key. The Common Name must be the host name clients will type into the browser.

# openssl req -new -key client1.example.com.key -out client1.example.com.csr

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:New Delhi
Organization Name (eg, company) [Default Company Ltd]:Example, Inc.
Organizational Unit Name (eg, section) []:Training
Common Name (eg, your name or your server's hostname) []:client1.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

NOTE: The CA's default signing policy (policy_match) requires the Country, State and Organization in the CSR to be identical to those in the CA certificate, requires a Common Name, treats Organizational Unit and Email as optional, and silently drops any field it does not list (Locality, for example) from the issued certificate. If the values differ, the CA refuses to sign. If you still want to sign such a CSR, use the "policy_anything" policy on the CA server (see Step 8).

Step 7: Send the CSR to the CA server, with scp or by any other means. The CSR contains no secret, so it can travel over any channel; the private key never leaves the web server.

#scp /root/client1.example.com.csr server1.example.com:/root/

Step 8: On the CA server machine, sign the CSR with the following command. You will be asked for the CA key passphrase and to confirm the signing; the issued certificate is also recorded in /etc/pki/CA/newcerts/ under its serial number and in index.txt:

#openssl ca -in client1.example.com.csr -out client1.example.com.crt

NOTE: By default the CA uses the "policy_match" policy when signing. If signing fails because the subject in the CSR does not match your CA certificate, sign with the "policy_anything" policy instead:

#openssl ca -policy policy_anything -in client1.example.com.csr -out client1.example.com.crt


Step 9: Send the signed certificate "client1.example.com.crt" back to the Apache web server machine, with scp or by any other means:

#scp /root/client1.example.com.crt client1.example.com:/root/


Step 10: Copy the signed certificate and the key file to the following locations. /etc/pki/tls/private is accessible to root only, which is where the unencrypted key belongs:

# cp client1.example.com.key /etc/pki/tls/private/

# cp client1.example.com.crt /etc/pki/tls/certs/

Step 11: Configure the Apache web server to use the key and signed certificate. The stock ssl.conf already contains these two directives inside the <VirtualHost _default_:443> block, pointing at the self-signed localhost.crt and localhost.key; change them to your files rather than adding a second copy:

# vim /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/client1.example.com.crt

SSLCertificateKeyFile /etc/pki/tls/private/client1.example.com.key

:wq (save and exit)

Step 12: Create an index.html in the /var/www/html/ directory and start the httpd service.

#echo "Hello, Welcome to Apache SSL Web Site" >> /var/www/html/index.html
# service httpd restart
# chkconfig httpd on

NOTE: To use an SSL certificate with Apache you must have the "mod_ssl" package installed first; it provides /etc/httpd/conf.d/ssl.conf and makes httpd listen on port 443. Port 443 also has to be open in the server's firewall.

Step 13: Open your web browser and access the web site as follows:

                        https://client1.example.com

The browser will warn that the certificate is not trusted, because the issuing CA is your own and is not in the browser's trust store. Import /etc/pki/CA/ca.crt from the CA server into the browser (or the system) trust store and the warning goes away. The same check can be made from the command line with openssl s_client, giving ca.crt as the CA file, or with openssl verify.

If you have any problem with the above steps, please Click Here to watch my video on the same.
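The whole procedure above (Steps 1 to 13), as an added example that is not part of the original post: a POSIX shell script that builds the CA, produces the server key and CSR, signs the CSR and verifies the result, all non-interactively in one throw-away directory so it can be run on a single machine. The directory, the passphrase, the subject fields, the 2048-bit keys and the host names used in the demo are assumptions. The config file the script writes reproduces the stock policy_match and policy_anything sections, so the mismatch behaviour described in the notes to Steps 6 and 8 can be reproduced, and it goes beyond the original by adding a subjectAltName at signing time, because current browsers ignore the Common Name.

```shell
#!/bin/sh
# Added example (not from the original post): the CA -> CSR -> signed
# certificate -> verification flow from the tutorial, run non-interactively
# in a scratch directory. Directory, passphrase, host names and subject
# fields are lab assumptions.
set -eu

CA_PASS='lab-ca-passphrase'   # assumed; the post typed 123456 at the prompt
CA_SUBJ='/C=IN/ST=Delhi/O=Example Inc/OU=Training/CN=server1.example.com'

# make_lab_ca DIR : Steps 1-4. Writes a minimal openssl.cnf instead of
# editing /etc/pki/tls/openssl.cnf; the policy sections are the stock ones.
make_lab_ca() {
  dir=$1
  mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
  chmod 700 "$dir/private"
  : > "$dir/index.txt"     # empty certificate database
  echo 01 > "$dir/serial"  # first serial number to issue
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/private/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Step 3: passphrase-protected CA key. Step 4: self-signed CA certificate,
  # written to the path the config names as "certificate".
  openssl genrsa -aes256 -passout "pass:$CA_PASS" \
    -out "$dir/private/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
    -key "$dir/private/ca.key" -passin "pass:$CA_PASS" -days 365 \
    -subj "$CA_SUBJ" -out "$dir/ca.crt"
}

# make_server_csr DIR FQDN SUBJ : Steps 5-6, the web server's part. The key
# stays unencrypted so httpd can start unattended, hence the chmod 600. The
# CA's config is reused here only for the [req] section; on a real web
# server the system openssl.cnf serves the same purpose.
make_server_csr() {
  dir=$1; fqdn=$2; subj=$3
  openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null
  chmod 600 "$dir/$fqdn.key"
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/$fqdn.key" \
    -subj "$subj" -out "$dir/$fqdn.csr"
}

# sign_csr DIR FQDN POLICY : Step 8 on the CA. Returns openssl's exit status
# so the caller can handle a policy_match rejection. The extension file adds
# the server extensions and a subjectAltName for the host name.
sign_csr() {
  dir=$1; fqdn=$2; policy=$3
  printf '[ server_cert ]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
    "$fqdn" > "$dir/$fqdn.ext"
  openssl ca -config "$dir/openssl.cnf" -batch -policy "$policy" \
    -passin "pass:$CA_PASS" -extfile "$dir/$fqdn.ext" -extensions server_cert \
    -in "$dir/$fqdn.csr" -out "$dir/$fqdn.crt"
}

# verify_cert DIR FQDN : the trust check a browser does in Step 13, done on
# the CLI: the chain validates against ca.crt and the SAN carries the host.
verify_cert() {
  dir=$1; fqdn=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$fqdn.crt" >/dev/null &&
    openssl x509 -in "$dir/$fqdn.crt" -noout -text | grep -q "DNS:$fqdn"
}

# Stand-alone demo: the tutorial's server, signed under the default policy.
LAB=$(mktemp -d)
make_lab_ca "$LAB"
make_server_csr "$LAB" client1.example.com \
  '/C=IN/ST=Delhi/O=Example Inc/OU=Training/CN=client1.example.com'
sign_csr "$LAB" client1.example.com policy_match >/dev/null
verify_cert "$LAB" client1.example.com && echo "client1.example.com: chain OK ($LAB)"
```

To see the policy behaviour from the notes, call make_server_csr with a subject whose Organization differs from the CA's and pass the CSR to sign_csr: with policy_match openssl ca exits non-zero and reports which field differs, with policy_anything it signs. In the two-machine lab, make_server_csr runs on the web server and sign_csr on the CA; only the .csr and .crt files travel between them.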

3 comments:

  1. Nice job Suresh
    Would you please help me to connect two CentOS virtual machines in VMware.
    How to set a static IP?
    How to bridge?

  2. Hello Suresh, I followed all the steps given above, but I got an error while performing Step 8.

    # openssl ca -policy policy_anything -in amsunx09.example.com.csr -out amsunx09.example.com.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/ca.key:
    Error opening CA certificate /etc/pki/CA/ca.cert
    21389:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/ca.cert','r')
    21389:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
    unable to load certificate


    please advise me on this.

    Thanks,
    Jitendra K

    Replies
    1. Hi Jitendra,

      Please check whether the "/etc/pki/CA/ca.cert" file exists or not; if not, please follow Step No. 4 again carefully!!
