Configuring CA and Apache with SSL

In this tutorial, I configure a Certificate Authority (CA) and an Apache HTTPD web server. I generate a Certificate Signing Request (CSR) on the Apache web server, send this CSR to the CA server for signing, and then use the signed certificate on the Apache web server.

I have two machines in my lab environment: one is used as the CA server and the second as the Apache web server.

server-1.ashu.com = my CA server
client-1.ashu.com = my Apache web server

Step 1: Configure the Certificate Authority (CA) server.
# yum install openssl

# vim /etc/pki/tls/openssl.cnf

[ CA_default ]

dir                 = /etc/pki/CA
certs              = $dir/certs
crl_dir           = $dir/crl
database        = $dir/index.txt
certificate      = $dir/ca.crt
serial             = $dir/serial 
crlnumber     = $dir/crlnumber
private_key   = $dir/private/ca.key

[ req_distinguished_name ]

countryName_default                  = IN
stateOrProvinceName_default     = Delhi
localityName_default         = New Delhi
0.organizationName_default        = ashu, Inc.
organizationalUnitName_default  = Training

:wq (save and exit)

Step 2: Create the required files and directories if they do not exist.

# cd /etc/pki/CA/
# ls -d certs crl newcerts private
# touch /etc/pki/CA/index.txt
# echo 01 > /etc/pki/CA/serial

Step 3: Now generate the CA server key, which the CA server uses to sign certificates.

# openssl genrsa -des3 -out /etc/pki/CA/private/ca.key 2048
Enter pass phrase for /etc/pki/CA/private/ca.key: 123456
Verifying - Enter pass phrase for /etc/pki/CA/private/ca.key: 123456

Step 4: Now generate the CA server certificate and sign it using your CA server key.

# openssl req -new -x509 -key /etc/pki/CA/private/ca.key -days 365 -out ca.crt

Enter pass phrase for /etc/pki/CA/private/ca.key: 123456

Country Name (2 letter code) [IN]:
State or Province Name (full name) [Delhi]:
Locality Name (eg, city) [New Delhi]:
Organization Name (eg, company) [ashu, Inc.]:
Organizational Unit Name (eg, section) [Training]:
Common Name (eg, your name or your server's hostname)[]:server-1.ashu.com
Email Address []:

Step 5: Now go to the Apache web server machine and generate the Apache server key first.

# openssl genrsa -out client-1.ashu.com.key 1024

Step 6: Now generate the CSR and sign it using your Apache server key.

# openssl req -new -key client-1.ashu.com.key -out client-1.ashu.com.csr

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:New Delhi
Organization Name (eg, company) [Default Company Ltd]:ashu, Inc.
Organizational Unit Name (eg, section) []:Training
Common Name (eg, your name or your server's hostname) []:client-1.ashu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

NOTE: Fill in the above information so that it matches your CA server certificate; otherwise the CA server will not sign your certificate. If you want the CA to sign this CSR anyway, you have to use the "policy_anything" policy on the CA server.

Step 7: Now send this CSR to the CA server using the scp command or another way.
# scp /root/client-1.ashu.com.csr server-1.ashu.com:/root/

Step 8: Now go to the CA server machine and sign this CSR using the following command:

# openssl ca -in client-1.ashu.com.csr -out client-1.ashu.com.crt

NOTE: By default the CA server uses the "policy_match" policy to sign a CSR. If signing fails because the information in your CSR does not match your CA server certificate, use the "policy_anything" policy to sign it with the following command:

# openssl ca -policy policy_anything -in client-1.ashu.com.csr -out client-1.ashu.com.crt


Step 9: Now send this signed certificate "client-1.ashu.com.crt" back to the Apache web server machine using the scp command or another way:
# scp /root/client-1.ashu.com.crt client-1.ashu.com:/root/


Step 10: Now copy this signed certificate and the key file to the following locations:

# cp client-1.ashu.com.key /etc/pki/tls/private/

# cp client-1.ashu.com.crt /etc/pki/tls/certs/

Step 11: Now configure the Apache web server to use the above key and signed certificate:

# vim /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/client-1.ashu.com.crt

SSLCertificateKeyFile /etc/pki/tls/private/client-1.ashu.com.key

:wq (save and exit)

Step 12: Now create an index.html in the /var/www/html/ directory and start the httpd service.

# echo "Hello, Welcome to Apache SSL Web Site" >> /var/www/html/index.html
# service httpd restart
# chkconfig httpd on

NOTE: To use an SSL certificate on the Apache web server, you must have the "mod_ssl" package installed on your machine first.

Step 13: Now open your web browser and access your web site as follows:

                        https://client-1.ashu.com 
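
The "policy_match" / "policy_anything" behaviour from the two NOTEs, together with the checks worth running on a signed certificate before Step 10, as an added example (not part of the original tutorial). It builds a throwaway CA in a temp directory with a trimmed copy of the stock policies; the temp paths, the unencrypted keys, the "Other Org" subject and the helper names sign_csr, chains_to_ca and key_matches are assumptions made for the demo.

```shell
# Added example: throwaway lab CA in a temp dir. Paths, the unencrypted keys and
# the "Other Org" CSR subject are constructed for the demo.
D=$(mktemp -d); mkdir -p "$D/newcerts" "$D/private"
: > "$D/index.txt"; echo 01 > "$D/serial"
cat > "$D/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $D/index.txt
new_certs_dir = $D/newcerts
certificate = $D/ca.crt
serial = $D/serial
private_key = $D/private/ca.key
default_md = sha256
default_days = 365
unique_subject = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
q() { "$@" >/dev/null 2>&1; }          # run quietly, keep the exit status
for k in private/ca srv; do q openssl genrsa -out "$D/$k.key" 2048; done
q openssl req -new -x509 -config "$D/ca.cnf" -key "$D/private/ca.key" -days 365 \
  -subj "/C=IN/ST=Delhi/O=ashu, Inc./CN=server-1.ashu.com" -out "$D/ca.crt"
q openssl req -new -config "$D/ca.cnf" -key "$D/srv.key" \
  -subj "/C=IN/ST=Delhi/O=Other Org/CN=client-1.ashu.com" -out "$D/srv.csr"
# sign_csr POLICY: exit status of "openssl ca" signing srv.csr under that policy
sign_csr() { q openssl ca -batch -config "$D/ca.cnf" -policy "$1" \
  -in "$D/srv.csr" -out "$D/srv-$1.crt"; }
chains_to_ca() { q openssl verify -CAfile "$D/ca.crt" "$1"; }  # 0 if CERT verifies against ca.crt
# key_matches CERT: 0 if CERT carries the public half of srv.key
key_matches() { [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
  "$(openssl pkey -in "$D/srv.key" -pubout)" ]; }
sign_csr policy_match    && echo "policy_match: signed"    || echo "policy_match: refused"
sign_csr policy_anything && echo "policy_anything: signed" || echo "policy_anything: refused"
```

Because "policy_anything" accepts whatever subject the CSR carries, inspect the request with `openssl req -in client-1.ashu.com.csr -noout -subject` before signing it.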

