[go: up one dir, main page]
Scribd
Upload
28 views3 pages

Apache SSL Exercises

This document provides a step-by-step guide for generating and using an SSL certificate for Apache on a Linux system. It covers creating a local SSL certificate repository, generating a self-signed certificate, enabling SSL configuration in Apache, and verifying the SSL certificate. The instructions include specific commands and file modifications necessary to set up SSL for a default domain.

Uploaded by

mohannad al-gharabat
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
28 views3 pages

Apache SSL Exercises

This document provides a step-by-step guide for generating and using an SSL certificate for Apache on a Linux system. It covers creating a local SSL certificate repository, generating a self-signed certificate, enabling SSL configuration in Apache, and verifying the SSL certificate. The instructions include specific commands and file modifications necessary to set up SSL for a default domain.

Uploaded by

mohannad al-gharabat
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

Linux System Administration

Apache SSL Certificate Generation and Use

1. Create a local SSL Certificate repository


--------------------------------------------

Log in to your machine either as the root user, or once logged in


become the root
user, then do:

# mkdir /etc/ssl/localcerts

2. Generate a locally signed Digital Certficate for Apache


----------------------------------------------------------

We'll use openssl to generate a local server key, local server


certificate, a CSR
(Certificate Signing Request) and a server key that is unencrypted
(no passphrase)
to allow Apache to start without prompting for a passphrase.

Create our own self signed certificate:

# cd /etc/ssl/localcerts
# mkdir apache
# cd apache

Ubuntu uses a special wrapper program to create a self-signed


certificate. You can
create your own, manually generated certificates, but this method
works fine for what
we are doing. To generate your local certificate for apache do:

# make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/


localcerts/apache/server.pem

When you are prompted to enter the host name to use in the SSL
certificate enter:

pcX.ws.nsrc.org

and tab to "<OK>" and press ENTER to continue.

Now you have a local certificate named server.pem in the directory /


etc/ssl/localcerts/apache.

3. Enable Apache SSL configuration for your default domain


----------------------------------------------------------

We need to update the /etc/apache2/sites-available/default-ssl


configuration file and enable
the site for our server. First we edit the file:

# cd /etc/apache2/sites-available
# vi default-ssl

Find the line that says:

DocumentRoot /var/www

and change this to:

DocumentRoot /var/www/pcX.ws.nsrc.org

Now find the lines that say:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-
snakeoil.key

And change them so that they say:

SSLCertificateFile /etc/ssl/localcerts/apache/server.pem
SSLCertificateFile /etc/ssl/localcerts/apache/server.pem

Now save the file and exit, then we'll enable the Apache SSL
configuration.

# a2ensite default-ssl

We'll also have to enable the ssl module within apache

# a2enmod ssl

Now we restart apache

# service apache2 restart

To verify that Apache will provide an encrypted connection to


pcX.ws.nsrc.org open a web browser
and go to:

https://pcX.ws.nsrc.org/

You should receive a warning that the certificate is not trusted.


Click "Continue" (this is different
in each web browser) to view your home page.

4. Manually verify SSL certificate use on your web server


---------------------------------------------------------

You can use the built-in OpenSSL command line tool to connect to
your web server and see information about
the SSL certificate in use. To do this do (as root or a regular
user):
# openssl s_client -connect pcX.ws.nsrc.org:443

And you will see information about the SSL Digital Certificate for
the site pcX.ws.nsrc.org. You should see
something like:

subject=/CN=pcX.ws.nsrc.org
issuer=/CN=pcX.ws.nsrc.org
---
No client certificate CA names sent
---
SSL handshake has read 1004 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
18541F63DDD15E050A3C72ED9415CC9A00B7DCD0DC472919AE4E4B67E4D88837
Session-ID-ctx:
Master-Key:
20BC655CCF5BC3D3BECD1D04333F928CB1A756871E5ACBD94455DD324E7E62BE29D1
1664AFDD61257DB71CBE1B4A7FEE
Key-Arg : None
Start Time: 1334826634
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
closed

Press CTRL-C to exit from the program.

As you can see reasonable ciphers are available to ensure encrypted


communication between the server and
a client connecting via https (SSL).

You might also like