Prerequisite: OpenSSL should be installed.
1) Enable SSL Module
root@otc-desktop:/etc/apache2# sudo a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.
2) Restart Web Server.
root@otc6:/# /etc/init.d/apache2 stop
Stopping web server apache2 [ OK ]
root@otc6:/# /etc/init.d/apache2 start
Starting web server apache2 [ OK ]
3) Generate a Self Signed Key
root@otc-desktop:/etc/apache2# openssl genrsa -des3 -out server.key 1024
or, preferably, with a 2048-bit key (1024-bit RSA is too short to rely on today):
openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 1024 bit long modulus
.++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: <keygiven>
Verifying - Enter pass phrase for server.key:<keygiven>
root@otc-desktop:/etc/apache2# openssl rsa -in server.key -out server.key.insecure
Enter pass phrase for server.key:<keygiven>
writing RSA key
root@otc-desktop:/etc/apache2# openssl req -new -key server.key.insecure -out server.csr
or, requesting a SHA-256 signature explicitly:
openssl req -new -nodes -sha256 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@otc-desktop:/etc/apache2# openssl req -in server.csr -noout -text
root@otc-desktop:/etc/apache2# openssl x509 -req -days 365 -in server.csr -signkey server.key.insecure -out server.crt
Signature ok
subject=/C=IN/ST=Tamilnadu/L=Chennai/O=NIC/OU=OTC/CN=localhost
Getting Private key
root@otc-desktop:/etc/apache2# cp server.crt /etc/ssl/certs
root@otc-desktop:/etc/apache2# cp server.key.insecure /etc/ssl/private
4) In /etc/apache2/sites-available/default, add the following lines below the DocumentRoot directive:
SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key.insecure
In /etc/apache2/ports.conf, add the following lines if they are not already present:
<IfModule mod_ssl.c>
Listen 443
</IfModule>
5) Restart the Apache server.
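The key, CSR and certificate commands from step 3 as a non-interactive script, with checks that the private key really belongs to the certificate and is 2048 bits long. This is an added example, not part of the original procedure; the function names, the temporary directory and the /C=IN/CN=localhost subject are constructed for illustration.

```shell
#!/bin/sh
# Added example: non-interactive form of step 3 plus sanity checks.
# Function names, paths and the subject string are constructed sample values.

# make_selfsigned DIR CN: 2048-bit key without a passphrase (the role of
# server.key.insecure above), a SHA-256 CSR, and a 365-day self-signed
# certificate, all written into DIR.
make_selfsigned() {
    dir=$1; cn=$2
    ( umask 077   # key file is created readable by its owner only
      openssl genrsa -out "$dir/server.key.insecure" 2048 2>/dev/null ) || return 1
    openssl req -new -sha256 -key "$dir/server.key.insecure" \
        -subj "/C=IN/CN=$cn" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -signkey "$dir/server.key.insecure" -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert KEY CRT: succeeds only if both carry the same RSA modulus,
# i.e. SSLCertificateKeyFile really belongs to SSLCertificateFile.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_bits KEY: prints the RSA key size in bits.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Demonstration in a throwaway directory.
tmp=$(mktemp -d)
make_selfsigned "$tmp" localhost &&
    key_matches_cert "$tmp/server.key.insecure" "$tmp/server.crt" &&
    echo "key and certificate match, $(key_bits "$tmp/server.key.insecure") bits"
rm -rf "$tmp"
```

Running key_matches_cert against the files copied to /etc/ssl/certs and /etc/ssl/private before restarting Apache catches a mismatched pair, which otherwise shows up only as a failed start.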