October 20, 2017

How to Secure Apache With a Free SSL Certificate From StartSSL on CentOS


Your own web server with an SSL certificate from a trusted certificate authority, so that the browser shows no warning either: that would be a good thing. But the cost of a certificate from Verisign & Co. quickly puts an end to such ideas. The provider StartSSL, however, offers free SSL server certificates that are valid for one year. How great is that! In this tutorial we show you how to secure your Apache web server with this free SSL certificate.

Root access is required to edit the following files and to execute commands. Log in as root (su) or simply prepend sudo to all commands that require root privileges.

Getting the required software

The first thing we need is a working Apache webserver with SSL installed.

yum install mod_ssl openssl

Generate the keys and the CSR

Create the private key (the matching public key is derived from it when the CSR is built).

openssl genrsa -out domain.com.key 2048

Create the certificate signing request.

openssl req -new -key domain.com.key -out domain.com.csr

Here is an example input:

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Los Angeles
Locality Name (eg, city) [Default City]:Los Angeles
Organization Name (eg, company) [Default Company Ltd]:Company Inc.
Organizational Unit Name (eg, section) []:Secure Services Department
Common Name (eg, your name or your server's hostname) []:domain.com
Email Address []:info@domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:Company Inc.

OK, now that we have the domain.com.key and domain.com.csr files in place we can start the certificate creation process. Here is the overall process in general terms. The CSR is sent to the certificate authority, which creates a certificate. The certificate contains the public key, details of the holder and the issuer, and the issuer's digital signature over all of that information and the key. Thus the key is bound to an identity. The final certificate is stored on the server, which delivers it to a client on request. The next step covers this process.

Generate a certificate

Make sure that you have created the following administrative e-mail addresses for your domain. StartSSL uses these addresses to verify that you own the domain.

postmaster@domain.com
hostmaster@domain.com
webmaster@domain.com

Now visit StartSSL and choose the Express Lane to create your free SSL certificate. Skip the step where StartSSL asks you to create the private key and CSR, as we have already created them on our server. Open the domain.com.csr file on your server with your favorite editor.

vi domain.com.csr

Copy and paste the complete CSR into the text field on StartSSL. After the verification process you can copy the certificate from StartSSL and save it on your server. Open your editor again, paste the CRT and save it.

vi domain.com.crt

In summary, we now have three files on our server: the KEY, CSR and CRT files. Copy them to their respective directories.

cp domain.com.key /etc/pki/tls/private/
cp domain.com.csr /etc/pki/tls/private/
cp domain.com.crt /etc/pki/tls/certs/

For browser compatibility we also need to save the intermediate certificate (IM) from StartSSL on our server. Change to the certificates directory and download the IM file.

cd /etc/pki/tls/certs/
wget http://www.startssl.com/certs/sub.class1.server.ca.pem

Now we have to tell Apache about the new certificate, key and IM file locations. Open the ssl.conf and edit the file paths.

vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/domain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain.com.key
SSLCertificateChainFile /etc/pki/tls/certs/sub.class1.server.ca.pem
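Before restarting Apache it is worth checking that the three files really belong together: that the CSR and the certificate carry the public half of domain.com.key, that the certificate verifies against the chain file Apache will send, and how long it remains valid. The following script is an added example and not part of the original tutorial. StartSSL cannot be reached from an offline script, so a throw-away stand-in CA (constructed here) signs the CSR and plays the role of StartSSL's intermediate; the file names under the temporary directory mirror the tutorial's, and `wrong.key` is a constructed unrelated key that shows what a mismatched SSLCertificateKeyFile looks like.

```shell
#!/bin/sh
# Added example, not from the original tutorial: consistency checks for
# domain.com.key, domain.com.csr, domain.com.crt and the chain file, run
# before Apache is restarted.  The CA below is a constructed stand-in for
# StartSSL's intermediate (sub.class1.server.ca.pem in production).

# Build the fixture in a temporary directory and print its path.
make_fixture() {
  dir=$(mktemp -d)
  # Stand-in issuing CA (constructed).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/O=Stand-in CA (constructed)/CN=Stand-in Intermediate" >/dev/null 2>&1
  # Server key and CSR: the non-interactive form of the tutorial's two commands.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/domain.com.key" -out "$dir/domain.com.csr" \
    -subj "/C=US/O=Company Inc./CN=domain.com" >/dev/null 2>&1
  # Sign the CSR for one day, as the CA would (StartSSL: one year).
  openssl x509 -req -days 1 -in "$dir/domain.com.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/domain.com.crt" >/dev/null 2>&1
  # An unrelated key (constructed): the classic wrong SSLCertificateKeyFile.
  openssl genrsa -out "$dir/wrong.key" 2048 >/dev/null 2>&1
  echo "$dir"
}

# Public key embedded in a CSR ("req") or certificate ("x509"), PEM encoded.
pubkey_of() {          # $1 = file, $2 = "req" or "x509"
  openssl "$2" -in "$1" -noout -pubkey 2>/dev/null
}

# Does the CSR or certificate carry the public half of this private key?
# Comparing whole public keys is less error-prone than eyeballing moduli.
# Prints "match" or "MISMATCH".
key_matches() {        # $1 = "req"|"x509", $2 = csr/cert file, $3 = private key
  if [ "$(pubkey_of "$2" "$1")" = "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ]
  then echo match; else echo MISMATCH; fi
}

# Does the certificate verify against the issuing CA / chain file?
# Prints "ok" or "broken".
chain_ok() {           # $1 = cert, $2 = CA or chain file
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  then echo ok; else echo broken; fi
}

# Will the certificate still be valid $2 seconds from now?  Prints "yes"/"no".
valid_for() {          # $1 = cert, $2 = seconds
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# Stand-alone run: report on the fixture the way you would on the real files.
if [ "${1:-}" = "--demo" ]; then
  d=$(make_fixture)
  echo "csr/key:   $(key_matches req  "$d/domain.com.csr" "$d/domain.com.key")"
  echo "crt/key:   $(key_matches x509 "$d/domain.com.crt" "$d/domain.com.key")"
  echo "crt/wrong: $(key_matches x509 "$d/domain.com.crt" "$d/wrong.key")"
  echo "chain:     $(chain_ok "$d/domain.com.crt" "$d/ca.pem")"
  echo "valid 30d: $(valid_for "$d/domain.com.crt" 2592000)"
  rm -rf "$d"
fi
```

Run it with `sh check.sh --demo` to see the report on the constructed fixture, or call the functions on the real paths from ssl.conf. One caveat for the real files: `-CAfile` works here only because the stand-in CA is self-signed. StartSSL's `sub.class1.server.ca.pem` is an intermediate, not a root, so verify it with `openssl verify -untrusted /etc/pki/tls/certs/sub.class1.server.ca.pem /etc/pki/tls/certs/domain.com.crt`, which takes the root from the system trust store the way a browser does.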

Restart Apache to check that everything is in order.

/etc/init.d/httpd restart

Setting up the virtual hosts

As the last step we need to add new VirtualHosts for the SSL port.

vi /etc/httpd/conf.d/vhost.conf

Here is an example VirtualHost entry for your convenience:

NameVirtualHost *:443

<VirtualHost *:443>
     ServerAdmin webmaster@domain.com
     ServerName domain.com
     ServerAlias www.domain.com
     DocumentRoot /srv/www/domain.com/public_html/
     ErrorLog /srv/www/domain.com/logs/error.log
     CustomLog /srv/www/domain.com/logs/access.log combined
     SSLEngine on
     SSLCertificateFile /etc/pki/tls/certs/domain.com.crt
     SSLCertificateKeyFile /etc/pki/tls/private/domain.com.key
     SSLCertificateChainFile /etc/pki/tls/certs/sub.class1.server.ca.pem
</VirtualHost>

Additionally, it is useful to adjust your .htaccess to handle the new SSL requests. To redirect all non-SSL requests to SSL, use these lines:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://domain.com/$1 [R,L]

Do not forget to change your canonical redirect. Here is a www to non-www example:

RewriteCond %{HTTP_HOST} ^www\.domain\.com$ [NC]
RewriteRule ^(.*)$ https://domain.com/$1 [L,R=301]

Finally we can restart Apache for the last time.

/etc/init.d/httpd restart

Check your certificate on SSL Certificate Tester. Make sure to open the port 443 on your firewall.

iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v

Comments

  1. Oscar Frank says:

    Install Apache mod_ssl
    # yum install mod_ssl

    Go to certs folder in centos 6
    # cd /etc/ssl/certs/

    Regenerate Private Key and CSR with the help of following OpenSSL command
    # openssl req -nodes -newkey rsa:2048 -keyout namhuy_net.key -out namhuy_net.csr

    Get the CA Root Certificate from Verisign, Thawte, Globalsign, Comodo. After you purchase a cert from those vendors, you will get an email w/ cert files. Upload those files to
    /etc/ssl/certs/

    Save the combined file as namhuy_net.pem. The .pem file is now ready to use.

    The SSL configuration file for Apache is where I ended up putting the configurations for my server.
    # nano /etc/httpd/conf.d/ssl.conf

    Edit lines

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/namhuy_net.crt
    SSLCertificateKeyFile /etc/ssl/certs/namhuy_net.key
    SSLCertificateChainFile /etc/ssl/certs/namhuy_net.pem

    Restart httpd service
    # service httpd restart

    Source: http://namhuy.net/760/how-to-install-an-ssl-certificate-on-centos-for-apache.html

  2. yum command not found
