Cyberithub

Openssl Tutorial: Generate and Install Certificate on Apache Server in 8 Easy Steps


In this OpenSSL tutorial session, I will take you through the steps to generate and install a certificate on an Apache server in 8 easy steps. OpenSSL is an open source command line toolkit for generating and managing private keys and X.509 certificates and for working with the SSL/TLS protocols. In this session we will focus on using it to enable encrypted communication between a server and its clients. A note on terminology: people still say "SSL certificate", but the certificate is simply an X.509 certificate, and the protocol a current Apache actually negotiates is TLS. SSLv2 and SSLv3 are deprecated (RFC 6176 and RFC 7568) and should be disabled on the server; the certificate generated below is used for TLS in exactly the same way.

In the OpenSSL tutorial section below, we will go through an example in which we generate a self-signed certificate and install it in Apache to demonstrate basic TLS usage. A self-signed certificate is fine for a lab or an internal test host; browsers will warn about it because no trusted CA signed it, so for anything public-facing you would send the CSR from Step 4 to a CA instead of signing it yourself in Step 5.


Openssl Tutorial: Generate and Install Certificate


Step 1: Prerequisites

Before proceeding with certificate generation and installation, install the required packages with yum install -y mod_ssl openssl as shown below. mod_ssl is the Apache module that adds TLS support to httpd, and openssl is the tool we use to generate the key and certificate. Installing mod_ssl also drops a default /etc/httpd/conf.d/ssl.conf that points at a placeholder self-signed certificate (/etc/pki/tls/certs/localhost.crt); we will edit that file in Step 7.

[root@localhost ~]# yum install -y mod_ssl openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 7.9 kB 00:00:00
* base: mirrors.piconets.webwerks.in
* epel: mirrors.piconets.webwerks.in
* extras: mirrors.piconets.webwerks.in
* updates: mirrors.piconets.webwerks.in
base | 3.6 kB 00:00:00
download.mono-project.com_repo_centos_ | 2.9 kB 00:00:00
epel | 4.7 kB 00:00:00
extras | 2.9 kB 00:00:00
kubernetes/signature | 454 B 00:00:00
kubernetes/signature | 1.4 kB 00:00:00 !!!
nodesource | 2.5 kB 00:00:00
puppetlabs-pc1 | 2.5 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/2): epel/x86_64/updateinfo | 1.0 MB 00:00:01
(2/2): epel/x86_64/primary_db | 6.8 MB 00:00:04
Package 1:openssl-1.0.2k-19.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.6-90.el7.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================================
Installing:
mod_ssl x86_64 1:2.4.6-90.el7.centos base 112 k

Transaction Summary
========================================================================================================================================================================
Install 1 Package

Total download size: 112 k
Installed size: 224 k
Downloading packages:
mod_ssl-2.4.6-90.el7.centos.x86_64.rpm | 112 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 1:mod_ssl-2.4.6-90.el7.centos.x86_64 1/1
Verifying : 1:mod_ssl-2.4.6-90.el7.centos.x86_64 1/1

Installed:
mod_ssl.x86_64 1:2.4.6-90.el7.centos

Complete!

NOTE:

Please note that I am using the root user to run all the commands below. You can use any user with sudo access to run them. For more information, please check Step by Step: How to Add User to Sudoers to provide sudo access to a user.

Step 2: Create Certs Directory Structure

First make sure the directory /etc/pki/tls/certs exists, as shown below. On a CentOS/RHEL system it is already created by the openssl package, so the mkdir -p is harmless and simply guarantees it is there. We will put our certificate here and point the Apache configuration at this path. By convention the private key belongs in /etc/pki/tls/private, which is root-only (mode 0700); this tutorial keeps the key next to the certificate for simplicity, so it is important that the key file itself is readable by root only (see Step 6).

[root@localhost ~]# mkdir /etc/pki/tls/certs -p

-p : no error if existing, make parent directories as needed

Step 3: Generate SSL Key

Now generate an RSA private key of 2048 bits using openssl genrsa -out ca.key 2048 as shown below. RSA 2048 is the usual baseline today; you can use a longer RSA key or an ECDSA key (for example openssl ecparam -genkey -name prime256v1 -out ca.key) as your requirements dictate. Two things to be aware of: the file is written unencrypted, and genrsa creates it with whatever permissions your umask allows, so anyone who can read it can impersonate the server. Restrict it right away with chmod 600 ca.key. Also, despite the name ca.key used throughout this tutorial, this is the server's key, not a certificate authority key. You can check more about this on 25+ Popular Examples of Openssl commands in Linux(RedHat/CentOS 7/8).

[root@localhost ~]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................................+++
..............+++
e is 65537 (0x10001)

genrsa : to generate RSA Private Key.

-out : output file

Step 4: Request a Certificate

Now we create a Certificate Signing Request (CSR) with openssl req as shown below. The private key is the input: openssl derives the public key from it and embeds that, together with the Distinguished Name you type in, into the request. The Common Name should be the hostname clients will use to reach the server (cyberithub.local here). Be aware that modern browsers ignore the CN and require the hostname in a Subject Alternative Name (SAN) extension, which these interactive prompts do not add; a certificate made this way is accepted by Apache and by curl or openssl s_client, but Chrome and Firefox will report a hostname mismatch. The "challenge password" attribute is not used anywhere in this self-signed flow and can be left blank. To know more about generating a certificate request you can check How to create a Self Signed Certificate using Openssl commands on Linux (RedHat/CentOS 7/8).

[root@localhost ~]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Arvin
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:PM
Common Name (eg, your name or your server's hostname) []:cyberithub.local
Email Address []:test@cyberithub.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Test@123$
An optional company name []:

req : PKCS#10 X.509 Certificate Signing Request (CSR) Management.

-new : generate a new certificate request

-key : Input Private Key

Step 5: Sign Certificate

Now we self-sign the CSR with the same private key using openssl x509 -req as shown below. We pass the number of days the certificate should remain valid, the CSR as input, the private key to sign with, and the output file name. Because the certificate is signed by its own key rather than by a CA, every client has to be told explicitly to trust it. Also note that x509 -req does not copy extensions (such as a SAN) from the CSR into the certificate unless you point it at them with -extfile and -extensions.

[root@localhost ~]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=US/ST=California/L=Arvin/O=Default Company Ltd/OU=PM/CN=cyberithub.local/emailAddress=test@cyberithub.local
Getting Private key

x509 : X.509 Certificate Data Management.

-req : Request to sign a certificate

-days : No. of days Certificate will remain valid

-in : Input certificate signing request

-signkey : Sign certificate based on Private key

-out : Output Signed Certificate
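Steps 3 to 5 as one non-interactive script, added here as an example; it is not code from the original tutorial. It reuses the page's hostname and DN values, but the output directory, the file names server.key/server.csr/server.crt and the san.cnf config file are assumptions made for this example. It goes one step beyond the interactive flow above: it adds a Subject Alternative Name, which is what browsers actually match against, and it finishes with the checks a practitioner runs before handing the files to Apache.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: Steps 3-5 as one
# non-interactive script, plus the checks to run before handing the files
# to Apache. The hostname and DN values come from the page; the output
# directory, the file names and the san.cnf config file are assumptions
# made here. Works with OpenSSL 1.0.2 (CentOS 7) and newer.
set -eu

OUT_DIR="${OUT_DIR:-${TMPDIR:-/tmp}/selfsigned}"
CERT_HOST="${CERT_HOST:-cyberithub.local}"
DAYS="${DAYS:-365}"

make_selfsigned_cert() {
    mkdir -p "$OUT_DIR"

    # Step 3: RSA private key. umask 077 makes the file 0600 from the start,
    # so it is never world-readable even for an instant.
    ( umask 077; openssl genrsa -out "$OUT_DIR/server.key" 2048 2>/dev/null )

    # OpenSSL 1.0.2 has no -addext, so the DN and the Subject Alternative
    # Name go into a config file that both req and x509 can read.
    cat > "$OUT_DIR/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
C  = US
ST = California
L  = Arvin
O  = Default Company Ltd
OU = PM
CN = $CERT_HOST

[v3_req]
subjectAltName = DNS:$CERT_HOST
extendedKeyUsage = serverAuth
EOF

    # Step 4: CSR from the key; prompt = no makes it non-interactive.
    openssl req -new -key "$OUT_DIR/server.key" -config "$OUT_DIR/san.cnf" \
        -out "$OUT_DIR/server.csr"

    # Step 5: self-sign with the same key. x509 -req drops the CSR's
    # extensions unless told where to find them, hence -extfile/-extensions.
    openssl x509 -req -days "$DAYS" -sha256 \
        -in "$OUT_DIR/server.csr" -signkey "$OUT_DIR/server.key" \
        -extfile "$OUT_DIR/san.cnf" -extensions v3_req \
        -out "$OUT_DIR/server.crt"
}

# Returns 0 when key, certificate and SAN line up and the key is private;
# returns 1 at the first check that fails.
check_selfsigned_cert() {
    crt="$OUT_DIR/server.crt"; key="$OUT_DIR/server.key"
    # 1. The certificate must carry this key's public half (same modulus).
    [ "$(openssl x509 -noout -modulus -in "$crt")" = \
      "$(openssl rsa -noout -modulus -in "$key")" ] || return 1
    # 2. The SAN must name the host clients will connect to.
    openssl x509 -noout -text -in "$crt" | grep -q "DNS:$CERT_HOST" || return 1
    # 3. The self-signature must verify with the cert as its own trust anchor.
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1
    # 4. Only the owner may read the key.
    [ "$(ls -l "$key" | cut -c2-10)" = "rw-------" ] || return 1
}

if command -v openssl >/dev/null 2>&1; then
    make_selfsigned_cert
    if check_selfsigned_cert; then
        echo "OK: $OUT_DIR/server.crt and server.key are ready for Apache"
    else
        echo "FAILED: inspect the files in $OUT_DIR" >&2
    fi
else
    echo "openssl not found; nothing generated" >&2
fi
```

Run it as sh make-cert.sh; set OUT_DIR, CERT_HOST or DAYS in the environment to override the defaults. The config-file route is the only way to get a SAN into the certificate on OpenSSL 1.0.2; on 1.1.1 and later you could instead pass -addext "subjectAltName=DNS:cyberithub.local" on the req line, but the config file works on both.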

Step 6: Copy All Certificate and Keys

After generating the self-signed certificate, copy the certificate and key into the directory whose path will be configured in the Apache configuration file. Apache only needs the certificate and the key; the CSR is copied purely for safekeeping (you can resubmit it to a real CA later) and could be left out. cp preserves the mode of the source file, so check afterwards that ca.key is readable by root only (chmod 600) and not by the apache user or anyone else: httpd reads the key as root at startup, before it drops privileges for the worker processes.

[root@localhost ~]# cp ca.crt /etc/pki/tls/certs/
[root@localhost ~]# cp ca.key /etc/pki/tls/certs/
[root@localhost ~]# cp ca.csr /etc/pki/tls/certs/

Step 7:  Apache SSL Configuration

Now edit the Apache SSL configuration file /etc/httpd/conf.d/ssl.conf that mod_ssl installed. It already contains a <VirtualHost _default_:443> block pointing at the placeholder files mod_ssl generated (/etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key). Change the SSLCertificateFile and SSLCertificateKeyFile directives to our certificate and key as shown below, and set ServerName to the hostname that appears in the certificate's Common Name. Take care that SSLCertificateKeyFile points at the .key file, not the .crt; if it points at the certificate, httpd will refuse to start because it cannot load a private key from it.

[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf

DocumentRoot "/var/www/html"
ServerName cyberithub.local:443
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/certs/ca.key
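A hardened version of the same ssl.conf fragment, added here as an example and not the page's own configuration. It keeps the tutorial's paths and hostname and adds the protocol and cipher settings a practitioner would want. The weak setting is the one mod_ssl on CentOS 7 ships with: SSLProtocol all -SSLv2 -SSLv3 still permits TLS 1.0 and 1.1. The DocumentRoot and the HSTS header are assumptions; the Header directive needs mod_headers, which CentOS 7 loads by default from /etc/httpd/conf.modules.d/00-base.conf.

```apache
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    ServerName cyberithub.local:443

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/ca.key

    # Weak default shipped in CentOS 7's ssl.conf (still allows TLS 1.0/1.1):
    #   SSLProtocol all -SSLv2 -SSLv3
    # Hardened: TLS 1.2 only. Add +TLSv1.3 once your mod_ssl/OpenSSL build
    # supports it (OpenSSL 1.1.1 or later; not the 1.0.2 shown in Step 1).
    SSLProtocol -all +TLSv1.2

    # Let the server pick the suite and offer only forward-secret AEAD suites.
    # All four exist in OpenSSL 1.0.2, so the list is valid on CentOS 7.
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

    # HSTS (assumed policy): enable only once HTTPS is known to work,
    # because browsers remember it and will refuse plain HTTP afterwards.
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
```

Run apachectl configtest after saving; it reports a syntax error for a cipher list or protocol that the installed OpenSSL cannot provide, which is cheaper to find out than a failed restart.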

Step 8: Restart Apache Server

Now that the Apache configuration is modified and saved, check the syntax with apachectl configtest and then restart the httpd service with systemctl restart httpd as shown below; the traditional service httpd restart also works. Make sure port 443 is open on the host firewall as well (the https service in firewalld). Once httpd is back up, open https://cyberithub.local/ in a browser: the connection is encrypted, and the browser will show a warning because the certificate is self-signed, which is expected until you import ca.crt into the client's trust store or replace it with a CA-issued certificate.

[root@localhost ~]# systemctl restart httpd
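Beyond the browser check, confirm that httpd is really presenting the new certificate and not the placeholder localhost.crt from the mod_ssl package. This script is an added example, not part of the original page: it fetches the certificate the server sends with openssl s_client and compares its fingerprint with the configured file. The default host, port and certificate path are the tutorial's; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: confirm that the certificate
# Apache presents is the file configured in ssl.conf, not mod_ssl's
# placeholder. Default host, port and certificate path are the tutorial's;
# the function names are assumptions made here.
set -u

# Print the PEM leaf certificate presented by $1:$2 (SNI set to $1).
# Exit status is non-zero if no TLS server answers.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Return 0 if the served certificate's SHA-256 fingerprint equals that of
# file $3; 1 if they differ, the file is unreadable or the host is down.
served_cert_matches() {
    remote="$(served_cert "$1" "$2" | openssl x509 -noout -fingerprint -sha256 2>/dev/null)" || return 1
    [ -n "$remote" ] || return 1
    local_fp="$(openssl x509 -noout -fingerprint -sha256 -in "$3" 2>/dev/null)" || return 1
    [ "$remote" = "$local_fp" ]
}

# Usage: sh check-served-cert.sh HOST [PORT] [CERT_FILE]
if [ $# -gt 0 ]; then
    if served_cert_matches "$1" "${2:-443}" "${3:-/etc/pki/tls/certs/ca.crt}"; then
        echo "OK: $1 presents the configured certificate"
    else
        echo "MISMATCH or unreachable: check the ssl.conf paths and that httpd restarted" >&2
        exit 1
    fi
fi
```

Run it as sh check-served-cert.sh cyberithub.local 443 /etc/pki/tls/certs/ca.crt from any host that can reach the server. A mismatch after a successful restart usually means the edited directives sit in a different VirtualHost than the one answering, or a second ssl.conf still references localhost.crt.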
