In this Openssl tutorial session, I will take you through the steps to generate and install a certificate on an Apache server in 8 easy steps. Openssl is an open source command line tool to generate, implement and manage SSL and TLS certificates. In this openssl tutorial session we will focus on SSL protocol implementation to enable secure communication between server and client systems. Although the TLS protocol is considered more secure than SSL due to its advanced security features, you will still find wide usage of the SSL protocol in many organizations.
In the Openssl tutorial section below, we will go through an example in which we generate a self-signed SSL certificate and install it in an Apache server to demonstrate simple usage of the SSL features.
Openssl Tutorial: Generate and Install Certificate
Step 1: Prerequisites
Before proceeding with SSL certificate generation and installation we need to install the required packages using the yum install -y mod_ssl openssl command as shown below. Here we need the mod_ssl Apache module and the openssl tool to generate and install the certificate.
[root@localhost ~]# yum install -y mod_ssl openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                     | 7.9 kB  00:00:00
 * base: mirrors.piconets.webwerks.in
 * epel: mirrors.piconets.webwerks.in
 * extras: mirrors.piconets.webwerks.in
 * updates: mirrors.piconets.webwerks.in
base                                                     | 3.6 kB  00:00:00
download.mono-project.com_repo_centos_                   | 2.9 kB  00:00:00
epel                                                     | 4.7 kB  00:00:00
extras                                                   | 2.9 kB  00:00:00
kubernetes/signature                                     |  454 B  00:00:00
kubernetes/signature                                     | 1.4 kB  00:00:00 !!!
nodesource                                               | 2.5 kB  00:00:00
puppetlabs-pc1                                           | 2.5 kB  00:00:00
updates                                                  | 2.9 kB  00:00:00
(1/2): epel/x86_64/updateinfo                            | 1.0 MB  00:00:01
(2/2): epel/x86_64/primary_db                            | 6.8 MB  00:00:04
Package 1:openssl-1.0.2k-19.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.6-90.el7.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch        Version                    Repository        Size
================================================================================
Installing:
 mod_ssl        x86_64      1:2.4.6-90.el7.centos      base             112 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 112 k
Installed size: 224 k
Downloading packages:
mod_ssl-2.4.6-90.el7.centos.x86_64.rpm                   | 112 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 1:mod_ssl-2.4.6-90.el7.centos.x86_64                      1/1
  Verifying  : 1:mod_ssl-2.4.6-90.el7.centos.x86_64                      1/1

Installed:
  mod_ssl.x86_64 1:2.4.6-90.el7.centos

Complete!
Note that all the commands below are run as the root user. You can use any user with sudo access to run these commands instead. For more information, please check Step by Step: How to Add User to Sudoers to provide sudo access to a user.
Step 2: Create Certs Directory Structure
First you need to create the directory /etc/pki/tls/certs as shown below. We will put our key and certificate here and point the Apache configuration at the SSL certificate in this path.
[root@localhost ~]# mkdir /etc/pki/tls/certs -p
-p : no error if existing, make parent directories as needed
Step 3: Generate SSL Key
Now you need to generate an SSL key of length 2048 bits using the openssl genrsa -out ca.key 2048 command as shown below. Here we are using the RSA algorithm to generate a key with a length of 2048 bits. This is usually the recommended way to generate the key, but you can also use other key generation algorithms as per your requirements. You can check more about this on 25+ Popular Examples of Openssl commands in Linux(RedHat/CentOS 7/8).
[root@localhost ~]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................................+++
..............+++
e is 65537 (0x10001)
genrsa : generate an RSA private key
-out : output file
Step 4: Request a Certificate
Now we need to create a CSR (certificate signing request) using the openssl command as shown below. To create a CSR you need to provide the private key as input. To know more about generating a certificate request you can check How to create a Self Signed Certificate using Openssl commands on Linux (RedHat/CentOS 7/8).
[root@localhost ~]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Arvin
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:PM
Common Name (eg, your name or your server's hostname) []:cyberithub.local
Email Address []:firstname.lastname@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Test@123$
An optional company name []:
req : PKCS#10 X.509 Certificate Signing Request (CSR) management
-new : request a new certificate based on the key
-key : input private key
Step 5: Sign Certificate
Now we need to sign the certificate using the CSR and the private key with the openssl command as shown below. Here we need to provide a few parameters: the number of days the certificate stays valid, the input private key and the output certificate name.
[root@localhost ~]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=US/ST=California/L=Arvin/O=Default Company Ltd/OU=PM/CN=cyberithub.local/emailAddress=email@example.com
Getting Private key
x509 : X.509 certificate data management
-req : the input is a certificate request to be signed
-days : number of days the certificate will remain valid
-in : input certificate signing request
-signkey : self-sign the certificate with this private key
-out : output signed certificate
Step 6: Copy All Certificate and Keys
After generating the self-signed SSL certificate you need to copy the certificate and key into a directory whose path can be configured in the Apache configuration file, so that Apache uses the certificate for secure communication.
[root@localhost ~]# cp ca.crt /etc/pki/tls/certs/
[root@localhost ~]# cp ca.key /etc/pki/tls/certs/
[root@localhost ~]# cp ca.csr /etc/pki/tls/certs/
Step 7: Apache SSL Configuration
Now we need to edit the Apache SSL configuration file /etc/httpd/conf.d/ssl.conf and set the certificate and key paths in the SSLCertificateFile and SSLCertificateKeyFile directives as shown below. SSLCertificateFile points at the certificate (ca.crt) and SSLCertificateKeyFile at the private key (ca.key); Apache will refuse to start if the key file does not match the certificate.
[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html"
ServerName example.com:443
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/certs/ca.key
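The script below is an added example and not part of the original tutorial. It turns Steps 3 to 5 into a non-interactive POSIX shell function (the DN values are the ones from the tutorial's CSR prompt, passed with -subj instead of typed in), and adds the check a practitioner wants before Step 8: that the SSLCertificateFile and SSLCertificateKeyFile directives in an ssl.conf point at existing files, that the key file really is a private key, and that the key matches the certificate. It assumes only that openssl is on PATH; all paths are parameters, so it can run in a scratch directory rather than in /etc/pki/tls.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Non-interactive version of
# Steps 3-5 (key, CSR, self-signed certificate) plus a check that an ssl.conf
# names a matching certificate/private-key pair.
# Assumptions: openssl on PATH; every path is a parameter, so the functions
# work in a scratch directory as well as in /etc/pki/tls.

# gen_self_signed DIR CN DAYS: create DIR/ca.key, DIR/ca.csr and DIR/ca.crt.
gen_self_signed() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir" || return 1
    # umask 077 makes the private key owner-readable only from the moment it
    # is written; a plain genrsa call creates it with the default 0644 mode.
    (umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null) || return 1
    # -subj supplies the Distinguished Name that Step 4 enters interactively
    # (values taken from the tutorial's CSR session).
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/C=US/ST=California/L=Arvin/O=Default Company Ltd/OU=PM/CN=$cn" || return 1
    # Step 5: self-sign the CSR with the same key, valid for DAYS days.
    openssl x509 -req -days "$days" -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -out "$dir/ca.crt" 2>/dev/null
}

# key_matches_cert KEY CRT: succeed only if the public key embedded in CRT is
# the one derived from KEY. Compares SHA-256 digests of the two PEM public keys.
key_matches_cert() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    [ "$(printf '%s\n' "$pub" | openssl sha256)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)" ]
}

# cert_cn CRT: print the Common Name from the certificate subject. Handles both
# the "/CN=host" (OpenSSL 1.x) and "CN = host" (OpenSSL 3.x) subject layouts.
cert_cn() {
    openssl x509 -in "$1" -noout -subject |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# check_ssl_conf CONF: verify the Step 7 directives. Fails if either file is
# missing, if SSLCertificateKeyFile does not hold a private key (the common slip
# of pointing it at the .crt), or if key and certificate do not match.
check_ssl_conf() {
    conf=$1
    crt=$(sed -n 's|^[[:space:]]*SSLCertificateFile[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$|\1|p' "$conf" | head -n 1)
    key=$(sed -n 's|^[[:space:]]*SSLCertificateKeyFile[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$|\1|p' "$conf" | head -n 1)
    [ -f "$crt" ] || { echo "SSLCertificateFile not found: $crt" >&2; return 1; }
    [ -f "$key" ] || { echo "SSLCertificateKeyFile not found: $key" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key" || { echo "$key is not a private key" >&2; return 1; }
    key_matches_cert "$key" "$crt" || { echo "$key does not match $crt" >&2; return 1; }
    echo "ok: $crt matches $key"
}

# Stand-alone demo in a scratch directory (writes nothing under /etc):
#   sh selfsigned.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    gen_self_signed "$d" cyberithub.local 365
    printf 'SSLEngine on\nSSLCertificateFile %s/ca.crt\nSSLCertificateKeyFile %s/ca.key\n' \
        "$d" "$d" > "$d/ssl.conf"
    echo "CN: $(cert_cn "$d/ca.crt")"
    check_ssl_conf "$d/ssl.conf"
    rm -rf "$d"
fi
```

For the real install, generate into a scratch directory, copy the files as in Step 6 (keeping the key at mode 0600 and owned by root, since anyone who can read it can impersonate the server), then run check_ssl_conf /etc/httpd/conf.d/ssl.conf before restarting httpd in Step 8. After the restart, openssl s_client -connect localhost:443 -servername cyberithub.local shows the certificate Apache is actually serving; a browser will still warn about it because a self-signed certificate is not issued by a CA it trusts.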
Step 8: Restart Apache Server
Now that the Apache configuration is modified and saved, you need to restart the httpd service so that the changes take effect, using the systemctl restart httpd command as shown below. You can also use the traditional service httpd restart command to restart the service. Once it is restarted, enter your URL in the browser and confirm that SSL traffic is now enabled.
[root@localhost ~]# systemctl restart httpd