Configuring Apache to utilize SSL

Chapter 7, Hosting HTTP Content via Apache, was all about Apache. There, we walked through how to get it running and configured in order to host a site on our network. But if we were to create a site that would potentially host personally identifiable information, we would want to make sure that we use proper security measures in order to protect that information. Using SSL certificates for our site allows it to be accessed over secure port 443, thus enhancing security. Utilizing SSL isn't the only measure we can take in order to increase the security of our web server, but it's definitely a start.

There are two kinds of certificates we can use. We can create a self-signed certificate, or we can register a certificate with a Certificate Authority (CA). The latter is preferred, though if you are only creating a site for internal use, it may be too much overhead. The difference is a self-signed certificate isn't trusted by any browser, since it wouldn't have come from a known CA. When you visit a site with such a certificate, it will complain that the certificate of the site isn't valid. This isn't necessarily true, because a self-signed certificate can certainly be valid; it's just that the browser has no way of knowing for sure. Getting a certificate registered with a CA would alleviate this, but at a cost. Registered certificates can be expensive, depending on the scope. The choice is yours.

Note

On Debian systems, make sure you enable SSL with the following command:

# a2enmod ssl

To begin, you would first choose a location on the filesystem of your web server that will host the certificate files. There's no hard rule here; the only requirement is that Apache can access it (and preferably, no one else can!). Some good candidates include /etc/apache2/ssl in Debian and /etc/httpd/ssl in CentOS. I put mine in /etc/certs. Whichever path you choose, change into that directory and then we will continue.

If you've decided to create a self-signed certificate, you can do so with the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

As your certificate gets generated, you will be asked for some information pertaining to your organization, contact information, and domain. Here's an example of the questions you'll be asked and some example answers:

  • Country name: US
  • State or Province Name: Michigan
  • Locality Name (City): White Lake
  • Organization Name: My Company
  • Organizational Unit Name: IT Dept
  • Common Name (Fully Qualified Domain Name): myserver.mydomain.com
  • Email Address: [email protected]

This will create two files for you in your current working directory, server.key and server.crt. The filenames are arbitrary; you can name them whatever you like. Now, we need to make sure that our web server is able to find and use these files.

On Debian web servers, we can do this by editing /etc/apache2/sites-available/default-ssl.conf. In that file, there will be a section for us to add our directives that will enable our keys. Look for a section that has some comments regarding SSL. Within that section, add the following lines:

SSLCertificateFile /etc/certs/server.crt
SSLCertificateKeyFile /etc/certs/server.key

In CentOS, we would add the same lines to the /etc/httpd/conf/httpd.conf file, but with the SSLEngine on directive as well. This should go in its own VirtualHost directive, similar to the example that follows. Just be sure to change the paths to match how your web server has been set up:

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/certs/server.crt
    SSLCertificateKeyFile /etc/certs/server.key
    # Only include the following line if the certificate is signed by a CA:
    SSLCACertificateFile /etc/certs/ca.pem
    DocumentRoot /var/www/
</VirtualHost>

Setting up a signed SSL certificate is similar, but the difference is in how you request it. The process entails creating a Certificate Signing Request (CSR) that you will submit to your provider, which will in turn provide you with a signed certificate. The end result is the same: the files will end up in the same place. You'll just use the files given to you by your provider after submitting the CSR. Let's begin by creating a CSR, which we will use the openssl command to generate for us:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

You'll be asked the same questions as before, but notice that we're telling openssl to give us a .csr, so we will have a server.csr file in our working directory that we will use to request a signed certificate from our CA. After you receive the files from your certificate provider, you would just update Apache as we have done earlier.
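The self-signed procedure above, scripted as an added example (not from the book): the prompt answers are passed with -subj instead of typed interactively, the private key is locked down, and the key and certificate are checked against each other before Apache is pointed at them, which is the same check worth running on files returned by a CA. The directory and subject values are assumptions.

```shell
#!/bin/sh
# Added example: non-interactive self-signed certificate plus pre-flight checks.
set -eu

# Answers to the openssl prompts, supplied via -subj (constructed sample values).
SUBJ="/C=US/ST=Michigan/L=White Lake/O=My Company/OU=IT Dept/CN=myserver.mydomain.com"

# make_self_signed DIR -> writes DIR/server.key and DIR/server.crt
make_self_signed() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "$SUBJ" -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    # Apache reads the key as root at startup; nobody else needs to read it.
    chmod 600 "$dir/server.key"
}

# key_matches_cert KEY CRT -> exit 0 when both parse and carry the same public key
key_matches_cert() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$2" -noout 2>/dev/null || return 1
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_valid_for CRT SECONDS -> exit 0 when the certificate does not expire within SECONDS
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# key_is_private KEY -> exit 0 when the mode is 0600 (GNU stat first, BSD stat as fallback)
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# Usage: sh thisscript.sh run  (writes into a temporary directory, not /etc/certs)
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_self_signed "$d"
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "key and certificate match"
    cert_valid_for "$d/server.crt" 86400 && echo "certificate valid for at least a day"
    key_is_private "$d/server.key" && echo "key permissions are 0600"
    echo "files in $d"
fi
```

Point SSLCertificateFile and SSLCertificateKeyFile at the generated files only after all three checks pass.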
