Chapter 7, Hosting HTTP Content via Apache, was all about Apache. There, we walked through how to get it running and configured in order to host a site on our network. But if we were to create a site that would potentially host personally identifiable information, we would want to make sure that we use proper security measures to protect that information. Using SSL certificates for our site allows it to be accessed over secure port 443, thus enhancing security. Utilizing SSL isn't the only measure we can take to increase the security of our web server, but it's definitely a start.
There are two kinds of certificates we can use. We can create a self-signed certificate, or we can register a certificate with a Certificate Authority (CA). The latter is preferred, though if you are only creating a site for internal use, it may be too much overhead. The difference is that a self-signed certificate isn't trusted by any browser, since it wouldn't have come from a known CA. When you visit a site with such a certificate, the browser will complain that the site's certificate isn't valid. This isn't necessarily true, because a self-signed certificate can certainly be valid; it's just that the browser has no way of knowing for sure. Getting a certificate registered with a CA would alleviate this, but at a cost. Registered certificates can be expensive, depending on the scope. The choice is yours.
To begin, you would first choose a location on the filesystem of your web server that will host the certificate files. There's no hard rule here; the only requirement is that Apache can access it (and preferably, no one else can!). Some good candidates include /etc/apache2/ssl in Debian and /etc/httpd/ssl in CentOS. I put mine in /etc/certs. Whichever path you choose, change into that directory and then we will continue.
If you've decided to create a self-signed certificate, you can do so with the following command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
As your certificate gets generated, you will be asked for some information pertaining to your organization, contact information, and domain. Here's an example of the questions you'll be asked and some example answers:
Country name: US
State or Province Name: Michigan
Locality Name (City): White Lake
Organization Name: My Company
Organizational Unit Name: IT Dept
Common Name (Fully Qualified Domain Name): myserver.mydomain.com
Email Address: [email protected]
This will create two files for you in your current working directory, server.key and server.crt. The filenames are arbitrary; you can name them whatever you like. Now, we need to make sure that our web server is able to find and use these files.
On Debian web servers, we can do this by editing /etc/apache2/sites-available/default-ssl.conf. In that file, there will be a section for us to add our directives that will enable our keys. Look for a section that has some comments regarding SSL. Within that section, add the following lines:
SSLCertificateFile /etc/certs/server.crt
SSLCertificateKeyFile /etc/certs/server.key
In CentOS, we would add the same lines to the /etc/httpd/conf/httpd.conf file, but with the SSLEngine on directive as well. This should go in its own VirtualHost directive, similar to the example that follows. Just be sure to change the paths to match how your web server has been set up:
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/certs/server.crt
    SSLCertificateKeyFile /etc/certs/server.key
    # Only include the following line if the certificate is signed by a CA.
    SSLCACertificateFile /etc/certs/ca.pem
    DocumentRoot /var/www/
</VirtualHost>
Setting up a signed SSL certificate is similar, but the difference is in how you request it. The process entails creating a Certificate Signing Request (CSR) that you will submit to your provider, which will in turn provide you with a signed certificate. The end result is the same: the files will end up in the same place. You'll just use the files given to you by your provider after submitting the CSR. Let's begin by creating a CSR, which we will use the openssl command to generate for us:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
You'll be asked the same questions as before, but notice that we're telling openssl to give us a .csr, so we will have a server.csr file in our working directory that we will use to request a certificate from our CA. After you receive the files from your certificate provider, you would just update Apache as we have done earlier.