How to #Secure Apache With a Free #SSL Certificate From StartSSL on #CentOS

Your own web server with an SSL certificate from an approved certificate authority, so that the browser does not raise any warning either, would be a good thing. But the cost of a certificate from Verisign & Co. quickly puts an end to those ideas. The provider StartSSL, however, offers free SSL server certificates that are valid for one year. How great is that! In this tutorial we will show you the process of securing your Apache web server with this free SSL certificate.
Root access is required to edit the following files and to execute commands. Log in as root (su) or simply prepend sudo to all commands that require root privileges.
Getting the required software
The first thing we need is a working Apache webserver with SSL installed.
yum install mod_ssl openssl
Generate the keys and the CSR
Create the public and private keys.
openssl genrsa -out r00tnetwork.org.key 2048
Create the certificate signing request.
openssl req -new -key r00tnetwork.org.key -out r00tnetwork.org.csr
Here is an example input:
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Los Angeles
Locality Name (eg, city) [Default City]:Los Angeles
Organization Name (eg, company) [Default Company Ltd]:Company Inc.
Organizational Unit Name (eg, section) []:Secure Services Department
Common Name (eg, your name or your server's hostname) []:r00tnetwork.org
Email Address []:info@r00tnetwork.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:Company Inc.
OK, now that we have the r00tnetwork.org.key and r00tnetwork.org.csr files in place we can start with the certificate creation process. Here is the process in general. The CSR is sent to the certificate authority, which creates a certificate. The certificate contains the public key, details of the holder and the issuer, and the issuer's digital signature over all the information it contains, including the key. Thus, the key is bound to an identity. The final certificate is stored on the server, which delivers it to a client on request. The next step will cover this process.
Generate a certificate
Make sure that you have created the following administrative e-mail addresses for your domain. You need these addresses to verify the domain ownership.
postmaster@r00tnetwork.org
hostmaster@r00tnetwork.org
webmaster@r00tnetwork.org
Now visit StartSSL and choose the Express Lane to create your free SSL certificate. Skip the step where StartSSL asks you to create the private key and CSR, as we have already created them on our server. Open the r00tnetwork.org.csr file on your server with your favorite editor.
vi r00tnetwork.org.csr
Copy and paste the complete CSR in the text field on StartSSL. After a verification process you can copy and save the certificate from StartSSL on your server. Open your editor again, paste the CRT and save it.
vi r00tnetwork.org.crt
In summary, we now have three files on our server: the KEY, the CSR and the CRT file. Please copy these files to their respective directories.
cp r00tnetwork.org.key /etc/pki/tls/private/
cp r00tnetwork.org.csr /etc/pki/tls/private/
cp r00tnetwork.org.crt /etc/pki/tls/certs/
For browser compatibility we need to save the intermediate certificate (IM) from StartSSL on our server as well. Navigate to the certificates directory and download the IM file.
cd /etc/pki/tls/certs/
wget http://www.startssl.com/certs/sub.class1.server.ca.pem
Now we have to tell Apache about the new certificate, key and IM file locations. Open the ssl.conf and edit the file paths.
vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/r00tnetwork.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/r00tnetwork.org.key
SSLCertificateChainFile /etc/pki/tls/certs/sub.class1.server.ca.pem
Restart Apache to check that everything is in order.
/etc/init.d/httpd restart
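Before relying on the restart to surface problems, the key, certificate and IM file can be checked for consistency with openssl. The script below is an added example, not part of the original tutorial: it assumes openssl is installed, defaults to the file paths used above, and also creates the key and CSR from the earlier section non-interactively.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: create the key and CSR
# non-interactively, then check that key, certificate and intermediate file
# belong together before Apache is restarted. Paths default to those above.

# Generate a 2048-bit RSA key and a CSR for DOMAIN with the subject used in the text.
make_key_and_csr() {
    domain=$1
    dir=${2:-.}
    openssl genrsa -out "$dir/$domain.key" 2048 >/dev/null 2>&1 || return 1
    openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/C=US/ST=Los Angeles/L=Los Angeles/O=Company Inc./CN=$domain" \
        >/dev/null 2>&1
}

# Return 0 when key and certificate carry the same RSA modulus; a mismatch is
# the usual reason Apache refuses to start after a certificate change.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Return 0 when CERT chains through the intermediates in CHAIN to a trusted root.
# The root comes from the system trust store unless a root file is passed as $3.
chain_verifies() {
    chain=$1; crt=$2; root=$3
    if [ -n "$root" ]; then
        openssl verify -CAfile "$root" -untrusted "$chain" "$crt" >/dev/null 2>&1
    else
        openssl verify -untrusted "$chain" "$crt" >/dev/null 2>&1
    fi
}

# Return 0 when CERT is still valid DAYS days from now (the free cert lasts one year).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Run all checks on the files Apache will load and report the first failure.
check_ssl_files() {
    key=${1:-/etc/pki/tls/private/r00tnetwork.org.key}
    crt=${2:-/etc/pki/tls/certs/r00tnetwork.org.crt}
    chain=${3:-/etc/pki/tls/certs/sub.class1.server.ca.pem}
    key_matches_cert "$key" "$crt" || { echo "key and certificate do not match"; return 1; }
    chain_verifies "$chain" "$crt" "$4" || { echo "certificate does not verify against chain"; return 2; }
    cert_valid_for_days "$crt" 30 || { echo "certificate expires within 30 days"; return 3; }
    echo "OK: key, certificate and chain are consistent"
}
```

Running check_ssl_files with no arguments checks the three files from this tutorial against the system trust store; a non-zero return tells you which of the three checks failed.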
Setting up the virtual hosts
As the last step we need to add new VirtualHosts for the SSL port.
vi /etc/httpd/conf.d/vhost.conf
Here is an example VirtualHost entry for your convenience:
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin webmaster@r00tnetwork.org
    ServerName r00tnetwork.org
    ServerAlias www.r00tnetwork.org
    DocumentRoot /srv/www/r00tnetwork.org/public_html/
    ErrorLog /srv/www/r00tnetwork.org/logs/error.log
    CustomLog /srv/www/r00tnetwork.org/logs/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/r00tnetwork.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/r00tnetwork.org.key
    SSLCertificateChainFile /etc/pki/tls/certs/sub.class1.server.ca.pem
</VirtualHost>
Additionally, it is useful to adjust your .htaccess as well to handle the new SSL requests. To redirect all non-SSL requests to SSL, use these lines:
RewriteEngine On
# Send every request that did not arrive over HTTPS to the HTTPS URL
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://r00tnetwork.org/$1 [R,L]
Do not forget to change your canonical redirect. Here is a www-to-non-www example:
RewriteCond %{HTTP_HOST} ^www\.r00tnetwork\.org$ [NC]
RewriteRule ^(.*)$ https://r00tnetwork.org/$1 [L,R=301]
Finally we can restart Apache for the last time.
/etc/init.d/httpd restart
Check your certificate on SSL Certificate Tester. Make sure to open port 443 on your firewall.
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v