Setting up an Apache web server for secure communications isn’t as difficult as it seems. OES 2 comes preconfigured with SSL/TLS for eDirectory operations in the web-based utilities, like iManager.

If you plan on using your web server for Internet or public use, you may want to purchase a signed certificate from one of the commercial root CAs instead of the private CA created below.

Procedure

We have to complete the following steps, in order.

  • Create a new Certificate Authority (CA)
  • Create a new Key and Certificate for the Apache Server
  • Create a new Host Location for the Secure Site
  • Configure Apache for SSL

Create a new Certificate Authority (CA)

Make a directory to perform the CA operations, temporarily.

mkdir /root/temp/ca
cd /root/temp/ca

Generate the CA private key using 2048 bits (the -des3 option protects the key file with a pass phrase).

openssl genrsa -des3 -out newca.key 2048

Generating RSA private key, 2048 bit long modulus
.....+++
...................+++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

Create the self-signed X.509 CA certificate and make it expire in 2 years.

openssl req -new -x509 -days 730 -key newca.key -out newca.crt

Enter pass phrase for newca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Dallas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company, Inc.
Organizational Unit Name (eg, section) []:Independent
Common Name (eg, YOUR name) []:*.mydomain.com
Email Address []:webmaster@mydomain.com

Let’s view the certificate we just created:

openssl x509 -in newca.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8c:1c:d7:a8:44:d2:44:10
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Texas, L=Dallas, O=My Company, Inc., OU=Independent, CN=*.mydomain.com/emailAddress=webmaster@mydomain.com
        Validity
            Not Before: Feb 24 22:29:39 2008 GMT
            Not After : Feb 21 22:29:39 2010 GMT
        Subject: C=US, ST=Texas, L=Dallas, O=My Company, Inc., OU=Independent, CN=*.mydomain.com/emailAddress=webmaster@mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A9:A0:AD:2B:A0:27:FD:DD:29:FF:43:1B:14:3D:80:17:62:34:B7:BC
            X509v3 Authority Key Identifier:
                keyid:A9:A0:AD:2B:A0:27:FD:DD:29:FF:43:1B:14:3D:80:17:62:34:B7:BC
                DirName:/C=US/ST=Texas/L=Dallas/O=My Company, Inc./OU=Independent/CN=*.mydomain.com/emailAddress=webmaster@mydomain.com
                serial:8C:1C:D7:A8:44:D2:44:10

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption

Copy the CA key and certificate (newca.key and newca.crt) to a safe location for backup and security. Remember the pass phrase you used, because you’ll need it to sign additional certificates.

Create a new Key and Certificate for the Apache Server

When we create the certificate for the Apache server, we will create a signed certificate based on the CA we created earlier.

Create the server private key using 1024 bits.

openssl genrsa -des3 -out ap2server.key 1024

Generating RSA private key, 1024 bit long modulus
.............................++++++
.........................++++++
e is 65537 (0x10001)
Enter pass phrase for ap2server.key:
Verifying - Enter pass phrase for ap2server.key:

Create the Certificate Signing Request (CSR).

openssl req -new -key ap2server.key -out ap2server.csr

Enter pass phrase for ap2server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Dallas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company, Inc.
Organizational Unit Name (eg, section) []:Independent
Common Name (eg, YOUR name) []:www.mydomain.com
Email Address []:webmaster@mydomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note: the Common Name must be the actual fully qualified domain name (FQDN) of the site, exactly as visitors will type it into the browser.

Create the server certificate from the CSR, signed with the CA key and certificate.

openssl x509 -req -in ap2server.csr -out ap2server.crt -sha1 -CA newca.crt -CAkey newca.key -CAcreateserial -days 730

Signature ok
subject=/C=US/ST=Texas/L=Dallas/O=My Company, Inc./OU=Independent/CN=www.mydomain.com/emailAddress=webmaster@mydomain.com
Getting CA Private Key
Enter pass phrase for newca.key:

Let’s look at the signed server certificate.

openssl x509 -in ap2server.crt -text -noout

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            b4:27:81:78:c5:9b:2a:46
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Texas, L=Dallas, O=My Company, Inc., OU=Independent, CN=*.mydomain.com/emailAddress=webmaster@mydomain.com
        Validity
            Not Before: Feb 24 23:37:47 2008 GMT
            Not After : Feb 23 23:37:47 2010 GMT
        Subject: C=US, ST=Texas, L=Dallas, O=My Company, Inc., OU=Independent, CN=www.mydomain.com/emailAddress=webmaster@mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption


That’s all for the server side. Copy the generated keys and certificates to the Apache directory hierarchy.

cp ap2server.crt /etc/apache2/ssl.crt/
cp ap2server.key /etc/apache2/ssl.key/
cp newca.crt /etc/apache2/ssl.crt/
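The CA, server key, CSR and signing steps above, run non-interactively, followed by the two checks worth making before the files go under /etc/apache2: that ap2server.crt verifies against newca.crt and is valid for the site name, and that the private key actually belongs to the certificate. This is an added example, not code from the original article; the function names, the DIR argument and the PKI_DIR variable are assumptions, and unlike the article it uses 2048-bit keys throughout, SHA-256 and a subjectAltName, which current browsers require.

```shell
#!/bin/sh
# Added example (not from the article): the CA -> server CSR -> signed certificate
# procedure run unattended, plus the checks to make before copying files into
# /etc/apache2. Keys are left unencrypted so the script needs no prompts; the
# article's -des3 (pass phrase protected) CA key is the safer choice for a CA you keep.
set -eu

# make_test_pki DIR: writes newca.key/newca.crt and ap2server.key/csr/crt into DIR
make_test_pki() (
  mkdir -p "$1" && cd "$1"
  subj="/C=US/ST=Texas/L=Dallas/O=My Company, Inc./OU=Independent"
  # CA: explicit CA:TRUE + keyCertSign so the result does not depend on openssl.cnf
  openssl genrsa -out newca.key 2048 2>/dev/null
  openssl req -new -key newca.key -subj "$subj/CN=My Company Root CA" -out newca.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in newca.csr -signkey newca.key -days 730 -sha256 \
    -extfile ca.ext -out newca.crt 2>/dev/null
  # Server key: 2048 bits (the article's 1024 is no longer considered safe)
  openssl genrsa -out ap2server.key 2048 2>/dev/null
  openssl req -new -key ap2server.key -subj "$subj/CN=www.mydomain.com" -out ap2server.csr 2>/dev/null
  # Browsers match the host name against subjectAltName, not the CN, so add it when signing
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.mydomain.com\n' > server.ext
  openssl x509 -req -in ap2server.csr -CA newca.crt -CAkey newca.key -CAcreateserial \
    -days 730 -sha256 -extfile server.ext -out ap2server.crt 2>/dev/null
)

# verify_chain CA_CRT SERVER_CRT HOST: 0 only if SERVER_CRT chains to CA_CRT and is valid for HOST
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -checkhost "$3" 2>/dev/null | grep -q ' does match '
}

# key_matches_cert KEY CRT: 0 if the private key belongs to the certificate (same RSA modulus);
# a mismatch here is the classic reason Apache refuses to start after copying the wrong file
key_matches_cert() {
  [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Stand-alone run: PKI_DIR=/root/temp/ca sh pki-check.sh
if [ -n "${PKI_DIR:-}" ]; then
  make_test_pki "$PKI_DIR"
  if verify_chain "$PKI_DIR/newca.crt" "$PKI_DIR/ap2server.crt" www.mydomain.com &&
     key_matches_cert "$PKI_DIR/ap2server.key" "$PKI_DIR/ap2server.crt"; then
    echo "OK: ap2server.crt chains to newca.crt, matches ap2server.key, valid for www.mydomain.com"
  else
    echo "FAIL: certificate, key or host name check failed"; exit 1
  fi
fi
```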

Create a new Host Location for the Secure Site

We want to separate this site from other sites on this server, if applicable. We’ll use a subdirectory off of htdocs (the default document root) to place our files.

Create the subdirectory.

mkdir /srv/www/htdocs/ssite
cd /srv/www/htdocs/ssite

Using your favorite editor, create an index.html for this site and place it in this directory.

<html>
<head>
</head>
<body>
<h1>We're encrypted!</h1>
</body>
</html>

Configure the Apache web server

We need to create a virtual host for this site. There is a template we can use that has all the settings we’ll need.

Copy the template to a new virtual host configuration file.

cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/ssl-ssite.conf

Open that file with a text editor and edit the virtual host so that it looks like this:

NameVirtualHost www.mydomain.com:443
# (The SLES template notes that NameVirtualHost statements belong in /etc/apache2/listen.conf.)
# On SLES the "Listen 443" in listen.conf is wrapped in <IfDefine SSL>, so Apache must be
# started with the SSL define: APACHE_SERVER_FLAGS="SSL" in /etc/sysconfig/apache2, with
# "ssl" listed in APACHE_MODULES.

<VirtualHost www.mydomain.com:443>

	ServerName www.mydomain.com
	ServerAdmin webmaster@mydomain.com
	DocumentRoot "/srv/www/htdocs/ssite"

	# Enable mod_ssl for this virtual host; without this line it answers in plain HTTP.
	SSLEngine on

	# Only allow "high" and "medium" security key lengths REMOVE the others.
	SSLCipherSuite HIGH:MEDIUM

	# Force SSLv3 and TLSv1 Only!
	SSLProtocol all -SSLv2

	#   Server Certificate:
	SSLCertificateFile /etc/apache2/ssl.crt/ap2server.crt

	#   Server Private Key (pass phrase protected, so Apache asks for it at startup):
	SSLCertificateKeyFile /etc/apache2/ssl.key/ap2server.key

	#   Server Certificate Chain:
	SSLCertificateChainFile /etc/apache2/ssl.crt/newca.crt

	#   Certificate Authority (CA):
	SSLCACertificateFile /etc/apache2/ssl.crt/newca.crt

	<Directory "/srv/www/htdocs/ssite">
		Options Indexes
		AllowOverride None
		Order allow,deny
		Allow from all
	</Directory>

</VirtualHost>

Save the file.
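A small lint for the vhost file just saved, added here as an example and not part of the article or of SUSE's tooling: vhost_directive and audit_ssl_vhost are constructed helpers, and the checks reflect current practice, under which SSLv3 and the MEDIUM cipher family count as weak, a vhost without SSLEngine on silently serves plain HTTP, and Options Indexes exposes directory listings.

```shell
#!/bin/sh
# Added example (not from the article): lint an Apache mod_ssl vhost file for the
# weak settings a 2008-era template carries into production.

# vhost_directive FILE NAME -> prints the value of the first NAME directive in FILE
vhost_directive() {
  awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# audit_ssl_vhost FILE -> prints one finding per line, returns the number of findings
audit_ssl_vhost() {
  f="$1"; n=0
  [ "$(vhost_directive "$f" SSLEngine)" = "on" ] ||
    { echo "SSLEngine is not 'on': the vhost would answer in plain HTTP"; n=$((n + 1)); }

  # SSLProtocol: "all" must subtract SSLv3; no explicit SSLv2/SSLv3 token is acceptable
  proto="$(vhost_directive "$f" SSLProtocol)"; all=0; nov3=0; weak=0
  for t in $proto; do
    case "$t" in
      all|+all) all=1 ;;
      -SSLv3) nov3=1 ;;
      SSLv2|+SSLv2|SSLv3|+SSLv3) weak=1 ;;
    esac
  done
  [ -z "$proto" ] && weak=1
  [ "$all" = 1 ] && [ "$nov3" = 0 ] && weak=1
  [ "$weak" = 0 ] || { echo "SSLProtocol '$proto' still allows SSLv3"; n=$((n + 1)); }

  # SSLCipherSuite: MEDIUM, LOW, EXP and NULL families are export grade or broken
  raw="$(vhost_directive "$f" SSLCipherSuite)"
  case ":$raw:" in
    *:MEDIUM:*|*:LOW:*|*:EXP:*|*:EXPORT:*|*:NULL:*|*:eNULL:*|*:aNULL:*|::)
      echo "SSLCipherSuite '$raw' enables weak cipher families"; n=$((n + 1)) ;;
  esac

  # Options Indexes exposes directory listings of the document root
  case " $(vhost_directive "$f" Options) " in
    *" Indexes "*|*" +Indexes "*) echo "Options Indexes enables directory listing"; n=$((n + 1)) ;;
  esac
  return $n
}
```

Run it as `audit_ssl_vhost /etc/apache2/vhosts.d/ssl-ssite.conf`; an exit status of 0 means no findings.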

Restart Apache

rcapache2 restart

Testing

Open a browser and enter the site URL https://www.mydomain.com

Accept the certificate for your new site (the browser warns because the CA we created is not in its list of trusted roots).

As you can see from the screenshot, the page is served over https instead of http.

Conclusion

I don’t claim to be any expert in SSL/TLS nor am I an encryption junkie. This article shows you that encryption for Apache on SLES 10 is not something that needs a degree from MIT. If you are more interested in how SSL/TLS works, I found a site that really explains it, with pictures! http://www.securityfocus.com/infocus/1818

Enjoy!

Category: SUSE Linux Enterprise Server, Technical Solutions
This entry was posted Monday, 3 March, 2008 at 5:56 pm

Comments

  • ozgarcia says:

    I followed the instructions but the final part “Configure the Apache web server” does not seem to work; there are some obvious mistakes, but even after correcting them it does not work:

    1. Copying the template to create the virtual host: cp /etc/apache2/vhosts.d/vhost-template.ssl /etc/apache2/vhosts/ssl-ssite.conf. The source file does not exist; it should probably be vhost-ssl.template, and the target directories are wrong. It should be: cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/ssl-ssite.conf

    2. It is not so clear what needs to be changed/added in the ssl-ssite.conf file; furthermore, in my template there is this comment:
    # NameVirtualHost statements should be added to /etc/apache2/listen.conf

    I have tried in both places but still no joy… this is one of the main setbacks of Suse and linux in general: there is not a clear cookbook but tons of documentation… more like looking for a needle in a haystack.

  • mfaris01 says:

    Thanks for pointing these out.

    I have renamed the template file and reworked the html code for the virtual host file to reflect what needs to be changed, in bold. I don’t always get an email that someone commented on an article; I just happened to check.

    Thanks again.
    Mike..
