Tutorial – Install SSL Certificate in Apache Virtual Host on CentOS 6

<time class="entry-date" datetime="2012-11-26T16:16:38+00:00">November 26, 2012</time>
Linux
apache, centos, linux, ssl certificate, virtual host
1 Comment

In this tutorial I’ll take you through installing a SSL certificate and intermediate certificate in an Apache virtual host running on CentOS 6.

You’ll need to generate your servers private key which is used to create your certificate signing request (CSR) and also matched to your public SSL certificate. The CSR contains the details about the domain name, your organisation and server details. The CSR is passed onto the company you wish to purchase your certificate from. They use your CSR to create the public SSL certificate that your users need to access your web services securely.

The public SSL certificate that you get created must then be copied onto your server. You’ll then configure Apache to load that SSL Certificate, along with an intermediate certificate if required, to provide secure access to your web services (typically a website).

[box type="info"] Just note that this document assumes CentOS 6 for all example code and references. Syntax, file locations and codes may vary based on your distribution.[/box]

Step 1: Setup Simple Directory Structure

I like to maintain a simple directory structure for my SSL certificates, you may skip this step however just make sure you substitute my directory paths with yours.

1 2	[root@server1 ~]# cd /etc/ssl/ [root@server1 ssl]# ln -s /etc/pki/tls/private/

Step 2: Generate Servers Private Key

You may already have a private key created for your server, however I’d suggest creating a new one. This due to the fact that most CSR’s require 2048bit encoding.

[root@server1 ~]# openssl genrsa -out /etc/ssl/private/server1.internaldomain.key 2048

Generating RSA private key, 2048 bit long modulus

..........+++

.......................................+++

e is 65537 (0x10001)

[box type="warning"] Note, you can set a pass phrase on your certificate to make it more secure, however the downside to doing this is that you will be prompted for the password everytime Apache starts up. Securing the key via file system permissions and general server security is my recommendation.[/box]
Check the file was generated where you wanted it

1 2	[root@server1 ~]# ll /etc/ssl/private/server1.internaldomain.key -rw-r--r-- 1 root root 1679 Nov 13 12:46 /etc/ssl/private/server1.internaldomain.com.key

Change the file permissions so that only the root user can read the file

[root@server1 ~]# chmod 600 /etc/ssl/private/server1.internaldomain.com.key

[root@server1 ~]# ll /etc/ssl/private/server1.internaldomain.com.key

-rw------- 1 root root 1679 Nov 13 12:46 /etc/ssl/private/server1.internaldomain.com.key

Step 3: Generate the CSR

Now we can generate our CSR, the entry fields are self explanatory.

root@server ~]# openssl req -new -key /etc/ssl/private/server1.internaldomain.key -out /root/website.com.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:AU

State or Province Name (full name) []:Queensland

Locality Name (eg, city) [Default City]:Brisbane

Organization Name (eg, company) [Default Company Ltd]:Website Company

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server's hostname) []:website.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[box type="info"] If you are wanting to generate a wildcard certificate ie. secure all subdomains, then all you need to is enter *.website.com for the Common Name prompt[/box]
Lets have a look at what a CSR looks like.

[root@server1~]# cat website.com.csr

-----BEGIN CERTIFICATE REQUEST-----

asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfaslF1ZWuc2xhbmQx

ETAPBgNVBAcMCEJyaXNiYW5lMRUwEwYDVQQKDAxTdHJ1Z2dsZWRvcmsxCzAJBgNV

BAsMAklUMRkwFwYDVQQDDBBzdHJ1Z2dsZWRvcmsuY29tMIIBIjANBgkqhkiG9w0B

AQEFAAOCAQ8AMasdfasdfasdfasdfasdfasdjnvZAHb12Zzt0UhvN3ZNE3GUemAR

UoZj8FcLkufvAiCQ6OSCplLEPgBeGQdtLTmm3LRpORSrwyWFzrppG/Vwlxhu/L85

d1H/oasdfasdfasdfasdfasdfasdfasdfasdfasdmG2OV1UTWpLzVIMItJ/32Onh

vNcbsUTMBOZRLFLXhI//+5aX8tpY97pZs5K++K8XCO1HH7R4ZRtV7pbtLCpsxFn+

aSOsSpeFTOnGOC6ma6ufydPZ0U8uAL8O4klJ8NyQQtIjanRZDWULL4yEZZIsZMfD

ozeX4K/asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasQABoAAwDQYJKoZI

hvcNAQEFBQADggEBALQ3mnB8FzvjklM5W2pTsM+OyvG8oCafzRDofJ7QScz7icOj

ca3WMdjzjeH5+slNpJE3/asdfasdfasdfasdfasdfasOgN8xd2qK/rOrdLSSOdeU

zRxKQmGU1l7TtvmNXFqKro+9hFiGoD0HVcXBMsw2QjGCmwSf4jahzmo5z9Z7ZZfH

h/T3JXa+Basdfasdfasdfad7AwhuIR5P33efI8Kh2D70j9JcoNGoLeGYfJDJMNV0

MnGicBvkCiMw8V8EecSRFZuYh3K3lFr746joIcKWT3gFs9H6eLUsgU+gJsc0UPrb

acQ8WAyOQc9D+/asdfasdfasdfasdfasdf

-----END CERTIFICATE REQUEST-----

Step 4: Generate your Public SSL Certificate

This step will vary depending on the vendor you use. However you will be required to provide a copy of your CSR (as seen above). You’ll need to copy/paste all lines including the BEGIN/END certificate request lines into your vendors request system. I’d suggest reading their examples of this process.

Once you’ve successfully submitted your CSR, your vendor will then provide you a SSL certificate. It may be attached to an email as a .crt file, or could just be text in the body of an email. If they have provided you with just text, then copy/paste the text (including the BEGIN/END lines) into file on your server. If it’s a file then copy it onto your server.

I’d suggest naming and placing the SSL certificate file into

1	/etc/ssl/certs/website.com.crt

If you received instructions to install an intermediate certificate, then copy it as

1	/etc/ssl/certs/VENDOR_IntermediateCA.crt

Step 5: Configure Apache to use SSL

In this example I’ll show you how to install the SSL certificate into an virtual host. So firstly we need to make sure Apache is configured to support port 443 for name-based virtual hosting.

You’ll need to make sure that the line “NameVirtualHost *:443? exists in your Apache configuration file.

1 2	[root@server1 ~]# egrep "^NameVirtualHost \:443" /etc/httpd/conf/httpd.conf NameVirtualHost :443

If the above command doesn’t return any result, then you’ll need to add “NameVirtualHost *:443? into httpd.conf. Just search for NameVirtualHost and add it on the next line.

# Use name-based virtual hosting.

NameVirtualHost *:80

NameVirtualHost *:443

Now you’ll need to add a new entry that contains your virtual host configuration for SSL. I would suggest you simply copy/paste your existing VirtualHost configuration and simply modify the directive to be . Then within the context of your newly created directive add the additional SSL settings. See below for an example:

DocumentRoot /var/www/website

ServerName website.com

ServerAlias www.website.com

ErrorLog /var/log/httpd/website.com-error_log

CustomLog /var/log/httpd/website.com-access_log common

Options Indexes FollowSymLinks

AllowOverride all

Order allow,deny

allow from all

</Directory>

</VirtualHost>

DocumentRoot /var/www/website

ServerName website.com

ErrorLog /var/log/httpd/website.com-error_log

CustomLog /var/log/httpd/website.com-access_log common

Options Indexes FollowSymLinks

AllowOverride all

Order allow,deny

allow from all

</Directory>

SSLEngine on

SSLOptions +StrictRequire

SSLCertificateFile /etc/ssl/certs/website.com.crt

SSLCertificateKeyFile /etc/ssl/private/server1.internaldomain.key

SSLCertificateChainFile /etc/ssl/certs/VENDOR_IntermediateCA.crt

</VirtualHost>

…Restart Apache and you’re done!!

1	[root@server1 ~]# service httpd restart

[author] [author_image timthumb='on']http://mcdee.com.au/wp-content/uploads/2012/11/photo.jpg[/author_image] [author_info]Andrew McDonald is an IT Systems Admin and all round technology junkie. Absolutely a jack-of-all-trades and not one to shy away from a challenge.

Charset iso-8859-1

httpd.conf

AddDefaultCharset iso-8859-1

php.ini

default_charset = "iso-8859-1"

linfor

Search

Main Menu