HTTP: Configure SSL with Apache.

Install the Web Server package group:

# yum groupinstall -y "Web server"

Activate at boot time and start the service:

# chkconfig httpd on
# service httpd start

Add a new rule to the firewall to accept incoming HTTPS connections on TCP port 443:

# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Save the firewall configuration:

# service iptables save

Let’s assume your server is called centos6.example.com.

Generate a self-signed X.509 certificate and its RSA private key, valid for 365 days (the -nodes option leaves the key unencrypted, so httpd can start without prompting for a passphrase):

# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/centos6.example.com.crt -keyout /etc/pki/tls/private/centos6.example.com.key -days 365
Generating a 2048 bit RSA private key
.....................................................+++
..................................+++
writing new private key to '/etc/pki/tls/private/centos6.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:centos6.example.com
Email Address []:

Edit the /etc/httpd/conf.d/ssl.conf file, search for the SSLCertificate string and replace the two directives as follows:

SSLCertificateFile /etc/pki/tls/certs/centos6.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/centos6.example.com.key

In the same file, search for the ServerName string and replace as follows:

ServerName centos6.example.com:443

Check the validity of the configuration:

# httpd -t
Syntax OK

Or:

# apachectl configtest
Syntax OK
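httpd -t only proves the configuration parses; it does not tell you whether the certificate and key files referenced by ssl.conf exist, whether the private key is readable by other users, or whether ServerName matches the host the certificate was issued for. The following audit script is an added example (it is not part of the original article or of Apache) that reads those directives from an ssl.conf-style file and reports problems. The demo() function builds a constructed copy of the configuration in a temporary directory with placeholder certificate and key files; point audit_ssl_conf() at /etc/httpd/conf.d/ssl.conf on the real server instead.

```python
import os
import stat
import tempfile

# Directives this check reads, spelled as they appear in /etc/httpd/conf.d/ssl.conf.
CERT_DIRECTIVE = "SSLCertificateFile"
KEY_DIRECTIVE = "SSLCertificateKeyFile"


def parse_directives(conf_text):
    """Return {directive: value} for the last uncommented occurrence of each directive."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0]] = parts[1].strip()
    return found


def audit_ssl_conf(conf_path, hostname):
    """Check the certificate/key directives and ServerName; return a list of findings."""
    findings = []
    with open(conf_path) as fh:
        directives = parse_directives(fh.read())

    # Both files must exist, otherwise httpd will fail at startup rather than at httpd -t.
    for name in (CERT_DIRECTIVE, KEY_DIRECTIVE):
        path = directives.get(name)
        if path is None:
            findings.append("%s is not set" % name)
        elif not os.path.isfile(path):
            findings.append("%s points to missing file %s" % (name, path))

    # The private key must not be readable by group or others.
    key_path = directives.get(KEY_DIRECTIVE)
    if key_path and os.path.isfile(key_path):
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("private key %s is group/world accessible (mode %o)" % (key_path, mode))

    # ServerName should be the certificate's Common Name with the :443 suffix used above.
    server_name = directives.get("ServerName", "")
    if server_name.split(":")[0] != hostname:
        findings.append("ServerName %r does not match %s" % (server_name, hostname))
    elif not server_name.endswith(":443"):
        findings.append("ServerName lacks the :443 port suffix")

    return findings


def demo():
    """Audit a constructed lab tree twice: with a 0600 key, then with a 0644 key."""
    root = tempfile.mkdtemp()
    cert = os.path.join(root, "centos6.example.com.crt")
    key = os.path.join(root, "centos6.example.com.key")
    conf = os.path.join(root, "ssl.conf")
    for path in (cert, key):
        with open(path, "w") as fh:
            fh.write("placeholder\n")  # constructed stand-ins, not real PEM data
    os.chmod(key, 0o600)
    with open(conf, "w") as fh:
        fh.write("\n".join([
            "# constructed excerpt of ssl.conf",
            "ServerName centos6.example.com:443",
            "%s %s" % (CERT_DIRECTIVE, cert),
            "%s %s" % (KEY_DIRECTIVE, key),
            "",
        ]))
    good = audit_ssl_conf(conf, "centos6.example.com")
    os.chmod(key, 0o644)  # simulate a key accidentally left world-readable
    bad = audit_ssl_conf(conf, "centos6.example.com")
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean config:", good or "no findings")
    print("world-readable key:", bad)
```

On a real host the key generated by the openssl command above lands in /etc/pki/tls/private/, which is already root-only, but a key copied in from elsewhere often is not, so the permission check is worth keeping.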

Restart the Apache web server:

# apachectl restart

Check the virtual host configuration:

# httpd -D DUMP_VHOSTS
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443          centos6.example.com (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK

Optionally, check the certificate with a TLS client connection (verify error 18 is expected here, because the certificate is self-signed and no client trusts it yet):

# openssl s_client -connect localhost:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = centos6.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = centos6.example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
   i:/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
issuer=/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
---
No client certificate CA names sent
---
SSL handshake has read 1796 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: F70A21C91678CB69510C8ED213E8C340021A3AD7343D16155D15E819476032CB
    Session-ID-ctx:
    Master-Key: 5CADEE0E5B2B4F9030B1A9E46FA2DD65AC70C530B754A4EF4384AA34B28E4E2617B1E47746ACA2D22B9DA7A8369509A7
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - b6 a4 65 fa 1c 14 4d 12-b7 70 6c 2b 53 52 f1 b6   ..e...M..pl+SR..
    0010 - 76 8d 20 86 bb 63 ac dc-46 60 18 07 ae 86 03 16   v. ..c..F`......
    0020 - 90 a2 d2 17 d5 f9 ff 5e-bc d2 c7 aa 0f 8f 40 8f   .......^......@.
    0030 - ee 4e 27 ff 1f c1 7c 04-26 ec cb db 6b e6 2f 53   .N'...|.&...k./S
    0040 - 13 05 04 c2 67 d6 63 c5-c3 8b b1 3e 99 65 c9 8a   ....g.c....>.e..
    0050 - 33 68 3c 83 a0 22 bc d2-5b 7e 8b e7 87 24 b7 77   3h<.."..[~...$.w
    0060 - 18 3f c4 51 0d 4e dd a7-f5 03 68 e8 51 de c2 a9   .?.Q.N....h.Q...
    0070 - ba e6 fe 15 1d 4b 93 d5-85 93 e3 ee 80 78 2b 40   .....K.......x+@
    0080 - 5f 30 02 69 cd 31 61 b6-7b 30 94 ae ca f7 78 62   _0.i.1a.{0....xb
    0090 - 87 50 83 ba cc c2 40 29-62 15 50 98 91 6e 25 c0   .P....@)b.P..n%.
    00a0 - 9d 55 39 b2 f8 59 67 47-ec ba ea ad 7a 63 75 d9   .U9..YgG....zcu.
    00b0 - d6 36 57 b4 80 8a 59 a2-67 d8 90 2c e2 3c dd 05   .6W...Y.g..,.<..

    Start Time: 1408871323
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
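The s_client output above is long, and the lines that matter for a quick health check are scattered through it: the negotiated protocol and cipher, the server key size, whether compression is on, and the verify return code together with the subject and issuer. The script below is an added example, not part of the original article or of OpenSSL; it reduces such output to a summary and reports what a defender would flag. SAMPLE is a constructed excerpt built from the session shown above; on a real server feed it the output of openssl s_client instead.

```python
import re

# Constructed excerpt of `openssl s_client -connect localhost:443 -state` output,
# trimmed to the lines this check reads (values copied from the session above).
SAMPLE = """\
CONNECTED(00000003)
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = centos6.example.com
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
   i:/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
---
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
issuer=/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
---
"""

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def _first(pattern, text, group=1):
    """Return the first regex capture in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(group).strip() if m else None


def summarize_s_client(output):
    """Pull the security-relevant fields out of openssl s_client output."""
    subject = _first(r"^subject=(.*)$", output)
    issuer = _first(r"^issuer=(.*)$", output)
    key_bits = _first(r"Server public key is (\d+) bit", output)
    verify_code = _first(r"Verify return code:\s*(\d+)\s*\((.*)\)", output)
    return {
        "subject": subject,
        "issuer": issuer,
        "cn": _first(r"/CN=([^/]+)", subject or ""),
        "self_signed": subject is not None and subject == issuer,
        "protocol": _first(r"^\s*Protocol\s*:\s*(\S+)", output),
        "cipher": _first(r"^\s*Cipher\s*:\s*(\S+)", output),
        "key_bits": int(key_bits) if key_bits else None,
        "compression": _first(r"^Compression:\s*(\S+)", output),
        "verify_code": int(verify_code) if verify_code else None,
        "verify_text": _first(r"Verify return code:\s*\d+\s*\((.*)\)", output),
    }


def assess(summary, expected_cn):
    """Return findings a defender would want to see for this endpoint."""
    findings = []
    if summary["cn"] != expected_cn:
        findings.append("certificate CN %r does not match expected %s" % (summary["cn"], expected_cn))
    if summary["verify_code"] not in (0, None):
        if summary["self_signed"]:
            findings.append("certificate is self-signed (verify code %d): browsers will warn "
                            "until the certificate is replaced or explicitly trusted" % summary["verify_code"])
        else:
            findings.append("chain did not verify: %s" % summary["verify_text"])
    if summary["protocol"] in LEGACY_PROTOCOLS:
        findings.append("legacy protocol negotiated: %s" % summary["protocol"])
    if summary["key_bits"] is not None and summary["key_bits"] < 2048:
        findings.append("server key is only %d bits" % summary["key_bits"])
    if summary["compression"] not in (None, "NONE"):
        findings.append("TLS compression is enabled (%s)" % summary["compression"])
    return findings


if __name__ == "__main__":
    s = summarize_s_client(SAMPLE)
    print("%s %s, %s-bit key, verify=%s" % (s["protocol"], s["cipher"], s["key_bits"], s["verify_text"]))
    for f in assess(s, "centos6.example.com"):
        print("-", f)
```

For the lab host above the only finding is the self-signed certificate, which is the expected state of a freshly built test server; on anything reachable by real users that finding is the signal to replace the certificate with one issued by a CA the clients trust.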