RHEL7: Configure Apache TLS security.


Note: This is an RHCE 7 exam objective.

Configuration Procedure

Install the Web Server package group. The /etc/httpd/conf.d/ssl.conf file edited below is shipped by the mod_ssl package, so make sure that package is present (yum install -y mod_ssl if it is not):

# yum groupinstall -y "Web server"

Activate at boot time and start the service:

# systemctl enable httpd
# systemctl start httpd

Add the HTTPS service to the firewall configuration and reload it:

# firewall-cmd --permanent --add-service=https
# firewall-cmd --reload

Let’s assume your server is called instructor.example.com.

Generate a self-signed X.509 certificate and its 2048-bit RSA private key, valid for 365 days. The -nodes option writes the key unencrypted so that httpd can start unattended; the key therefore belongs under /etc/pki/tls/private, readable by root only. Answer the Common Name prompt with the server name:

# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/instructor.example.com.crt -keyout /etc/pki/tls/private/instructor.example.com.key -days 365
Generating a 2048 bit RSA private key
writing new private key to '/etc/pki/tls/private/instructor.example.com.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:instructor.example.com
Email Address []:

Edit the /etc/httpd/conf.d/ssl.conf file, search for the SSLCertificateFile and SSLCertificateKeyFile directives (by default they point at the localhost.crt and localhost.key files that mod_ssl generated at install time) and replace them as follows:

SSLCertificateFile /etc/pki/tls/certs/instructor.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/instructor.example.com.key

In the same file, search for the ServerName string and replace as follows:

ServerName instructor.example.com:443
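
The certificate step and the ssl.conf edit above, done the way I would script them on the server, as an added example (not code from the original page): it generates the key and certificate without prompts, adds a subjectAltName (current browsers ignore the CN and match the SAN), keeps the key root-only, patches ssl.conf with sed (also pinning SSLProtocol so that SSLv3 is never offered, a point raised in the comments) and runs the checks a practitioner wants before restarting httpd. The hostname and paths are the page's; the function names, the temporary config file and the "run" argument are this example's own.

```bash
#!/bin/bash
# Added example, not code from the original page: the certificate step and the
# ssl.conf edit above as shell functions, plus the checks worth running before
# httpd is restarted. Hostname and paths are the page's; function names, the
# temporary config file and the "run" argument are this example's own.

# gen_selfsigned HOST KEYFILE CERTFILE [DAYS]
# Same as the interactive 'openssl req -new -x509 -nodes' above, but the DN comes
# from a config file (no prompts) and a subjectAltName is added: current browsers
# ignore the CN and match the SAN, so a CN-only certificate is rejected.
gen_selfsigned() {
    local host=$1 key=$2 crt=$3 days=${4:-365} cfg rc
    cfg=$(mktemp) || return 1
    cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # -nodes leaves the key unencrypted so httpd can start unattended; umask 077
    # makes sure the key file is never created readable by anyone but root.
    (umask 077 && openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
        -days "$days" -config "$cfg" -keyout "$key" -out "$crt" >/dev/null 2>&1)
    rc=$?
    rm -f "$cfg"
    [ "$rc" -eq 0 ] && chmod 644 "$crt"   # the certificate itself is public
    return "$rc"
}

# key_matches_cert KEYFILE CERTFILE: the two files belong together only if the
# RSA modulus is identical (the first thing to check after copying files around).
key_matches_cert() {
    local k c
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_covers_host CERTFILE HOST: true if HOST is listed in the SAN extension.
cert_covers_host() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -qwF "DNS:$2"
}

# cert_unexpired CERTFILE: -checkend 0 fails once the notAfter date has passed.
cert_unexpired() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# key_mode_ok KEYFILE: the private key must be mode 0600 or 0400 (GNU stat).
key_mode_ok() {
    case $(stat -c %a "$1" 2>/dev/null) in 600|400) return 0 ;; *) return 1 ;; esac
}

# patch_ssl_conf CONF HOST KEYFILE CERTFILE: the ssl.conf edits described above,
# done with sed after keeping a copy of the original, plus an SSLProtocol line so
# that SSLv3 (POODLE, CVE-2014-3566, raised in the comments) is never offered.
patch_ssl_conf() {
    local conf=$1 host=$2 key=$3 crt=$4
    cp -p "$conf" "$conf.orig" || return 1
    sed -i \
        -e "s|^[[:space:]]*SSLCertificateFile .*|SSLCertificateFile $crt|" \
        -e "s|^[[:space:]]*SSLCertificateKeyFile .*|SSLCertificateKeyFile $key|" \
        -e "s|^#\{0,1\}[[:space:]]*ServerName .*|ServerName $host:443|" \
        -e "s|^[[:space:]]*SSLProtocol .*|SSLProtocol all -SSLv2 -SSLv3|" \
        "$conf"
}

# Run as root on the server: 'bash tls-selfsigned.sh run' (file name is my own).
if [ "${1:-}" = "run" ]; then
    H=instructor.example.com
    K=/etc/pki/tls/private/$H.key
    C=/etc/pki/tls/certs/$H.crt
    gen_selfsigned "$H" "$K" "$C" 365 || exit 1
    key_matches_cert "$K" "$C" && cert_covers_host "$C" "$H" &&
        cert_unexpired "$C" && key_mode_ok "$K" ||
        { echo "certificate checks failed" >&2; exit 1; }
    patch_ssl_conf /etc/httpd/conf.d/ssl.conf "$H" "$K" "$C" && httpd -t
fi
```

key_mode_ok relies on GNU stat, and patch_ssl_conf keeps the untouched file as ssl.conf.orig so the edit can be reverted. The SSLProtocol line it writes matches what the Red Hat article listed under Additional Resources recommends for RHEL 7's mod_ssl.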

Check the validity of the configuration (either command works):

# httpd -t
Syntax OK

# apachectl configtest
Syntax OK

Restart the Apache web server (on RHEL 7, apachectl hands start/stop/restart over to systemd, so systemctl restart httpd is equivalent):

# apachectl restart

Check the virtual host configuration:

# httpd -D DUMP_VHOSTS
VirtualHost configuration:
*:443                   is a NameVirtualHost
         default server instructor.example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost instructor.example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost instructor.example.com (/etc/httpd/conf.d/ssl.conf:56)

Optionally, check the certificate and the negotiated session from a client. The verify error 18 (self signed certificate) is expected here, since no client trusts the certificate yet; what matters is that the subject CN is the server name, that the Protocol line reports TLSv1.2 and that the cipher is a forward-secret ECDHE AES-GCM suite:

# openssl s_client -connect localhost:443 -state
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = instructor.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = instructor.example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
Certificate chain
 0 s:/C=XX/L=Default City/O=Default Company Ltd/CN=instructor.example.com
   i:/C=XX/L=Default City/O=Default Company Ltd/CN=instructor.example.com
Server certificate
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=instructor.example.com
issuer=/C=XX/L=Default City/O=Default Company Ltd/CN=instructor.example.com
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
SSL handshake has read 1610 bytes and written 375 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 237566220198BE79A3B0EE9E9D12D3221676329C34F44BF577CC9D77BB6F0C99
    Master-Key: EFA5C1BC2D6C3EBC3928C2339338D31602E7908A70663C9D18AADB683BFC91BD
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - ef 91 60 0f 59 6f 45 28-0b 1c ac ca f0 ab f7 76   ..`.YoE(.......v
    0010 - c8 fa 8e 79 b6 c8 47 6a-a3 cf 9c 8b 51 43 1c 8c   ...y..Gj....QC..
    0020 - 8b 23 83 0b e1 bc bf 33-65 d2 37 e5 84 15 39 b1   .#.....3e.7...9.
    0030 - 02 a3 4c 0d 65 f7 54 a4-20 1c b1 0a 82 c2 5e 84   ..L.e.T. .....^.
    0040 - 75 92 04 de 3e 09 60 71-6e 20 f9 8e fc 8e af 85   u...>.`qn ......
    0050 - 1d 7f eb 2d 41 ca f0 ff-96 1a 29 e3 ca 9d 7c b6   ...-A.....)...|.
    0060 - 04 84 57 1b ab 78 50 65-c8 ed 0d 7b 6f e3 2d 9c   ..W..xPe...{o.-.
    0070 - 05 d2 73 24 71 89 14 cc-35 59 f5 11 16 80 a3 0d   ..s$q...5Y......
    0080 - 43 b7 53 c3 97 22 25 64-40 eb 42 a0 d3 36 6e 32   C.S.."%d@.B..6n2
    0090 - 2b f6 61 35 76 96 cc 12-76 f3 93 d6 e8 16 54 19   +.a5v...v.....T.
    00a0 - 7d 9d a2 50 b1 d5 87 12-61 f7 d4 c1 46 19 23 f5   }..P....a...F.#.
    00b0 - 41 71 43 32 89 7f 9c 9f-b6 ab e3 71 14 d6 13 f4   AqC2.......q....

    Start Time: 1408555281
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
SSL3 alert write:warning:close notify

Note: According to Sander van Vugt, the elinks command doesn’t work well with TLS and shouldn’t be used in this specific context.

Additional Resources

You can read this interesting survey about the complexity of deploying HTTPS.
Daniel Aleksandersen wrote an article about Allowing OCSP stapling in Apache Web Server with SELinux policies.
The official Red Hat knowledgebase provides an article about Securing Apache/mod_ssl with SSL/TLS on RHEL7.

28 comments on "RHEL7: Configure Apache TLS security."
  1. jerky_rs says:

    A good reference for the openssl command described here is provided in /etc/pki/tls/certs/make-dummy-cert (by openssl package) that has the syntax necessary (replace the keyfile and certificate as necessary).

  2. jpondi says:

    Thanks for this tutorial.

    Can I run the /etc/pki/tls/certs/make-dummy-cert some_key_cert_file script to generate the key & cert? Is that acceptable?
    I will copy the portion on key and cert into two files.

    • CertDepot says:

      It’s not going to work because the certificate hostname will be localhost.localdomain.
      Except if nothing is said during the exam about the hostname to use, you won’t be able to use this command.

      • jeromeza says:

        You can always edit the file and replace localhost.localdomain with your server name to save time. I’d still recommend learning the commands, but any time is valuable and that saving could help.

  3. alamahant says:

    A note on elinks: please don't rely on it to display your practice ssl-pages. It will flatly deny with ssl-error, not even offering the choice to accept the self-signed certificate.
    Use Firefox instead, after maybe installing X Window.
    Elinks appears to be a little stupid in this respect 🙂

  4. lucad2 says:

    Is it OK to use genkey from the crypto-utils package? It is much easier than openssl.

  5. jeromeza says:

    I'm assuming that because these are self-generated, cert warnings about the root cert not being trusted are fine?

  6. Lisenet says:

    I wonder if you need to disable SSLv3 when configuring Apache on an RHCE exam even if you’re not explicitly asked for it.

    SSLv3 is dead, we all remember POODLE (CVE-2014-3566), don’t we?

    So if you leave the protocol enabled on the exam, I suspect that you are going to get some points deducted?

  7. dan says:

    If you don’t want to memorize the openssl command, mod_ssl actually generates a cert on install, and /etc/httpd/conf.d/ssl.conf points to these by default.

    If you installed mod_ssl before setting your hostname the cert will be created for localhost.localdomain though. Just rm /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key then yum reinstall mod_ssl and it will generate a new cert.

  8. bazouie says:

    Hi Guys,
    I have a question. I have seen many times in different articles, even the article right on this page about "config Apache TLS", that they all mention putting the certificate and key path into "/etc/httpd/conf.d/ssl.conf". What if I put the cert and key in my virtualhost file in "/etc/httpd/conf.d/test.conf"? And in this situation what should I put instead of ""?

    Thank you,

    • Lisenet says:

      Putting into /etc/httpd/conf.d/ssl.conf uses the default HTTPS virtualhost. You can put certificate paths into your virtualhost if you wish. This is actually the right way of doing this when you have dozens of different HTTPS websites on one server.

  9. benny says:

    In the exam, do you think that they will provide the cert? or we got to memorize the openssl command?

  10. martingarvin says:

    During my LFCE exams I was provided with certificate and key from the remote URL.

    Am I supposed to download the certificate in my localhost and then add it to the vhost file or shall I use remote certificate and key URL?

  11. martingarvin says:

    How would I generate SSLCertificateChainFile for practice purposes? My friend Google isn't helping. I tried Googling, couldn't find any relevant answer. Could someone please help.

    • Lisenet says:

      This is somewhat complicated since you basically need to run your own certificate authority (CA).

      It would likely take a blog post to explain it in detail, therefore I’ll stick to main bits instead and keep it short.

      You need to generate the root key and the root certificate (e.g. ca.key and ca.cert). This will be the identity of your CA.

      The general rule of thumb is that the root CA is never used to sign client certificates directly, but is used to create an intermediate CA, where the intermediate CA can then sign certificates on behalf of the root CA.

      Having said that, you need to generate the intermediate pair (e.g. intermediate.key and intermediate.cert). The root CA then signs the intermediate certificate.

      Once you have the root and the intermediate certificates, you can then create the certificate chain file (e.g. ca-chain.cert) which will be used for SSLCertificateChainFile. Note that the certificate chain file must include the intermediate certificate as well as the root certificate because no client application knows about your CA yet.

      You can alternatively install the root certificate on a client machine that needs to connect to your webserver, in which case the chain file only needs to contain the intermediate certificate.
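
A worked version of the reply above, added here as an example that is neither the page's nor the commenter's code: it builds a two-tier test CA with openssl (root, intermediate, server certificate), writes the ca-chain.cert file that SSLCertificateChainFile points at, and shows with openssl verify why the intermediate has to be in it. The names ca, intermediate, server and "Example Root CA" are this example's own; all keys are unencrypted for brevity, which a real root key must never be.

```bash
#!/bin/bash
# Added example, not the page's or the commenter's code: a two-tier test CA built
# with openssl, the resulting SSLCertificateChainFile, and the verify calls that
# show why the intermediate must be in it. Names are this example's own; the keys
# are unencrypted (-nodes) for brevity, which a real root key must never be.

# issue DIR NAME CN EXTFILE [ISSUER]: key + CSR for NAME, then sign the CSR with
# ISSUER's key; with no ISSUER the certificate is self-signed (the root).
issue() {
    local dir=$1 name=$2 cn=$3 ext=$4 issuer=${5:-}
    # minimal req config so the DN needs no prompting and no system openssl.cnf
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$cn" \
        >"$dir/$name.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1 || return 1
    if [ -z "$issuer" ]; then
        openssl x509 -req -sha256 -days 3650 -in "$dir/$name.csr" \
            -signkey "$dir/$name.key" -extfile "$ext" \
            -out "$dir/$name.cert" >/dev/null 2>&1
    else
        openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
            -CA "$dir/$issuer.cert" -CAkey "$dir/$issuer.key" -CAcreateserial \
            -extfile "$ext" -out "$dir/$name.cert" >/dev/null 2>&1
    fi
}

# build_chain DIR HOST: root -> intermediate -> server certificate for HOST,
# then ca-chain.cert = intermediate followed by root, in that order.
build_chain() {
    local dir=$1 host=$2
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' >"$dir/ca.ext"
    # pathlen:0 - the intermediate may sign leaf certificates only, not more CAs
    printf '%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
        'keyUsage = critical, keyCertSign, cRLSign' >"$dir/intermediate.ext"
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$host" >"$dir/server.ext"
    issue "$dir" ca "Example Root CA" "$dir/ca.ext" &&
    issue "$dir" intermediate "Example Intermediate CA" "$dir/intermediate.ext" ca &&
    issue "$dir" server "$host" "$dir/server.ext" intermediate &&
    cat "$dir/intermediate.cert" "$dir/ca.cert" >"$dir/ca-chain.cert"
}

# verify_chain DIR MODE: what a client can do with the server certificate.
#   chain-file   : client trusts nothing yet, so the chain file must carry
#                  both the intermediate and the root
#   trusted-root : client already has ca.cert installed, so serving the
#                  intermediate alone is enough
#   root-only    : no intermediate served at all; fails with
#                  "unable to get local issuer certificate"
verify_chain() {
    local dir=$1
    case $2 in
        chain-file)   openssl verify -CAfile "$dir/ca-chain.cert" "$dir/server.cert" ;;
        trusted-root) openssl verify -CAfile "$dir/ca.cert" \
                          -untrusted "$dir/intermediate.cert" "$dir/server.cert" ;;
        root-only)    openssl verify -CAfile "$dir/ca.cert" "$dir/server.cert" ;;
        *) return 2 ;;
    esac >/dev/null 2>&1
}
```

Run build_chain /root/testca instructor.example.com (the directory is my own choice) and point ssl.conf at server.cert (SSLCertificateFile), server.key (SSLCertificateKeyFile) and ca-chain.cert (SSLCertificateChainFile). httpd 2.4.8 and later deprecate SSLCertificateChainFile in favour of appending the chain to the SSLCertificateFile; RHEL 7 ships httpd 2.4.6, so the separate directive is still the one to use there.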
