In this post, we will go thru step by step instructions for Apache Web server installation. After Apache Server Installation we will create an SSL certificate creation request to generate the certificates from Certificate Authority and then deploy the SSL certificates on Apache Web Server. We will also learn how to modify browser settings to make the certificate works in case the site is accessed from outside the corporate intranet where Root certificates are not installed on the machine.
Apache web server Installation
Step 1: Install Apache web server, Apache Manual and SSL Module.
# first login as root sudo su - #Linux will ask the password and then show that you are loggedin as root. # Install Apache Web Server , Apache Manual, SSL and Lynx browser packages yum -y install httpd httpd-manual mod_ssl lynx
Step 2: Let’s check if httpd (Apache web server service) is installed and enabled.
systemctl list-unit-files | grep httpd
In case Apache is not enabled use this command to enable it
chkconfig httpd on
Step 3: Browser the webpage from the lynx browser and see if Apache is displaying the default webpage: If the webpage is displaying it means that Apache is installed.
Also, these two commands can also help to find if Apache is installed successfully:
lsof -i | grep http
Step4: Open the firewall to allow port 80 so we can test the Apache server default webpage when we browse the localhost.
#To open up a new port (e.g., TCP/80) permanently, use these commands. #Please note that Without "--permanent" flag, the firewall rule would not persist across reboots. $ firewall-cmd --zone=public --add-port=80/tcp --permanent #Now reload the firewall to make the changes effective $ firewall-cmd --reload #Check the updated rules with: $ firewall-cmd --list-all #OPTIONAL sometimes linux policy is not permisive so you may have to make it permisive from enforcing. # To check the Linux Policy sestatus #If the current mode is enforcing then to make it permissive use this command setenforce 0
Step 5: Create SSL certificate request file (.CSR).
Please note that this file needs to send a request to the Enterprise certificate authority to generate the certificate. This file contains a piece of important information about your certificate. It is mandatory to create a SAN certificate so you do not get unnecessary warnings when you browse your site. Here is the Sample SAN file which you can use:
[ req ] default_bits = 2048 distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name (full name) localityName = Locality Name (eg, city) organizationName = Organization Name (eg, company) commonName = Common Name (e.g. server FQDN ) [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = put your site name here
Save this file as san.cnf and then run this command
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout sslprivate.key -config san.cnf
It will ask you to provide your country name state and other details and then create a CSR file with the name sslcert.csr. Please note down the key file and create these certificate requests and files in a directory( i.e. /etc/httpd/ssl/)
Step 6: Convert the.CER file into .CRT file once you receive the certificate in .CER format. Certificate Authority will issue a certificate in CER format. You need to convert it into CRT format because Apache needs this format. Perform these steps for the Intermediate CA root cert and Root cert received from your administrator.
openssl x509 -inform DER -in testcert.cer -out testcert.crt
Step 7: Perform configuration changes based on SSL certificates and create a Virtual host
Please make sure to copy the certificate .CRT file and key files to /etc/httpd/ssl/ . In case you have deployed it in a different location we will use the same path during our config.
Now edit the ssl.cnf file at this location /etc/httpd/ssl/ by removing the comments from the file. Make sure that these entries are uncommented.
Listen 443 NameVirtualHost *:443 <VirtualHost *:443> DocumentRoot "/var/www/html" # Please note that you you change document root path then you have to modify the same in the httpd.cnf file in the directory tag <Directory "/var/www/html"> ServerName FQDN_of_your_servername SSLEngine on SSLCertificateFile /etc/httpd/ssl/testcert.crt SSLCertificateKeyFile /etc/httpd/ssl/sslprivate.key SSLCertificateChainFile /etc/httpd/ssl/yourcomapnyrootcertificate.crt SSLVerifyClient None </VirtualHost>
Please note that your testcert.crt and yourcomapnyrootcertificate.crt were created in step 6.
Step 8: Restart the Apache server so these settings can take effect.
Service httpd restart # You can also use these commands by first stopping the server and then starting it again. Service httpd stop Service httpd start
If the server restarted successfully it means that the config worked file and there is no spelling mistake otherwise you may have to troubleshoot it by modifying the settings.
Step 9. Create a Test HTML page and browse the site with HTTPS.
Now create an HTML page and then copy it into /var/www/html (document root directory defined in httpd.cnf file. You can check the path in the config file) and browse it to test if your site is working fine with HTTPS URL. It should be https://localhost/