How to enable SSL (TLS) in Apache
Introduction
I tried to summarize how to enable SSL (TLS) using a self-signed certificate (* so-called oleore certificate) in Apache 2.4. Of course, this method cannot be used in a production environment, but I think it can be used when studying on a home server or in a development environment.
Environment used for testing
The hardware is not directly related to this procedure, but I have included it just in case.
- CPU
- Kabylake: Pentium G4560
- Motherboard: ASRock H110M-STX
- Memory: 8GB (4GB x 2)
- Storage: 256GB SSD (NVMe)
- OS
- CentOS 7.8(2003)
- Apache
- Apache-2.4.6
Prerequisite settings
- Apache is installed.
- Apache is ready to start.
- Be careful if you edit the configuration file (httpd.conf etc.) in advance.
- SELinux is stopped and disabled.
- This time, SELinux is stopped because it is for home use or development.
Steps to enable SSL (TLS)
1. Installation of software required for HTTPS communication
- OpenSSL is a library that implements SSL and TLS enables SSL (TLS) It is an indispensable module to make it.
- mod_ssl is a module provided by Apache to support SSL and TLS.
[root@akagi ~]# yum install openssl
[root@akagi ~]# yum install mod_ssl
2. Move to working folder
- Since the server certificate cannot be created normally with
/ rootetc., go to/ etc / pki / tls / certs. - There are some articles using
/ usr / local / ssl, but this folder did not exist when Apache 2.4 was installed with RPM.
[root@akagi ~]# cd /etc/pki/tls/certs/
3. Creating a private key
- Create a private key with the openssl command.
[root@akagi certs]# openssl genrsa > server.key
Generating RSA private key, 2048 bit long modulus
................................................+++
....+++
e is 65537 (0x10001)
4. Creating a public key
- Use the openssl command again, this time creating the public key.
- You will be asked for various information such as country name, prefecture name, city / town / village name, organization name (company name), department name, email address, etc., but this time it is an "Oreore certificate", so enter an appropriate value.
[root@akagi certs]# openssl req -new -key server.key > server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Chiyoda
Organization Name (eg, company) [Default Company Ltd]:XYZ Company
Organizational Unit Name (eg, section) []:Development Dept.
Common Name (eg, your name or your server's hostname) []:192.168.10.240
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
5. Creating a server certificate (self-signed certificate)
- Use the openssl command to create more server certificates.
[root@akagi certs]# openssl x509 -req -signkey server.key < server.csr > server.crt
Signature ok
subject=/C=JP/ST=Tokyo/L=Chiyoda/O=XYZ Company/OU=Development Dept./CN=192.168.10.240/[email protected]
Getting Private key
6. Copy of private key
- After creating the server certificate with the public key, I copied the private key to
/ etc / pki / tls / private. - Depending on where the private key is located, Apache could not find the private key and failed to start.
[root@akagi certs]# cp -a server.key ../private/
7. Modify ssl.conf
- After copying
ssl.confand saving the originalssl.confbefore editing, the following 4 places have been modified. - For security reasons, the number of cases where TLS 1.2 or lower is NG is increasing, so we are trying to support TLS 1.2 or higher.
- Not what people who use my certificate say ...
★ Change server name
ServerName www.example.com:443
↓
ServerName 192.168.10.240:443
★TLS1.Supports 2 or more
SSLProtocol all -SSLv2 -SSLv3
↓
SSLProtocol +TLSv1.2
★ Certificate path
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
↓
SSLCertificateFile /etc/pki/tls/certs/server.crt
★ Private key path
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
↓
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
8. Restart Apache
- If Apache can restart successfully, SSL (TLS) should be enabled.
[root@akagi certs]# systemctl restart httpd
State after work
- You can connect to the server over HTTPS as shown in the screenshot below, but you will see an "unprotected communication" warning in your browser's address bar.
Reference URL
Recommended Posts