Apache SSL Administration Linux

Introduction

 

When ordering an SSL certificate a Certificate Signing Request (CSR) is required; it is generated from a private key.

 

If you wish to create the private key yourself, you also need to create the CSR: follow Generating CSR for certificate ordering, then Installation of SSL certificate and finally Configuration of SSL.

 

This guide is created using OpenSSL 1.1.1f with Apache 2.4.41 using default settings.

This guide describes how you create, install and configure SSL in Apache on Linux.

The guide fits Ubuntu, Redhat and CentOS among others. There can be small differences in paths and commands depending on the Linux version.

 

  1. Run the following command to see your OpenSSL version:

 

openssl version

 

 

  2. Run the following command to see the apache2 version that is installed on the server:

 

apache2 -v

 

 

  3. You can generate an SSL configuration text with the Mozilla SSL Configuration Generator, which you then edit to fit your server.

You can select the following levels. We recommend that you select intermediate unless there is a specific reason to use a different level, and that you do not activate HSTS unless you know what you are doing.

(For an updated list of client support for the different levels, see https://wiki.mozilla.org/Security/Server_Side_TLS)

 

 

    • Modern: Provides higher security but lower compatibility, as it requires the newest protocols, which only work in newer clients, e.g. Android 10.

Recommended if all clients are known, e.g. a website that is only used internally.

    • Intermediate: A balance between medium-high security and high compatibility.

Generally recommended for servers where unknown clients connect, e.g. a webshop. It optimises security while still allowing somewhat older clients to connect to the website, e.g. Android 4.4.2.

    • Old: Low security, highest compatibility.

This level can only be recommended if security is less important than compatibility, as it enables phased-out SSL standards that have known security holes; in return it works with old clients, e.g. Android 2.3.

    • HTTP Strict Transport Security (HSTS): a header from the server that tells the client that the DNS name may only be accessed through HTTPS from this point on. The client remembers this for the max-age that was set, even if the header has since been removed from the server again, so there is no way back if something fails. Follow a thorough guide and be conservative with the time: we recommend using 300 seconds (5 minutes) for at least a week and then raising the time incrementally. Be careful with the sub-domain and preload options unless everything on the domain is already running HTTPS.

    • OCSP Stapling: It is recommended to activate OCSP stapling. It enables the server to fetch the certificate's revocation status regularly and hand it to the client, so clients don't have to look it up themselves every time they connect.

 

 

Generating CSR for certificate ordering

 

In this example we have used a single DNS name, which works for both standard and SAN certificates; for a wildcard certificate the Common Name has to be changed to *.fairssl.dk.

 

To generate the CSR you need to gather the following information:

 

  • Common Name (CN): The primary full internet domain name, e.g.: www.fairssl.dk
  • Organization Name (O): The full organisation name, exactly as registered in CVR (the Danish business register), e.g.: FairSSL A/S
  • Organizational Unit (OU): The department that is to use the certificate. It must not be possible to confuse it with another organisation. We recommend leaving it blank or using the organisation name, e.g.: FairSSL A/S
  • Locality (L): City name, e.g.: Ørum Djurs
  • State (S): State or municipality; in Denmark the municipality is used, e.g.: Norddjurs
  • Country (C): ISO-standard two-letter country code, must be capital letters, e.g.: DK

 

We will be using OpenSSL for both creating the private key and the CSR. OpenSSL is installed under /usr/local/ssl/bin if you have a standard installation.

 

Creating the private key

 

  1. Log in to the server with an administrator account.

 

  2. Run the following command to create a private RSA 2048-bit key without a password:

 

sudo openssl genrsa -out /etc/ssl/private/www.fairssl.dk.key 2048

 

 

Run the following command if you want a password on the private key:

 

sudo openssl genrsa -des3 -out /etc/ssl/private/www.fairssl.dk.key 2048

 

You will get a prompt to type in the password you want for the key file.

 

 

  3. Run the following command to create 2048-bit Diffie-Hellman parameters:

 

sudo openssl dhparam -out /etc/ssl/private/dhparam.pem 2048

 

 

We create the private key in /etc/ssl/private/ because it is a secure folder specifically made for this purpose.

 

Never send the private key to us through email.

The key file should be kept in a secure location and should never leave the server. It is not possible to use smaller keys like RSA 1024-bit.

 

Creating the CSR

 

  1. Run the following command to create a CSR with the private key you made earlier:

 

sudo openssl req -new -key /etc/ssl/private/www.fairssl.dk.key -out /etc/ssl/private/www.fairssl.dk.csr

 

If you chose to secure the private key with a password, you will get a prompt to enter it here.

Enter the information you collected earlier and press [ENTER] after each field; remember that Country Name must be a capitalised 2-letter ISO code. Don't enter anything in the last three fields:

 

Country Name: DK

State or Province Name: Norddjurs

Locality Name: Ørum Djurs

Organization Name: FairSSL A/S

Organizational Unit Name: FairSSL A/S

Common Name: www.fairssl.dk

Email Address:

A Challenge Password:

An Optional Company Name:

 

 

  2. You can confirm that the CSR is created correctly with the following command:

 

sudo openssl req -noout -text -in /etc/ssl/private/www.fairssl.dk.csr

 

 

  3. Open the CSR file in a text editor (e.g. sudo nano /etc/ssl/private/www.fairssl.dk.csr) and copy the entire text, including all the dashes at the beginning and end.

During the certificate ordering process you paste the text into the CSR field.

The following is an example of a complete CSR text:

 

 

A CSR does not contain any confidential information, so there is no security risk in sending it through unencrypted mail or similar.
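As an added example that is not part of this guide, the two steps above (key, then CSR) done non-interactively in POSIX shell, followed by a check that the CSR really belongs to the key and carries the expected Common Name before it is pasted into an order. The function names, the -subj form of the subject and the password-less key are my assumptions; note that a "/" in a value such as "FairSSL A/S" must be escaped in -subj, which the helper does.

```shell
#!/bin/sh
# Added example (not from the guide): create the key and CSR non-interactively from
# the fields gathered above, then prove the CSR belongs to the key before ordering.
set -eu

# Escapes "/" in a subject value; "FairSSL A/S" would otherwise split the -subj string.
esc() { printf '%s' "$1" | sed 's#/#\\/#g'; }

# args: outdir cn o ou l st c   (ou may be empty and is then omitted, as recommended)
make_csr() {
    dir=$1; cn=$2; o=$3; ou=$4; l=$5; st=$6; c=$7
    umask 077                     # key and CSR are readable by the creating user only
    openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
    subj="/C=$c/ST=$(esc "$st")/L=$(esc "$l")/O=$(esc "$o")"
    if [ -n "$ou" ]; then subj="$subj/OU=$(esc "$ou")"; fi
    # -subj replaces the prompts; the challenge password and optional name stay unset
    openssl req -new -key "$dir/$cn.key" -out "$dir/$cn.csr" -subj "$subj/CN=$cn"
}

# Returns 0 only if the CSR's public key matches the private key, its self-signature
# verifies, and the Common Name is the one expected.   args: key csr expected_cn
check_csr() {
    key=$1; csr=$2; expected_cn=$3
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    [ "$key_pub" = "$csr_pub" ] || { echo "CSR was not made with $key" >&2; return 1; }
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR self-signature does not verify" >&2; return 1; }
    openssl req -in "$csr" -noout -subject | grep -qE "CN *= *$expected_cn\$" \
        || { echo "CSR Common Name is not $expected_cn" >&2; return 1; }
}
```

A typical call is make_csr /etc/ssl/private www.fairssl.dk "FairSSL A/S" "" "Ørum Djurs" Norddjurs DK, followed by check_csr on the two files it wrote.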

 

Installation of SSL certificate

 

If your server is already active and has sites set up, follow Server with existing sites.

 

If you have not set up any sites on your server yet, e.g. a fresh installation, follow Server without existing sites.

 

Server with existing sites

 

  1. Log in to the server with an administrator account.

 

  2. Create the following files where you put your private key (e.g. /etc/ssl/private):

www.fairssl.dk.pem: Copy the text of your SSL certificate into the file, including all the dashes.

intermediate.pem: Copy the text of the intermediate certificate into the file, including all the dashes.

 

  3. If you have gotten the private key from somewhere else, e.g. our CSR service, move it into /etc/ssl/private/ using the following command:

 

sudo mv ./www.fairssl.dk.key /etc/ssl/private/www.fairssl.dk.key

 

  4. Change directory to /etc/apache2/sites-available

If it is a new website, copy the configuration file from an existing website (e.g.: sudo cp www.fairssl.net.conf www.fairssl.dk.conf)

Open the configuration file for the website in a text editor (e.g.: sudo nano www.fairssl.dk.conf)

Correct the following information so that it fits your website (all comments have been removed from the image for clarity):

 

 

  5. If it is a website that is not already active, run the following command to activate it:

 

sudo a2ensite www.fairssl.dk.conf

 

 

If you run the command on a website that is already active, you will get a warning, but it will not otherwise create any issues.

 

  6. If you have multiple websites, follow steps 2-5 for each website.

Remember to change DocumentRoot, ServerName, SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile to fit the respective websites.

Make sure you only have a single default virtual host <VirtualHost _default_:443>; all others need to have either an IP address or *, e.g.: <VirtualHost *:443>

 

  7. When you have bound the certificate to all the websites that need it, you need to update the general SSL settings for the Apache server; follow Updating the general SSL settings.

 

Server without existing sites

 

  1. Log in to the server with an administrator account.

 

  2. Create the following files where you put your private key (e.g. /etc/ssl/private):

www.fairssl.dk.pem: Copy the text of your SSL certificate into the file, including all the dashes.

intermediate.pem: Copy the text of the intermediate certificate into the file, including all the dashes.

 

  3. If you have gotten the private key from somewhere else, e.g. our CSR service, move it into /etc/ssl/private/ using the following command:

 

sudo mv ./www.fairssl.dk.key /etc/ssl/private/www.fairssl.dk.key

 

  4. Change directory to /etc/apache2/sites-available

Copy default-ssl.conf to a file with the same name as your website:

 

sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/www.fairssl.dk.conf

 

 

  5. Open the new file in a text editor (e.g. sudo nano www.fairssl.dk.conf)

Correct the following information so that it fits your website (all comments have been removed from the image for clarity):

 

    • DocumentRoot: The full path to the root of the website; it is important that it does not end with a slash.
    • ServerName: The addresses the website is to be reached through.
    • SSLCertificateFile: The full path to the server certificate.
    • SSLCertificateKeyFile: The full path to the private key.
    • SSLCertificateChainFile: The full path to the intermediate certificate.

 

 

If the server should answer on both http and https then copy <VirtualHost _default_:443> to <VirtualHost _default_:80> outside <IfModule mod_ssl.c> and delete all the lines containing SSL.

 

  6. Save the changes and run the following command to activate the website:

 

sudo a2ensite www.fairssl.dk.conf

 

 

  7. Deactivate the default placeholder that is installed with the Apache server so you only have a single default website:

 

sudo a2dissite 000-default.conf

 

 

  8. If you have multiple websites, follow steps 2-6 for each website.

Remember to change DocumentRoot, ServerName, SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile to fit the respective websites.

Make sure you only have a single default virtual host <VirtualHost _default_:443>; all others need to have either an IP address or *, e.g.: <VirtualHost *:443>

 

  9. When you have bound the certificate to all the websites that need it, you need to update the general SSL settings for the Apache server; follow Updating the general SSL settings.

 

Updating the general SSL settings

 

The server's SSL settings are not automatically updated when the server itself is updated, among other reasons because that could break compatibility with older clients.

We recommend that you update the server's SSL settings each time you replace a certificate on it.

 

  1. Create a backup of ssl.conf to ssl.conf.bak

 

sudo cp /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-available/ssl.conf.bak

 

  2. Open ssl.conf in a text editor (e.g. sudo nano ssl.conf).

Add the settings you generated with the Mozilla generator in the Introduction that are not already in the <VirtualHost>, e.g.:

(all comments have been removed from the image for clarity)

 

 

Some of the settings will most likely already be present, like SSLProtocol and SSLCipherSuite; make sure each is only present once in the file.

 

  3. Save the changes and close the text editor.

 

  4. Run a configuration test to see if the syntax is correct in the changes you have made:

 

sudo apachectl configtest

 

 

  5. Reload the server with the following command to make the changes take effect:

 

sudo systemctl reload apache2

 

We recommend that you test the installation with our server tester on https://www.fairssl.net/en/ssltest/

 

Intermediate certificates

 

Here you can find the intermediate certificates from different Certificate Authorities.

We recommend that you use the intermediate certificate you got with your server certificate, and only download from here in case you lose it, as the one you get in the mail will always be the correct one for your server certificate.
