Install SSL on CentOS 6.4

Securing the Apache server is one of the most important tasks of the webmaster. In this example, we will show you how to create a self-signed certificate and key and configure them with your Apache web server.

Create Certificates

Change to the directory where CentOS keeps its TLS certificates (the Makefile in this directory wraps the openssl commands run below):

# cd /etc/pki/tls/certs

Run the following command to create the server key file:

[root@unixmen-Centos64 certs]# make server.key
umask 77 ; 
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
..................+++
..........................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:

Remove the passphrase from the private key so that Apache can start without prompting for it (the key is then stored unencrypted on disk; the umask 77 above already makes the file readable by root only):

[root@unixmen-Centos64 certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key

Generate the certificate signing request (CSR):

[root@unixmen-Centos64 certs]# make server.csr 
umask 77 ; 
 /usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:NL
State or Province Name (full name) []:Amsterdam
Locality Name (eg, city) [Default City]:Amsterdam
Organization Name (eg, company) [Default Company Ltd]:Unixmen
Organizational Unit Name (eg, section) []:Unixmen
Common Name (eg, your name or your server's hostname) []:Centos6-Unixmen
Email Address []:webmaster@unixmen.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@unixmen-Centos64 certs]#

Self-sign the request with the server key and set the validity period in days (-days). The Common Name should match the hostname clients will use to reach the server, otherwise browsers will report a name mismatch:

[root@unixmen-Centos64 certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 10000
Signature ok
subject=/C=NL/ST=Amsterdam/L=Amsterdam/O=Unixmen/OU=Unixmen/CN=Centos6-Unixmen/emailAddress=webmaster@unixmen.com
Getting Private key
[root@unixmen-Centos64 certs]#
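The same key, CSR and self-signed certificate procedure with plain openssl commands instead of the CentOS make wrapper, followed by the checks worth running before handing the files to Apache: that the key and certificate share a modulus, that the certificate is valid for the requested period, and that the key file has no group or world permissions. This is an added example and not part of the original post; it works in a temporary directory, and the subject string is constructed to mirror the values typed in the post.

```shell
#!/bin/sh
# Added example (not from the original post): key -> CSR -> self-signed
# certificate with plain openssl, then sanity checks on the result.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
# Constructed subject, mirroring the DN entered interactively in the post.
SUBJ="/C=NL/ST=Amsterdam/L=Amsterdam/O=Unixmen/OU=Unixmen/CN=Centos6-Unixmen/emailAddress=webmaster@unixmen.com"

# make_selfsigned DIR DAYS: write server.key, server.csr and server.crt into DIR.
make_selfsigned() {
    dir=$1
    days=$2
    (
        umask 77   # as in the CentOS Makefile: key readable by its owner only
        # Unencrypted 2048-bit RSA key; equivalent to "genrsa -aes128" followed
        # by the "openssl rsa" passphrase-stripping step shown in the post.
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
        # CSR; -subj supplies the DN instead of the interactive prompts.
        openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "$SUBJ" 2>/dev/null
        # Self-sign the request with the same key, valid for DAYS days.
        openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
            -out "$dir/server.crt" -days "$days" 2>/dev/null
    )
}

# key_matches_cert KEY CRT: succeed if the RSA modulus in the key and in the
# certificate are identical, i.e. SSLCertificateFile and SSLCertificateKeyFile
# really belong together (Apache refuses to start otherwise).
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for CRT SECONDS: succeed if the certificate will still be valid
# SECONDS from now (openssl -checkend fails once expiry falls inside the window).
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# key_is_private KEY: succeed if the key file grants no group/other permissions.
key_is_private() {
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

make_selfsigned "$WORKDIR" 365
key_matches_cert "$WORKDIR/server.key" "$WORKDIR/server.crt" && echo "key and certificate match"
cert_valid_for "$WORKDIR/server.crt" 86400 && echo "certificate is valid for at least another day"
cert_valid_for "$WORKDIR/server.crt" $((366 * 86400)) || echo "certificate expires within 366 days, as requested"
key_is_private "$WORKDIR/server.key" && echo "private key is readable by its owner only"
```

The modulus comparison is the quickest way to catch a copied-in certificate that was issued for a different key, and the permission check catches a key that was created without the umask the Makefile applies.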

Configure SSL keys with Apache

Install Apache and the SSL module:

# yum -y install httpd mod_ssl

Configure ‘/etc/httpd/conf.d/ssl.conf’. With the comment lines filtered out, your ssl.conf should look like this (the VirtualHost block is where the certificate and key created above are referenced):

[root@unixmen-Centos64 conf.d]# cat /etc/httpd/conf.d/ssl.conf | grep -v "#"
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName 127.0.0.1:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/certs/server.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
[root@unixmen-Centos64 conf.d]#
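The SSLProtocol and SSLCipherSuite lines in the configuration above are the CentOS 6 defaults: "all -SSLv2" still offers SSLv3, and the cipher list adds RC4, MEDIUM and LOW grade ciphers back in. The following script, an added example that is not part of the original post, audits those two directives in an ssl.conf and contrasts the stock values with a hardened alternative. Both sample configurations are constructed inline; the hardened values are this example's suggestion, not something the post prescribes.

```shell
#!/bin/sh
# Added example (not from the original post): audit the SSLProtocol and
# SSLCipherSuite directives of an Apache ssl.conf for SSLv3 and weak ciphers.
set -eu

# Constructed sample 1: the stock CentOS 6 values shown in the post.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
EOF

# Constructed sample 2: a hardened alternative (this example's suggestion).
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
EOF
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# directive FILE NAME: print the value of the first uncommented NAME directive.
directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# sslv3_allowed FILE: succeed if SSLProtocol leaves SSLv3 enabled. "all" means
# every version mod_ssl supports, so only an explicit -SSLv3 removes it.
sslv3_allowed() {
    proto=$(directive "$1" SSLProtocol)
    case " $proto " in
        *" -SSLv3 "*) return 1 ;;                        # explicitly disabled
        *" all "*|*" SSLv3 "*|*" +SSLv3 "*) return 0 ;;  # offered
        *) return 1 ;;                                   # only TLS versions listed
    esac
}

# weak_ciphers FILE: print each SSLCipherSuite token that enables a weak
# cipher family (negated "!" tokens are fine); prints nothing for a clean list.
weak_ciphers() {
    directive "$1" SSLCipherSuite | tr ':' '\n' | while IFS= read -r tok; do
        case "$tok" in
            '!'*) ;;
            *RC4*|*LOW*|*MEDIUM*|*EXPORT*|*NULL*|*ADH*|*DES*|*MD5*) echo "$tok" ;;
        esac
    done
}

# audit FILE: print findings; succeed only when there are none.
audit() {
    rc=0
    if sslv3_allowed "$1"; then
        echo "$1: SSLProtocol leaves SSLv3 enabled"
        rc=1
    fi
    bad=$(weak_ciphers "$1")
    if [ -n "$bad" ]; then
        echo "$1: SSLCipherSuite enables weak ciphers: $(echo "$bad" | tr '\n' ' ')"
        rc=1
    fi
    return $rc
}

audit "$WEAK_CONF" || true
audit "$HARDENED_CONF" && echo "$HARDENED_CONF: no findings"
```

Run it against the real /etc/httpd/conf.d/ssl.conf by passing that path to audit. The token check is deliberately conservative: a token such as RC4+RSA is flagged because it positively selects RC4 suites, while !RC4 is accepted because it removes them.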

Restart Apache so that mod_ssl and the new configuration are loaded:

service httpd restart

Check that ports 80 and 443 are listening:

[root@unixmen-Centos64 conf.d]# netstat -an | grep 443
tcp 0 0 :::443 :::* LISTEN 
[root@unixmen-Centos64 conf.d]# netstat -an | grep 80
tcp 0 0 :::80 :::* LISTEN 
unix 3 [ ] STREAM CONNECTED 12580 
[root@unixmen-Centos64 conf.d]#

Allow ports 80 and 443 through iptables by adding the following rules to /etc/sysconfig/iptables (they must come before the final REJECT rule of the INPUT chain):

vi /etc/sysconfig/iptables

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

Restart iptables to load the new rules:

service iptables restart

Open a browser and check https://IP-Address. Because the certificate is self-signed, the browser will warn that it cannot verify the issuer; that is expected for this setup.