How to secure a website with self signed certificate?
Step 1: Check whether the Apache package is installed; if it is not, install it.
#rpm -qa | grep httpd
#yum install httpd
#yum install openssl
Note : openssl package is required to generate SSL certificates.
Step 2: Create a DNS CNAME record for this virtual host, ssl.linuxnix.com, pointing to our server's name, server.linuxnix.com.
Step 3: Create a home directory for our virtual host and an index.html file.
#mkdir /websites/ssl
#vi /websites/ssl/index.html
Step 4: Create an SSL self-signed certificate for your site.
What is a self-signed certificate?
Ans: A self-signed certificate is one generated locally on the server that will provide the SSL-enabled web site. It is used when the site or server owner does not plan to have the certificate signed by a CA, or when the certificate is only for testing a new SSL implementation.
This temporary certificate will make the client browser show an error to the effect that the signing certificate authority is unknown and not trusted, because it is not signed by any known, trusted CA.
To generate a self-signed certificate we have to generate two things:
1. A private key, which stays on the server.
2. A CSR (Certificate Signing Request), which is used to generate the self-signed certificate.
Step 4(a): Generate a private key and keep it in /etc/httpd/conf/sslcrt.
#mkdir /etc/httpd/conf/sslcrt
#cd /etc/httpd/conf/sslcrt
Note: We can create this certificate/key in any location, but /etc/httpd/conf/sslcrt is easy to remember.
#openssl genrsa -des3 -out server.key 1024
Once we execute the above command it will prompt for a new pass phrase, as shown below.
Generating RSA private key, 1024 bit long modulus
...........................................++++++
.....................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Enter a pass phrase for the server key; this is a password, so remember it.
Let me explain the command:
openssl is the command used to generate SSL keys and certificates.
genrsa tells it to generate an RSA key, written to server.key, encrypted with des3 and with a 1024-bit key length.
To see the files created, just run ls.
#ls -lrt
Step 4(b): Now generate a CSR (Certificate Signing Request).
#openssl req -new -key server.key -out server.csr
When you execute this command you will be prompted for a number of inputs, as shown below.
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called as Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Andhra Pradesh
Locality Name (eg, city) [Newbury]:Hyderabad
Organization Name (eg, company) [My Company Ltd]:The Linux juggernaut Ltd.
Organizational Unit Name (eg, section) []:IT Support Group
Common Name (eg, your name or your server's hostname) []:Surendra kumar Anne
Email Address []:surendra@linuxnix.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
These are example entries, so fill in your own details. Just press Enter at "A challenge password" and "An optional company name"; don't write anything for those two entries.
To see the files created, just run ls.
#ls -lrt
Step 4(c): Remove the pass phrase from the key. It is not required, and whenever the Apache service is restarted the system would ask for it. So that nobody has to sit in front of the system and enter the pass phrase after a reboot, a service restart or a crash, we remove it as shown below. Because the key is then stored unencrypted, make sure only root can read the file.
#cp server.key server.key.org
#openssl rsa -in server.key.org -out server.key
This will ask for the pass phrase one last time. Just enter the pass phrase you gave earlier.
Step 4(d): Now it's time to generate the self-signed certificate.
#openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Once you execute the above command you will get output as shown below.
Signature ok
subject=/C=IN/ST=Andhra Pradesh/L=Hyderabad/O=The Linux juggernaut Ltd./OU=IT Support Group/CN=Surendra kumar Anne/emailAddress=surendra@linuxnix.com
Getting Private key
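The whole of Step 4 run without prompts, followed by the checks worth doing before touching httpd.conf, as an added example that is not code from the original post. It assumes only the openssl command line; the directory, the hostname and the pass phrase temp-pass are placeholders, and it departs from the post in three places: a 2048-bit key, the site's hostname as the CN, and a subjectAltName extension.

```shell
# Added example, not code from the original post: Step 4(a)-4(d) without prompts,
# followed by the checks worth running before touching httpd.conf.
# Assumes only the openssl CLI. Directory, hostname and "temp-pass" are placeholders.
# Usage: make_selfsigned_cert /etc/httpd/conf/sslcrt ssl.linuxnix.com 365
make_selfsigned_cert() {
    dir="$1"; cn="$2"; days="${3:-365}"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # 4(a) private key. 2048 bits rather than the post's 1024, which is too
    # small today. The pass phrase is supplied on the command line so the
    # step never blocks on a prompt (constructed placeholder value).
    openssl genrsa -des3 -passout pass:temp-pass \
        -out "$dir/server.key.org" 2048 2>/dev/null || return 1
    # 4(b) CSR. The CN must be the site's hostname: with a person's name in it,
    # as in the post, browsers report a name mismatch on top of the trust warning.
    openssl req -new -key "$dir/server.key.org" -passin pass:temp-pass \
        -subj "/C=IN/ST=Andhra Pradesh/L=Hyderabad/O=Example Ltd/CN=$cn" \
        -out "$dir/server.csr" || return 1
    # 4(c) strip the pass phrase so httpd can start unattended. The key is now
    # protected by file permissions alone, hence the chmod 600.
    openssl rsa -in "$dir/server.key.org" -passin pass:temp-pass \
        -out "$dir/server.key" 2>/dev/null || return 1
    chmod 600 "$dir/server.key" "$dir/server.key.org"
    # 4(d) self-sign. Current browsers ignore the CN and need a subjectAltName,
    # which the post's command does not add; -extfile supplies it.
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.ext"
    openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 when the certificate's public key belongs to the private key.
# A mismatch here is the usual reason httpd refuses to start in Step 7.
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$crt_mod" = "$key_mod" ]
}

# Prints the subject CN, e.g. ssl.linuxnix.com, in both the old "/CN=" and the
# new "CN = " subject formats that different openssl versions print.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
```

Run it as root against the post's directory, then point SSLCertificateFile and SSLCertificateKeyFile at server.crt and server.key as in Step 5(d).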
Step 5: Configure the virtual host in our httpd.conf file, which is located at /etc/httpd/conf/.
Step 5(a): Create index.html in the /websites/ssl/ folder and put some content in it.
#vi /websites/ssl/index.html
Save and exit the file
Step 5(b): Specify NameVirtualHost
NameVirtualHost server.linuxnix.com
Step 5(c): Specify ServerName as server.linuxnix.com in the httpd.conf file
ServerName server.linuxnix.com
Step 5(d): Now create a virtual host entry.
<VirtualHost 192.168.0.1>
ServerName ssl.linuxnix.com
DocumentRoot /websites/ssl/
DirectoryIndex index.html
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/httpd/conf/sslcrt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/sslcrt/server.key
</VirtualHost>
Let me explain each of the entries in this virtual host that are new.
SSLEngine on
This tells Apache to turn on the SSL engine for this virtual host.
SSLProtocol all -SSLv2
This enables every protocol version Apache supports except SSLv2, which is disabled because of its known weaknesses.
SSLCertificateFile specifies the certificate file.
SSLCertificateKeyFile specifies the private key file.
Save and exit the file
Step 6: Check for syntax errors in the httpd.conf file before restarting the Apache service.
#httpd -t
or
#httpd -k graceful
Step 7: Now start the service and add it to the boot scripts so that it starts automatically at every boot of the system.
#service httpd restart
#chkconfig httpd on
Step 8: Now try to access https://ssl.linuxnix.com. Because the certificate is self-signed, the browser will warn that it is not trusted, as explained in Step 4; accept it to view the page.