Install the Web Server package group:
# yum groupinstall -y "Web server"
Activate at boot time and start the service:
# chkconfig httpd on
# service httpd start
Add a new rule to the firewall:
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
Save the firewall configuration:
# service iptables save
Let’s assume your server is called centos6.example.com.
Generate a self-signed X.509 certificate valid for 365 days (the -nodes option leaves the private key unencrypted on disk, so keep the key file readable by root only):
# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/centos6.example.com.crt -keyout /etc/pki/tls/private/centos6.example.com.key -days 365
Generating a 2048 bit RSA private key
.....................................................+++
..................................+++
writing new private key to '/etc/pki/tls/private/centos6.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:centos6.example.com
Email Address []:
Edit the /etc/httpd/conf.d/ssl.conf file, search for the SSLCertificate string and replace as follows:
SSLCertificateFile /etc/pki/tls/certs/centos6.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/centos6.example.com.key
In the same file, search for the ServerName string and replace as follows:
ServerName centos6.example.com:443
Check the validity of the configuration:
# httpd -t
Syntax OK
Or:
# apachectl configtest
Syntax OK
Restart the Apache web server:
# apachectl restart
Check the virtual host configuration:
# httpd -D DUMP_VHOSTS
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443          centos6.example.com (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK
Optionally, check the certificate from the server itself (the "self signed certificate" verify error, code 18, is expected here: no client will trust this certificate until it is either signed by a CA the client knows or explicitly imported):
# openssl s_client -connect localhost:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = centos6.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = centos6.example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
   i:/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
issuer=/C=XX/L=Default City/O=Default Company Ltd/CN=centos6.example.com
---
No client certificate CA names sent
---
SSL handshake has read 1796 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: F70A21C91678CB69510C8ED213E8C340021A3AD7343D16155D15E819476032CB
    Session-ID-ctx:
    Master-Key: 5CADEE0E5B2B4F9030B1A9E46FA2DD65AC70C530B754A4EF4384AA34B28E4E2617B1E47746ACA2D22B9DA7A8369509A7
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    [hex dump omitted]

    Start Time: 1408871323
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
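Before restarting httpd it is worth confirming that the certificate and key named in ssl.conf actually belong together, that the unencrypted key is not readable by other users, that the certificate is not about to expire, and that its CN is the ServerName clients will use. The script below is an added example, not part of the original post; it assumes the openssl command-line tool and uses the file paths and host name from this page, and the 30-day expiry window is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an Apache
# key/certificate pair before "apachectl restart". Assumes the openssl CLI.
check_tls_pair() {
    cert=$1; key=$2; host=$3; rc=0

    # 1. -nodes wrote the private key unencrypted, so file permissions are the
    #    only thing protecting it: refuse a key readable by group or others.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null) || mode=
    case "$mode" in
        *00) ;;
        *) echo "FAIL: $key has mode '$mode', expected 600 or 400"; rc=1 ;;
    esac

    # 2. The certificate must belong to this key: the public key extracted
    #    from each file has to be identical (compared as PEM text).
    cpub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || cpub=
    kpub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || kpub=
    if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
        echo "FAIL: public key in $cert does not match $key"; rc=1
    fi

    # 3. A 365-day certificate expires quietly; fail if under 30 days remain.
    if ! openssl x509 -noout -checkend $((30 * 86400)) -in "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert expires within 30 days or is already expired"; rc=1
    fi

    # 4. The subject CN must be the name clients connect to (the ServerName).
    #    RFC 2253 output lists CN first and separates attributes with commas,
    #    so the value is followed by a comma or by the end of the line.
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" 2>/dev/null) || subj=
    case "$subj" in
        *"CN=$host,"*|*"CN=$host") ;;
        *) echo "FAIL: subject '$subj' is not issued for $host"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $cert and $key are usable for $host"
    return "$rc"
}

# Usage with the paths from this post:
# check_tls_pair /etc/pki/tls/certs/centos6.example.com.crt \
#                /etc/pki/tls/private/centos6.example.com.key centos6.example.com
```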
Additional Resources
You can read this good article about the various formats of certificates.