
How to create and install keys and certificates for a secure Apache web server

Creating and Installing Keys and Certificates

You will be creating a private key to be used by the Apache server. You need to decide whether you are willing to rely on Unix file system permissions to keep that file safe. I am going to do that in the following example, because the only ways it could be violated would be either that I loosen one specific file system permission while logged in as root, or that someone breaks the root account. The first seems unlikely, and in the case of the second I would have bigger things to worry about.

The alternative, an encrypted private key, would require you to type a pass phrase every time you start the Apache web server process. Unattended reboots would be impossible.

1. Change to the SSL directory.
You can put the files wherever you want; just adjust the paths in the other steps accordingly:

# cd /etc/ssl 

2. Create a key for the server.
The following makes a 4096-bit RSA private key. It is written unencrypted, which is the file-system-protected choice discussed above; add -aes256 to the command if you want the key encrypted under a pass phrase instead:

# openssl genrsa -out server.key 4096 

3. Create a Certificate Signing Request (CSR).
The following creates the request. Answer the Distinguished Name questions (country, state, organization, and so on); the Common Name must be the host name clients will use to reach the server. Do not pass -x509 here: that option produces a self-signed certificate rather than a request, which a CA cannot sign. The certificate's lifetime (one year, for example) is set by the CA when it signs, not by anything in the request. The -sha256 option matters because CAs and browsers no longer accept SHA-1 signatures:

# openssl req -new -sha256 -key server.key -out server.csr 

4. Make the files root-read-only:

# chmod 700 /etc/ssl
# chmod 600 server.* 

Be aware that some systems keep the public CA trust store under /etc/ssl (for example /etc/ssl/certs), and mode 700 on the directory hides it from every non-root program that makes TLS connections. If that is the case on your system, leave the directory readable and rely on the 600 mode of the key file, or keep the key in a private subdirectory.

5. Verify things so far, if you want. A request is printed with openssl req; -verify also checks the request's own signature:

# openssl req -text -noout -verify -in server.csr | less

The dump below was captured from a self-signed certificate made with the -x509 form of the req command and printed with openssl x509 -text, which is why it shows an Issuer, a serial number and a validity period; a request prints as "Certificate Request:" with the same Subject and public key but without those fields. Note the sha1WithRSAEncryption signature algorithm in it: that is what passing -sha256 avoids. Check that the Subject, the key size and the modulus are what you expect.

# openssl x509 -text -in server.csr -noout | less
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 12280785628550484366 (0xaa6e1d767879518e)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=IN, L=West Lafayette, \
		O=Cromwell International, OU=Underground Lair, \
		CN=www.cromwell-intl.com/emailAddress=bob.cromwell@comcast.net
        Validity
            Not Before: Jan 29 22:54:31 2014 GMT
            Not After : Jan 29 22:54:31 2015 GMT
        Subject: C=US, ST=IN, L=West Lafayette, \
		O=Cromwell International, OU=Underground Lair, \
		CN=www.cromwell-intl.com/emailAddress=bob.cromwell@comcast.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b9:22:dc:5c:e0:34:88:45:23:79:bd:3c:20:fc:
                    96:ff:3a:22:40:68:77:2b:90:f3:df:1f:d7:37:ad:
                    bf:5f:82:63:44:67:e1:e0:fc:3f:bf:bd:d4:b7:84:
                    e9:e0:44:10:ef:07:7d:a3:f0:52:74:dc:41:d5:c5:
                    ad:22:3e:eb:c5:4b:ff:1b:3d:c0:ab:0d:97:dd:1c:
                    be:46:f0:8a:bb:ef:e0:b5:02:c7:c0:73:f7:1a:ff:
                    3e:69:66:60:ab:78:af:f9:f1:df:4b:48:f5:c1:8a:
                    33:12:09:8b:a1:e6:97:26:a9:bb:d3:64:79:7c:eb:
                    5e:6a:4a:48:83:c6:1f:50:f7:31:0f:f2:dc:cb:37:
                    50:cb:d9:94:b7:41:b4:09:23:58:ca:ad:1d:6d:82:
                    ae:06:b0:cb:2c:f3:73:c0:7d:4d:90:c2:72:21:c9:
                    87:40:5c:0f:26:92:9d:68:2f:bb:04:06:4d:0f:df:
                    f0:f5:ba:dd:5e:cc:ff:9f:92:27:49:91:40:1d:c9:
                    d9:ec:40:0b:88:ac:35:d6:71:ae:a7:f0:ae:2d:36:
                    3c:b5:72:1d:8f:50:a4:14:01:1b:89:22:0e:c3:1b:
                    d0:a0:e9:99:4f:a4:51:b3:8d:1d:0a:7c:af:f9:44:
                    5f:41:27:5c:f7:b0:fb:2f:d5:9d:45:e3:e1:53:f9:
                    54:eb:a3:16:82:18:be:d3:ed:f6:bb:31:81:8a:ba:
                    4f:b8:16:e2:4b:bf:af:ef:65:01:46:f8:7c:96:16:
                    2f:af:bf:06:3b:6a:a6:17:bc:76:23:f1:26:83:bc:
                    86:5c:25:99:f0:77:5f:88:10:c9:34:30:0e:cd:3e:
                    0b:7a:84:40:0d:44:55:e5:46:05:9a:5f:a3:d3:bb:
                    41:ef:be:81:02:65:a1:7d:24:f5:e0:27:74:15:aa:
                    66:0b:65:30:3b:c4:59:47:be:fa:15:49:ba:02:e8:
                    b8:9a:5f:63:16:bc:b5:0b:f2:64:ed:de:02:47:3e:
                    e9:2b:0d:78:f4:bb:10:e3:75:64:c8:bf:8d:71:88:
                    dc:4f:42:99:4b:97:49:17:5c:53:70:ac:48:21:4c:
                    c9:5c:4e:b3:81:6a:c6:8d:74:7d:e7:1b:0e:3a:53:
                    4e:05:31:21:e3:28:aa:d7:8e:23:09:cc:bb:da:21:
                    ed:29:80:d2:7d:9b:71:01:96:77:c0:90:a6:9e:a6:
                    14:12:7a:51:08:e6:70:f6:7b:5d:5a:cc:6e:be:3b:
                    61:18:b8:a2:45:6a:a3:b2:4a:f1:2d:48:9d:81:23:
                    d7:d9:95:48:46:bc:a8:a7:38:ff:b6:c4:ab:77:cf:
                    53:5f:03:4e:6d:16:64:e4:f9:79:46:be:22:74:8f:
                    19:0d:67
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         23:70:c2:0e:03:82:46:51:2f:84:fb:1f:1c:5a:e1:6c:51:e8:
         4b:49:b0:5c:f8:08:3e:94:00:7d:3f:ee:ab:d1:b2:88:cf:8c:
         95:fb:7c:f0:43:58:ea:19:e7:b2:37:86:eb:7b:0a:ac:39:98:
         52:0e:b1:32:47:8c:4b:ee:50:8b:ba:67:b5:55:f6:ad:bf:b3:
         5b:d3:fd:47:a9:db:cd:d5:29:f1:fa:fc:52:ac:ba:83:2c:c3:
         e8:96:44:e0:54:96:39:ec:fd:99:c2:8b:84:b8:0c:90:28:21:
         40:37:af:b6:73:e4:e2:25:d4:79:7b:6b:58:42:4a:93:12:ab:
         35:23:66:da:5f:6a:ff:ee:32:11:b6:ac:9c:5c:8c:86:3f:f9:
         11:c6:df:fa:42:38:43:e1:f7:b9:d8:19:82:aa:d4:91:fa:18:
         0e:d8:5d:21:b5:53:c9:61:84:62:41:10:7b:b5:0f:e7:30:93:
         65:2b:8d:5f:61:cd:bd:35:70:a7:4f:7a:d1:8a:0f:47:bc:d2:
         19:8c:a5:97:c0:6b:95:1f:c0:39:ae:a9:81:ce:a4:4e:3d:e3:
         d0:df:12:51:f3:f4:0f:7e:b9:e2:65:3e:ff:d5:af:6d:d7:08:
         b6:13:63:a8:46:d0:98:07:8d:53:53:4f:fe:b1:c9:e4:52:7e:
         49:34:38:23:97:14:6f:c9:8c:14:4d:04:f5:da:e2:78:d9:6b:
         d9:a4:3a:3e:7d:29:54:60:6a:a8:a5:c7:21:57:1b:f5:24:b1:
         90:5e:72:83:2a:26:3a:c9:05:d3:59:b6:e4:f5:61:24:c5:30:
         94:73:22:ec:bd:78:75:69:89:1a:c0:b3:a2:73:da:a4:56:97:
         87:7d:a5:fb:4a:53:00:ca:2e:2d:d7:db:9d:6b:03:ec:80:51:
         c6:d8:d5:8c:a2:1e:cb:71:29:ef:65:be:19:3e:78:3e:9e:42:
         34:1d:c2:5a:b8:2b:50:dd:7f:40:82:99:9f:dd:9f:ea:07:93:
         48:57:4a:88:e5:72:bc:45:67:84:2b:33:a6:4b:67:6e:c8:0c:
         bb:af:3a:96:80:76:48:54:0d:0a:16:a9:55:22:dd:39:b5:3b:
         af:27:5b:ce:a0:70:00:f8:95:8e:12:e9:25:b4:97:1e:b2:08:
         60:a4:cc:cf:d1:70:ef:ed:97:a3:ec:49:5c:e2:51:9f:4a:23:
         52:39:94:51:74:80:22:db:9a:75:7e:5f:7d:c5:a0:f5:39:3e:
         21:0c:25:8b:24:18:cc:f2:f8:c7:9a:c4:5a:2f:40:f7:fa:45:
         a6:16:42:ba:ca:76:c1:42:f4:0f:94:a5:65:82:43:e9:00:13:
         2d:d8:ac:0e:bc:6b:67:36
        

6. Send the Certificate Signing Request to your CA (Certificate Authority) according to their procedure, and wait patiently.
This is the file server.csr. The CA will require you to prove that the CSR is associated with your identity, so this might involve visiting your CA in person, carrying strong credentials of personal or corporate identity and a USB storage device holding the file. Or, more conveniently, if you already have a relationship with your CA that includes possession of each other's PGP public keys, it might mean sending the CSR as a signed attachment to an encrypted e-mail. The CSR contains only the public key and your identifying information; the private key never leaves the server.

7. When your CA provides your certificate, install it as /etc/ssl/server.crt. Before relying on it, confirm that it matches your key: the public key printed from server.crt must be the same as the one in server.key.

8. Edit /var/www/conf/httpd.conf and set the SSLEngine, SSLCertificateFile, SSLCertificateKeyFile and, if needed, SSLCACertificateFile lines shown in the following:

#   Turn on SSL
SSLEngine on

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' at
#   build time.
SSLCertificateFile    /etc/ssl/server.crt

#   Point SSLCertificateKeyFile at the private key.
SSLCertificateKeyFile /etc/ssl/server.key

#   If your CA tells you that you need the Intermediate or Root
#   certificate, install and specify it as here. SSLCACertificateFile
#   names the CAs trusted for client certificates; mod_ssl also uses
#   it to build the chain sent to browsers, with the side effect that
#   client certificates from those CAs are accepted if client
#   authentication is ever enabled. The directive meant for the server
#   chain is SSLCertificateChainFile (in Apache 2.4.8 and later, append
#   the intermediates to the SSLCertificateFile file instead). Only
#   the intermediates need to be sent; browsers already hold the root.
SSLCACertificateFile  /etc/ssl/ca-bundle.crt
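
As an added example, not the page author's own commands, the following POSIX shell script carries out the key and request steps, the verification step, and the check that the certificate the CA returns actually belongs to the key, end to end. It adds a throwaway lab CA (make_lab_ca_and_sign, a stand-in for the real CA) so the whole flow can be rehearsed in a scratch directory before the real CA is involved. It assumes openssl 1.1.1 or newer on the PATH; the subject and host names are placeholders. It generalizes the page's eyeball check of the modulus dump into a comparison of public-key digests across key, request and certificate.

```shell
#!/bin/sh
# Added example, not the page author's commands. Key + real CSR (no -x509),
# locked-down files, pre-flight checks on the request, and a post-install check
# on the certificate the CA returns. make_lab_ca_and_sign is a stand-in for the
# real CA so the flow can be rehearsed in a scratch directory.
# Assumes: openssl(1) 1.1.1 or newer on PATH. Subject and host names are
# placeholders.
set -eu

SUBJ="/C=US/ST=IN/L=West Lafayette/O=Example Org/CN=www.example.com"  # placeholder
SAN="DNS:www.example.com,DNS:example.com"                              # placeholder

# make_key_and_csr DIR [BITS]: private key and CSR in DIR. umask 077 means the
# files are never world-readable, not even between creation and the chmod.
make_key_and_csr() {
    dir="$1"; bits="${2:-4096}"
    umask 077
    openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null
    # -sha256 because CAs refuse SHA-1 signed requests; -addext puts the
    # subjectAltName in the request, since browsers ignore the CN (needs 1.1.1+).
    openssl req -new -sha256 -key "$dir/server.key" -subj "$SUBJ" \
        -addext "subjectAltName=$SAN" -out "$dir/server.csr"
    chmod 600 "$dir/server.key" "$dir/server.csr"
}

# pubkey_digest key|csr|cert FILE: SHA-256 of the SubjectPublicKeyInfo, so key,
# request and certificate can be compared without reading modulus dumps by eye.
pubkey_digest() {
    {
        case "$1" in
            key)  openssl pkey -in "$2" -pubout -outform DER ;;
            csr)  openssl req -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
            cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        esac
    } 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= //'
}

# file_mode FILE: octal permission bits (GNU/busybox stat first, BSD stat second).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# csr_ok KEY CSR: the request's self-signature verifies and it was made from KEY.
csr_ok() {
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' &&
        [ "$(pubkey_digest key "$1")" = "$(pubkey_digest csr "$2")" ]
}

# cert_ok KEY CERT CA_BUNDLE: the certificate the CA returned carries KEY's public
# key and chains to CA_BUNDLE (the file the Apache chain directive will point at).
cert_ok() {
    [ "$(pubkey_digest key "$1")" = "$(pubkey_digest cert "$2")" ] &&
        openssl verify -CAfile "$3" "$2" >/dev/null 2>&1
}

# make_lab_ca_and_sign DIR: throwaway root CA that signs DIR/server.csr, producing
# DIR/ca.crt and DIR/server.crt. For rehearsal only; the real CA replaces this step.
make_lab_ca_and_sign() {
    dir="$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Lab Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Carry the SAN from the request into the certificate, as a real CA would.
    printf 'subjectAltName=%s\n' "$SAN" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# main DIR: what an operator runs in place, e.g.  sh make-csr.sh /etc/ssl
main() {
    make_key_and_csr "$1"
    csr_ok "$1/server.key" "$1/server.csr"
    echo "request checks passed; send $1/server.csr to the CA"
}
if [ "$#" -gt 0 ]; then main "$1"; fi
```

Run it with a directory argument to produce the key and request in place; with no argument it only defines the functions, so it can be sourced for the individual checks. Once the real certificate is back, cert_ok against the CA's intermediate bundle is the test to run before pointing SSLCertificateFile and the chain directive at the files. The lab CA is for rehearsal only and must never be used for a production server.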
