Difference between revisions of "Installing SSL certificate in Apache"

From Notes_Wiki
m
m
Line 1: Line 1:
<yambe:breadcrumb>Security_tips|Security tips</yambe:breadcrumb>
<yambe:breadcrumb self="Install SSL certificate in Apache">Security_tips|Security tips</yambe:breadcrumb>
<yambe:breadcrumb>Apache web server configuration|Apache web server configuration</yambe:breadcrumb>
<yambe:breadcrumb self="Install SSL certificate in Apache">Apache web server configuration|Apache web server configuration</yambe:breadcrumb>
 
=Install SSL certificate in apache=
'''StartSSL is no longer a recognized CA.  It is better to use [[Installing lets-encrypt SSL certicficate]] for free automated SSL certificate for your servers'''
 
=Using startssl SSL certificates for HTTPS=
 
It is good to have HTTPS certificate signed by recognized CA instead of using self-signed certificate.  One very viable option for simple HTTPS certificate is http://www.startssl.com  Using this website one can generate SSL certificates recognized by all popular browsers for free.  Steps for obtaining such certificate are:
 
# Register on website and provide authetication code from email
# Wait for another acceptance email with code and paste same in browser
# Generate client certificate to recognize oneself.  Take backup of this certificate with password at some safe location.
# Go to control panel -> Validation wizard -> Domain name validation
# Verify by email ID of domain owner.  An email with verification code will be sent to chosen email ID.
# Go to Certificate wizard -> SSL/TLS web certificate
# Enter domain name of validated domain/sub-domain for which certificate is requested
# Generate certificate using displayed openssl command, such as:
#:<pre>
#::openssl req -newkey rsa:2048 -keyout mail.rekallsoftware.com.key -out mail.rekallsoftware.com.csr
#:</pre>
#::The password can be simple.  We would need it only once.
#Remove the password from private key using:
#:<pre>
#:: openssl rsa -in mail.rekallsoftware.com.key -out mail.rekallsoftware.com-2.key
#:</pre>
# Download the certificate and copy it to server along with key.
# Download CA (pem) format with CRL included  ( https://www.startssl.com/certs/ca-bundle.pem )
#:Other option is to download all CA root and intermediate certificate.  Append all these certificates into one single ca-bundle.crt or ca-bundle.pem file.
 
==Install SSL certificate in apache==
For installation of certificate in apache use following steps:
For installation of certificate in apache use following steps:
# Copy all (certificate, key, CA bundle) to /etc/httpd/conf folder
# Copy all (certificate, key, CA bundle) to /etc/httpd/conf folder
Line 41: Line 14:




==Securing Apache SSL configuration==
=Securing Apache SSL configuration=


Default SSL configuration of apache is vulnerable to many attacks.  We can improve apache SSL configuration as follows:
Default SSL configuration of apache is vulnerable to many attacks.  We can improve apache SSL configuration as follows:
Line 52: Line 25:
#::In case of Virtualhost '<tt>SSLEngine On</tt>' line is also required.
#::In case of Virtualhost '<tt>SSLEngine On</tt>' line is also required.
#Check ranking of HTTPS security using https://www.ssllabs.com/ssltest/index.html
#Check ranking of HTTPS security using https://www.ssllabs.com/ssltest/index.html


Steps learned from https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html  
Steps learned from https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html  
Line 57: Line 32:




<yambe:breadcrumb>Security_tips|Security tips</yambe:breadcrumb>
<yambe:breadcrumb self="Install SSL certificate in Apache">Security_tips|Security tips</yambe:breadcrumb>
<yambe:breadcrumb>Apache web server configuration|Apache web server configuration</yambe:breadcrumb>
<yambe:breadcrumb self="Install SSL certificate in Apache">Apache web server configuration|Apache web server configuration</yambe:breadcrumb>

Revision as of 11:07, 17 August 2018

<yambe:breadcrumb self="Install SSL certificate in Apache">Security_tips|Security tips</yambe:breadcrumb> <yambe:breadcrumb self="Install SSL certificate in Apache">Apache web server configuration|Apache web server configuration</yambe:breadcrumb>

Install SSL certificate in apache

For installation of certificate in apache use following steps:

  1. Copy all (certificate, key, CA bundle) to /etc/httpd/conf folder
  2. chmod 400 ssl.key
  3. Edit /etc/httpd/conf.d/ssl.conf and replace appropriate values. Following three values need to be updated: 
    SSLCertificateFile /etc/httpd/conf/ssl.pem
    

    SSLCertificateKeyFile /etc/httpd/conf/ssl.key
    

    SSLCACertificateFile /etc/httpd/conf/ca-bundle.pem
  4. Restart apache and verify that certificate is working as expected.


Securing Apache SSL configuration

Default SSL configuration of apache is vulnerable to many attacks. We can improve apache SSL configuration as follows:

  1. Edit /etc/httpd/conf/ssl.conf and replace/insert following two values 
    SSLProtocol all -SSLv2 -SSLv3
    

    SSLHonorCipherOrder on
    

    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    In case of Virtualhost 'SSLEngine On' line is also required.
  2. Check ranking of HTTPS security using https://www.ssllabs.com/ssltest/index.html


Steps learned from https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html


<yambe:breadcrumb self="Install SSL certificate in Apache">Security_tips|Security tips</yambe:breadcrumb> <yambe:breadcrumb self="Install SSL certificate in Apache">Apache web server configuration|Apache web server configuration</yambe:breadcrumb>

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Installing_SSL_certificate_in_Apache&oldid=3215"