Apache Httpd 2.2 Configure CA Certificate to Encrypt Https Communication

Keywords: SSL OpenSSL Apache Web Server

Personal blog: http://www.pojun.tech/ (visitors welcome)

What is a CA certificate

What a CA certificate is, and how to apply for and build one with OpenSSL, was covered in earlier articles and is not repeated here. If in doubt, refer to those articles:
http://www.pojun.tech/blog/2017/09/11/linux-middle-command-1
http://xiaoshuaigege.blog.51cto.com/6217242/1965113
http://blog.csdn.net/eumenides_s/article/details/78040787

Implementing HTTPS encrypted communication with Apache httpd 2.2

In production, CA certificates are normally obtained from a professional, internationally recognised certification authority. Here we simulate that with certificates generated by OpenSSL to set up encrypted communication for Apache; the procedure closely follows what is done in production.

Preparing the experimental environment

Prepare two virtual hosts (Host A as the web server, Host B as the root CA); their roles are shown in the figure below.

Next, we build a CA certificate environment on Host B, and then configure the certificate environment on Host A.

Building the CA certificate environment on Host B

In the CA environment, the file name and storage path of the private key, and likewise of the certificate, follow fixed rules. If you are unsure of them, check the /etc/pki/tls/openssl.cnf file.

1. Build the private key file

The private key is not protected with a passphrase here.

[root@localhost ~]#(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem  2048 )
Generating RSA private key, 2048 bit long modulus
.............................................+++
.........................+++
e is 65537 (0x10001)

2. Create a self-signed root CA certificate based on the private key file

The certificate must be named cacert.pem and stored at /etc/pki/CA/cacert.pem.

[root@localhost ~]#openssl req -new -x509 -key  /etc/pki/CA/private/cakey.pem -days 7300 -out  /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:qingdao
Organization Name (eg, company) [Default Company Ltd]:pojun.tech
Organizational Unit Name (eg, section) []:Opt
Common Name (eg, your name or your server's hostname) []:ca.pojun.tech
Email Address []:

Looking at the certificate now shows the information we just entered.

[root@localhost ~]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17076170100312404196 (0xecfabe3b994470e4)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=shandong, L=qingdao, O=pojun.tech, OU=Opt, CN=ca.pojun.tech
        Validity
            Not Before: Sep 29 03:40:10 2017 GMT
            Not After : Sep 24 03:40:10 2037 GMT
        Subject: C=CN, ST=shandong, L=qingdao, O=pojun.tech, OU=Opt, CN=ca.pojun.tech

    *******************Public key and signature information are omitted*************************

3. Create the two files required for issuing certificates

If these two files are not created in advance, errors occur when issuing certificates.
We create them under the paths specified in the configuration file.

  • Create the certificate index database: touch /etc/pki/CA/index.txt
  • Set the serial number of the first certificate to be issued: echo 01 > /etc/pki/CA/serial

Applying for a certificate on Host A

1. Install the mod_ssl dynamic module

First install the mod_ssl module on Host A, then look at what it contains.

[root@centos6 ~]$rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf  # configuration file
/usr/lib64/httpd/modules/mod_ssl.so  # Apache Dynamic Module
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem

Open /etc/httpd/conf.d/ssl.conf and you will find that mod_ssl has already configured a certificate file for us, but that default certificate is of no use here. Next we apply for our own certificate and replace it.

2. Generate the private key file

Because the private key is used by the web server, it can be kept in the web server's configuration directory, which is convenient for management.

# First, create a directory to manage the generated private key and certificate request files, depending on your actual situation.
[root@centos6 ~]$ mkdir /etc/httpd/conf.d/ssl

# Generate your own private key file
[root@centos6 ~]$(umask 066; openssl genrsa -out /etc/httpd/conf.d/ssl/httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.++++++
...++++++
e is 65537 (0x10001)

3. Generate the certificate request file

Generate your own certificate request file; it is sent to host B (the root CA) to apply for the certificate. The domain name is a wildcard domain name.
That is, once the whole environment is configured, we access the site as https://*.a.com (any host name under a.com), and the server automatically encrypts our requests.

# Generate your own certificate request file, which ends in .csr
[root@centos6 ssl]$openssl req -new -key /etc/httpd/conf.d/ssl/httpd.key -out /etc/httpd/conf.d/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:yantai
Organization Name (eg, company) [Default Company Ltd]:pojun.tech
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:*.a.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4. Send the certificate request file to the certificate authority (host B)

We need to send the certificate request file to the certification authority.

[root@centos6 ssl]$scp /etc/httpd/conf.d/ssl/httpd.csr  172.18.2.77:/etc/pki/CA/
root@172.18.2.77's password: 
httpd.csr                                        100%  647     0.6KB/s   00:00 

5. Certificate issuance at the root CA (host B)

The CA on host B signs the request and issues the certificate.

# Issue the certificate from the certificate request submitted by host A
[root@localhost ~]#openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
*****************Output information is omitted in the middle***********************

Send the issued certificate file back to the applicant (Host A)

# As noted earlier, certificate files are stored in the /etc/httpd/conf.d/ssl/ directory

[root@localhost ~]#scp  /etc/pki/CA/certs/httpd.crt  172.18.2.66:/etc/httpd/conf.d/ssl/
The authenticity of host '172.18.2.66 (172.18.2.66)' can't be established.
RSA key fingerprint is 00:c0:e5:a6:39:e9:a7:bb:1b:f4:ab:0d:75:9b:38:b0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.2.66' (RSA) to the list of known hosts.
root@172.18.2.66's password: 
httpd.crt                                         100% 3714     3.6KB/s   00:00 

Send the root CA certificate to the web server (host A) as well. This step is essential.

[root@localhost ~]#scp  /etc/pki/CA/cacert.pem   172.18.2.66:/etc/httpd/conf.d/ssl/
root@172.18.2.66's password: 
cacert.pem                                   100% 1334     1.3KB/s   00:00    

Configuring Web Server on Host A

First configure the web server's private key file and certificate file by editing /etc/httpd/conf.d/ssl.conf.

Then configure the path of the root CA certificate in the same configuration file.
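The directives behind these two steps, as an added example that is not part of the original post: the SSL virtual host block for /etc/httpd/conf.d/ssl.conf on host A, using the file paths created above. The SSLProtocol and SSLCipherSuite lines are hardening additions; the stock ssl.conf already contains LoadModule and Listen 443, so they are not repeated here.

```apache
# Added example (not from the original post): replace the default
# <VirtualHost _default_:443> block in /etc/httpd/conf.d/ssl.conf with this.
<VirtualHost _default_:443>
    # The certificate CN is *.a.com, so both names from ca.conf are covered.
    ServerName www.a.com
    ServerAlias mail.a.com
    DocumentRoot "/var/www/html"

    SSLEngine on

    # Certificate issued by the root CA on host B and the matching private key.
    # The key was created with umask 066, so only root can read it; keep it so.
    SSLCertificateFile    /etc/httpd/conf.d/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key

    # Root CA certificate copied from host B. In httpd 2.2 this directive is
    # what mod_ssl uses to verify *client* certificates; the chain sent to
    # browsers is taken from SSLCertificateChainFile (not needed here, since
    # the server certificate is signed directly by the root). Browsers trust
    # the site only after this self-signed root is imported, as noted below.
    SSLCACertificateFile  /etc/httpd/conf.d/ssl/cacert.pem

    # Hardening additions: disable SSLv2/SSLv3 and weak ciphers.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
</VirtualHost>
```

Check the syntax with `httpd -t` before restarting httpd. From a client that has cacert.pem, `openssl s_client -connect www.a.com:443 -CAfile cacert.pem` should end with `Verify return code: 0 (ok)`, confirming the served certificate chains to the root CA built on host B.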

Configure FQDN

Configuring FQDN-based virtual hosts on Apache httpd 2.2 is described in another article of mine. If you have questions, see the following pages:
http://www.pojun.tech/blog/2017/09/27/linux-middle-command-5
http://xiaoshuaigege.blog.51cto.com/blog/6217242/1969618
http://blog.csdn.net/eumenides_s/article/details/78130561

The configuration is given directly here; the file is located under /etc/httpd/conf.d/.

[root@centos6 conf.d]$cat ca.conf 
# This directive must be present.
NameVirtualHost *:80 

<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/var/www/html"
</VirtualHost>
<VirtualHost *:80>
ServerName mail.a.com
DocumentRoot "/var/www/html"
</VirtualHost>

Test results

With the above configuration, Apache HTTPS encrypted communication is in place. Now let's verify the result.
We need a browser to access the addresses configured in the FQDN virtual hosts: www.a.com and mail.a.com.
Note: DNS should be configured for this. Since I am using a browser on a Windows host, we take a shortcut and edit the file C:\Windows\System32\drivers\etc\hosts, adding a line at the end.

# Add this name resolution entry.
172.18.2.66 www.a.com  mail.a.com

After adding the above entry, we can access our web service through the browser (IE is recommended).

You can view the certificate path in IE. Note: the root CA certificate must be installed in the browser's trust store; if you are unsure how, look it up.

In summary, after all this configuration we should understand as a whole what HTTPS encrypted communication and certificate applications are about. This case can also be used in actual production. If you have any questions, please leave a message.

Posted by kendall on Mon, 20 May 2019 12:16:34 -0700