Customizing SSL with Apache Web Server

In certain situations, a web-based application uses the HTTPS port to protect the data submitted from client to server or the other way round. This is not the only way, but it is always an important consideration for a web programmer who wants to secure the application and its data against threats such as attackers. For example, some e-commerce websites and internet banking sites still use this method. As the name says, SSL is meant to make the data transmission socket safer. Read this for more detailed information about Secure Socket Layer. By default, HTTP (the common web page) uses port 80 for communication, while HTTPS uses a different port, 443.

Don't be confused by the two port numbers above; both are likely available on most hosting services nowadays. All you have to do is pay, treat your application the way the server expects, and enjoy the service. It is certainly more challenging if you plan to build your own public web server from scratch: lots of things have to be configured beyond the standard configuration, and you have to think about the priorities, which are performance, security, availability and flexibility. As the superuser, the application's life and death are at your fingertips.

Back to the topic: as the title says, this article only explains how to customize the SSL configuration of the Apache web server on Linux. Before continuing, here are my assumptions about you: you are able to install a Linux web server, including Apache and PHP. PHP programming skills are a great advantage too, at least at a basic level, so that you can test the SSL process on your own application script. Last but not least, a public IP and a domain name are available so you can watch the process online. If you don't have them yet, you may test locally.



Okay, have you ever seen the picture above in the Firefox browser, especially the part marked with the red box? It is an example from one of my web-based application projects, shown before entering an HTTPS page served by the SSL module of a default Apache installation. Continuing displays an error dialog box stating that there is a domain name mismatch.



The error arises because the domain name is not the same as the one the SSL certificate belongs to. The real domain name is xxx.co.id, but the certificate refers to localhost.localdomain. You will always see this error if you have not yet reconfigured the SSL module, since the server uses a default certificate key named server.key, located at /etc/httpd/conf/ssl.key/server.key on Red Hat Enterprise Linux. So what we should do is generate a new certificate that refers to the real domain name. To do this, first log on to the server and stay in the home directory. Now let's create a new key file, named after the valid domain name, with the command below:

[root@home]# openssl genrsa 1024 > www.domain.name.key [enter]
Generating RSA private key, 1024 bit long modulus
............++++++
..++++++
e is 65537 (0x10001)


After the www.domain.name.key file is created, continue by creating a CSR file:

[root@home]# openssl req -new -key www.domain.name.key -out www.domain.name.csr [enter]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:ID
State or Province Name (full name) [Berkshire]:DKI JAKARTA
Locality Name (eg, city) [Newbury]:JAKARTA
Organization Name (eg, company) [My Company Ltd]: PT. MAJU MUNDUR BERSAMA
Organizational Unit Name (eg, section) []:DIVISI TEKNOLOGI INFORMASI
Common Name (eg, your name or your server's hostname) []:www.domain.name
Email Address []:webmaster@domain.name

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


The table below gives short documentation of the Distinguished Name fields:

Name Field             | Explanation                                                                                                                   | Example
Country Name           | The two-letter ISO abbreviation for your country                                                                              | ID = Indonesia
State or Province Name | The state or province where your organization is located. Cannot be abbreviated                                               | DKI JAKARTA
City or Locality       | The city where your organization is located                                                                                   | JAKARTA
Organization Name      | The exact legal name of your organization. Do not abbreviate                                                                  | PT. MAJU MUNDUR BERSAMA
Organizational Unit    | Optional, for additional organization information                                                                             | DIVISI TEKNOLOGI INFORMASI
Common Name            | The fully qualified domain name of your web server. You will get a certificate name check warning if this is not an exact match | www.domain.name
Email Address          | The server admin's email address                                                                                              | webmaster@domain.name


After you have made the CSR file named www.domain.name.csr, you next need to create the CRT file, which is the new certificate itself. Run the following command in the same directory:

[root@home]# openssl req -x509 -days 100000 -key www.domain.name.key -in www.domain.name.csr -out www.domain.name.crt [enter]


Note that I gave the certificate 100000 days before it expires. That's all; you now have three new files with the extensions .key, .csr and .crt. Copy the .key file to the ssl.key directory located under /etc/httpd/conf. The .csr file must also be copied to the ssl.csr directory, and the .crt file to the ssl.crt directory.

The next step is to reconfigure the ssl.conf file. Find the crt and key string values and replace each with the new file you created. Below is the slice of ssl.conf you have to edit:


# Server Certificate:
SSLCertificateFile /etc/httpd/conf/ssl.crt/www.domain.name.crt
...
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.domain.name.key


After editing ssl.conf, it's time to edit httpd.conf. Add the complete block below at the end of the httpd.conf file:

NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # Key and certificate generated above, relative to ServerRoot
    SSLCertificateKeyFile conf/ssl.key/www.domain.name.key
    SSLCertificateFile conf/ssl.crt/www.domain.name.crt
    DocumentRoot /path/to/html
    # Must match the Common Name in the certificate
    ServerName www.domain.name
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
        SSLOptions +StdEnvVars
    </Files>
</VirtualHost>


After that, restart the web service in order to test this customization:

[root@home]# service httpd restart [enter]


Now load the HTTPS page in your browser to see the changes:



The green box shows the change: the value is now the same as the domain name. For more detail, click the Examine Certificate… button and look at the information in the dialog box.



The Distinguished Name values are now valid, with the changes you made. For more, look at the Details tab, under the Issuer Certificate Fields; those values are affected as well. This means your customization succeeded.
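The domain-name check that produced the mismatch dialog earlier, and that now passes, can be reproduced offline. This added example (not code from the original article) matches a hostname against the names in a certificate's subject and subjectAltName, using the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the two sample certificates are constructed here, not taken from a real server.

```python
"""Hostname-vs-certificate check of the kind a browser performs before it
shows the "domain name mismatch" dialog. Added example, not from the article.
Operates on the dict shape returned by ssl.SSLSocket.getpeercert()."""
from __future__ import annotations


def _dns_name_match(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a host. A single leading '*.'
    wildcard stands in for exactly one label (RFC 6125 style, simplified)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        # same label count, at least "*.second.tld", and everything after
        # the wildcard label must be identical
        return len(p_labels) == len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return False


def cert_names(cert: dict) -> list[str]:
    """DNS names the certificate is valid for: SAN dNSName entries when any
    are present; otherwise the subject commonName (legacy fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, host: str) -> bool:
    """True if the browser would accept this certificate for this host."""
    return any(_dns_name_match(name, host) for name in cert_names(cert))


# Constructed sample certificates (subject/SAN fields only, others omitted).
DEFAULT_CERT = {"subject": ((("commonName", "localhost.localdomain"),),)}
NEW_CERT = {
    "subject": ((("commonName", "www.domain.name"),),),
    "subjectAltName": (("DNS", "www.domain.name"), ("DNS", "domain.name")),
}

if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_CERT), ("regenerated", NEW_CERT)):
        ok = hostname_matches(cert, "www.domain.name")
        print(f"{label}: names={cert_names(cert)} -> {'match' if ok else 'MISMATCH'}")
```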


Sincerely,

Eko Wahyudiharto
PS: If you've benefited from this blog,
you can support it by making a small contribution.


  1. Anonymous arenosoft said,

    Thursday, June 05, 2008 11:59:00 PM

    trackback from http://arenosoft.wordpress.com
    Indonesia Software Engineer Outsource

  2. OpenID webhostings said,

    Friday, December 30, 2011 4:34:00 PM

    I followed the above steps to customize the SSL certificate on my server. All the points above are explained very clearly. Great informative post, and I really like your information. web hosting
