Don’t be confused by the two port numbers shown above; both are available on most hosting services nowadays. All you have to do is pay, build your application around the server's behaviour & enjoy the service. The real challenge comes if you plan to build your own public web server from pieces: a lot has to be configured beyond the standard defaults. Your priorities should be performance, security, availability & flexibility. As the super user, the life & death of the application is in your hands.
Back to the topic: as the title says, this article only explains how to customize the SSL configuration of the Apache Web Server on Linux. Before continuing, here are my assumptions about you: you are able to install a Linux web server, including Apache & PHP. PHP programming skills, at least basic ones, are a great advantage too, so that you can test the SSL process against your own application script. Last but not least, a public IP & a domain name let you watch the process online; if you don’t have them yet, you can test locally.
Okay, have you ever seen the picture above in the Firefox browser, especially the part marked with the red box? It is an example from one of my web-based application projects, taken before entering an HTTPS page served by the SSL module of a default Apache installation. Continuing displays an error dialog box stating that there is a domain name mismatch.
The error arises because the domain name is not the one the SSL certificate belongs to. The real domain name is xxx.co.id, but the certificate refers to localhost.localdomain. You will always see this error until you reconfigure the SSL module, since the server uses a default certificate key named server.key, located at /etc/httpd/conf/ssl.key/server.key on Red Hat Enterprise Linux. So what we should do is generate a new certificate that refers to the real domain name. To do this, first log on to the server & stay in the home directory. Now let’s create a new key file, named after the valid domain name, with the command below:
[root@home]# openssl genrsa 1024 > www.domain.name.key [enter]
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
After the www.domain.name.key file is created, continue by creating a CSR file:
[root@home]# openssl req -new -key www.domain.name.key -out www.domain.name.csr [enter]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:ID
State or Province Name (full name) [Berkshire]:DKI JAKARTA
Locality Name (eg, city) [Newbury]:JAKARTA
Organization Name (eg, company) [My Company Ltd]: PT. MAJU MUNDUR BERSAMA
Organizational Unit Name (eg, section) :DIVISI TEKNOLOGI INFORMASI
Common Name (eg, your name or your server's hostname) :www.domain.name
Email Address :email@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
The table below gives short documentation on the Distinguished Name fields:
| Field | Description | Example |
|---|---|---|
| Country Name | The two-letter ISO abbreviation for your country | ID = Indonesia |
| State or Province Name | The state or province where your organization is located. Cannot be abbreviated | DKI JAKARTA |
| City or Locality | The city where your organization is located | JAKARTA |
| Organization Name | The exact legal name of your organization. Do not abbreviate | PT. MAJU MUNDUR BERSAMA |
| Organizational Unit | Optional, for additional organization information | DIVISI TEKNOLOGI INFORMASI |
| Common Name | The fully qualified domain name of your web server. You will get a certificate name check warning if this is not an exact match | www.domain.name |
| Email Address | The server admin's email address | email@example.com |
After you have made the CSR file named www.domain.name.csr, you next need to create the CRT file, which is your new certificate. Run the following command in the same directory:
[root@home]# openssl req -x509 -days 100000 -key www.domain.name.key -in www.domain.name.csr -out www.domain.name.crt [enter]
Note that I gave the certificate 100000 days until it expires. That’s all; you now have 3 new files with the extensions .key, .csr & .crt. Copy the .key file to the ssl.key directory located in /etc/httpd/conf. The .csr file must likewise be copied to the ssl.csr directory, and the .crt file to the ssl.crt directory.
The next step is to reconfigure the ssl.conf file. Find the crt & key values & replace each with the new file you created. Below is the slice of ssl.conf you have to edit:
# Server Certificate:
SSLCertificateFile /etc/httpd/conf/ssl.crt/www.domain.name.crt
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.domain.name.key
After editing ssl.conf, it is httpd.conf’s turn. Add the complete lines below at the end of the httpd.conf file (the SetEnvIf line works around the SSL shutdown handling of old Internet Explorer versions; the Files block exports the SSL_* environment variables to CGI & PHP scripts, which is what lets you test the SSL process from your own application script):
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
<Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
    SSLOptions +StdEnvVars
</Files>
After that, restart the web service in order to test the customization:
[root@home]# service httpd restart [enter]
Now load the HTTPS page in your browser to see the changes:
The green box shows the change: the value is now the same as the domain name. For more detail, hit the Examine Certificate… button & look at the information in the dialog box.
The Distinguished Name fields now carry the new values. For more, take a look at the Details tab, under the Issuer certificate fields; those values are affected as well. This means your customization succeeded.
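The whole procedure above (key, CSR, self-signed certificate) as one non-interactive script, together with the two checks worth running before copying the files into /etc/httpd/conf: that the certificate actually names the host (the mismatch Firefox complained about) and that the key and certificate belong together. This is an added example, not code from the original article; it assumes openssl is on the PATH, and it goes slightly beyond the article by using a 2048-bit key and adding a subjectAltName, since current browsers reject 1024-bit RSA and match the hostname against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example (not from the article): the article's key -> CSR -> crt steps as one
# function plus two sanity checks. Assumes openssl in PATH; hostname and DN values
# are the article's placeholders.

# make_selfsigned <fqdn> <outdir> [days]: writes <fqdn>.key, <fqdn>.csr, <fqdn>.crt
make_selfsigned() {
    fqdn="$1"; dir="$2"; days="${3:-365}"
    mkdir -p "$dir"
    # 2048-bit key instead of the article's 1024: browsers no longer accept 1024-bit RSA
    openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null
    # Same DN as the article's transcript, passed with -subj instead of the prompts;
    # the CN is taken from $fqdn, since a wrong CN is what caused the mismatch error
    openssl req -new -key "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
        -subj "/C=ID/ST=DKI JAKARTA/L=JAKARTA/O=PT. MAJU MUNDUR BERSAMA/OU=DIVISI TEKNOLOGI INFORMASI/CN=$fqdn"
    # Self-sign the CSR; the extfile adds a subjectAltName because current browsers
    # match the hostname against SAN only and ignore CN
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/$fqdn.ext"
    openssl x509 -req -in "$dir/$fqdn.csr" -signkey "$dir/$fqdn.key" -days "$days" \
        -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn.crt" 2>/dev/null
}

# cert_names_host <crt> <fqdn>: succeeds only if the certificate is valid for that
# host (the same CN/SAN check a browser does; the default localhost.localdomain
# certificate fails it for www.domain.name)
cert_names_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# key_matches_cert <crt> <key>: succeeds only if the private key belongs to the
# certificate, i.e. SSLCertificateFile and SSLCertificateKeyFile point at a real pair
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo with the article's hostname in a scratch directory
demo=$(mktemp -d)
make_selfsigned www.domain.name "$demo" 365
cert_names_host "$demo/www.domain.name.crt" www.domain.name && echo "certificate names www.domain.name"
key_matches_cert "$demo/www.domain.name.crt" "$demo/www.domain.name.key" && echo "key and certificate are a pair"
openssl x509 -in "$demo/www.domain.name.crt" -noout -subject -enddate
```

The days argument defaults to 365 rather than the article's 100000; short-lived certificates are the normal practice and are easier to rotate.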
Labels: Web Programming