Securing the Apache server is one of the most important tasks of the webmaster. In this example, we will show you how to use SSL keys with your Apache web server.
Create Certificates
Change to the following directory:
# cd /etc/pki/tls/certs
Run the following command to make the server key file:
[root@amir certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
..................+++
..........................................+++
e is 65537 (0x10001)
Enter pass phrase: #give your password here
Verifying - Enter pass phrase: #give your password here
Remove the passphrase from the private key:
[root@amir certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: #give your password here
writing RSA key
Generate the CSR file:
[root@amir certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BD
State or Province Name (full name) []:Bangladesh
Locality Name (eg, city) [Default City]: Dhaka
Organization Name (eg, company) [Default Company Ltd]:MCC Ltd.
Organizational Unit Name (eg, section) []:MCC Ltd.
Common Name (eg, your name or your server's hostname) []:Centos6-Unixmen
Email Address []:amirrumee@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #give your password here
An optional company name []: MCCLtd
[root@amir certs]#
Sign the CSR with the server key and set the number of days until expiration:
[root@amir certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 10000
Signature ok
subject=/C=NL/ST=Bangladesh/L= Bangladesh /O=MCC Ltd/OU= MCC Ltd /CN=amir/emailAddress=amirrumee@gmail.com
Getting Private key
[root@amir certs]#
Configure SSL keys with Apache
# yum -y install httpd mod_ssl
Configure '/etc/httpd/conf.d/ssl.conf'
Your ssl.conf should be like this:
[root@amir conf.d]# cat /etc/httpd/conf.d/ssl.conf | grep -v "#"
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName 127.0.0.1:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
[root@amir conf.d]#
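Before restarting httpd it is worth confirming that server.key and server.crt actually belong together, that the certificate is not about to expire, and that the protocol and cipher directives are not weaker than intended (the ssl.conf above still permits SSLv3, RC4 and LOW-grade ciphers, and a misspelt directive such as "SLProtocol" silently falls back to the mod_ssl default). The POSIX shell functions below are an added example, not part of the original post; they assume openssl is on PATH and take the file paths as arguments.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the key,
# certificate and ssl.conf produced by the steps above. Assumes openssl is
# on PATH; the file paths are passed in by the caller.

# Exit 0 only when the private key and the certificate carry the same public
# key. A mismatched pair makes httpd fail to start once SSLEngine is on.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Exit 0 if the certificate $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Report weak TLS settings in an ssl.conf-style file, one finding per line.
# Exit 1 when anything is flagged, 0 when the file passes.
lint_ssl_conf() {
    # Ignore comment lines and keep the last occurrence of each directive;
    # a misspelt directive (e.g. "SLProtocol") is simply not found.
    proto=$(grep -v '^[[:space:]]*#' "$1" | grep -w SSLProtocol | tail -n 1)
    ciphers=$(grep -v '^[[:space:]]*#' "$1" | grep -w SSLCipherSuite | tail -n 1)
    findings=0
    if [ -z "$proto" ]; then
        echo "SSLProtocol directive missing or misspelt (mod_ssl default applies)"
        findings=1
    elif ! echo "$proto" | grep -q -- '-SSLv3'; then
        echo "SSLv3 still enabled: $proto"
        findings=1
    fi
    # Flag a weak cipher class unless the suite string excludes it with '!'.
    for weak in LOW EXPORT RC4; do
        if echo "$ciphers" | grep -q "$weak" && ! echo "$ciphers" | grep -q "!$weak"; then
            echo "weak cipher class allowed: $weak"
            findings=1
        fi
    done
    return $findings
}
```

Run it as `lint_ssl_conf /etc/httpd/conf.d/ssl.conf` and `key_matches_cert /etc/pki/tls/certs/server.key /etc/pki/tls/certs/server.crt` after sourcing the file; a non-zero exit from either is a reason not to restart yet.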
Restart Apache
Check that ports 80 and 443 are listening:
[root@amir conf.d]# netstat -an | grep 443
tcp 0 0 :::443 :::* LISTEN
[root@amir conf.d]# netstat -an | grep 80
tcp 0 0 :::80 :::* LISTEN
[root@amir conf.d]#
Allow ports 80 and 443 through iptables:
vim /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
Restart iptables:
# service iptables restart
Open the browser and check https://IP-Address.
Done.