HTTPS

---------

A Secure Apache HTTPS Server With SSL

# yum -y install openssl  mod_ssl cyrus*

Create SSL Certificates

Create a self-signed SSL certificate. However, if you run the server for business use, it is better to buy and use a formal certificate from VeriSign or a similar certificate authority.

[root@www ~]# cd /etc/pki/tls/certs 

[root@www certs]# make server.key 

umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)

Enter pass phrase:# set passphrase

Verifying - Enter pass phrase:# confirm

# remove passphrase from private key

[root@www certs]# openssl rsa -in server.key -out server.key 

Enter pass phrase for server.key:# input passphrase

writing RSA key

[root@www certs]# make server.csr 

umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [XX]:BD

State or Province Name (full name) []:Dhaka

Locality Name (eg, city) [Default City]:Dhaka

Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.

Organizational Unit Name (eg, section) []:worldcm.net

Common Name (eg, your name or your server's hostname) []:mail.worldcm.net

Email Address []: admin@worldcm.net

A challenge password []:world  OR  Enter

An optional company name []: worldcm  OR  Enter

[root@www certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

Signature ok

subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.srv.world/emailAddress=xxx@srv.world

Getting Private key

-----------------

Configure httpd for SSL/TLS.

[root@www ~]# yum install mod_ssl openssl

[root@www ~]# vi /etc/httpd/conf.d/ssl.conf

# line 59: uncomment

DocumentRoot "/var/www/html"

# line 60: uncomment and specify the server name

ServerName www.worldcm.net:443

# line 75: change

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

# line 100: change to the one got in [1]

SSLCertificateFile /etc/pki/tls/certs/server.crt

# line 107: change to the one got in [1]

SSLCertificateKeyFile /etc/pki/tls/certs/server.key

# line 116: change to the one got in [1]

SSLCertificateChainFile /etc/letsencrypt/live/www.worldcm.net/chain.pem

[root@www ~]# systemctl restart httpd
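
TLS 1.0 and 1.1, which the SSLProtocol line above still enables, were formally deprecated by RFC 8996. The following is an added example, not part of the original page, that reports the protocol versions each active SSLProtocol directive leaves enabled so legacy ones stand out; the sample file is constructed, and expanding "all" to every listed version is an assumption (the widest case).

```shell
#!/bin/bash
# Added example: list the protocol versions an ssl.conf leaves enabled.

# effective_protocols FILE: print "LINE: proto proto ..." for each active
# SSLProtocol directive. "+x" adds, "-x" removes, a bare name replaces the set.
# Assumption: "all" is expanded to every version listed in BEGIN.
effective_protocols() {
    awk '
    BEGIN { n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", known, " ") }
    /^[ \t]*#/ { next }                       # skip commented-out directives
    tolower($1) == "sslprotocol" {
        for (k = 1; k <= n; k++) on[known[k]] = 0
        for (i = 2; i <= NF; i++) {
            tok = $i; op = substr(tok, 1, 1)
            if (op == "+" || op == "-") tok = substr(tok, 2); else op = "="
            for (k = 1; k <= n; k++) {
                hit = (tolower(tok) == "all" || tolower(tok) == tolower(known[k]))
                if (op == "=") on[known[k]] = hit
                else if (hit) on[known[k]] = (op == "+")
            }
        }
        out = ""
        for (k = 1; k <= n; k++) if (on[known[k]]) out = out " " known[k]
        print NR ":" out
    }' "$1"
}

# legacy_findings FILE: only the directives whose effective set still contains
# SSLv3, TLS 1.0 or TLS 1.1. Exit status 1 means nothing was found.
legacy_findings() {
    effective_protocols "$1" | grep -E ' (SSLv3|TLSv1|TLSv1\.1)( |$)'
}

demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample mirroring the directive shown on this page
#SSLProtocol all -SSLv2
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
EOF
    effective_protocols "$f"      # prints "3: TLSv1 TLSv1.1 TLSv1.2"
    rm -f "$f"
}
demo
```

Run legacy_findings against /etc/httpd/conf.d/ssl.conf before restarting httpd; a setting such as "SSLProtocol -All +TLSv1.2" produces no findings.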

[3] If you'd like HTTP connections to be redirected to HTTPS (Always on SSL/TLS), configure each VirtualHost as follows.

It can also be set in [.htaccess] instead of httpd.conf.

[root@www ~]# vi /etc/httpd/conf.d/vhost.conf

<VirtualHost *:80>

    DocumentRoot /var/www/html

    ServerName www.worldcm.net

    RewriteEngine On

    RewriteCond %{HTTPS} off

    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

</VirtualHost>

[root@www ~]#  systemctl restart httpd

-----------------

Configure SSL.

[root@www ~]# yum -y install mod_ssl

[root@www ~]# vi /etc/httpd/conf.d/ssl.conf

# line 59: uncomment

DocumentRoot "/var/www/html"

# line 60: uncomment and specify the server name

ServerName www.srv.world:443

# line 100: change to the one created in [1]

SSLCertificateFile /etc/pki/tls/certs/server.crt

# line 107: change to the one created in [1]

SSLCertificateKeyFile /etc/pki/tls/certs/server.key

[root@www ~]# systemctl restart httpd 

[3] If Firewalld is running, allow HTTPS service. HTTPS uses 443/TCP.

[root@dlp ~]# firewall-cmd --add-service=https --permanent 

success

[root@dlp ~]# firewall-cmd --reload 

success

This section will walk you through setting up a secure HTTPS connection using SSL on Apache.

Install SSL

In order to secure Apache, you need to install SSL first.

You can install SSL using the following command:

sudo yum install mod_ssl openssl

Generate A Self-Signed Certificate

First, generate a 2048-bit RSA private key, ca.key.

sudo openssl genrsa -out ca.key 2048

Then generate the certificate signing request ca.csr using the following command.

sudo openssl req -new -key ca.key -out ca.csr

You will be prompted for information about the certificate.

Finally, generate a self-signed X.509 certificate, ca.crt, valid for 365 days.

sudo openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

After creating the certificate, you need to copy all of the certificate files to the necessary directories.

You can do this by running the following commands:

sudo cp ca.crt /etc/pki/tls/certs/

sudo cp ca.key /etc/pki/tls/private/

sudo cp ca.csr /etc/pki/tls/private/
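
Both certificate procedures on this page (server.key/server.crt earlier and ca.key/ca.crt here) end with a key and certificate that ssl.conf must reference as a pair. This added example, not part of the original page, repeats the three openssl steps non-interactively in a scratch directory and then checks that the certificate carries the key's public key and that the key file is readable by its owner only; the file names and CN are constructed.

```shell
#!/bin/bash
# Added example: verify a key/certificate pair before pointing ssl.conf at it.

# make_selfsigned DIR NAME CN: the page's genrsa / req / x509 steps, no prompts.
make_selfsigned() {
    ( umask 077
      openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
      openssl req -new -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr" &&
      openssl x509 -req -days 365 -in "$1/$2.csr" -signkey "$1/$2.key" \
              -out "$1/$2.crt" 2>/dev/null )
}

# pubkey_of key|cert FILE: print the PEM public key contained in FILE.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
    esac
}

# check_pair KEY CERT
#   0 = certificate matches the key and the key is owner-only
#   1 = certificate was issued for a different key
#   2 = key file is accessible to group or others
#   3 = a file could not be parsed (missing, corrupt, or passphrase-protected)
check_pair() {
    cp_key=$(pubkey_of key "$1")
    cp_crt=$(pubkey_of cert "$2")
    [ -n "$cp_key" ] && [ -n "$cp_crt" ] || return 3
    [ "$cp_key" = "$cp_crt" ] || return 1
    case "$(stat -c '%a' "$1")" in       # GNU stat, as shipped on CentOS
        *00) return 0 ;;
        *)   return 2 ;;
    esac
}

# Demo on a throwaway pair (constructed CN).
demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" server www.example.test || return 1
    rc=0; check_pair "$d/server.key" "$d/server.crt" || rc=$?
    echo "check_pair exit status: $rc"
    rm -rf "$d"
    return "$rc"
}
demo
```

Against the files from this page, the call would be check_pair /etc/pki/tls/private/ca.key /etc/pki/tls/certs/ca.crt, run as root.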

Set Up The Certificates

All the certificates are ready. The next thing to do is to set up Apache to use the new certificates.

You can do this by editing the SSL config file:

sudo nano /etc/httpd/conf.d/ssl.conf

Find the section that begins with <VirtualHost _default_:443>. Uncomment the DocumentRoot and ServerName line and replace example.com with your server's IP address.

DocumentRoot "/var/www/html"

ServerName 192.168.1.42:443

Next, find the SSLCertificateFile and SSLCertificateKeyFile lines and update them with the new location of the certificates.

SSLEngine on

SSLCertificateFile /etc/pki/tls/certs/ca.crt

SSLCertificateKeyFile /etc/pki/tls/private/ca.key

After making these changes, restart Apache service for the changes to take effect.

sudo systemctl restart httpd

Test The Secure Apache HTTPS Server

To verify that the secure Apache HTTPS web server is working, open your web browser and go to your server's IP Address with the url https://your.server.ip.address.

-----------