Securing Apache using mod_ssl, OpenSSL and Microsoft Certificate Authority (CA)

Recently, I used my Windows-based domain’s Enterprise Root Certification Authority to secure my Subversion repository, which is hosted on an Apache-based server. The process was rather straightforward and relatively fast — especially because I skipped all of the file transfers and just used vi/notepad to copy/paste all the key material. The first step in this process is to generate a server key on the Linux machine:

openssl genrsa

ariel:~ # openssl genrsa -des3 -out ariel.corp.netnerds.net.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
................................................................................

...................................++++++
e is 65537 (0x10001)
Enter pass phrase for ariel.corp.netnerds.net.key: **********
Verifying - Enter pass phrase for ariel.corp.netnerds.net.key: **********

Next, I used the key to create a certificate signing request:

openssl req

ariel:~ # openssl req -new -key ariel.corp.netnerds.net.key -out ariel.corp.netnerds.net.csr
Enter pass phrase for ariel.corp.netnerds.net.key: **********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:LA
Locality Name (eg, city) []:Kaplan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:netnerds
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:ariel.corp.netnerds.net
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Next, I used cat to display the contents of ariel.corp.netnerds.net.csr and copied them into my clipboard. The request looked something like this:

-----BEGIN CERTIFICATE REQUEST-----
wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
......
vwL6
-----END CERTIFICATE REQUEST-----

I then opened my domain’s CA at http://windowsCA/certsrv and went through the following pages:

  • Request a certificate
    Or, submit an advanced certificate request.
  • Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  • Saved Request:
    -----BEGIN CERTIFICATE REQUEST-----
    wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
    ......
    vwL6
    -----END CERTIFICATE REQUEST-----

    Certificate Template: Web Server

Note: Be sure to decline when prompted by the browser to install the certificate locally.

I then opened the downloaded certificate file in Notepad and copied its contents back to the Linux box as temp.key. To avoid having to type the passphrase each time Apache is restarted, I decoded the key and moved it to the Apache directory.

openssl rsa -in temp.key -out ariel.corp.netnerds.net-decoded.key

Next, I copied the files into the appropriate directories under /etc/apache2/ssl.crt and /etc/apache2/ssl.key, then edited /etc/apache2/vhosts.d/vhost-ssl.conf and added the file locations:

SSLCertificateFile /etc/apache2/ssl.crt/ariel.corp.netnerds.net.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/ariel.corp.netnerds.net-decoded.key

Finally, I restarted the Apache service and then partied to Wayne Toups.
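The Linux side of this procedure as one non-interactive script, added here as an example rather than the post's own commands. It applies the two corrections from the comments below (the passphrase comes off the private key, never the issued certificate, and the key file is locked down) and, so that it runs offline, uses a self-signed stand-in for the certificate certsrv would return; the temporary work directory, the 2048-bit key size and the subjectAltName extension are my assumptions, not the post's.

```shell
#!/bin/sh
# Added example (not from the post): the Linux side of the workflow as one
# non-interactive script. Assumed: a mktemp work dir, and a self-signed
# stand-in for the certificate that certsrv would return, so it runs offline.
set -eu
HOST="ariel.corp.netnerds.net"          # CN used in the post
WORK="$(mktemp -d)"
KEY="$WORK/$HOST.key"; CSR="$WORK/$HOST.csr"; CRT="$WORK/$HOST.crt"

# 1. Private key. As jFMd notes, skipping -des3 means there is nothing to
#    decrypt later. 2048 bits: 1024-bit RSA is no longer accepted by clients.
gen_key() {
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  chmod 600 "$KEY"                       # owner-only, per the chmod advice
}

# 2. CSR with the DN from the post, given on the command line instead of at
#    the prompts, plus a SAN (modern clients ignore the CN for hostnames).
gen_csr() {
  openssl req -new -key "$KEY" -out "$CSR" \
    -subj "/C=US/ST=LA/L=Kaplan/O=netnerds/OU=IT/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST"
}

# 3. Offline stand-in for the Web Server certificate certsrv issues.
fake_issue_cert() {
  openssl x509 -req -in "$CSR" -signkey "$KEY" -days 30 -out "$CRT" 2>/dev/null
}

# Checks to run before editing vhost-ssl.conf.
# Marcin's correction, as a test: the certificate and the *private key* must
# carry the same public key. Decrypting the .cer instead of the key fails here.
key_matches_cert() {
  k="$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)"
  c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
       | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)"
  [ "$k" = "$c" ]
}

# True only if Apache can load the key without a passphrase prompt: a bogus
# -passin makes an encrypted key fail instead of blocking on a prompt.
key_is_unencrypted() {
  openssl pkey -in "$1" -noout -passin pass:not-the-passphrase 2>/dev/null
}

run_demo() {
  gen_key && gen_csr && fake_issue_cert \
    && key_matches_cert "$KEY" "$CRT" && key_is_unencrypted "$KEY"
}
run_demo && echo "OK: $KEY and $CRT belong together and need no passphrase"
```

Run key_matches_cert against the real certificate downloaded from certsrv before pointing SSLCertificateFile and SSLCertificateKeyFile at the files; a mismatch there is exactly the mistake the comments describe.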

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, and holds a number of certifications, including those relating to SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in Active Directory, Apache, Linux, Networking, Security
4 comments on “Securing Apache using mod_ssl, OpenSSL and Microsoft Certificate Authority (CA)”
  1. clemenceau says:

    Thanks for the article,

    I'm just confused about some things :/

    openssl rsa -in temp.key -out ariel.corp.netnerds.net-decoded.key

    This command only has to be used if you enter a password in the extra attribute, right?

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:

    So if I don't have a password there, I save the .cer from certsrv and rename it to .key, right?

    And another thing is

    SSLCertificateFile /etc/apache2/ssl.crt/ariel.corp.netnerds.net.crt

    where does the crt come from, please?

    Yes, it's a lot of questions, but I don't really get it :/

    Thank you for replying

  2. Marcin says:

    That is actually an error: you should not decode the issued certificate but the private key file you used to generate the CSR, so the proper command should be:
    openssl rsa -in ariel.corp.netnerds.net.key -out ariel.corp.netnerds.net-decoded.key

  3. Apache user says:

    Marcin, thank you for your correction – you saved me time.

  4. jFMd says:

    If you skip the encryption (-des3) when generating the private key, you wouldn't have to decrypt it later.

    $ openssl genrsa -out ariel.corp.netnerds.net.key 1024

    Actually, I'd also consider adjusting the file owner of my private key and making it unreadable to others:

    $ chown root:ssl-cert ariel.corp.netnerds.net.key
    $ chmod 640 ariel.corp.netnerds.net.key
