Securing Apache using mod_ssl, OpenSSL and Microsoft Certificate Authority (CA)

Recently, I used my Windows-based domain’s Enterprise Root Certification Authority to secure my subversion repository that is hosted on an Apache-based server. The process was rather straight-forward and relatively fast — especially because I skipped over all of the file transfers and just used vi/notepad to copy/paste all the key info. The first step in this process is to generate a server key on the Linux machine:

openssl genrsa

ariel:~ # openssl genrsa -des3 -out ariel.corp.netnerds.net.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
................................................................................

...................................++++++
e is 65537 (0x10001)
Enter pass phrase for ariel.corp.netnerds.net.key: **********
Verifying - Enter pass phrase for ariel.corp.netnerds.net.key: **********

Next, I used the key to create a certificate signing request

openssl req

ariel:~ # openssl req -new -key ariel.corp.netnerds.net.key -out ariel.corp.netnerds.net.csr
Enter pass phrase for ariel.key: **********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:LA
Locality Name (eg, city) []:Kaplan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:netnerds
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:ariel.corp.netnerds.net
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Next, I concatenated the contents of ariel.corp.netnerds.net.csr and copied that into my clipboard. The request looked something like this:

-----BEGIN CERTIFICATE REQUEST-----
wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
......
vwL6
-----END CERTIFICATE REQUEST-----

I then opened up my domain’s CA @ http://windowsCA/certsrv and went to

  • Request a certificate
    Or, submit an advanced certificate request.
  • Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  • Saved Request:
    —–BEGIN CERTIFICATE REQUEST—–
    wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
    ……
    vwL6
    —–END CERTIFICATE REQUEST—–

    Certificate Template: Web Server

Note: Be sure to decline when prompted by the browser to install the certificate locally.

I then opened the file in notepad, and copied the contents back into Linux as temp.key. In order to avoid having to type the passphrase in each time Apache is restarted, I decoded the key and moved that to the Apache directory.

openssl rsa -in temp.key -out ariel.corp.netnerds.net-decoded.key

Next, I copied the files into the appropriate directories in /etc/apache/ssl* and modified my /etc/apache2/vhosts.d/vhost-ssl.conf and added the appropriate file locations:

SSLCertificateFile /etc/apache2/ssl.crt/ariel.corp.netnerds.net.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/ariel.corp.netnerds.net-decoded.key

Finally, I restarted the apache service and then partied to Wayne Toups.

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Active Directory, Apache, Linux, Networking, Security
4 comments on “Securing Apache using mod_ssl, OpenSSL and Microsoft Certificate Authority (CA)
  1. clemenceau says:

    Thanks for the article,

    i'm just confused about some things :/

    openssl rsa -in temp.key -out ariel.corp.netnerds.net-decoded.key

    This command has only to be used if you enter a password in the extra attribute right ?

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:

    so if I don't have a password there i save the .cer from certsrv and rename it in .key right ?

    and another thing is

    SSLCertificateFile /etc/apache2/ssl.crt/ariel.corp.netnerds.net.crt

    where does the crt come from please ?

    Yes it's a lot of question but i don't really get it :/

    thank you for replying

  2. Marcin says:

    That is actually an error, you should not decode issued certificate but the private key file you used to generate CSR, so the proper command should be:
    openssl rsa -in ariel.corp.netnerds.net.key -out ariel.corp.netnerds.net-decoded.key

  3. Apache user says:

    Marcin, thank you for your correction – you saved my time.

  4. jFMd says:

    If you skip the encryption (-des3) when generating the private key, you wouldn't have to decrypt it later.

    $ openssl genrsa -out ariel.corp.netnerds.net.key 1024

    Actually I'd also consider to adjust the fileowner of my private key and make it unreadable for all

    $ chown root:ssl-cert ariel.corp.netnerds.net.key
    $ chmod 640 ariel.corp.netnerds.net.key

Leave a Reply

Your email address will not be published. Required fields are marked *

*