Securing Apache using mod_ssl, OpenSSL and Microsoft Certificate Authority (CA)

Recently, I used my Windows domain's Enterprise Root Certification Authority to secure my Subversion repository, which is hosted on an Apache-based server. The process was rather straightforward and relatively fast -- especially because I skipped all of the file transfers and just used vi/Notepad to copy and paste all of the key material. The first step in this process is to generate a server key on the Linux machine:

ariel:~ # openssl genrsa -des3 -out ariel.corp.netnerds.net.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
...................................++++++
e is 65537 (0x10001)
Enter pass phrase for ariel.corp.netnerds.net.key: **********
Verifying - Enter pass phrase for ariel.corp.netnerds.net.key: **********

Next, I used the key to create a certificate signing request (CSR):

ariel:~ # openssl req -new -key ariel.corp.netnerds.net.key -out ariel.corp.netnerds.net.csr
Enter pass phrase for ariel.key: **********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:LA
Locality Name (eg, city) []:Kaplan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:netnerds
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:ariel.corp.netnerds.net
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Next, I printed the contents of ariel.corp.netnerds.net.csr to the terminal (cat) and copied them to my clipboard. The request looked something like this:

-----BEGIN CERTIFICATE REQUEST-----
wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
......
vwL6
-----END CERTIFICATE REQUEST-----

I then opened up my domain's CA at https://windowsCA/certsrv and went to:

  • Request a certificate -> Or, submit an advanced certificate request.

  • Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

  • Saved Request:
    -----BEGIN CERTIFICATE REQUEST-----
    wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
    ......
    vwL6
    -----END CERTIFICATE REQUEST-----

    Certificate Template: Web Server

Note: Be sure to decline when prompted by the browser to install the certificate locally.

I then opened the file in Notepad and pasted its contents into a file on the Linux box called temp.key. To avoid having to type the passphrase every time Apache is restarted, I stripped the passphrase from the key ("decoded" it) and moved the result to the Apache directory:

openssl rsa -in temp.key -out ariel.corp.netnerds.net-decoded.key

Next, I copied the files into the appropriate directories under /etc/apache2/ssl* and added the file locations to my /etc/apache2/vhosts.d/vhost-ssl.conf:

SSLCertificateFile /etc/apache2/ssl.key/../ssl.crt/ariel.corp.netnerds.net.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/ariel.corp.netnerds.net-decoded.key

Finally, I restarted the Apache service and then partied to Wayne Toups.
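The whole procedure above, run non-interactively, as an added example that is not part of the original post. The hostname and DN come from the post; the passphrase, the working directory and the throwaway local CA are constructed for the demo (the local CA stands in for the Windows Enterprise CA, which cannot be reached from a script like this). Beyond what the post shows, it verifies the CSR before submission, confirms that the certificate the CA returned actually belongs to the key, and locks down the passphrase-free key, which is protected by nothing but file permissions once it has been "decoded".

```shell
#!/bin/sh
# Added example (not from the original post). Key -> CSR -> signing ->
# passphrase removal -> pre-restart checks. Demo values are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="ariel.corp.netnerds.net"     # hostname used in the post
PASS="demo-passphrase"             # constructed for the demo only

# Steps 1 and 2 of the post: private key (2048 bits instead of 1024) and a
# CSR whose DN is passed with -subj rather than typed at the prompts.
make_key_and_csr() {
  openssl genrsa -des3 -passout "pass:$PASS" -out "$WORK/$HOST.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$HOST.key" -passin "pass:$PASS" \
    -subj "/C=US/ST=LA/L=Kaplan/O=netnerds/OU=IT/CN=$HOST" \
    -out "$WORK/$HOST.csr" 2>/dev/null
  # Check the CSR's self-signature and its CN before handing it to a CA
  openssl req -in "$WORK/$HOST.csr" -noout -verify >/dev/null 2>&1 &&
    openssl req -in "$WORK/$HOST.csr" -noout -subject | grep -q "CN *= *$HOST"
}

# Stand-in for the Windows CA's "Web Server" template (constructed): a
# throwaway local CA that signs the CSR as a server certificate.
sign_with_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 1 -subj "/CN=demo-ca" 2>/dev/null
  printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$HOST" \
    > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" \
    -out "$WORK/$HOST.crt" 2>/dev/null
}

# The post's "decoding" step: write the key without its passphrase so Apache
# can start unattended, then restrict it to the owner, since nothing else
# protects an unencrypted key at rest.
strip_passphrase() {
  openssl rsa -in "$WORK/$HOST.key" -passin "pass:$PASS" \
    -out "$WORK/$HOST-decoded.key" 2>/dev/null
  chmod 600 "$WORK/$HOST-decoded.key"
  # Must now load with an empty password and pass the RSA consistency check
  openssl rsa -in "$WORK/$HOST-decoded.key" -passin pass: -noout -check >/dev/null 2>&1
}

# Pre-restart check: the certificate's public modulus must equal the key's.
# Usage: cert_matches_key CERT KEY ; returns 0 on match, 1 otherwise.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
  k=$(openssl rsa -in "$2" -passin pass: -noout -modulus 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Full chain; succeeds only when the files are ready for the
# SSLCertificateFile / SSLCertificateKeyFile lines in vhost-ssl.conf.
provision() {
  make_key_and_csr && sign_with_demo_ca && strip_passphrase &&
    cert_matches_key "$WORK/$HOST.crt" "$WORK/$HOST-decoded.key"
}

# Negative case: a key that does not belong to the certificate is rejected.
mismatch_detected() {
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
  ! cert_matches_key "$WORK/$HOST.crt" "$WORK/other.key"
}

# Owner-only permissions on the passphrase-free key (portable ls check).
decoded_key_is_private() {
  [ "$(ls -l "$WORK/$HOST-decoded.key" | cut -c1-10)" = "-rw-------" ]
}

provision && echo "ready: $WORK/$HOST.crt and $WORK/$HOST-decoded.key"
```

The modulus comparison is the check that catches the most common mistake in this copy-and-paste workflow: a certificate pasted back from the CA that was issued for a different CSR than the key now sitting in ssl.key. Run it (or the equivalent `openssl x509 -noout -modulus` / `openssl rsa -noout -modulus` pair by hand) before restarting Apache, not after.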