Difference between revisions of "Installing SSL certificate in Apache"

From Notes_Wiki
=Using StartSSL certificates for HTTPS=

It is good to have an HTTPS certificate signed by a recognized CA instead of using a self-signed certificate. One viable option for a simple HTTPS certificate used to be http://www.startssl.com (StartCom), which issued certificates recognized by all popular browsers for free. Note that StartCom certificates were distrusted by the major browsers in 2017 and StartCom stopped issuing certificates at the start of 2018, so the steps below are kept only for reference; the installation and hardening steps in the following sections apply to a certificate obtained from any CA. The steps for obtaining such a certificate were:


# Register on the website and provide the authentication code sent by email
# Wait for another acceptance email with a code and paste the same in the browser
# Generate a client certificate to identify oneself.  Take a backup of this certificate, protected with a password, at some safe location.
# Go to Control panel -> Validation wizard -> Domain name validation
# Verify using an email ID of the domain owner.  An email with a verification code will be sent to the chosen email ID.
# Go to Control panel -> Certificate wizard -> SSL/TLS web certificate
# Choose a simple password and create the private key
# Download the private key and decrypt it with the password chosen in the previous step.  The decryption command is shown on the screen as "openssl rsa -in ssl.key -out ssl.key".  The downloaded key is encrypted with the chosen password; the command writes it back unencrypted, so from this point the key file must stay readable by root only.
# Enter the desired TLD and sub-domain for which the certificate is being requested
# Wait for email confirmation of the certificate request
# Download the certificate and copy it to the server along with the key and the CA bundle in PEM format ( https://www.startssl.com/certs/ca-bundle.pem )
==Install SSL certificate in Apache==
For installation of the certificate in Apache use the following steps:
# Copy all three files (certificate, key, CA bundle) to the /etc/httpd/conf folder
# chmod 400 ssl.key
# Edit /etc/httpd/conf.d/ssl.conf and replace the appropriate values.  The following three values need to be updated:
#:<pre>
#::SSLCertificateFile /etc/httpd/conf/ssl.pem
#::SSLCertificateKeyFile /etc/httpd/conf/ssl.key
#::SSLCACertificateFile /etc/httpd/conf/ca-bundle.pem
#:</pre>
#::The private key must be readable by root only (hence the chmod 400 above): httpd reads it as root before dropping privileges, and the worker processes running as the apache user never need it.  SSLCACertificateFile is strictly the list of CAs trusted for client-certificate verification; OpenSSL also uses it to complete the chain sent to browsers, which is why this setup works, but the directive meant for the intermediate chain is SSLCertificateChainFile (or, from Apache 2.4.8 on, appending the intermediate certificates to the file given in SSLCertificateFile).
# Restart Apache and verify that the certificate is working as expected, including that the intermediate CA certificate is sent; a missing chain shows up as a trust error in browsers and in the SSL Labs test referenced below.




=Securing Apache SSL configuration=

The default SSL configuration of Apache is vulnerable to many attacks: it still offers SSLv3 and TLS 1.0/1.1, lets the client rather than the server choose the cipher suite, and accepts suites without forward secrecy.  We can improve the Apache SSL configuration as follows:
#Edit /etc/httpd/conf.d/ssl.conf and replace/insert the following values
#:<pre>
#:: SSLEngine on
#:: SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
#:: SSLHonorCipherOrder on
#:: SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
#:: Header always set Strict-Transport-Security "max-age=31536000"
#:</pre>
#::In case of a VirtualHost the '<tt>SSLEngine On</tt>' line is also required inside the VirtualHost block.  The cipher list uses OpenSSL cipher-string syntax, so every entry must be separated by ':' (a missing separator, such as "EECDH+aRSA!RC4", is parsed by OpenSSL but hides the intent).  The <tt>Header</tt> directive needs mod_headers; once every sub-domain is served over HTTPS, "includeSubDomains" can be added to the HSTS value.
#Check the rating of the HTTPS configuration using https://www.ssllabs.com/ssltest/index.html
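As an added example (not code from the wiki page), the following Python script checks an ssl.conf fragment against the steps above without touching a server. It expands the SSLCipherSuite string with the OpenSSL cipher-list parser that Python's ssl module exposes (the same parser mod_ssl hands the string to, so the result reflects the OpenSSL build it runs on), applies the SSLProtocol +/- grammar, and looks for SSLHonorCipherOrder and the HSTS header. The two configuration fragments inside it, the stock CentOS 6 values and the page's hardened values, are constructed for the example, and the 180-day HSTS_MIN_AGE is the SSL Labs threshold for HSTS credit.

```python
"""Offline lint for the Apache TLS hardening steps above (added example, not
code from the wiki page).  Standard library only: Apache passes the
SSLCipherSuite value unchanged to OpenSSL, and ssl.SSLContext exposes the same
parser, so the expansion matches what mod_ssl negotiates on the same OpenSSL
build.  Both ssl.conf fragments below are constructed for this example."""
import re
import ssl

# SSLCipherSuite value from the page, entries ':'-separated as OpenSSL requires.
HARDENED_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA:EECDH:"
    "!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS")

# Constructed fragments: stock CentOS 6 ssl.conf values, and the page's hardened values.
STOCK_SSL_CONF = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
"""
HARDENED_SSL_CONF = f"""
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "{HARDENED_CIPHERS}"
Header always set Strict-Transport-Security "max-age=31536000"
"""

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # mod_ssl 'all' (never SSLv2)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_ENC = re.compile(r"RC4|RC2|DES|IDEA|SEED|None")  # also matches 3DES and export DES
HSTS_MIN_AGE = 180 * 24 * 3600  # SSL Labs gives HSTS credit only from 180 days


def expand_cipher_suite(spec):
    """Expand an SSLCipherSuite string into the TLS<=1.2 suites OpenSSL selects,
    in server preference order (the order SSLHonorCipherOrder enforces).
    TLS 1.3 suites are configured separately in mod_ssl and are skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if no suite matches
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        # description has the `openssl ciphers -v` layout: NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
        fields = dict(kv.split("=", 1) for kv in c["description"].split()[2:] if "=" in kv)
        suites.append({"name": c["name"], "kx": fields.get("Kx"), "au": fields.get("Au"),
                       "enc": fields.get("Enc"), "mac": fields.get("Mac")})
    return suites


def audit_cipher_suite(spec):
    """Group the suites a reviewer would reject by reason; all lists empty means clean."""
    findings = {"no_forward_secrecy": [], "weak_cipher": [], "weak_mac": [], "anonymous": []}
    for s in expand_cipher_suite(spec):
        if s["kx"] not in ("ECDH", "DH"):  # static RSA key exchange: no forward secrecy
            findings["no_forward_secrecy"].append(s["name"])
        if WEAK_ENC.search(s["enc"] or ""):  # RC4, (3)DES, export and NULL encryption
            findings["weak_cipher"].append(s["name"])
        if s["mac"] == "MD5":
            findings["weak_mac"].append(s["name"])
        if s["au"] == "None":  # aNULL: no server authentication at all
            findings["anonymous"].append(s["name"])
    return findings


def enabled_protocols(sslprotocol_args):
    """Apply mod_ssl's SSLProtocol grammar: 'all', 'name', '+name', '-name'."""
    enabled = set()
    for tok in sslprotocol_args.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if op == "-" else enabled | names
    return enabled


def audit_ssl_conf(conf_text):
    """Check an ssl.conf fragment against the steps above; returns a list of findings."""
    directives = []
    for line in conf_text.splitlines():
        m = re.match(r"(\S+)\s*(.*)", line.strip())
        if m and not m.group(1).startswith(("#", "<")):  # skip comments and section tags
            directives.append((m.group(1).lower(), m.group(2)))
    single = dict(d for d in directives if d[0] != "header")  # last occurrence wins
    findings = []
    if single.get("sslengine", "").lower() != "on":
        findings.append("SSLEngine is not 'on' (needed in every TLS VirtualHost)")
    legacy = enabled_protocols(single.get("sslprotocol", "all")) & LEGACY_PROTOCOLS
    if legacy:
        findings.append("SSLProtocol still allows " + ", ".join(sorted(legacy)))
    if single.get("sslhonorcipherorder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is off: the client picks the suite")
    if "sslciphersuite" not in single:
        findings.append("SSLCipherSuite not set: the OpenSSL default list applies")
    else:
        for reason, names in audit_cipher_suite(single["sslciphersuite"].strip('"')).items():
            if names:
                findings.append(f"SSLCipherSuite {reason}: {', '.join(names[:3])}")
    hsts = [a for n, a in directives if n == "header" and "Strict-Transport-Security" in a]
    age = re.search(r"max-age=(\d+)", hsts[-1]) if hsts else None
    if not age or int(age.group(1)) < HSTS_MIN_AGE:
        findings.append("Strict-Transport-Security header missing or max-age below 180 days")
    return findings


if __name__ == "__main__":
    for label, conf in (("stock CentOS 6", STOCK_SSL_CONF), ("hardened", HARDENED_SSL_CONF)):
        print(f"{label}: {audit_ssl_conf(conf) or ['no findings']}")
```

Run it against the fragment of ssl.conf (or the VirtualHost block) you intend to deploy; an empty list means the fragment meets the steps above. It is a pre-deployment lint of the configuration file, not a replacement for the SSL Labs scan, which tests what the running server actually negotiates.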

Refer:
* https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html (source of the hardening steps)
* https://www.mysterydata.com/how-to-get-a-score-rating-in-ssllabs-qualys/
Latest revision as of 04:19, 18 April 2022