Apache HTTP Server: Configure HTTPS

With Apache HTTP Server we can publish our Web pages with HTTPS (Hypertext Transfer Protocol Secure). Here we will see how to do it.

Introduction

Currently almost no Web page uses plain HTTP; most use HTTPS. HTTPS is a secure protocol that, among other things, encrypts the communication between client and server.

Previous requirements

We need an Apache HTTP Server installed and started.

Configuration

Installation of tools

We will need to install two tools, with the following commands:

Vi editor:

apt install -y vim

Console Web Browser Links:

apt install -y links

Apache HTTP Server configuration

And now we configure the Apache HTTP Server:

We activate the Apache SSL module:

a2enmod ssl

And we enable the default SSL site configuration with:

a2ensite default-ssl

We start the Apache server with:

service apache2 start

Or we restart the server with:

service apache2 restart

Creation and configuration of certificates

We need to create and configure keys and certificates for two types of entities:

  • The Certification Authority (CA).
  • The Web Server in which we are going to configure HTTPS.

Certification Authority (CA)

We create the key of the Certification Authority:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 -out cakey.pem

We make the CA self-sign its own certificate:

openssl req -new -x509 -key cakey.pem -out cacert.pem -days 365

It will prompt us for the following data:

  • Country Name (2 letter code) [AU]:ES
  • State or Province Name (full name) [Some-State]:Madrid
  • Locality Name (eg, city) []:Madrid
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
  • Organizational Unit Name (eg, section) []:MySection
  • Common Name (e.g. server FQDN or YOUR name) []:localhost
  • Email Address []:me@myemail.com

At this moment we have these two elements:

  • The CA key (cakey.pem).
  • The certificate self-signed by the Certification Authority, that is, ourselves (cacert.pem).

Now we need the directory layout that openssl ca expects in order to sign the Web server certificate with this authority.

mkdir demoCA
mkdir demoCA/certs
mkdir demoCA/crl
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo 02 > demoCA/serial
mv cacert.pem demoCA/
mv cakey.pem demoCA/private/

And with this, we already have the files of the Certification Authority (CA).

Web server

We create a pair of keys:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 -out privkey-localhost.pem

We create the certificate signature request:

openssl req -new -key privkey-localhost.pem -out certreq-localhost.crs

It will prompt us for the following data:

  • Country Name (2 letter code) [AU]:ES
  • State or Province Name (full name) [Some-State]:Madrid
  • Locality Name (eg, city) []:Madrid
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
  • Organizational Unit Name (eg, section) []:MySection
  • Common Name (e.g. server FQDN or YOUR name) []:localhost
  • Email Address []:me@myemail.com

We leave the Challenge password and the Optional company name empty.

Now we send the request to the Certification Authority and it (we) will issue a certificate:

openssl ca -in certreq-localhost.crs -out cert-localhost.pem

And then we answer “y” to every question.

Now we configure Apache to use these certificates.

First of all, we verify:

openssl verify -CAfile demoCA/cacert.pem cert-localhost.pem

The system responds with:

cert-localhost.pem: OK
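As an added example that is not part of the original page: the CA and Web server steps above, run as one non-interactive shell script, so the whole procedure can be repeated and checked. It assumes a CA subject of “MyCompany Demo CA” (distinct from the server's, unlike the page), a small ca.cnf written by the script instead of the system openssl.cnf, and it adds a subjectAltName for the host name, which current browsers require in addition to the Common Name.

```shell
#!/bin/sh
# Added example (not from the page): the page's CA and server-certificate steps
# run non-interactively. Assumed by this script, not taken from the page: the CA
# subject "MyCompany Demo CA", the SAN DNS:<host>/IP:127.0.0.1, and ca.cnf below.
set -eu
build_demo_pki() {            # $1 = scratch directory, $2 = server host name
  work=$1; host=$2
  mkdir -p "$work/demoCA/certs" "$work/demoCA/crl" "$work/demoCA/newcerts" "$work/demoCA/private"
  cd "$work"
  : > demoCA/index.txt; echo 02 > demoCA/serial   # empty database + first serial, as on the page
  cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./demoCA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_demo
x509_extensions = server_cert
[ policy_demo ]
countryName = optional
organizationName = optional
commonName = supplied
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:127.0.0.1
EOF
  # 1. CA key and self-signed CA certificate (the page's cakey.pem / cacert.pem)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out demoCA/private/cakey.pem
  chmod 600 demoCA/private/cakey.pem
  openssl req -new -x509 -key demoCA/private/cakey.pem -days 365 -out demoCA/cacert.pem \
    -subj "/C=ES/O=MyCompany/CN=MyCompany Demo CA"
  # 2. Server key and CSR (the page's privkey-localhost.pem / certreq-localhost.crs)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "privkey-$host.pem"
  chmod 600 "privkey-$host.pem"
  openssl req -new -key "privkey-$host.pem" -out "certreq-$host.crs" -subj "/C=ES/O=MyCompany/CN=$host"
  # 3. The CA signs it; -batch answers the page's "y" prompts, -notext keeps only the PEM
  openssl ca -batch -config ca.cnf -in "certreq-$host.crs" -out "cert-$host.pem" -notext
  # 4. The page's verify step, plus a check that the SAN browsers require is present
  openssl verify -CAfile demoCA/cacert.pem "cert-$host.pem"
  openssl x509 -in "cert-$host.pem" -noout -text | grep -q "DNS:$host"
}
```

Run it as `build_demo_pki /tmp/demo-pki localhost`; the resulting cert-localhost.pem, privkey-localhost.pem and demoCA/cacert.pem are the three files the next section copies into /etc/ssl.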

Apache HTTP Server configuration to use SSL

We copy the important files:

cp cert-localhost.pem /etc/ssl/certs/
cp demoCA/cacert.pem /etc/ssl/certs/
cp privkey-localhost.pem /etc/ssl/private/

We edit the Apache SSL configuration:

vi /etc/apache2/sites-available/default-ssl.conf

We modify these two lines with the path of our files:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

For these:

SSLCertificateFile /etc/ssl/certs/cert-localhost.pem
SSLCertificateKeyFile /etc/ssl/private/privkey-localhost.pem

After those two, we introduce a new one:

SSLCACertificateFile /etc/ssl/certs/cacert.pem

We save and exit Vi with “:wq”.

Now we do a reload to load the configuration:

service apache2 reload

If we get an error because the server is off, we start it with:

service apache2 start

Test

We test as follows (using the command console and the “Links” text Web browser instead of a graphical Web browser):

We load the URL without HTTPS:

links http://localhost

Next, we load the URL with HTTPS:

links https://localhost

It will tell us that the certificate is invalid (because it was signed by our own CA, which the browser does not trust). Click on Yes and the page will load without problem.

Note: To avoid this message, and to be able to use a common Web browser like Google Chrome without any alert, the certificate we have created needs to be signed by a Certification Authority that the browser already trusts.
