Apache

Setting up one way TLS with a Self-Signed Server Certificate on Linux (Apache)

A self-signed server certificate should be used for test purposes only.

This procedure generates a self-signed certificate that does not originate from a generally trusted source; therefore, you should not use this certificate to help secure data transfers between Internet clients and your server.

  • Run the following command in your local environment to see if you already have openssl installed.
$ which openssl
/usr/bin/openssl
  • If this does not return a path then you will need to install openssl yourself:
apt-get install openssl
  • A private key and certificate signing request are required to create an SSL certificate. Run the following commands.
$ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
...
$ openssl rsa -passin pass:x -in server.pass.key -out server.key
writing RSA key
$ rm server.pass.key
$ openssl req -new -key server.key -out server.csr
...
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
...
A challenge password []:
...
  • When you are asked for a “challenge password”, just press return, leaving the password empty.
  • You will now have the following files: server.csr and server.key
  • The self-signed SSL certificate is generated from the server.key private key and the server.csr request.
  • Run the following command to generate the SSL certificate.
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  • You will now have the following file: server.crt
  • This is your self-signed SSL certificate which, together with server.key, can be used for one way TLS on your Apache web server.
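The key, CSR and self-signing steps above, collected into one non-interactive script, as an added example that is not part of the original page. It also adds two checks worth running before the files are copied to Apache: that the private key really belongs to the certificate, and that the certificate is self-signed (issuer equals subject), which is exactly why browsers will not trust it unless told to. The output directory, common name and validity period are arguments of the script; the common name used in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): generate a self-signed server
# certificate with the same key -> CSR -> x509 steps as the procedure above,
# without interactive prompts, then verify the result.
set -eu

# make_selfsigned_cert DIR COMMON_NAME DAYS
#   writes DIR/server.key, DIR/server.csr and DIR/server.crt
make_selfsigned_cert() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    # Private key without a passphrase, so Apache can start unattended
    # (equivalent to the genrsa + "rsa -passin" steps in the procedure).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"   # the key must never be world-readable
    # CSR with the subject given on the command line instead of at prompts;
    # the challenge password is simply not set.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=California/CN=$cn"
    # Sign the CSR with its own key: that is what makes it self-signed.
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert KEY CRT -> exit 0 if the public key inside CRT was derived from KEY
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# cert_is_self_signed CRT -> exit 0 if issuer and subject are identical
cert_is_self_signed() {
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$sub" ]
}

# cert_cn CRT -> prints the common name from the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone usage (directory and name are placeholders):
#   make_selfsigned_cert /tmp/apache-test test.example.internal 365
#   key_matches_cert /tmp/apache-test/server.key /tmp/apache-test/server.crt && echo "key matches"
#   cert_is_self_signed /tmp/apache-test/server.crt && echo "self-signed (test use only)"
```

The second check is the important one for this section: a certificate that passes `cert_is_self_signed` has no issuer other than itself, so a client that accepts it is trusting the file, not a certificate authority. That is acceptable on a test host and nowhere else.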
  • Create a location for your certificates and keys, e.g. /etc/apache2/ssl
  • Copy your certificate and key into this location
  • Edit your httpd.conf file to reference the above certificate and key in your virtual host entry, and switch on the SSLEngine, e.g.
<IfModule mod_ssl.c>
    <VirtualHost _default_:8443>
        ServerAdmin webmaster@localhost
        # one ServerName per virtual host; list the IP address as an alias if clients use it
        ServerName my.domain.com
        ServerAlias <ip address here>
        ...
        SSLEngine on
        SSLCertificateFile      /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile   /etc/apache2/ssl/server.key
        ...
    </VirtualHost>
</IfModule>

Setting up one way TLS with a trusted TLS certificate on Linux (Apache)

Commercial Certificate Authority TLS certificates allow web servers to encrypt their traffic, and also offer a mechanism to validate server identities to their visitors.
There are various Certificate Authority companies where you can request and obtain a trusted TLS certificate for use on your web server.

Once you have requested, purchased and downloaded your trusted TLS certificate from a Commercial Certificate Authority, you will need to do the following.

Install the TLS Certificate

  • Create a location for your certificates and keys, e.g. /etc/apache2/ssl
  • Copy your certificate and key into this location

Edit your httpd.conf file to reference the above TLS Certificate and key in your virtual host entry, and switch on the SSLEngine, e.g.

<IfModule mod_ssl.c>
    <VirtualHost _default_:8443>
        ServerAdmin webmaster@localhost
        # one ServerName per virtual host; list the IP address as an alias if clients use it
        ServerName my.domain.com
        ServerAlias <ip address here>
        ...
        SSLEngine on
        SSLCertificateFile      /etc/apache2/ssl/your_domain_ssl.crt
        SSLCertificateKeyFile   /etc/apache2/ssl/your_domain_ssl.key
        ...
    </VirtualHost>
</IfModule>

Setting up two way TLS on Linux (Apache)

Download the trusted issuer certificate file from your RapID Customer Dashboard to a location on your webserver. e.g. /etc/apache2/ssl.

Edit the httpd.conf and add reference to the CA Cert in your virtual host.

Note: depending on your Apache version you will need to configure SSLCACertificateFile and possibly also SSLCertificateChainFile.

SSLCACertificateFile    /etc/apache2/ssl/trusted-root-ca.crt
SSLCertificateChainFile /etc/apache2/ssl/trusted-root-ca.crt

Edit the httpd.conf file again and add to your virtual host the directory that should be protected.

<Location /your_protected_directory>
    SSLVerifyClient require
    SSLOptions +ExportCertData +StdEnvVars +OptRenegotiate
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
</Location>

Your final httpd.conf file should look something like the following now:

<IfModule mod_ssl.c>
    <VirtualHost _default_:8443>
        ServerAdmin webmaster@localhost
        # one ServerName per virtual host; list the IP address as an alias if clients use it
        ServerName my.domain.com
        ServerAlias <ip address here>

        SSLEngine on
        SSLCertificateFile      /etc/apache2/ssl/your_domain_ssl.crt
        SSLCertificateKeyFile   /etc/apache2/ssl/your_domain_ssl.key

        SSLCACertificateFile    /etc/apache2/ssl/trusted-root-ca.crt
        SSLCertificateChainFile /etc/apache2/ssl/trusted-root-ca.crt

        <Location /your_protected_directory>
            SSLVerifyClient require
            SSLOptions +ExportCertData +StdEnvVars +OptRenegotiate
            RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
        </Location>
    </VirtualHost>
</IfModule>
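What SSLVerifyClient require actually decides, shown offline as an added example that is not part of the original page: the script builds a throwaway test CA standing in for the trusted issuer certificate, issues one client certificate from it, and creates a second, self-signed certificate from no trusted issuer. It then runs the same chain check mod_ssl performs against SSLCACertificateFile, accepting the first and rejecting the second. All file names, subjects and the alice/stranger names are constructed placeholders; the RapID issuer certificate itself is not used.

```shell
#!/bin/sh
# Added example (not from the original page): a test CA, a client certificate
# issued by it, and the trust decision Apache makes for SSLVerifyClient require.
set -eu

# make_test_ca DIR -> DIR/trusted-root-ca.key and DIR/trusted-root-ca.crt
# (a constructed stand-in for the trusted issuer certificate in the procedure)
make_test_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/trusted-root-ca.key" -out "$1/trusted-root-ca.crt" \
        -subj "/CN=Test Client CA (constructed)" 2>/dev/null
    chmod 600 "$1/trusted-root-ca.key"
}

# issue_client_cert DIR NAME -> DIR/NAME.key and DIR/NAME.crt signed by the test CA
issue_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -days 30 -in "$1/$2.csr" \
        -CA "$1/trusted-root-ca.crt" -CAkey "$1/trusted-root-ca.key" \
        -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# make_stranger_cert DIR NAME -> a self-signed certificate from no trusted issuer
make_stranger_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$2" 2>/dev/null
}

# client_cert_accepted CA_FILE CLIENT_CRT -> exit 0 only if CLIENT_CRT chains to CA_FILE.
# This is the check behind "SSLVerifyClient require" with SSLCACertificateFile=CA_FILE:
# a certificate that does not chain to the configured issuer is refused before
# the request ever reaches /your_protected_directory.
client_cert_accepted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone usage (directory and names are placeholders):
#   make_test_ca /tmp/mtls-test
#   issue_client_cert /tmp/mtls-test alice
#   make_stranger_cert /tmp/mtls-test stranger
#   client_cert_accepted /tmp/mtls-test/trusted-root-ca.crt /tmp/mtls-test/alice.crt    && echo "alice: accepted"
#   client_cert_accepted /tmp/mtls-test/trusted-root-ca.crt /tmp/mtls-test/stranger.crt || echo "stranger: rejected"
```

Three points about the configuration this models. First, SSLCertificateChainFile is deprecated since Apache 2.4.8, where SSLCertificateFile was extended to also load intermediate CA certificates; on those versions SSLCACertificateFile alone is what client verification uses. Second, RequestHeader set overwrites any SSL_CLIENT_CERT header a client sends, so an application behind this Location may trust that header only for requests that came through it; any other route to the application must strip or reject the header. Third, run apachectl configtest after editing httpd.conf so a typo in a path is caught before the restart takes the site down.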

Then finally restart Apache:

$ apachectl restart


Securing your Service authentication certificate on Linux

Although your Service authentication certificate can be placed in a secure file location, we highly recommend storing it in a keystore on your server.

  • Download your Service authentication certificate (you will need to choose a password for the certificate) from your RapID Customer Dashboard to a location on your web server.
  • Run the following command, replacing SERVICE_AUTHENTICATION_CERTIFICATE_NAME with the name of your certificate file (-srcstoretype PKCS12 is needed on older keytool versions, which do not detect the .pfx format on their own):
$ keytool -importkeystore -srckeystore SERVICE_AUTHENTICATION_CERTIFICATE_NAME.pfx -srcstoretype PKCS12
  • You will be prompted for the following:
Enter destination keystore password (default password is 'changeit'):
Enter source keystore password (the password of the __service authentication certificate__):
  • You will now see a confirmation similar to the following.
Entry for alias cn=5911c403-8155-4061-8f15-5098418ab4dd successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
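The same import written as a non-interactive script, as an added example that is not part of the original page. It constructs a throwaway .pfx with openssl so it runs offline; in practice the source file is the Service authentication certificate downloaded from your RapID Customer Dashboard. It then confirms the entry is present in the destination keystore instead of relying on the confirmation text, and restricts the keystore's file permissions. Passwords, file names and the service-auth alias are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): import a PKCS#12 file into a Java
# keystore without prompts and verify that the entry landed.
set -eu

# make_test_pfx DIR PASSWORD -> DIR/service-auth.pfx holding a self-signed cert and key
# (constructed stand-in for the downloaded Service authentication certificate)
make_test_pfx() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/svc.key" -out "$1/svc.crt" \
        -subj "/CN=service-auth (constructed)" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/svc.key" -in "$1/svc.crt" \
        -name service-auth -out "$1/service-auth.pfx" -passout "pass:$2"
    rm -f "$1/svc.key"   # the key now lives only inside the password-protected .pfx
}

# import_pfx PFX SRC_PASS KEYSTORE DEST_PASS
#   Non-interactive form of the keytool command in the procedure above.
#   -srcstoretype PKCS12 is required by older keytool versions that do not probe
#   the file type; -destkeystore names the keystore instead of the default ~/.keystore.
import_pfx() {
    keytool -importkeystore \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
        -destkeystore "$3" -deststoretype PKCS12 -deststorepass "$4" \
        -noprompt >/dev/null 2>&1
    chmod 600 "$3"   # the keystore holds a private key: readable by the service account only
}

# keystore_has_alias KEYSTORE PASS ALIAS -> exit 0 if ALIAS exists in KEYSTORE
keystore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Stand-alone usage (paths and passwords are placeholders):
#   make_test_pfx /tmp/ks-test 'pfx-password'
#   import_pfx /tmp/ks-test/service-auth.pfx 'pfx-password' /tmp/ks-test/service.p12 'changeit'
#   keystore_has_alias /tmp/ks-test/service.p12 'changeit' service-auth && echo "imported"
```

Passing passwords on the command line is convenient for a script but exposes them to other users through the process list; on a shared host, prefer the interactive prompts from the procedure, or keytool's :file and :env forms of -srcstorepass and -deststorepass. Whatever password you choose for the destination keystore, do not leave it at the 'changeit' default on a production server.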