My linux world » Apache SSL Survival Guide

Apache SSL Survival Guide


Secure Sockets Layer (SSL), is a cryptographic protocol that provide communication security over the Internet. SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity.

Wikipedia


Important: Steps have to be followed in the order.

Contents

Readme before starting !!

At the end of the generation you will have:

private.key your private key
public.crt the public key sent by your trusted organism (calculated from your private key)
intermediate.crt the intermediate file from your trusted organism

Generation using openssl

Generate private key

Generate the RSA private key.

openssl genrsa -out private.key 2048

Generate the CSR (Certificate Signing Request)

openssl req -new -key private.key -out mydomain.csr

And fill like this:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Paris
Organization Name (eg, company) [Default Company Ltd]:*.mydomain.com
Organizational Unit Name (eg, section) []:mycompany
Common Name (eg, your name or your server's hostname) []:*.mydomain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Verify your CSR informations:

openssl req -noout -text -in mydomain.csr

Expected values are:

 C=FR, ST=France, L=Paris, O=*.mydomain.com, OU=mycompany, CN=*.mydomain.com

Send the CSR to your trusted organism

Send the mydomain.csr file to your trusted organism (example RapidSSL, SSL, etc.). It will send you a certificate (named public.crt) that contains the X509 format as well.
This certificate, public.crt, is your public key.

Generation from tomcat keystore

You start working with mycompany.kdb (tomcat keystore file).

First, you want to extract it to mycompany.p12 (the p12 format).
Then, you want to extract the private key from mycompany.p12.
Finally, you want to extrat the public key from mycompany.p12.

Extract p12 certificate

keytool -importkeystore -srckeystore mycompany.kdb -destkeystore mycompany.p12 -deststoretype PKCS12 -srcstorepass [keystore_password] -deststorepass [new_password] -srcalias [original_alias] -destalias [new_alias] -srckeypass [original_alias_password] -destkeypass [new_password] -noprompt

The output file is the mycompany.p12 file

Extract the private key

openssl.exe pkcs12 -in mycompany.p12 -clcerts -nokeys -out private.key

Extract the public key

openssl.exe pkcs12 -in mycompany.p12 -clcerts -nokeys -out public.crt

Installation

Apache configuration

update the /etc/httpd/conf/ssl.conf file like this:

  SSLProxyEngine On
  ProxyRequests Off
  ProxyPreserveHost On
 
  SSLCertificateFile /etc/httpd/conf/ssl.crt/public.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/private.key
  SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt

  #################################################################################
  # ENABLE STRONG ENCRYPTION
  # @see documentation : http://httpd.apache.org/docs/trunk/en/ssl/ssl_howto.html
  #################################################################################
  # "Modern" configuration, defined by the Mozilla Foundation's SSL Configuration
  # Generator as of August 2016. This tool is available at
  # https://mozilla.github.io/server-side-tls/ssl-config-generator/
  SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1

  # Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some
  # require OpenSSL 1.1.0, which as of this writing was in pre-release.
  SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  SSLHonorCipherOrder on
  SSLCompression      off
  SSLSessionTickets   off  # Available in httpd 2.4.11 and later, if using OpenSSL 0.9.8f or later.


  #################################################################################
  # Disable Apache Web Server Signature
  #################################################################################
  ServerSignature Off
  ServerTokens Prod

Then restart apache

systemctl restart httpd.service

Tomcat configuration

If you want to use apache as proxy for tomcat, you should update tomcat connector like this:

 <Connector 
    port="8080"
    protocol="HTTP/1.1"
    connectionTimeout="20000" 
 
    maxHttpHeaderSize="8192" 
    maxThreads="150" 
    minSpareThreads="25" 
    maxSpareThreads="75" 
    enableLookups="false" 
    acceptCount="100" 
    disableUploadTimeout="true" 
 
    scheme="https" 
    proxyPort="443"
  />

Note: sheme and proxyPort are importants.

Test


Copyright © 2023 My linux world - by Marc RABAHI
Design by Marc RABAHI and encelades.

Fork me on GitHub