{"id":1105,"date":"2014-08-11T21:02:54","date_gmt":"2014-08-11T19:02:54","guid":{"rendered":"http:\/\/blog.rabahi.net\/?page_id=1105"},"modified":"2016-12-25T16:37:26","modified_gmt":"2016-12-25T15:37:26","slug":"apache-ssl-survival-guide","status":"publish","type":"page","link":"https:\/\/blog.rabahi.net\/?page_id=1105","title":{"rendered":"Apache SSL Survival Guide"},"content":{"rendered":"<blockquote><p>Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security over the Internet. SSL encrypts the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity.<\/p><\/blockquote>\n<p style=\"text-align: right;\">Wikipedia<\/p>\n<hr \/>\n<p class=\"text-danger\"><strong>Important: the steps have to be followed in order.<\/strong><\/p>\n
<div id=\"toc_container\" class=\"no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Readme_before_starting\"><span class=\"toc_number toc_depth_1\">1<\/span> Readme before starting !!<\/a><\/li><li><a href=\"#Generation_using_openssl\"><span class=\"toc_number toc_depth_1\">2<\/span> Generation using openssl<\/a><ul><li><a href=\"#Generate_private_key\"><span class=\"toc_number toc_depth_2\">2.1<\/span> Generate private key<\/a><\/li><li><a href=\"#Generate_the_CSR_Certificate_Signing_Request\"><span class=\"toc_number toc_depth_2\">2.2<\/span> Generate the CSR (Certificate Signing Request)<\/a><\/li><li><a href=\"#Send_the_CSR_to_your_trusted_organism\"><span class=\"toc_number toc_depth_2\">2.3<\/span> Send the CSR to your certificate authority<\/a><\/li><\/ul><\/li><li><a href=\"#Generation_from_tomcat_keystore\"><span class=\"toc_number toc_depth_1\">3<\/span> Generation from tomcat keystore<\/a><ul><li><a href=\"#Extract_p12_certificate\"><span class=\"toc_number toc_depth_2\">3.1<\/span> Extract p12 certificate<\/a><\/li><li><a href=\"#Extract_the_private_key\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Extract the private key<\/a><\/li><li><a href=\"#Extract_the_public_key\"><span class=\"toc_number toc_depth_2\">3.3<\/span> Extract the public key<\/a><\/li><\/ul><\/li><li><a href=\"#Installation\"><span class=\"toc_number toc_depth_1\">4<\/span> Installation<\/a><ul><li><a href=\"#Apache_configuration\"><span class=\"toc_number toc_depth_2\">4.1<\/span> Apache configuration<\/a><\/li><li><a href=\"#Tomcat_configuration\"><span class=\"toc_number toc_depth_2\">4.2<\/span> Tomcat configuration<\/a><\/li><li><a href=\"#Test\"><span class=\"toc_number toc_depth_2\">4.3<\/span> Test<\/a><\/li><\/ul><\/li><\/ul><\/div>\n
<h1><span id=\"Readme_before_starting\">Readme before starting !!<\/span><\/h1>\n<p>At the end of the generation you will have:<\/p>\n<table class=\"table\">\n<tr>\n<td>private.key<\/td>\n<td>your private key<\/td>\n<\/tr>\n<tr>\n<td>public.crt<\/td>\n<td>the certificate returned by your certificate authority; it carries the public key that matches your private key<\/td>\n<\/tr>\n<tr>\n<td>intermediate.crt<\/td>\n<td>the intermediate certificate from your certificate authority (the chain between public.crt and the CA root)<\/td>\n<\/tr>\n<\/table>\n<h1><span id=\"Generation_using_openssl\">Generation using openssl<\/span><\/h1>\n<h2><span id=\"Generate_private_key\">Generate private key<\/span><\/h2>\n<p>Generate the RSA private key.<\/p>\n<pre lang=\"bash\">\r\nopenssl genrsa -out private.key 2048\r\n<\/pre>\n<h2><span id=\"Generate_the_CSR_Certificate_Signing_Request\">Generate the CSR (Certificate Signing Request)<\/span><\/h2>\n<pre lang=\"bash\">openssl req -new -key private.key -out mydomain.csr\r\n<\/pre>\n<p>And fill it in like this:<\/p>\n<pre>You are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [XX]:FR\r\nState or Province Name (full name) []:France\r\nLocality Name (eg, city) [Default City]:Paris\r\nOrganization Name (eg, company) [Default Company Ltd]:*.mydomain.com\r\nOrganizational Unit Name (eg, section) []:mycompany\r\nCommon Name (eg, your name or your server's hostname) []:*.mydomain.com\r\nEmail Address []:\r\n\r\nPlease enter the following 'extra' attributes\r\nto be sent with your certificate request\r\nA challenge password []:\r\nAn optional company name []:\r\n<\/pre>\n<p>Verify your CSR information:<\/p>\n<pre lang=\"bash\">openssl req -noout -text -in mydomain.csr<\/pre>\n<p>Expected values are:<\/p>\n<pre>\r\n C=FR, ST=France, L=Paris, O=*.mydomain.com, OU=mycompany, CN=*.mydomain.com\r\n<\/pre>\n
<h2><span id=\"Send_the_CSR_to_your_trusted_organism\">Send the CSR to your certificate authority<\/span><\/h2>\n<p>Send the <strong class=\"text-success\">mydomain.csr<\/strong> file to your certificate authority (for example RapidSSL, SSL, etc.). It will send you back a certificate in X.509 format (named <strong class=\"text-success\">public.crt<\/strong> here).<br \/>\nThis certificate, <strong class=\"text-success\">public.crt<\/strong>, contains your public key.<\/p>\n<h1><span id=\"Generation_from_tomcat_keystore\">Generation from tomcat keystore<\/span><\/h1>\n<p>You start working with <strong class=\"text-success\">mycompany.kdb<\/strong> (the tomcat keystore file).<\/p>\n<p>First, you convert it to <strong class=\"text-success\">mycompany.p12<\/strong> (PKCS#12 format).<br \/>\nThen, you extract the private key from <strong class=\"text-success\">mycompany.p12<\/strong>.<br \/>\nFinally, you extract the public certificate from <strong class=\"text-success\">mycompany.p12<\/strong>.<\/p>\n<h2><span id=\"Extract_p12_certificate\">Extract p12 certificate<\/span><\/h2>\n<pre lang=\"bash\">\r\nkeytool -importkeystore -srckeystore mycompany.kdb -destkeystore mycompany.p12 -deststoretype PKCS12 -srcstorepass [keystore_password] -deststorepass [new_password] -srcalias [original_alias] -destalias [new_alias] -srckeypass [original_alias_password] -destkeypass [new_password] -noprompt\r\n<\/pre>\n<p>The output file is the <strong class=\"text-success\">mycompany.p12<\/strong> file.<\/p>\n<h2><span id=\"Extract_the_private_key\">Extract the private key<\/span><\/h2>\n<p>Use <strong class=\"text-success\">-nocerts<\/strong> so that only the key is written (<strong class=\"text-success\">-nokeys<\/strong> would export no key at all); <strong class=\"text-success\">-nodes<\/strong> writes it unencrypted so that Apache can start without a passphrase prompt.<\/p>\n<pre lang=\"bash\">\r\nopenssl.exe pkcs12 -in mycompany.p12 -nocerts -nodes -out private.key\r\n<\/pre>\n<h2><span id=\"Extract_the_public_key\">Extract the public key<\/span><\/h2>\n<pre lang=\"bash\">\r\nopenssl.exe pkcs12 -in mycompany.p12 -clcerts -nokeys -out public.crt\r\n<\/pre>\n
<h1><span id=\"Installation\">Installation<\/span><\/h1>\n<h2><span id=\"Apache_configuration\">Apache configuration<\/span><\/h2>\n<p>Update the \/etc\/httpd\/conf\/ssl.conf file like this:<\/p>\n<pre>\r\n  SSLProxyEngine On\r\n  ProxyRequests Off\r\n  ProxyPreserveHost On\r\n \r\n  SSLCertificateFile \/etc\/httpd\/conf\/ssl.crt\/public.crt\r\n  SSLCertificateKeyFile \/etc\/httpd\/conf\/ssl.key\/private.key\r\n  # SSLCertificateChainFile is obsolete since httpd 2.4.8: there you can instead\r\n  # append intermediate.crt to the file given to SSLCertificateFile.\r\n  SSLCertificateChainFile \/usr\/local\/ssl\/crt\/intermediate.crt\r\n\r\n  #################################################################################\r\n  # ENABLE STRONG ENCRYPTION\r\n  # @see documentation : http:\/\/httpd.apache.org\/docs\/trunk\/en\/ssl\/ssl_howto.html\r\n  #################################################################################\r\n  # \"Modern\" configuration, defined by the Mozilla Foundation's SSL Configuration\r\n  # Generator as of August 2016. This tool is available at\r\n  # https:\/\/mozilla.github.io\/server-side-tls\/ssl-config-generator\/\r\n  SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1\r\n\r\n  # Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some\r\n  # require OpenSSL 1.1.0, which as of this writing was in pre-release.\r\n  SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256\r\n  SSLHonorCipherOrder on\r\n  SSLCompression      off\r\n  # SSLSessionTickets is available in httpd 2.4.11 and later, if using OpenSSL 0.9.8f or later.\r\n  # (httpd does not accept a trailing comment on a directive line, so the comment stays on its own line.)\r\n  SSLSessionTickets   off\r\n\r\n\r\n  #################################################################################\r\n  # Disable Apache Web Server Signature\r\n  #################################################################################\r\n  ServerSignature Off\r\n  ServerTokens Prod\r\n\r\n<\/pre>\n<p>Check the syntax with <strong class=\"text-success\">apachectl configtest<\/strong>, then restart apache:<\/p>\n<pre lang=\"bash\">systemctl restart httpd.service\r\n<\/pre>\n
<h2><span id=\"Tomcat_configuration\">Tomcat configuration<\/span><\/h2>\n<p>If you want to use apache as a proxy for tomcat, you should update the tomcat connector like this:<\/p>\n<pre lang=\"xml\">\r\n <Connector \r\n    port=\"8080\"\r\n    protocol=\"HTTP\/1.1\"\r\n    connectionTimeout=\"20000\" \r\n\r\n    maxHttpHeaderSize=\"8192\" \r\n    maxThreads=\"150\" \r\n    minSpareThreads=\"25\" \r\n    maxSpareThreads=\"75\" \r\n    enableLookups=\"false\" \r\n    acceptCount=\"100\" \r\n    disableUploadTimeout=\"true\" \r\n\r\n    scheme=\"https\" \r\n    secure=\"true\" \r\n    proxyPort=\"443\"\r\n  \/>\r\n<\/pre>\n<p><strong>Note<\/strong>: <strong class=\"text-success\">scheme<\/strong>, <strong class=\"text-success\">secure<\/strong> and <strong class=\"text-success\">proxyPort<\/strong> are important: they tell tomcat that the requests it receives on port 8080 originally arrived at the proxy over HTTPS on port 443, so that getScheme(), isSecure() and the URLs it generates for redirects are correct.<\/p>\n<h2><span id=\"Test\">Test<\/span><\/h2>\n<ul>\n<li>You can go here: https:\/\/mydomain.com<\/li>\n<li>You can also verify the certificate and its chain (the output should end with <strong class=\"text-success\">Verify return code: 0 (ok)<\/strong>):\n<pre lang=\"bash\">\r\nopenssl s_client -connect mydomain.com:443\r\n<\/pre>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security over the Internet. SSL encrypts the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity. Wikipedia Important: the steps have to be followed in [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":484,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-1105","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/1105","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1105"}],"version-history":[{"count":45,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/1105\/revisions"}],"predecessor-version":[{"id":1835,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/1105\/revisions\/1835"}],"up":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/484"}],"wp:attachment":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}