Waji
Posted on February 22, 2023
Introduction
👉 SSL/TLS are cryptographic protocols that establish secure communication channels between web servers and browsers to protect data exchanged between them from unauthorized access and tampering. They ensure privacy and security over the internet, and are used in online transactions such as e-commerce and online banking.
👉 When a web browser connects to a secure website using SSL/TLS, the following process occurs:
- The browser requests a secure connection from the web server
- The web server responds by sending a digital certificate containing its public key to the browser
- The browser verifies the digital certificate and uses the public key to establish a secure session key
- The browser and server use the session key to encrypt and decrypt data exchanged between them
Applying SSL/TLS certificate
From the Apache web server
vi /etc/httpd/conf/httpd.conf
Right under the DocumentRoot
area, we will add
127 <VirtualHost *:80>
128 Redirect "/" "https://<Your Domain Name>"
129 </VirtualHost>
👉 We are redirecting the HTTP
traffic to the Https
Installing ssl/tls
yum -y install mod_ssl
rpm -qa | grep mod_ssl
mod_ssl-2.4.6-98.el7.centos.6.x86_64
💡 I will be creating my personal SSL certificate for this hands on as I won't be actually hosting this test website over the internet
Confirming if we have openssl
installed
rpm -qa | grep openssl
openssl-libs-1.0.2k-25.el7_9.x86_64
openssl-devel-1.0.2k-25.el7_9.x86_64
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssl-1.0.2k-25.el7_9.x86_64
Creating the private key
openssl genrsa -out /etc/pki/tls/private/waji.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................+++
...............................+++
e is 65537 (0x10001)
Creating a csr
file for the key that we just created
openssl req -new -key /etc/pki/tls/private/waji.key -out /etc/pki/tls/private/waji.csr
👉 This will ask for some information that will be related to the certificate
Now if we check,
ls -l /etc/pki/tls/private/
합계 12
-rw------- 1 root root 1675 2ì›” 22 09:27 localhost.key
-rw-r--r-- 1 root root 1029 2ì›” 22 09:32 waji.csr
-rw-r--r-- 1 root root 1675 2ì›” 22 09:30 waji.key
💡 We won't be creating a key or a csr file ourselves when we use an actual SSL/TLS certificate for our real website
Creating the crt
authentication file
openssl x509 -req -days 365 -in /etc/pki/tls/private/waji.csr -signkey /etc/pki/tls/private/waji.key -out /etc/pki/tls/certs/waji.crt
Signature ok
subject=/C=KR/ST=Seoul/L=Gangnam/O=Waji/OU=Cloud/CN=waji/emailAddress=waji@test.com
Getting Private key
👉 After this step we should have the .crt
file under /etc/pki/tls/certs
Entering the cert path in the config file
vi /etc/httpd/conf.d/ssl.conf
59 DocumentRoot "/apache/www"
75 SSLProtocol -ALL +TLSv1.2
80 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHERSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
100 SSLCertificateFile /etc/pki/tls/certs/waji.crt
107 SSLCertificateKeyFile /etc/pki/tls/private/waji.key
👉 In the Apache Web Server configuration, we included all of the config files under /etc/httpd/conf.d
meaning this is also a part of the main configuration
Now, we need to test the configurations
apachectl configtest
Syntax OK
Restarting and checking the network status
systemctl restart httpd
netstat -antp | grep httpd
tcp6 0 0 :::443 :::* LISTEN 1457/httpd
tcp6 0 0 :::80 :::* LISTEN 1457/httpd
👉 We are able to see 443 port and 80 port open for LISTEN
Setting up the firewall to accept https
firewall-cmd --permanent --add-service=https
success
firewall-cmd --reload
success
If we open our server from the browser
👉 It shows unsafe because we aren't using a verified certificate from an authorized entity but we can confirm that it redirects to https
as we inteneded
Posted on February 22, 2023
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.