Installing SSL certificates in Apache

Once we have our SSL certificate, using it with our web server is just a matter of editing our VirtualHost file to include this information.

First, we must make sure Apache SSL module is loaded (as root):

# a2enmod ssl
Module ssl already enabled

Disabling unsecure protocols

We’ve been seeing some severe vulnerability issues this month, so we should protect ourselves from them. Simply edit /etc/apache2/mods-available/ssl.conf (or /etc/apache2/conf.d/ssl.conf if the file is not there; just search for it, it can’t be far away).

Configuring certificate for our Virtual Host


Search for a line starting with SSLProtocol and make sure it is like this:

SSLProtocol all -SSLv2 -SSLv3

You may have to add the -SSLv2 -SSLv3 part yourself. It’s also worth changing (or adding) the line:

SSLCompression off

because attackers can use TLS compression to attack our server.

Including the certificate

Then edit our VirtualHost File. Include:

<IfModule mod_ssl.c>

in the beginning and

</IfModule>

at the end.

Then, our VirtualHost will bind on port 443 (https), so <VirtualHost *:80> will translate to <VirtualHost *:443>

Then, tell Apache about our certificate and key:

        SSLEngine on

        SSLCertificateFile    /tmp/apache2/certs/myserver.crt
        SSLCertificateKeyFile /tmp/apache2/certs/myserver.key

This is enough if we have a self-signed certificate (SSLCertificateFile and SSLCertificateChainFile would be the same). If we have a CA-signed certificate, we’ll do this:

        SSLEngine on

        SSLCertificateFile    /tmp/apache2/certs/myserver.crt
        SSLCertificateKeyFile /tmp/apache2/certs/myserver.key
        SSLCertificateChainFile /tmp/apache2/certs/myCA.crt

Then, add some options (I borrowed these from some default configuration files, so your installation may include something similar):

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

This gives a small performance gain: the SSL-related environment variables are only set for scripts, so images, JavaScript, CSS and similar static files don’t get them.

I also use these settings, again borrowed from some default configuration files; I find them useful for some clients (not every visitor uses a decent browser):

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

So, the resulting file will be like this:

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerAdmin info@totaki.com
                ServerName totaki.com
                ServerAlias www.totaki.com

                DocumentRoot /home/cloud/www/totaki.com/www
                <Directory />
                        Options FollowSymLinks
                        AllowOverride All
                </Directory>
                <Directory /home/cloud/www/totaki.com/www/>
                        Options FollowSymLinks MultiViews
                        AllowOverride All
                        Order allow,deny
                        allow from all
                </Directory>
                ErrorLog    "/home/cloud/www/totaki.com/logs/error.log"
                LogLevel warn
                CustomLog "/home/cloud/www/totaki.com/logs/access.log" combined

                SSLEngine on

                SSLCertificateFile    /tmp/apache2/certs/myserver.crt
                SSLCertificateKeyFile /tmp/apache2/certs/myserver.key
                SSLCertificateChainFile /tmp/apache2/certs/myCA.crt

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                       SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                       SSLOptions +StdEnvVars
                </Directory>

                BrowserMatch "MSIE [2-6]" \
                       nokeepalive ssl-unclean-shutdown \
                       downgrade-1.0 force-response-1.0
                # MSIE 7 and newer should be able to use keepalive
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown


        </VirtualHost>
</IfModule>
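As an added example (not code from the original post), here is a small shell lint for the settings this post walks through, from the SSLProtocol and SSLCompression lines in ssl.conf to the SSLEngine, port and certificate directives in the VirtualHost: it reads every file Apache merges and reports SSLv2/SSLv3 still enabled, compression not off, SSLEngine on outside a *:443 VirtualHost, and missing certificate or key directives. It assumes POSIX sh, sed and awk; the sample config files it writes to a temporary directory are constructed for the demonstration.

```shell
# Added example (not from the original post): offline lint of the TLS directives the post
# edits, over every file Apache merges. Assumes POSIX sh, sed, awk; samples are constructed.
# Print the arguments of directive NAME from FILE..., comments stripped.
directive() {
    name="$1"; shift
    sed -e 's/#.*//' "$@" | awk -v n="$name" '$1 == n { $1 = ""; sub(/^ +/, ""); print }'
}
# Lint FILE...; prints one finding per line and returns 1 if there were any.
lint_tls_config() {
    findings=0
    note() { echo "$1"; findings=$((findings + 1)); }
    proto=$(directive SSLProtocol "$@")
    [ -n "$proto" ] || { note "no SSLProtocol directive (mod_ssl default is 'all')"; proto=all; }
    for v in SSLv2 SSLv3; do          # replay the tokens in order, as mod_ssl does
        on=0
        for w in $proto; do
            case "$w" in all|+all|"$v"|"+$v") on=1 ;; "-$v") on=0 ;; esac
        done
        [ "$on" -eq 0 ] || note "$v still enabled by 'SSLProtocol $proto'"
    done
    [ "$(directive SSLCompression "$@" | tail -n 1)" = off ] || note "SSLCompression is not off"
    if directive SSLEngine "$@" | grep -qi '^on$'; then
        ports=$(sed -n 's/^[[:space:]]*<VirtualHost[^:>]*:\([0-9]*\)>.*/\1/p' "$@")
        echo "$ports" | grep -qx 443 || note "SSLEngine on but no <VirtualHost *:443> (ports: $ports)"
        for d in SSLCertificateFile SSLCertificateKeyFile; do
            [ -n "$(directive "$d" "$@")" ] || note "$d is missing"
        done
    fi
    [ "$findings" -eq 0 ]
}
# Constructed samples: the hardened setup from the post, and a weak VirtualHost.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/ssl.conf" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
EOF
cat > "$SAMPLES/good-vhost.conf" <<'EOF'
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile    /tmp/apache2/certs/myserver.crt
        SSLCertificateKeyFile /tmp/apache2/certs/myserver.key
</VirtualHost>
EOF
cat > "$SAMPLES/weak-vhost.conf" <<'EOF'
<VirtualHost *:80>
        SSLEngine on   # no SSLProtocol, no compression setting, no key file
</VirtualHost>
EOF
lint_tls_config "$SAMPLES/ssl.conf" "$SAMPLES/good-vhost.conf" && echo "hardened vhost: clean"
lint_tls_config "$SAMPLES/weak-vhost.conf" || echo "weak vhost: rejected"
```

Run it against the real files (for example /etc/apache2/mods-available/ssl.conf and your sites-available file) after each edit; it only checks the directives, so key/certificate matching is still left to openssl.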

Extra: check certificate on server

To check the certificate info of an external server directly from our terminal, just use this command:

$ echo | openssl s_client -showcerts -connect server.com:443 | openssl x509 -text

We will see the signature, validity, subject, key and extension information. We can also use some variants to extract particular information, for example the validity dates:

$ echo | openssl s_client -showcerts -connect server.com:443 | openssl x509 -noout -dates

or the subject:

$ echo | openssl s_client -showcerts -connect server.com:443 | openssl x509 -noout -subject
