Wednesday, September 30, 2009

CentOS: Setting up SSL Webserver

1. Getting the required software

# yum install mod_ssl openssl

2. Generate a self-signed certificate

--Generate private key
# openssl genrsa -out ca.key 1024

--Generate CSR
# openssl req -new -key ca.key -out ca.csr

It will prompt for the details that go into the certificate subject; the values used in this example are:

Country Name: CA (Canada)
A list of two-letter country codes is at:
http://www.geocities.com/Colosseum/Track/7635/2ltrcode.html
State or Province Name: Ontario
Locality Name: Toronto
Organization Name: LambertDatabase Inc.
Organizational Unit Name:
Common Name (the server hostname): www.testserver1.com
Email Address: admin@testserver1.com

--Generate the self-signed certificate (signed with our own key, valid for 365 days)
# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

--Move the files to the correct locations
# mv ca.crt /etc/pki/tls/certs
# mv ca.key /etc/pki/tls/private/ca.key
# mv ca.csr /etc/pki/tls/private/ca.csr

--Then we need to update the Apache SSL configuration file
# vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Quit and save the file and then restart Apache:
# service httpd restart

3. SELinux error

When you restart the service you may get:

Stopping httpd: [FAILED]
Starting httpd: Syntax error on line 112 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/ca.crt' does not exist or is empty [FAILED]

To fix this, give the new files the same SELinux context as the stock certificate and key that ship with the package:

# chcon --reference=/etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca.crt
# chcon --reference=/etc/pki/tls/private/localhost.key /etc/pki/tls/private/ca.key
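Steps 2 and 3 as shell functions, added here as an example and not part of the original post. It assumes the openssl CLI is available; the subject values and target paths are the ones used above, and the key size is raised from the post's 1024 bits to 2048, the current minimum. The installer copies instead of moving, because a file moved out of a home directory keeps its old SELinux label, which is what makes httpd report the certificate as missing.

```shell
#!/bin/sh
# Added example (not from the original post): steps 2 and 3 as shell functions.
# Assumes the openssl CLI; subject values and target paths are the ones used above.

# make_selfsigned DIR CN [DAYS]: private key + self-signed cert in one openssl call.
# Uses a 2048-bit key (the post used 1024, which is too small today).
make_selfsigned() {
    mkdir -p "$1"
    # subshell so the restrictive umask for the private key does not leak out
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "${3:-365}" \
          -subj "/C=CA/ST=Ontario/L=Toronto/O=LambertDatabase Inc./CN=$2" \
          -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null )
}

# cert_matches_key CERT KEY: succeeds only if both carry the same RSA modulus,
# i.e. SSLCertificateFile and SSLCertificateKeyFile really point at a pair.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_cn CERT: prints the subject CN, which must equal the hostname browsers use.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed 's/.*CN=\([^,]*\).*/\1/'
}

# install_certs DIR: copy into the paths ssl.conf references. A new copy gets the
# directory's default SELinux label, whereas mv keeps the home-directory label,
# which is why httpd reported "does not exist or is empty" above.
install_certs() {
    install -m 644 "$1/ca.crt" /etc/pki/tls/certs/ca.crt
    install -m 600 "$1/ca.key" /etc/pki/tls/private/ca.key
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -v /etc/pki/tls/certs/ca.crt /etc/pki/tls/private/ca.key
    fi
}
```

Run cert_matches_key and cert_cn against the installed files after editing ssl.conf; a mismatched pair or a CN that differs from the URL's hostname is the usual cause of the browser warning persisting after the exception is saved.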

4. Test

In Firefox:
go to https://192.168.0.35

You will get a security warning because the certificate is self-signed.
Accept it and save the exception.

CentOS: how to change the hostname
# cd /etc/sysconfig/
# vi network
Press i on the keyboard and change HOSTNAME to your preferred server name
Press ESC on the keyboard and save with :wq!
# reboot

Done.

Please feel free to ask any questions.

7 comments:

  1. it sure helped me a lot as well. this is not an easy topic, but you make it easy to be understood. thank you so much! lista de emails
  2. Thanks for replying to my post.
    The post is the biggest motivation for me to publish more and more.

    you guys rock!
  3. you are welcome.
    Let me know if you have any questions!
  4. I simply want to mention I am very new to weblogs and truly liked your blog site. I'm likely going to bookmark your website. You actually have amazing posts. Kudos for sharing your website with us.
  5. I added the 2 commands to fix the error of the certificate file not being found, then restarted Apache. But it still failed, and I got the same error: SSLCertificateFile: file '/ssl/bookstore.cert' does not exist or is empty
    Is there anyone who can help me fix this?!