Saturday, 11 November 2017

SSL Implementation on Operating System CentOS - 6.5

What is SSL?

SSL (Secure Sockets Layer) is the standard security protocol for establishing an encrypted link between a server and a client, i.e. between a web server and a client browser. SSL ensures that all data transmitted between the web server and the browser remains encrypted and secure.

Steps to implement SSL on Linux server

To implement SSL on Linux, we first have to install LAMP (optional if already installed) and then create an SSL certificate as described below:

  1. Installation of LAMP (Linux/Apache/MySQL/PHP) - there is no need to install Linux, as CentOS is already installed.
  1.1. Install Apache - open a terminal and type the command for the task you need:

    1. For installing apache
      • yum install httpd
    2. For starting apache after installation
      • /sbin/service httpd start
      • /etc/init.d/httpd start
    3. For restarting apache
      • /sbin/service httpd restart
      • /etc/init.d/httpd restart
    4. For stopping apache
      • /sbin/service httpd stop
      • /etc/init.d/httpd stop
    5. For checking current status of apache
      • /sbin/service httpd status
      • /etc/init.d/httpd status
  1.2. Install MySQL - open a terminal and type the command for the task you need:

    1. For installing MySQL
      • yum install mysql-server
    2. For starting MySQL after installation
      • /sbin/service mysqld start
      • /etc/init.d/mysqld start
    3. For restarting MySQL
      • /sbin/service mysqld restart
      • /etc/init.d/mysqld restart
    4. For stopping MySQL
      • /sbin/service mysqld stop
      • /etc/init.d/mysqld stop
    5. For checking current status of MySQL
      • /sbin/service mysqld status
      • /etc/init.d/mysqld status
  1.3. Install PHP - open a terminal and type the command for installing PHP:

      • yum install php php-mysql


  2. Create SSL Certificate on Apache on CentOS
  2.1. Install SSL - In order to set up the self-signed certificate, we first have to be sure that Apache and mod_ssl are installed on our server. You can install both with one command:

yum install mod_ssl
  2.2. Create New Directory - we need to create a new directory where we will store the server key and certificate:

mkdir /etc/httpd/ssl
  2.3. Create a Self-Signed Certificate - When we request a new certificate, we can specify how long the certificate should remain valid by changing the 365 to the number of days we prefer. As it stands this certificate will expire after one year.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
Below are the details of each option used in this command:
    • openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
    • req: This specifies a sub-command for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate management. Since we want to create a new X.509 certificate, this is the sub-command we need.
    • -x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
    • -nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
    • -days 365: This specifies that the certificate we are creating will be valid for one year.
    • -newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
    • -keyout: This parameter names the output file for the private key file that is being created.
    • -out: This option names the output file for the certificate that we are generating.
When you hit "ENTER", you will be asked a number of questions. The most important item that is requested is the line that reads "Common Name (e.g. server FQDN or YOUR name)". You should enter the domain name you want to associate with the certificate, or the server's public IP address if you do not have a domain name.
  2.4. Set up the Certificate - To set up the hosting server to display the new certificate:

    • Open up the SSL config file using command:
vi /etc/httpd/conf.d/ssl.conf
    • Find the section that begins with <VirtualHost _default_:443> and make some quick changes. Uncomment the DocumentRoot and ServerName lines and replace example.com with your DNS-approved domain name or server IP address (it should be the same as the common name on the certificate).
    • Find the following three lines, and make sure that they match the settings below:
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt  
SSLCertificateKeyFile /etc/httpd/ssl/apache.key 
Your virtual host is now all set up! Save and exit the file.
  2.5. Restart Apache - Restarting the Apache server will reload it with all of your changes in place.

    • In your browser, type https://youraddress to view the new certificate. Because the certificate is self-signed, the browser will show a trust warning before it loads the page.
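
The script below is an added example, not part of the original post. It repeats the openssl req command from the certificate step in a throw-away directory, then checks the three things that most often go wrong: the unencrypted (-nodes) key is readable only by its owner, the key and certificate belong together, and the certificate's Common Name equals the uncommented ServerName in ssl.conf. The function names, the host www.example.test and the ssl.conf fragment are assumptions made for the demo; -subj and -checkend are standard openssl options that the post itself does not use.

```shell
#!/bin/sh
# Added example: checks for the key, certificate and ssl.conf from the steps above.
# The temp directory, host name and ssl.conf fragment in demo() are constructed.

make_selfsigned() {    # $1 = directory, $2 = Common Name (-subj skips the prompts)
    mkdir -p "$1" || return 1
    # The -nodes key is unencrypted, so create it under umask 077 (owner-only).
    ( umask 077 && openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$2" -keyout "$1/apache.key" -out "$1/apache.crt" 2>/dev/null ) &&
    chmod 600 "$1/apache.key" && chmod 644 "$1/apache.crt"
}

key_matches_cert() {   # $1 = key, $2 = certificate; true if they are a pair
    k=$(openssl rsa  -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cert_cn() {            # prints the Common Name of certificate $1
    openssl x509 -in "$1" -noout -subject | sed 's|.*CN *= *||; s|[,/].*||'
}

conf_servername() {    # prints the active (uncommented) ServerName host in file $1
    awk 'tolower($1) == "servername" { sub(/:[0-9]+$/, "", $2); print $2; exit }' "$1"
}

check_setup() {        # $1 = key, $2 = certificate, $3 = ssl.conf
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch"; return 1; }
    openssl x509 -in "$2" -noout -checkend 2592000 >/dev/null ||
        { echo "expires within 30 days"; return 1; }
    [ "$(cert_cn "$2")" = "$(conf_servername "$3")" ] ||
        { echo "CN != ServerName"; return 1; }
    echo "ok"
}

demo() {               # runs all checks in a throw-away directory
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" www.example.test || return 1
    printf '%s\n' '<VirtualHost _default_:443>' 'ServerName www.example.test:443' \
        'SSLEngine on' "SSLCertificateFile $d/apache.crt" \
        "SSLCertificateKeyFile $d/apache.key" '</VirtualHost>' > "$d/ssl.conf"
    check_setup "$d/apache.key" "$d/apache.crt" "$d/ssl.conf"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo
```

On the server from this post, the equivalent call is check_setup /etc/httpd/ssl/apache.key /etc/httpd/ssl/apache.crt /etc/httpd/conf.d/ssl.conf.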