
nidhinjo

  • Guest
Custom "SSL" deployment
« on: April 07, 2018, 04:37:21 pm »
Configure SSL to use a secure, encrypted connection.

[1]    Create certificates first.


Code:
[root@www ~]# cd /etc/pki/tls/certs
[root@www certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)

Enter pass phrase:# set passphrase

Verifying - Enter pass phrase:# confirm


# remove passphrase from private key


Code:
[root@www certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:# input passphrase

Code:
[root@www certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [XX]:# country

State or Province Name (full name) []:# state

Locality Name (eg, city) [Default City]:# city

Organization Name (eg, company) [Default Company Ltd]:# company

Organizational Unit Name (eg, section) []:# department

Common Name (eg, your name or your server's hostname) []:# server's FQDN

Email Address []:# email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:# Enter

An optional company name []:# Enter

writing RSA key



Code:
[root@www certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok

[2]    Configure SSL.

Code:
[root@www ~]# yum -y install mod_ssl
[root@www ~]# vi /etc/httpd/conf.d/ssl.conf

# line 59: uncomment
DocumentRoot "/var/www/html"
# line 60: uncomment and specify the server name
ServerName www.srv.world:443
# line 75: change
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
# line 100: change to the one created in [1]
SSLCertificateFile /etc/pki/tls/certs/server.crt
# line 107: change to the one created in [1]
SSLCertificateKeyFile /etc/pki/tls/certs/server.key


Code:
[root@www ~]# systemctl restart httpd
[3]    If Firewalld is running, allow HTTPS service. HTTPS uses 443/TCP.


Code:
[root@www ~]# firewall-cmd --add-service=https --permanent

success
[root@www ~]# firewall-cmd --reload

success
[4]    Access the test page from a client computer with a web browser via HTTPS. The example below uses Firefox. The following screen is shown because the certificate is a self-created one, but it's no problem; proceed to the next step.



[5]    Just accessed.
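
An added example, not part of the original post: a shell audit of the two ssl.conf settings from step [2] that most affect exposure, the SSLProtocol list (TLSv1 and TLSv1.1 were deprecated by RFC 8996) and the file mode of the passphrase-less key from step [1]. The function names and the sample files built in `demo` are constructed for illustration.

```sh
# Added example: audit the ssl.conf edits from step [2] (not from the original post).
# Print the last uncommented value of directive $2 in config file $1.
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                   END { print v }' "$1"
}

# audit_ssl_conf FILE: one finding per line on stdout; returns 1 if any finding.
audit_ssl_conf() {
    rc=0; tls10=0; tls11=0; enc=""
    proto=$(directive "$1" SSLProtocol | tr '[:upper:]' '[:lower:]')
    key=$(directive "$1" SSLCertificateKeyFile | tr -d '"')
    [ -n "$proto" ] || { echo "SSLProtocol not set: build default applies"; rc=1; }
    # Replay the tokens in order as mod_ssl does: +x adds, -x removes,
    # and a bare name replaces whatever was set so far.
    for tok in $proto; do
        case $tok in
            +*) on=1; name=${tok#+} ;;
            -*) on=0; name=${tok#-} ;;
            *)  on=1; name=$tok; tls10=0; tls11=0 ;;
        esac
        case $name in
            all)     tls10=$on; tls11=$on ;;
            tlsv1)   tls10=$on ;;
            tlsv1.1) tls11=$on ;;
        esac
    done
    [ "$tls10" = 1 ] && { echo "TLSv1 enabled (deprecated, RFC 8996)"; rc=1; }
    [ "$tls11" = 1 ] && { echo "TLSv1.1 enabled (deprecated, RFC 8996)"; rc=1; }
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "SSLCertificateKeyFile missing: ${key:-unset}"; rc=1
    else
        # With the passphrase stripped in step [1], file mode is the key's only protection.
        grep -q ENCRYPTED "$key" || enc="unencrypted "
        perms=$(ls -ld "$key" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "${enc}key $key is accessible to group/other"; rc=1; }
    fi
    return $rc
}

# Constructed sample: the directives from step [2] plus a placeholder key file
# created world-readable in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf 'constructed placeholder, not a real key\n' > "$d/server.key"; chmod 644 "$d/server.key"
    printf '%s\n' 'SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2' \
        "SSLCertificateKeyFile $d/server.key" > "$d/ssl.conf"
    audit_ssl_conf "$d/ssl.conf"
}
demo || true
```

On a real host, run `audit_ssl_conf /etc/httpd/conf.d/ssl.conf`; a setting such as `SSLProtocol -all +TLSv1.2` together with `chmod 600` on the key file produces no findings.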