Setting up Apache Web Server
Enterprises typically require that all access is over SSL and that SSO is supported, so Apache must be configured for both.
For SSO configuration please see SSO for Opmantek Applications
NOTES ON VERSIONS AND OPTIONS
The configuration below is based on Apache 2.2, whose vhosts configuration differs from that of version 2.4.
You will need to consider how you create, manage and install the certificates you need. This varies based on company policy, certificate sources and a number of other factors. Usually the simplest approach is to use a Certificate Signing Request, which is discussed below.
Using VHosts to Ensure the FQDN is used.
For HTTPS and SSO to work correctly, all access needs to use the FQDN of the server, so we have Apache enforce that.
Each server has a vhosts.conf added with the code below. The first VirtualHost is the default: it catches access to the server under any other URL and redirects it to the second VirtualHost, which is for the FQDN host.
    #
    # Use name-based virtual hosting.
    #
    NameVirtualHost *:80
    #
    # NOTE: NameVirtualHost cannot be used without a port specifier
    # (e.g. :80) if mod_ssl is being used, due to the nature of the
    # SSL protocol.
    #

    # Default vhost: redirects any request that is not local access to the FQDN.
    <VirtualHost *:80>
        ServerAdmin opmantek@example.com
        DocumentRoot "/var/www/html"
        ServerName servername002
        RewriteEngine on
        RewriteCond %{HTTP_HOST} !=localhost
        RewriteCond %{HTTP_HOST} !=127.0.0.1
        RewriteCond %{REMOTE_ADDR} !=127.0.0.1
        RewriteCond %{REMOTE_ADDR} !=::1
        RewriteRule (.*) http://servername002.example.org$1
    </VirtualHost>

    # FQDN vhost: serves the requests that arrive under the full host name.
    <VirtualHost *:80>
        ServerAdmin opmantek@example.com
        DocumentRoot "/var/www/html"
        ServerName servername002.example.org
    </VirtualHost>
Creating CSR (Certificate Signing Request)
You must create a CSR for each server; these are used to create the final SSL certificate.
The details used in this example were:
Country: US
State/Province: New York
Locality: New York
Organisation: The example Corporation
Common Name (CN): FQDN of the server, e.g. servername001.example.org
To generate the CSRs easily, the following shell script, generate-csr.sh, was created:
    #!/bin/sh
    # Generate a 2048-bit RSA key and a CSR for HOSTNAME.DOMAINNAME.
    if [ -z "$1" ] || [ -z "$2" ]
    then
        echo "Please define HOSTNAME AND DOMAINNAME separated by space"
        echo "eg. $0 servername001 example.org"
        exit 1
    fi
    SERVER=$1
    DOMAIN=$2

    echo "Working on $SERVER $DOMAIN"
    # -nodes writes the private key unencrypted; keep $SERVER.key readable only by its owner.
    openssl req -nodes -newkey rsa:2048 -keyout "$SERVER.key" -out "$SERVER.csr" \
        -subj "/C=US/ST=New York/L=New York/O=The example Corporation/OU=Example Department/CN=$SERVER.$DOMAIN"
View the CSR
To view a CSR, run this:
    openssl req -text -in servername001.csr
Converting a CER into a CRT
Certificates that come from a Microsoft system will likely have the extension "CER". These are in DER (binary) format and need to be converted to standard PEM for Apache.
This web page helped with that. https://www.sslshopper.com/ssl-converter.html
View the CRT
To view a CRT, run this:
    openssl x509 -text -in servername001.cer
You can check the contents and make sure the names match up if required.
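The conversion and the name check described above can also be done locally with openssl. The script below is an added example, not part of the original page; the function names and the file name check-cert.sh are hypothetical.

```shell
#!/bin/sh
# Added example: convert a certificate to PEM and check it before installing it.

# to_pem IN OUT: write certificate IN to OUT as PEM, whether IN is PEM or DER.
to_pem() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM -out "$2"
    else
        openssl x509 -in "$1" -inform DER -out "$2"
    fi
}

# cert_matches_key CERT KEY: succeed only if CERT carries the public key of KEY.
# Both public keys are reduced to DER and hashed, then the hashes are compared.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_has_cn CERT FQDN: succeed only if the subject CN of CERT equals FQDN.
cert_has_cn() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# Usage: sh check-cert.sh servername001.cer servername001.crt \
#            servername001.key servername001.example.org
if [ "$#" -eq 4 ]; then
    to_pem "$1" "$2" || { echo "cannot read certificate $1"; exit 1; }
    cert_matches_key "$2" "$3" || { echo "$2 does not match key $3"; exit 1; }
    cert_has_cn "$2" "$4" || { echo "CN of $2 is not $4"; exit 1; }
    echo "OK: $2 is PEM, matches $3 and names $4"
fi
```

Current browsers match the host name against the certificate's subjectAltName rather than the CN, so check that field in the `-text` output as well if the CA added one.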
Installing the Certificate
TBD