Tuesday, June 15, 2010

Red Hat Enterprise Linux 5.4: installing Apache from the RPM packages and enabling SSL



[root@myserver][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh httpd-2.2.3-31.el5.i386.rpm
warning: httpd-2.2.3-31.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
error: Failed dependencies:
        libapr-1.so.0 is needed by httpd-2.2.3-31.el5.i386
        libaprutil-1.so.0 is needed by httpd-2.2.3-31.el5.i386
[root@myserver][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh apr-1.2.7-11.el5_3.1.i386.rpm apr-util-1.2.7-7.el5_3.2.i386.rpm
warning: apr-1.2.7-11.el5_3.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
error: Failed dependencies:
        libpq.so.4 is needed by apr-util-1.2.7-7.el5_3.2.i386
[root@myserver][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh postgresql-libs-8.1.11-1.el5_1.1.i386.rpm
warning: postgresql-libs-8.1.11-1.el5_1.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:postgresql-libs        ########################################### [100%]
[root@myserver][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh apr-1.2.7-11.el5_3.1.i386.rpm apr-util-1.2.7-7.el5_3.2.i386.rpm
warning: apr-1.2.7-11.el5_3.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:apr                    ########################################### [ 50%]
   2:apr-util               ########################################### [100%]
[root@myserver][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh httpd-2.2.3-31.el5.i386.rpm
warning: httpd-2.2.3-31.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:httpd                  ########################################### [100%]
[root@myserver][/media/RHEL_5.4 i386 DVD/Server]
$
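Every rpm -ivh above printed "Header V3 DSA signature: NOKEY, key ID 37017186": rpm could not verify the package signature because Red Hat's key had not been imported, and it installed the package anyway. The script below, an added example that is not part of the original post, imports the release key and checks signatures with rpm -K before anything is installed; the DVD mount point is the one used in the session, and the key file's location at the DVD root is an assumption.

```shell
#!/bin/sh
# Check package signatures before installing. Added example, not part of the
# original post. The DVD mount point is the one used in the session above;
# that the Red Hat release key sits at the DVD root is an assumption.
DVD='/media/RHEL_5.4 i386 DVD'
RELEASE_KEY="$DVD/RPM-GPG-KEY-redhat-release"   # assumed location

# Import the vendor key once. Until that is done every "rpm -ivh" prints the
# "Header V3 DSA signature: NOKEY, key ID 37017186" seen above and installs
# the package without having verified who signed it.
import_release_key() {
    [ -r "$RELEASE_KEY" ] && rpm --import "$RELEASE_KEY"
}

# Read "rpm -K" output on stdin; return 0 only if every line shows a verified
# signature. rpm prints checks it could verify in lower case and ones it
# could not in upper case, and ends the line with "OK" or "NOT OK (...)".
# A package with digests only ("sha1 md5 OK") is unsigned and also fails.
all_signatures_ok() {
    status=0 seen=0
    while IFS= read -r line; do
        seen=1
        case "$line" in
            *"NOT OK"*) echo "FAIL: $line" >&2; status=1 ;;
            *" gpg OK" | *" signatures OK") ;;   # rpm 4.4 / rpm >= 4.14 wording
            *) echo "FAIL: $line" >&2; status=1 ;;
        esac
    done
    [ "$seen" -eq 1 ] && return "$status"
    echo "FAIL: no rpm -K output" >&2
    return 1
}

# Verify the packages installed in the session above before running rpm -ivh.
check_session_packages() {
    ( cd "$DVD/Server" && rpm -K httpd-2.2.3-31.el5.i386.rpm \
        apr-1.2.7-11.el5_3.1.i386.rpm apr-util-1.2.7-7.el5_3.2.i386.rpm \
        postgresql-libs-8.1.11-1.el5_1.1.i386.rpm ) | all_signatures_ok
}
```

Run import_release_key first, then check_session_packages; only when it returns 0 is it safe to proceed with the rpm -ivh commands.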

To enable SSL, the mod_ssl-2.2.3-31.el5.i386.rpm package must also be installed:

[root@sampath][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh mod_ssl-2.2.3-31.el5.i386.rpm
warning: mod_ssl-2.2.3-31.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
error: Failed dependencies:
        libdistcache.so.1 is needed by mod_ssl-2.2.3-31.el5.i386
        libnal.so.1 is needed by mod_ssl-2.2.3-31.el5.i386
[root@sampath][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh distcache-1.4.5-14.1.i386.rpm
warning: distcache-1.4.5-14.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:distcache              ########################################### [100%]
[root@sampath][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh mod_ssl-2.2.3-31.el5.i386.rpm
warning: mod_ssl-2.2.3-31.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:mod_ssl                ########################################### [100%]
[root@sampath][/media/RHEL_5.4 i386 DVD/Server]
$ service httpd status
httpd is stopped
[root@sampath][/media/RHEL_5.4 i386 DVD/Server]
$ service httpd start
Starting httpd:                                            [ OK ]
[root@sampath][/media/RHEL_5.4 i386 DVD/Server]
$ netstat -ntpl |grep 443
tcp        0      0 :::443                      :::*                        LISTEN      29673/httpd
[root@sampath][/media/RHEL_5.4 i386 DVD/Server]

$ cd /etc/pki/tls/certs/
[root@sampath][/etc/pki/tls/certs]
$ make server.key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@sampath][/etc/pki/tls/certs]
$ make server.crt
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -x509 -days 365 -out server.crt -set_serial 0
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Tamilnadu
Locality Name (eg, city) [Newbury]:Pollachi
Organization Name (eg, company) [My Company Ltd]:HP
Organizational Unit Name (eg, section) []:MW
Common Name (eg, your name or your server's hostname) []:sampath.hp.com
Email Address []:
[root@sampath][/etc/pki/tls/certs]
$ make server.crt
make: `server.crt' is up to date.
[root@sampath][/etc/pki/tls/certs]
$ ls -lrt
total 484K
-rw-r--r-- 1 root root 2.2K Jun 29  2009 Makefile
-rwxr-xr-x 1 root root  610 Jun 29  2009 make-dummy-cert*
-rw-r--r-- 1 root root 431K Jun 29  2009 ca-bundle.crt
drwxr-xr-x 5 root root 4.0K Apr 27 13:36 ../
-rw------- 1 root root 1.4K Jun 15 12:18 localhost.crt
-rw------- 1 root root  963 Jun 15 12:26 server.key
-rw------- 1 root root 1.1K Jun 15 12:27 server.crt
drwxr-xr-x 2 root root 4.0K Jun 15 12:27 ./
[root@sampath][/etc/pki/tls/certs]
$ mv server.key ../private/
[root@sampath][/etc/pki/tls/certs]
$ cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.backup
[root@sampath][/etc/pki/tls/certs]
$ vi /etc/httpd/conf.d/ssl.conf
[root@sampath][/etc/pki/tls/certs]
$ /etc/init.d/httpd restart
Stopping httpd:                                            [ OK ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server sampath.hp.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

There are a few steps to follow in this process:

1. Create the private key file using the commands below.

2. Generate a CSR file using the key created in step 1.

3. Send the CSR file to a certificate issuing authority such as Verisign and get back the certificate, which is then installed on either the web server or the load balancer.

Private key file → CSR generation → Send CSR to Verisign → Get the certificate → Install it on either the LB or the web server

Follow the steps below:

Step 1: Generate a Private Key

The openssl toolkit is used to generate an RSA private key and a CSR (Certificate Signing Request). It can also be used to generate self-signed certificates for testing or internal use.

The first step is to create your RSA private key. In this example it is a 1024-bit RSA key, encrypted with Triple-DES and stored in PEM format so that it is readable as ASCII text.

# openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus
....................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

Step 2: Generate a CSR (Certificate Signing Request)

Once the private key is generated, a Certificate Signing Request can be created. The CSR is then used in one of two ways. Ideally, the CSR is sent to a Certificate Authority, such as Thawte or Verisign, which verifies the identity of the requestor and issues a signed certificate. The second option is to self-sign the CSR, which is demonstrated in Step 4 below.

# openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [IN]:IN
State or Province Name (full name) [Nikesh Jauhari]:Nikesh
Locality Name (eg, city) [Pune]:Pune
Organization Name (eg, company) [My Company Ltd]:Cybage Software Pvt. Ltd.
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:poison.hell.com
Email Address []:njauhari@cybage.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Remove Passphrase from Key

One unfortunate side-effect of a pass-phrased private key is that Apache asks for the pass-phrase each time the web server is started. This is inconvenient, because someone will not always be around to type it in, for example after a reboot or crash. mod_ssl can call an external program in place of the built-in pass-phrase dialog, but that is not necessarily the most secure option either. It is also possible to remove the Triple-DES encryption from the key, so that no pass-phrase is needed at all. If the private key is no longer encrypted, it is critical that the file be readable only by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that said, use the following command to remove the pass-phrase from the key:

# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key

The newly created server.key file no longer contains a passphrase.

-rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
-rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org

Step 4: Generating a Self-Signed Certificate

To generate a temporary certificate which is good for 365 days, issue the following command:

# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
………………………..
Getting Private key

Step 5: Installing the Private Key and Certificate

When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory differs depending on how Apache was compiled; on the RPM-installed httpd shown above, RHEL keeps certificates in /etc/pki/tls/certs and keys in /etc/pki/tls/private.

# cp server.crt /usr/local/apache/conf/ssl.crt
# cp server.key /usr/local/apache/conf/ssl.key

Step 6: Configuring SSL Enabled Virtual Hosts

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Step 7: Restart Apache and Test

/etc/init.d/httpd stop
/etc/init.d/httpd start

Now you can use https://yourwebservername.domain-name/.
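Before Step 5 copies server.key and server.crt into place and Step 7 restarts httpd, the pair is worth checking: the key must belong to the certificate, an unencrypted key (Step 3) must not be readable by group or world, and the CN must be the hostname clients will type. The functions below are an added example, not from the original post; they assume only the openssl CLI and take the file names as arguments.

```shell
#!/bin/sh
# Sanity checks for the server.key / server.crt pair from Steps 1-4, to run
# before Step 5 copies them into place. Added example, not from the original
# post; it assumes only the openssl CLI. File names are whatever you pass in.

# 0 if the key's RSA modulus equals the certificate's, i.e. the two belong
# together; 1 otherwise. A mismatch makes httpd refuse to start, or worse,
# means a different key than intended is serving the site.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# 0 if the key file carries no group/other permission bits (0600, 0400),
# which is mandatory once Step 3 has stripped the Triple-DES pass phrase.
# ls(1) is used instead of stat(1) because stat's flags differ per OS.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# 0 if the PEM key is still pass-phrase protected. Traditional PEM marks this
# with a DEK-Info header; PKCS#8 (the OpenSSL 3 default) uses its own block.
key_is_encrypted() {
    grep -q -e '^DEK-Info:' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Print the certificate's Common Name. RFC2253 name formatting is requested
# so the output shape is the same on OpenSSL 1.0, 1.1 and 3.x.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 if the CN is the hostname clients will put in the URL (Step 7), since
# browsers compare that name against the certificate.
cert_cn_is() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# 0 if the certificate is still valid for at least one more day.
cert_not_expiring() {
    openssl x509 -noout -checkend 86400 -in "$1" >/dev/null 2>&1
}

# Run every check on a key/certificate pair; 0 only if all of them pass.
check_pair() {
    key_matches_cert "$1" "$2" && key_is_private "$1" &&
        cert_cn_is "$2" "$3" && cert_not_expiring "$2"
}
```

A call such as check_pair /etc/pki/tls/private/server.key /etc/pki/tls/certs/server.crt sampath.hp.com fits the layout used in the session above. Modern clients reject 1024-bit RSA keys, so a key generated today should be at least 2048 bits.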

RPM Command Cross Reference

  • rpm -Uvh fortune-mod-1.0-13.rpm - option -U upgrades the fortune-mod package to the newer version and removes all other installed versions of fortune-mod from the system. Options -v and -h provide verbose output and show installation progress with hash marks.

  • rpm -ivh fortune-mod-1.0-13.rpm - option -i installs the fortune-mod package.

  • rpm -Fvh fortune-mod-1.0-13.rpm - option -F upgrades the fortune-mod package only if an earlier version is already installed.

  • rpm -qa --last - option -qa queries the RPM database for a list of all packages installed on the system, and --last sorts the listing by installation date.

  • rpm -qi fortune-mod-1.0-13 - option -qi queries the RPM database to check whether the fortune-mod-1.0-13 package is installed and, if so, prints detailed information about it.

  • rpm -ql fortune-mod-1.0-13 - option -ql lists all files that the fortune-mod-1.0-13 package installed on the system. This is useful, for example, to find out whether any sample files were installed that complement the man page.

  • rpm -qf /usr/games/fortune - option -qf queries the RPM database for the package that installed the /usr/games/fortune file.

  • rpm -qR fortune-mod-1.0-13 - option -qR queries the RPM database for the list of dependencies of the fortune-mod-1.0-13 package.

  • rpm -e fortune-mod-1.0-13 - option -e removes (uninstalls) the fortune-mod-1.0-13 package.