“You cannot swim for new horizons until you have courage to lose sight of the shore.” ― William Faulkner
- 1. Introduction
- 2. Directory Structure
- 3. Remove Password from RSA Private Key
- 4. Install the SSL Certificate
- 5. Install the Intermediate CA Certificate
- 6. Store the CSR
- 7. Configuring Apache
The Apache Web Server is the most popular web server software. According to the January 2018 Web Server Survey, about 38.2% of domains were running the Apache Web Server. As for active sites, Apache held about 44% share followed by NGINX at 21%.
When you operate a web server, whether it is a company web site or a shopping site or a blog, you should make sure it supports the HTTPS protocol. This offers security to your customers and also improves your site ranking in Google (SEO). You can do this by obtaining and installing an SSL (Secure Sockets Layer) Certificate. Obtaining an SSL certificate involves the following steps.
- Selecting a suitable SSL Certificate provider. This depends on the price of the certificate, features offered, reputation and browser support, etc.
- Creating a Certificate Signing Request (CSR). An SSL certificate provider requires that you submit a CSR, which contains information that you want certified. We have previously covered the process of creating and submitting a CSR.
- Verification: The SSL provider will verify the information provided in the CSR using whatever procedure suits them. Once the verification is complete, they will issue the SSL Certificate.
- Installation of the SSL Certificate: Once you have obtained the SSL certificate, you need to set up your web server to start using it.
In this article, we cover the installation of the SSL certificate into the Apache web server. We assume that you are running a popular Linux distribution such as Ubuntu on your web server, and that you have console access to the server.
2. Directory Structure
We create and use the following directory structure for installing the SSL certificate. The Apache web server needs access to the SSL certificate, the private key, and any intermediate CA (Certifying Authority) certificates, if applicable. For modularity, it is better to keep these components in separate directories.
We start with a directory ssl, and make sub-directories under it: ssl.crt, ssl.csr, and ssl.key. Execute the following commands as root on your web server.
cd /etc/apache2
mkdir ssl
cd ssl
mkdir ssl.crt ssl.csr ssl.key
chmod go-rwx . ssl.crt ssl.csr ssl.key
The directories are:
- ssl.crt holds your SSL certificate, as well as any intermediate CA certificates if required.
- ssl.csr holds the parameters of the CSR (Certificate Signing Request), including the request you sent to the SSL provider. Technically these files are not required for running the server; they are there only if you need to re-issue the SSL certificate or renew it.
- ssl.key holds your private key, the one you used to sign the CSR. Apache needs this file at runtime to prove, during the TLS handshake, that the server holds the key matching the SSL certificate.
Note that we removed all permissions for the group and others from the directories. These directories only need to be accessed by root, and hence, for improved security, the permissions should be minimal. This is true even if your web server normally runs as another less-privileged user (such as www), because Apache opens the key file as root during startup, before it drops privileges to that user.
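As an added example (not part of the original article), the following shell functions create the directory tree described above under a base directory of your choosing and then verify that no group or other permission bits remain on any of the four directories. The base directory is a parameter so the functions can be exercised in a scratch directory; on a real server it would be /etc/apache2. The permission check parses the group/other columns of `ls -ld`, which works on any POSIX system.

```shell
# make_ssl_tree BASE -> creates BASE/ssl/{ssl.crt,ssl.csr,ssl.key}, all root-only (mode 0700)
make_ssl_tree() {
    base="$1"
    mkdir -p "$base/ssl/ssl.crt" "$base/ssl/ssl.csr" "$base/ssl/ssl.key"
    chmod go-rwx "$base/ssl" "$base/ssl/ssl.crt" "$base/ssl/ssl.csr" "$base/ssl/ssl.key"
}

# check_ssl_tree BASE -> prints 'ok' and returns 0 when none of the directories
# grants any rwx bit to group or other; otherwise prints each offending path
# and returns 1. Columns 5-10 of `ls -ld` are the group and other permission bits.
check_ssl_tree() {
    base="$1"
    rc=0
    for d in "$base/ssl" "$base/ssl/ssl.crt" "$base/ssl/ssl.csr" "$base/ssl/ssl.key"; do
        bits=$(ls -ld "$d" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "group/other access still allowed on $d (bits: $bits)"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Demonstration in a scratch directory (constructed; not a real server path)
demo=$(mktemp -d)
make_ssl_tree "$demo"
check_ssl_tree "$demo"            # prints: ok
chmod g+r "$demo/ssl/ssl.key"     # simulate a permission slip on the key directory
check_ssl_tree "$demo" || true    # reports ssl.key as readable by the group
rm -rf "$demo"
```

Run `check_ssl_tree /etc/apache2` after the `chmod` step (or from a cron job) to catch a later permission slip, for example by a package upgrade or a careless `chmod -R`.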
3. Remove Password from RSA Private Key
When you submitted the CSR to the SSL provider, you probably used a password-protected RSA private key file. While a password protected file is more secure, it can be inconvenient when used with an SSL certificate. This is because Apache requires you to enter the password at startup. Imagine your server rebooting at 3:00AM and the web server unable to start up because it is waiting for the password! For this reason, we remove the password from the RSA private key file, and store it as is. Again, make sure the directories are properly protected as above so no one else can get access to this file.
Assuming your private key file is named www.example.com.key, here is how you can remove the password from it and save it to www.example.com.keynopass.
openssl rsa -in www.example.com.key -out www.example.com.keynopass
If you need to, you can protect it again with a password using Triple-DES encryption:
openssl rsa -in www.example.com.keynopass -out www.example.com.key -des3
Copy this file www.example.com.keynopass to /etc/apache2/ssl/ssl.key. We will use this path for configuring Apache.
4. Install the SSL Certificate
You should now copy the SSL certificate sent by the SSL provider into the /etc/apache2/ssl/ssl.crt directory. The SSL certificate is sent as a text file and looks something like this:
-----BEGIN CERTIFICATE-----
MIIGqjCCBZKgAwIBAgIQA3n+1jSOZvhK2Jp2qp+cuDANBgkqhkiG9w0BAQsFADBe
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMR0wGwYDVQQDExRSYXBpZFNTTCBSU0EgQ0EgMjAxODAe
Fw0xODAyMTQwMDAwMDBaFw0yMDA1MTUxMjAwMDBaMBoxGDAWBgNVBAMTD3d3dy5u
b3ZpeHlzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANE2dKp2
...
-----END CERTIFICATE-----
5. Install the Intermediate CA Certificate
Some SSL providers may send you an additional certificate termed something like “intermediate CA certificate”. This file is required because some browsers may not trust the SSL provider directly. But they will trust one of the “root” providers such as Thawte or Verisign. So your SSL provider will ship a certificate from one of these “more trusted” providers telling your browser it is OK to trust your SSL provider.
If you have such an Intermediate CA Certificate, you should install it in the /etc/apache2/ssl/ssl.crt directory.
6. Store the CSR
As mentioned above, you can also store the CSR and the config file used in generating the CSR in the /etc/apache2/ssl/ssl.csr directory. This helps in keeping all SSL certificate stuff in one place, and you can easily use the config file for re-issue or renewal. Since this information is public anyway, there is no security downside to storing it on the web server.
7. Configuring Apache
Let us now get into the details of configuring Apache. We store these Apache directives in a file called /etc/apache2/sites-available/www.example.com-ssl. The file may also contain other directives needed for the proper operation of the web site, but these do not interfere with the SSL configuration.
The directives are enclosed within Apache conditionals as follows:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
...
</VirtualHost>
</IfModule>
7.1. Enable SSL
The first step is to turn on SSL for the web site. As indicated above, the SSL part of the site runs on port 443, which is the standard port where browsers look for HTTPS.
7.2. Turn TLS On and SSL Off
Both SSL and TLS are protocols that provide authentication and data encryption as part of HTTPS. SSL is the older protocol and has gone through three versions: SSL 1.0 was internal to Netscape, who developed it; SSL 2.0 was released in 1995 and SSL 3.0 in 1996. TLS 1.0 was based on SSL 3.0 and is currently in use. SSLv2 was deprecated in 2011 and SSLv3 in 2015 because they contained vulnerabilities. This means you need to turn off these protocols in Apache, leaving only TLS enabled.
SSLProtocol all -SSLv3 -SSLv2
7.3. Setup SSL Certificate and RSA Key File
Apache needs to be aware of where your SSL certificate and the associated private key file are located. You can use these two directives to inform Apache of the paths.
SSLCertificateFile /etc/apache2/ssl/ssl.crt/www.example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/ssl.key/www.example.com.keynopass
7.4. Intermediate CA Certificate
In some cases, you need to use an “intermediate CA certificate” as explained above. If your SSL provider has sent you such a file, you need to tell Apache where to find it. Below, the intermediate CA file is named CACertificate-INTERMEDIATE.cer.
7.5. Special IE Configuration
The implementation of SSL in Internet Explorer (IE) is broken in some versions. For these versions to work properly, and protect your server from the effects of these broken implementations, you need the following directives.
BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
This basically turns off Keep-Alive for IE versions 2 through 6, and properly shuts down the SSL subsystem when one of these browsers happens to connect to your server.
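Sections 7.1 through 7.5 together form one virtual host configuration, and the mistakes that bite in practice are omissions: a forgotten `SSLCertificateKeyFile`, an `SSLProtocol` that still admits SSLv3, a missing chain file. As an added example (not the article's own code or an Apache tool), the shell functions below read a vhost file and audit exactly those directives. `directive_value` pulls the value of a named directive while skipping comment lines, and `audit_ssl_vhost` prints one line per finding and a final PASS or FAIL, returning the number of findings. The two configurations are constructed here: the weak one leaves `SSLProtocol all` without exclusions and omits the key file; the corrected one assembles the article's directives, including the `SSLEngine on` line that section 7.1 describes and an `SSLCertificateChainFile` line for the intermediate certificate named in section 7.4 (both are real mod_ssl directives; the path used for the chain file is assumed). The audit mirrors the article and requires only that SSLv2 and SSLv3 be excluded; on a current server you would also exclude TLSv1 and TLSv1.1.

```shell
# directive_value FILE NAME -> value of the first uncommented NAME directive (case-insensitive), or empty
directive_value() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        tolower($1) == tolower(name) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# audit_ssl_vhost FILE -> prints findings, then PASS or FAIL; returns the number of findings
audit_ssl_vhost() {
    cfg="$1"; findings=0
    [ "$(directive_value "$cfg" SSLEngine | tr 'A-Z' 'a-z')" = "on" ] \
        || { echo "FINDING: SSLEngine is not 'on'"; findings=$((findings+1)); }
    proto=$(directive_value "$cfg" SSLProtocol)
    if [ -z "$proto" ]; then
        echo "FINDING: no SSLProtocol directive (server default applies)"; findings=$((findings+1))
    else
        for tok in $proto; do
            case "$tok" in
                SSLv2|SSLv3|+SSLv2|+SSLv3)
                    echo "FINDING: SSLProtocol explicitly enables $tok"; findings=$((findings+1)) ;;
                all|+all)
                    # 'all' is only acceptable when the legacy versions are subtracted again
                    for old in SSLv2 SSLv3; do
                        echo " $proto " | grep -q -- " -$old " \
                            || { echo "FINDING: SSLProtocol 'all' without -$old"; findings=$((findings+1)); }
                    done ;;
            esac
        done
    fi
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        [ -n "$(directive_value "$cfg" "$d")" ] \
            || { echo "FINDING: $d missing"; findings=$((findings+1)); }
    done
    [ -n "$(directive_value "$cfg" SSLCertificateChainFile)" ] \
        || echo "NOTE: no SSLCertificateChainFile; acceptable only if the provider sent no intermediate CA certificate"
    [ "$findings" -eq 0 ] && echo PASS || echo FAIL
    return "$findings"
}

# Constructed vhost files for the demonstration (not real server configuration)
demo=$(mktemp -d)
cat > "$demo/weak.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    SSLProtocol all
    SSLCertificateFile /etc/apache2/ssl/ssl.crt/www.example.com.crt
</VirtualHost>
</IfModule>
EOF
cat > "$demo/corrected.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    SSLProtocol all -SSLv3 -SSLv2
    SSLCertificateFile /etc/apache2/ssl/ssl.crt/www.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/ssl.key/www.example.com.keynopass
    SSLCertificateChainFile /etc/apache2/ssl/ssl.crt/CACertificate-INTERMEDIATE.cer
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
EOF
audit_ssl_vhost "$demo/weak.conf" || true   # three findings, then FAIL
audit_ssl_vhost "$demo/corrected.conf"      # prints: PASS
rm -rf "$demo"
```

Run `audit_ssl_vhost /etc/apache2/sites-available/www.example.com-ssl` before `service apache2 restart`; it complements rather than replaces `apache2ctl configtest`, which catches syntax errors but not a permissive protocol list.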
And that’s it folks. With these settings, your web server should be as secure as Fort Knox 🙂
Let us now restart the server and check the configuration.
7.6. Verifying SSL
Restart the server now as follows:
service apache2 restart
Now verify that SSL is working by checking with the browser. At this point, you can also check the details in the certificate from the browser. It should be the same information as you submitted in the CSR.
You can also check that all parts of the SSL are working correctly by using these online tools.
- DigiCert SSL Installation Diagnostics Tool at https://www.digicert.com/help/. Checks your SSL certificate for common vulnerabilities
- SSL Labs Server Test at https://www.ssllabs.com/ssltest/index.html. A comprehensive test of all parts of the SSL subsystem.
- GeoTrust CryptoReport at https://cryptoreport.rapidssl.com/checker/.
- A tool that runs from the Linux command line is found at https://testssl.sh/. It performs a pretty thorough check of the SSL suite, and because you run it from your own machine you do not have to expose the results to a third party. It is also in continuous and active development (as of Feb 2018), with more tests being added.
In this article, we discussed how to configure Apache Web Server with the SSL certificate that was obtained in the previous step. After you follow this procedure, your website should be secured properly with SSL.