Configure TLS Security

General Information

Configuring TLS security (certificates).

Lab Setup

The following virtual machines will be used:

  • ( → Perform all connectivity tests from here
  • ( → Install Apache Web Server here

Previous Sections Completed

Create a Cert

Install required packages

yum install mod_ssl openssl

Create a key and certificate with openssl - check syntax

cat /etc/pki/tls/certs/make-dummy-cert | grep answer
  • This line contains the syntax you are looking for: answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null

Create a key and certificate with openssl

openssl req -newkey rsa:2048 -keyout /etc/pki/tls/bluesite.key -nodes -x509 -days 365 -out /etc/pki/tls/bluesite.crt

Prompts from the openssl cert create

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Here
Locality Name (eg, city) [Default City]:Right
Organization Name (eg, company) [Default Company Ltd]:Ur Co
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []
Email Address []:
  • For the purposes of the lab, the 'Common Name' (website name) is really the only important part.
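The same key/certificate creation as a non-interactive shell script, added here as an example that is not part of the original wiki page: the -subj flag replaces the prompts above, and a few checks confirm the files are usable before httpd is pointed at them. It assumes a writable directory argument (the wiki uses /etc/pki/tls) and uses "bluesite.example" as a constructed placeholder hostname.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: create the bluesite
# key/certificate non-interactively (the -subj flag replaces the prompts
# shown above) and then check the artifacts before wiring them into httpd.
# Assumptions: DIR is a writable directory (the wiki uses /etc/pki/tls);
# "bluesite.example" is a constructed placeholder hostname.

# make_cert DIR CN [DAYS]: writes DIR/bluesite.key and DIR/bluesite.crt
make_cert() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir"
    # -nodes leaves the key unencrypted, so restrict the file mode via umask
    (umask 077 && openssl req -newkey rsa:2048 -nodes -x509 -days "$days" \
        -subj "/C=US/ST=Here/L=Right/O=Ur Co/CN=$cn" \
        -keyout "$dir/bluesite.key" -out "$dir/bluesite.crt" 2>/dev/null)
}

# cert_cn CRT: prints the Common Name from the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# key_matches_cert KEY CRT: succeeds only if the key's public half is the
# one embedded in the certificate (httpd refuses to start on a mismatch)
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$kpub" = "$cpub" ]
}

# cert_valid CRT: succeeds if the certificate has not expired yet
cert_valid() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# key_is_private KEY: succeeds if no group/other permission bits are set
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $mode in 600|400) return 0 ;; *) return 1 ;; esac
}

# Usage, kept out of /etc/pki/tls so it can run unprivileged:
# d=$(mktemp -d); make_cert "$d" bluesite.example
# cert_cn "$d/bluesite.crt" && key_matches_cert "$d/bluesite.key" "$d/bluesite.crt"
```

Run the checks against a key from a different certificate to see key_matches_cert fail, which is the error httpd would otherwise report at start-up.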

Configuring a Site with a TLS Certificate

Edit virtual host file and add a tcp/443 listen entry for bluesite

vim /etc/httpd/conf.d/vhosts.conf
<VirtualHost *:443>
  DocumentRoot /var/www/html/bluesite
  SSLEngine On
  SSLCertificateFile /etc/pki/tls/bluesite.crt
  SSLCertificateKeyFile /etc/pki/tls/bluesite.key
  ErrorLog logs/bluesite-ssl-error_log
  CustomLog logs/bluesite-ssl-access_log combined
</VirtualHost>

Allow https through the firewall

firewall-cmd --permanent --add-service=https
firewall-cmd --reload

Restart httpd

systemctl restart httpd

Visit the secure site

Redirect to TLS

Redirect http to https.

Option 1: Using Redirect (Apache documentation recommends this method)

<VirtualHost *:80>
  # replace <bluesite-hostname> with the site's Common Name
  Redirect / https://<bluesite-hostname>/
</VirtualHost>

Option 2: Using mod_rewrite

<VirtualHost *:80>
  RewriteEngine on
  RewriteRule ^(/.*)$  https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>

  • linux_wiki/configure_tls_security.txt
  • Last modified: 2019/05/25 23:50