linux_wiki:configure_tls_security

linux_wiki:configure_tls_security [2016/08/28 23:51]
billdozor [Configure Tls Security]
linux_wiki:configure_tls_security [2019/05/25 23:50] (current)
Line 7: Line 7:
 ---- ----
  
-====== Generate CSR ======+====== Lab Setup ====== 
 + 
 +The following virtual machines will be used: 
 +  * server1.example.com (192.168.1.150) -> Perform all connectivity tests from here 
 +  * server2.example.com (192.168.1.151) -> Install Apache Web Server here 
 + 
 +**Previous Sections Completed** 
 +  * [[linux_wiki:network_services_overview_apache_web_server|Install/Configure]] 
 +    * Except leave listening on port 80/tcp 
 +  * [[linux_wiki:configure_a_virtual_host|Virtual Host Config]] 
 + 
 +---- 
 + 
 +====== Create a Cert ======
  
 Install require packages Install require packages
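Review bot: the new Lab Setup block names server2.example.com as the Apache host and server1.example.com as the test client, but the renamed "Create a Cert" section that follows never says on which machine the openssl and vim commands run. Add "on server2.example.com" to the first sentence under "Create a Cert" so the two new lists ("The following virtual machines will be used" and "Previous Sections Completed") actually tie into the steps below them; the port 80/tcp exception in the second list is only explained by the "Redirect to TLS" section much further down and deserves a one-line pointer here.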
Line 15: Line 28:
  
 \\ \\
-Create private key file+Create key and certificate with openssl - check syntax
 <code bash> <code bash>
-openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out testsite.example.com.key+cat /etc/pki/tls/certs/make-dummy-cert | grep answer
 </code> </code>
 +  * This line contains the syntax you are looking for: answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
  
 \\ \\
-Create CSR (Certificate Signing Request)+Create a key and certificate with openssl
 <code bash> <code bash>
-openssl req -new -key testsite.example.com.key -out testsite.example.com.csr+openssl req -newkey rsa:2048 -keyout /etc/pki/tls/bluesite.key -nodes -x509 -days 365 -out /etc/pki/tls/bluesite.crt
 </code> </code>
-  * Prompted for informational questions that will be used for domain ownership validation. 
-  * Completed CSR is sent to a certificate authority 
- 
-===== Self-Signed Cert ===== 
- 
-If not sending the CSR to a certificate authority, you can create a self-signed cert. (Usually only for development systems or testing) 
  
 \\ \\
-Self sign a CSR+Prompts from the openssl cert create
 <code bash> <code bash>
-openssl x509 -req -days 365 -signkey testsite.example.com.key -in testsite.example.com.csr -out testsite.example.com.crt+Country Name (2 letter code) [XX]:US 
 +State or Province Name (full name) []:Here 
 +Locality Name (eg, city) [Default City]:Right 
 +Organization Name (eg, company) [Default Company Ltd]:Ur Co 
 +Organizational Unit Name (eg, section) []: 
 +Common Name (eg, your name or your server's hostname) []:bluesite.example.com 
 +Email Address []:
 </code> </code>
 +  * For the purposes of the lab, the 'Common Name' (website name) is really the only important part.
  
 ---- ----
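Review bot: the new `openssl req -newkey rsa:2048 -keyout /etc/pki/tls/bluesite.key -nodes -x509 ...` line writes an unencrypted private key (that is what `-nodes` means) into /etc/pki/tls with default permissions; follow it with a permissions step such as `chmod 600 /etc/pki/tls/bluesite.key`, and preferably put the key under /etc/pki/tls/private and the certificate under /etc/pki/tls/certs, the directories the `make-dummy-cert` script you grep for already uses. The removed "Self-Signed Cert" paragraph carried the caveat that self-signed certificates are usually only for development or testing systems; since the new `-x509` command produces exactly such a certificate, keep that sentence under "Create a Cert" rather than dropping it. One caveat for the new bullet "the 'Common Name' (website name) is really the only important part": current browsers match the hostname against the subjectAltName extension rather than the CN, so a reader testing from a browser should expect a name-mismatch warning from this certificate even after trusting it, unless a SAN for bluesite.example.com is added.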
Line 42: Line 57:
 ====== Configuring a Site with a TLS Certificate ====== ====== Configuring a Site with a TLS Certificate ======
  
-Edit virtual host file and add a tcp/443 listen entry+Edit virtual host file and add a tcp/443 listen entry for bluesite
 <code bash> <code bash>
-vim /etc/httpd/conf.d/myvhost.conf+vim /etc/httpd/conf.d/vhosts.conf
  
 <VirtualHost *:443> <VirtualHost *:443>
-  ServerAdmin admin@myvhost.example.com +  ServerAdmin admin@bluesite.example.com 
-  DocumentRoot /var/www/html/myvhost +  DocumentRoot /var/www/html/bluesite 
-  ServerName myvhost.example.com:443 +  ServerName bluesite.example.com 
-   + 
-  SSLCertificateFile /etc/pki/tls/certs/testsite.example.com.crt +  SSLEngine On 
-  SSLCertificateKeyFile /etc/pki/tls/certs/testsite.example.com.key +  SSLCertificateFile /etc/pki/tls/bluesite.crt 
-   +  SSLCertificateKeyFile /etc/pki/tls/bluesite.key 
-  ErrorLog logs/myvhost-ssl-error_log + 
-  CustomLog logs/myvhost-ssl-access_log combined+  ErrorLog logs/bluesite-ssl-error_log 
 +  CustomLog logs/blusite-ssl-access_log combined
 </VirtualHost> </VirtualHost>
 </code> </code>
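Review bot: typo in the new `CustomLog logs/blusite-ssl-access_log combined` line: it should read `logs/bluesite-ssl-access_log` to match the ErrorLog line and the rest of the bluesite names. The added `SSLEngine On` is a necessary fix, not cosmetic: without it mod_ssl does not enable TLS for the `*:443` virtual host, so the previous revision's config answered plain HTTP on port 443 and https:// clients failed the handshake. The certificate and key paths (/etc/pki/tls/bluesite.crt and /etc/pki/tls/bluesite.key) agree with the openssl command in the previous hunk; if that command is moved to the certs/private directories, update these two directives in the same change.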
Line 75: Line 91:
 Visit the secure site Visit the secure site
 <code bash> <code bash>
-https://testsite.example.com+https://bluesite.example.com 
 +</code> 
 + 
 +---- 
 + 
 +====== Redirect to TLS ====== 
 + 
 +Redirect http to https. 
 + 
 +\\ 
 +Option 1: Using Redirect (**Apache documentation recommends this method**) 
 +<code bash> 
 +<VirtualHost *:80> 
 +  ServerName bluesite.example.com 
 + 
 +  Redirect / https://bluesite.example.com/ 
 +</VirtualHost> 
 +</code> 
 + 
 +\\ 
 +Option 2: Using mod_rewrite 
 +<code bash> 
 +<VirtualHost *:80> 
 +  ServerName bluesite.example.com 
 +   
 +  RewriteEngine on 
 +  RewriteRule ^(/.*)$  https://%{HTTP_POST}$1 [redirect=301] 
 +</VirtualHost>
 </code> </code>
  
 ---- ----
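Review bot: `%{HTTP_POST}` in the new RewriteRule is a typo for `%{HTTP_HOST}`; `HTTP_POST` is not a mod_rewrite server variable, it expands to an empty string, and the rule as written redirects every request to `https:///path`. The rule should also carry the L flag, i.e. `RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [R=301,L]`, so no later rule runs after the redirect is issued. In Option 1, `Redirect / https://bluesite.example.com/` sends a 302 (temporary) by default; for a permanent HTTP-to-HTTPS move use `Redirect permanent / https://bluesite.example.com/` so clients and caches remember it, which also makes the two options consistent with the 301 chosen in Option 2.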
  
  • linux_wiki/configure_tls_security.1472442704.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)