Working with OpenSSL and Httpd

Hands-On Lab

 

Stosh Oldham

Course Development Director in Content

Length

01:00:00

Difficulty

Advanced

Approximately 25% of the LPIC-3 Security exam is based on cryptography and how to employ it in Linux. In this hands-on lab, we will learn how to generate a signed certificate using openssl and use that certificate to secure HTTP traffic. We will then use the openssl command to verify the Apache configuration.

Connecting to the Lab

  1. Open your terminal application, and run the following command (remember to replace <PUBLIC_IP> with the public IP you were provided on the lab instructions page):
    ssh cloud_user@<PUBLIC_IP>
  2. Type yes at the prompt.
  3. Enter your cloud_user password at the prompt.

Install mod_ssl on the Host webserver

  1. Log in to the webserver host.
    ssh webserver
  2. Escalate privileges to root.
    sudo su -
  3. Install mod_ssl.
    yum install -y mod_ssl

Generate and Sign a Private Key

  1. Change to the /etc/pki/tls/ directory.
    cd /etc/pki/tls/
  2. Create a new encrypted private key.
    openssl genrsa -aes128 -out private/httpdkey.pem
  3. Enter httpd at the next two passphrase prompts.
  4. Generate a self-signed certificate using the encrypted private key.
    openssl req -new -x509 -key private/httpdkey.pem -out certs/httpdcert.pem -days 365
  5. Enter httpd at the passphrase prompt.
  6. At the next prompt, enter the following information:
    • Country Name: US
    • State or Province Name: Texas
    • Locality Name: Dallas
    • Organization Name: Example Corp
    • Common Name: shop.example.com
    • Email Address: webmaster@example.com
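
The following pre-flight check is an added example, not part of the original lab: it confirms that a certificate carries the public key of its private key, reads back the Common Name, and tests the validity window. The function names are hypothetical, and the demo builds a constructed throwaway pair in a temporary directory with the lab's two commands made non-interactive.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab. Function names are hypothetical.

# cert_matches_key CERT KEY PASSPHRASE
# Succeeds only if the certificate carries the public key derived from the
# encrypted private key; httpd will not start with a mismatched pair.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_cn CERT: print the subject Common Name (should equal ServerName's host).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# cert_valid_for CERT DAYS: succeeds if CERT is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# make_pair DIR NAME: constructed throwaway pair built with the lab's two
# commands. -passout/-passin/-subj replace the prompts for this demo only;
# a passphrase on the command line is visible to other local users.
make_pair() {
    openssl genrsa -aes128 -passout pass:httpd -out "$1/$2key.pem" 2048 \
        2>/dev/null &&
    openssl req -new -x509 -key "$1/$2key.pem" -passin pass:httpd \
        -out "$1/$2cert.pem" -days 365 -subj \
        "/C=US/ST=Texas/L=Dallas/O=Example Corp/CN=shop.example.com" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_pair "$demo_dir" httpd
make_pair "$demo_dir" other   # unrelated key, for the mismatch case

cert_matches_key "$demo_dir/httpdcert.pem" "$demo_dir/httpdkey.pem" httpd \
    && echo "certificate and key match"
cert_matches_key "$demo_dir/httpdcert.pem" "$demo_dir/otherkey.pem" httpd \
    || echo "mismatch detected"
echo "CN: $(cert_cn "$demo_dir/httpdcert.pem")"
cert_valid_for "$demo_dir/httpdcert.pem" 30 && echo "valid for 30+ days"
```

On the lab host, the same functions can be run as root from /etc/pki/tls/ against certs/httpdcert.pem and private/httpdkey.pem before httpd is restarted.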

Configure the Default Apache Virtual Host

  1. Edit /etc/httpd/conf.d/ssl.conf.
    vim /etc/httpd/conf.d/ssl.conf
  2. Type /Virtual to search for the SSL Virtual Host Context section.
  3. At the end of the <VirtualHost _default_:443> section, add the following on a new line:
    ServerName shop.example.com:443
  4. Type /SSLCert to search for the Server Certificate section.
  5. Locate the line SSLCertificateFile /etc/pki/tls/certs/localhost.crt, and change it to the following:
    SSLCertificateFile /etc/pki/tls/certs/httpdcert.pem
  6. Locate the line SSLCertificateKeyFile /etc/pki/tls/private/localhost.key, and change it to the following:
    SSLCertificateKeyFile /etc/pki/tls/private/httpdkey.pem
  7. Press Esc, then type :wq to exit the vim text editor.
  8. Restart the Apache httpd server.
    systemctl restart httpd
  9. Enter httpd at the passphrase prompt.
  10. Open port 443 on the OS firewall.
    firewall-cmd --add-service=https --permanent
  11. Reload the firewall.
    firewall-cmd --reload

Verify the Configuration

  1. Press Ctrl + D twice to log out of webserver and return to workstation.
  2. Verify that the configuration is working properly.
    openssl s_client -connect shop.example.com:443
  3. Press Ctrl + C to return to the command prompt.
  4. Write the s_client output to a file.
    openssl s_client -connect shop.example.com:443 > /home/cloud_user/httpd_output
  5. List the contents of the file to verify that the certificate information is there.
    cat /home/cloud_user/httpd_output

Conclusion

Congratulations, you've successfully completed this hands-on lab!