Getting an A on your CentOS SSL cert.

ko geek

So you finally got your server up and running, but want to serve your pages via HTTPS, which according to the big G (aka Google) is what you should be doing anyway. If you’re managing your own server, we’re going to assume you can connect to your headless machine via a terminal or PuTTY, whichever you prefer. What are you waiting for? SSH into your machine. Oh, and the disclaimer: we’re not responsible for you goofing up your machine. It works great here; check out the green padlock in the URL bar.

Let’s get going. We need to install mod_ssl and openssl. Follow along, or feel free to copy and paste just the commands themselves, not the hash sign in front of them; that’s the prompt telling us we’re running commands as root.

# yum -y install mod_ssl openssl

Now let’s generate a strong private key.

# openssl genrsa -out apache.key 4096

Now we generate a CSR (certificate signing request). Your SSL authority (RapidSSL, Comodo, etc.) will need this.

# openssl req -new -key apache.key -out apache.csr

Now we generate a self-signed certificate, so the server has something to serve until the real one arrives. Note the 3650: that’s good for 10 years. Your typical SSL authority will renew yearly.

# openssl x509 -req -days 3650 -in apache.csr -signkey apache.key -out apache.crt

Now we’ll move our files to the correct location. If you’re using SELinux, use cp instead of mv, otherwise SELinux will complain: mv keeps the file’s old security context from your home directory, while cp gives the new copy the context of the destination directory.

# mv apache.crt /etc/pki/tls/certs
# mv apache.key /etc/pki/tls/private/apache.key
# mv apache.csr /etc/pki/tls/private/apache.csr

Now let’s do some editing.

# vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

There will be multiple items changed, so pay attention and be careful. The following lines in this file need to look like this, with no leading hash signs. Yes, back in the day the hashtags were referred to as commenting out a line. This is 2017, HASHTAGS, lol!

SSLCertificateFile /etc/pki/tls/certs/apache.crt
SSLCertificateKeyFile /etc/pki/tls/private/apache.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt

Don’t leave just yet. We have a few more things to do to get that A on our SSL. Scroll up to the top of the file and work your way down. Since you’re here, go ahead and put the right server name in where it says “”. You probably already did this in the main httpd.conf file, which is good; at the end I’ll show you how to turn off the server signature, which is how it should be for security purposes, but Apache likes the files to be correct. Here are the other lines you’ll need to edit as you scroll down. Take your time; you want this to be correct, or httpd won’t come back up when you restart it. Don’t forget to save.

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

Okay, we’re getting closer. Now let’s copy our CSR to give to our SSL authority.

# cat /etc/pki/tls/private/apache.csr

Highlight and copy the entire contents of your apache.csr file for your SSL authority. They will confirm that it’s a legit CSR and send an email letting you know the next step in getting your ssl.crt and intermediate.crt.

Now you’ve downloaded the files. Open ssl.crt in your favorite text editor, copy it in its entirety, replace the contents of the file located here, and save.

# vi /etc/pki/tls/certs/apache.crt

Now open and copy the contents of intermediate.crt (possibly called an SSL chain file, depending on the SSL authority). Create the file here, paste the contents in, and save.

# vi /etc/pki/tls/certs/intermediate.crt

I promise we’re close. Let’s generate strong Diffie-Hellman parameters, so the DHE cipher suites are as strong as the rest of the setup. Here’s where you get a cup of coffee, or tea, whatever your preference, or something stronger if you will. This will take a bit.

# openssl dhparam -out /etc/pki/tls/certs/dhparam.pem 4096

Done yet? If so, append the parameters to the certificate file. mod_ssl reads custom DH parameters from the end of the file named in SSLCertificateFile, so they’ll be picked up on the next restart.

# cat /etc/pki/tls/certs/dhparam.pem | tee -a /etc/pki/tls/certs/apache.crt
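Before pointing Apache at the files, it is worth checking that the key, the CSR and the certificate actually belong together and that the certificate file still parses after the DH parameters were appended. The script below is an added example, not part of the original post: it rebuilds the same artifacts in a temporary directory with demo sizes (a 2048-bit key and 512-bit DH parameters, chosen only so it finishes quickly; the post’s 4096-bit sizes are what belong on a real server), plus a stray second key to show what a mismatch looks like. The CN and all paths are made-up demo values.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the key, CSR,
# certificate and appended DH parameters before handing them to Apache.
# Everything is generated in a temporary directory with demo sizes
# (2048-bit key, 512-bit DH) so it finishes quickly; on a real server use
# the post's 4096-bit sizes and the /etc/pki/tls paths.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the same artifacts as the post, non-interactively (-subj skips the
# CSR questionnaire; the CN is a made-up demo name).
make_demo_files() {
  openssl genrsa -out "$WORK/apache.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/apache.key" -out "$WORK/apache.csr" \
    -subj "/CN=demo.example.test" 2>/dev/null
  openssl x509 -req -days 3650 -in "$WORK/apache.csr" \
    -signkey "$WORK/apache.key" -out "$WORK/apache.crt" 2>/dev/null
  openssl dhparam -out "$WORK/dhparam.pem" 512 2>/dev/null
  cat "$WORK/dhparam.pem" >> "$WORK/apache.crt"          # the post's tee -a step
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null  # a stray key, for contrast
}

# "match" when the private key and certificate share an RSA modulus, i.e. the
# cert was really issued for this key. A mismatch (wrong key file, or a cert
# pasted over the wrong file) is the usual reason httpd refuses to start.
key_matches_cert() {  # $1 = key file, $2 = cert file
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# "ok" when the CSR's own signature verifies and it carries the same public
# key as the private key, i.e. it is the request to hand to the CA.
csr_matches_key() {  # $1 = csr file, $2 = key file
  r=$(openssl req -noout -modulus -in "$1" 2>/dev/null)
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
  if openssl req -noout -verify -in "$1" >/dev/null 2>&1 && [ -n "$r" ] && [ "$r" = "$k" ]
  then echo ok; else echo bad; fi
}

# "ok" when the combined file still parses as an X.509 certificate and the
# DH PARAMETERS block appended to it parses too, which is what mod_ssl needs.
cert_file_has_dhparams() {  # $1 = cert file with DH params appended
  if openssl x509 -noout -in "$1" 2>/dev/null &&
     sed -n '/BEGIN DH PARAMETERS/,/END DH PARAMETERS/p' "$1" |
       openssl dhparam -noout 2>/dev/null
  then echo ok; else echo bad; fi
}

make_demo_files
echo "key   vs cert: $(key_matches_cert "$WORK/apache.key" "$WORK/apache.crt")"
echo "stray vs cert: $(key_matches_cert "$WORK/other.key" "$WORK/apache.crt")"
echo "csr   vs key : $(csr_matches_key "$WORK/apache.csr" "$WORK/apache.key")"
echo "cert  + dh   : $(cert_file_has_dhparams "$WORK/apache.crt")"
```

Run the same three functions against /etc/pki/tls/private/apache.key, /etc/pki/tls/private/apache.csr and /etc/pki/tls/certs/apache.crt after pasting in the CA-issued certificate; a “mismatch” there means the wrong key or the wrong certificate went into the file.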

Guess what, we’re done, now let’s restart apache.

# systemctl restart httpd

Oh yeah, turn off the server signature so Apache stops advertising its version.

# vi /etc/httpd/conf/httpd.conf

Add the following at the bottom of the httpd.conf file you have open.

ServerSignature Off
ServerTokens Prod
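Since a typo in any of these files means httpd won’t come back up, here is a small audit script that checks every directive this post touches before you restart. It is an added example, not from the original post: the two pairs of sample config files are constructed inline (one edited as described above, one where several edits were skipped); on a real CentOS box you would pass /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf/httpd.conf instead. It assumes the directive names are spelled exactly as in this post (Apache itself treats them case-insensitively) and only looks at uncommented lines, so a directive still behind a hash sign is reported as missing.

```shell
#!/bin/sh
# Added example, not from the original post: audit the directives this post
# edits before restarting httpd. Sample configs are constructed below; on a
# real server pass /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf/httpd.conf.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Effective value of a directive across the given files. Commented lines never
# match because their first field is "#Name", and a later occurrence overrides
# an earlier one, as Apache does for repeated directives in one scope.
directive_value() {  # $1 = directive name (exact spelling), rest = config files
  d=$1; shift
  awk -v d="$d" '$1 == d { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$@"
}

# Exit 0 if an SSLProtocol value leaves protocol $2 disabled, 1 if still enabled.
proto_disabled() {  # $1 = SSLProtocol value, $2 = protocol name
  case " $1 " in
    *" -$2 "*) return 0 ;;
    *" all "*|*" +$2 "*|*" $2 "*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print one line per finding; exit status 0 means nothing left to fix.
audit_config() {  # args = config files (ssl.conf and httpd.conf)
  rc=0
  proto=$(directive_value SSLProtocol "$@")
  if [ -z "$proto" ]; then
    echo "SSLProtocol is missing or still commented out"; rc=1
  else
    for old in SSLv2 SSLv3; do
      proto_disabled "$proto" "$old" ||
        { echo "SSLProtocol still allows $old: '$proto'"; rc=1; }
    done
  fi
  suite=$(directive_value SSLCipherSuite "$@")
  case "$suite" in
    *'!aNULL'*'!MD5'*|*'!MD5'*'!aNULL'*) ;;
    *) echo "SSLCipherSuite should exclude aNULL and MD5: '$suite'"; rc=1 ;;
  esac
  [ "$(lower "$(directive_value SSLHonorCipherOrder "$@")")" = on ] ||
    { echo "SSLHonorCipherOrder is not on (server cipher preference not enforced)"; rc=1; }
  for name in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
    [ -n "$(directive_value "$name" "$@")" ] ||
      { echo "$name is missing or commented out"; rc=1; }
  done
  [ "$(lower "$(directive_value ServerSignature "$@")")" = off ] ||
    { echo "ServerSignature is not Off"; rc=1; }
  [ "$(lower "$(directive_value ServerTokens "$@")")" = prod ] ||
    { echo "ServerTokens is not Prod (version still advertised)"; rc=1; }
  return $rc
}

# Constructed sample configs: one pair edited as the post describes, one pair
# where several of the edits were skipped or left commented out.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/good-ssl.conf" <<'EOF'
SSLCertificateFile /etc/pki/tls/certs/apache.crt
SSLCertificateKeyFile /etc/pki/tls/private/apache.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
EOF
cat > "$WORK/good-httpd.conf" <<'EOF'
ServerSignature Off
ServerTokens Prod
EOF
cat > "$WORK/unfinished-ssl.conf" <<'EOF'
#SSLCertificateFile /etc/pki/tls/certs/apache.crt
SSLCertificateKeyFile /etc/pki/tls/private/apache.key
#SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
EOF
cat > "$WORK/unfinished-httpd.conf" <<'EOF'
ServerTokens OS
EOF

for pair in good unfinished; do
  echo "== $pair =="
  if audit_config "$WORK/$pair-ssl.conf" "$WORK/$pair-httpd.conf"; then echo "clean"; fi
done
```

For the constructed “unfinished” pair the audit reports six findings (SSLv3 still allowed, SSLHonorCipherOrder off, SSLCertificateFile and SSLCertificateChainFile commented out, ServerSignature unset, ServerTokens still OS) and exits non-zero; the “good” pair comes back clean.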

Go ahead and restart apache for good measure.

# systemctl restart httpd

Now head over to Qualys SSL Labs and go for the A. Let us know how it went.
