Securing websites, especially those that save users' information, is of utmost importance. We use SSL certificates to secure communication between users & websites. SSL certificates help encrypt the communication between user & website, so even if someone gets hold of the traffic, it will be almost impossible for them to decrypt the data.
SSL certificates are signed using a hash algorithm from the family known as SHA (Secure Hash Algorithm); it is used by certificate authorities to sign an SSL certificate. The SHA algorithms currently available are SHA-1 (not being used now), SHA-2 (most popular) & SHA-3 (not that popular), with SHA-2 further divided into SHA-224, SHA-256, SHA-384 & SHA-512. SHA-256 is the most widely used of the SHA-2 variants, but the others are used as well.
Though there is technically nothing wrong with using SHA-1, most websites have now moved to SHA2 certificates, as SHA-1 is quite old & some potential problems have been discovered with it. In this tutorial, we are going to discuss how you can create an SSL SHA2 certificate to secure your apache server.
Pre-requisites
We will need a webserver with a website hosted & openssl installed. To install httpd, run
$ yum install httpd
For detailed apache installation, read our article STEP BY STEP GUIDE TO CONFIGURE APACHE SERVER.
Generating private key file & CSR (Certificate Signing Request)
Firstly we need to create a private key, which will then be used to create a CSR file. To create the private key, run the following command,
$ openssl genrsa -out test_domain.key 2048
where test_domain.key is the name of the private key. You can also replace 2048 with 4096 for extra security. Now we will create a CSR file from the created key file by executing,
$ openssl req -out test_domain.csr -key test_domain.key -new -sha256
This will create a CSR file signed with the SHA 2 algorithm. You can now send this CSR to a certificate authority for creating the SHA2 certificate. Once the CSR has been signed & the certificate provided by the CA, we only need to configure SSL in our apache server. Remember that the CA also provides a CA chain certificate, which will also be configured in the apache server along with the private key & website certificate.
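Before sending the CSR to the CA, it is worth confirming that it really carries a SHA-2 signature and that it was generated from the private key you intend to install. The script below is an added example, not part of the original tutorial; the -subj value, the function names and the temporary directory are assumptions made so it runs without prompts.

```shell
#!/bin/sh
# Added example; the file base name and CN below are constructed placeholders.

# Create a 2048-bit RSA key and a SHA-256 signed CSR without prompts.
make_key_and_csr() {  # $1 = directory, $2 = file base name, $3 = CN
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr"
}

# Print the CSR's signature algorithm, e.g. sha256WithRSAEncryption.
csr_sig_alg() {  # $1 = CSR file
    openssl req -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# Print a SHA-256 digest of the public key inside a private key or a CSR.
pubkey_digest() {  # $1 = key|csr, $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the CSR is signed with a SHA-2 hash and was made from the key.
check_csr() {  # $1 = private key file, $2 = CSR file
    alg=$(csr_sig_alg "$2")
    if ! printf '%s\n' "$alg" | grep -Eiq 'sha(224|256|384|512)'; then
        echo "CSR is not SHA-2 signed: $alg" >&2
        return 1
    fi
    if [ "$(pubkey_digest key "$1")" != "$(pubkey_digest csr "$2")" ]; then
        echo "CSR was not generated from this private key" >&2
        return 1
    fi
}

# Demo in a throwaway directory that is removed on exit.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_key_and_csr "$demo_dir" test_domain test_domain.com
echo "Signature algorithm: $(csr_sig_alg "$demo_dir/test_domain.csr")"
check_csr "$demo_dir/test_domain.key" "$demo_dir/test_domain.csr" && echo "CSR OK"
```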
Configuring Apache server
We now need to configure httpd.conf or ssl.conf (depending on the setup you are using). I like to keep all my server settings in one place, so I will be using httpd.conf,
$ vi httpd.conf
& add the following lines to your virtual host definitions (or paste them at the end of httpd.conf, if using a single web server)
SSLEngine on
SSLCertificateFile /data/webserver/apache2/ssl/TEST_DOMAIN/test_domain.com.crt
SSLCertificateKeyFile /data/webserver/apache2/ssl/TEST_DOMAIN/test_domain.key
SSLCertificateChainFile /data/webserver/apache2/ssl/TEST_DOMAIN/ca_chain.crt
where test_domain.com.crt is your main website certificate, test_domain.key is the private key that we generated & lastly ca_chain.crt is the CA chain certificate provided by the certificate authority.
Also make sure that you have the mod_ssl.so module enabled in the httpd.conf file,
LoadModule ssl_module modules/mod_ssl.so
After all the changes have been made to httpd.conf, save the file, exit & restart your apache service.
$ service httpd restart
You now have a website that has an SSL SHA2 certificate. You can also test your website/certificate for any security flaws by visiting,
https://www.ssllabs.com
That's all for now, please leave your feedback, suggestions or queries in the comment box down below.