
Apache - AD - Linux: Generate SSL request, sign and install

Always start by creating a private key per server (or name); this key should be created only once (and should be valid for 10 years):

 openssl genrsa -out servername.domain.extension.key 2048

This command will output:

Generating RSA private key, 2048 bit long modulus (2 primes)
...................+++++
..........................................................................................................................................+++++
e is 65537 (0x010001)

Move this key to:

/etc/apache2/ssl/

You may need to create the folder and grant read access to the www-data user (or httpd).

We will also install all required certificates in this folder.

As we use virtual hosts, we also need to take care of the SAN (subjectAltName) attribute, so that the certificate covers the virtual host name and not only the server name.

Method #1: SAN attribute within CSR

Generate the SAN attribute within the CSR. Create an additional config file, one per hostname, since the attributes are embedded within a .conf file:

mywebname.conf:

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = BE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Brussels
localityName = Locality Name (eg, city)
localityName_default = Brussels
organizationName = Organization Name (eg, company)
organizationName_default = Your Organisation
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = virtualhostname.domain.extension
#DNS.2 = xxxxxxx
#IP.1 = xx.yy.zz.aa
#IP.2 = ....

Invoke openssl to create the CSR file with this configuration:

# openssl req -new -sha256 -config mywebname.conf -key servername.domain.extension.key -out virtualhostname.domain.extension.csr

Method #2: SAN attribute in signature

Request a « classic » CSR, but specify the SAN as an extension via the -addext option:

# openssl req -new -sha256 -key servername.domain.extension.key -out virtualhostname.domain.extension.csr -addext "subjectAltName = DNS:virtualhostname.domain.extension"

Fill in the prompts:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Brussels
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Nox-Rhea
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:hostname.domain.extension
Email Address []:contact@domain.extension

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign Request

A native Microsoft CA server may not generate certificates WITH SAN attributes (that's an optional feature, not enabled by default on 2008 CA servers).

In this case you can enable it by following these steps:

  • certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
  • net stop certsvc
  • net start certsvc

Be aware that this flag makes the CA honour a subjectAltName supplied as a request attribute (the san:dns= field of Method #2) by any requester, so the names that end up in an issued certificate are then chosen by the submitter rather than by the CA; keep it off unless you really need Method #2, since Method #1 carries the SAN inside the signed CSR itself and works without it.

Go to the Microsoft CA web enrollment page:

https://Your-CA-Server.domain.extension/certsrv/

then choose:

Paste the CSR file's content

If you've opted for Method #1:

Select template « webserver »

Click « submit »

If you've opted for Method #2 :

Select template « webserver »

Within « Additional Attributes », type:

san:dns=My_Virtual_Name.domain.extension

Click « submit »

Download the certificate as a Base64 file

Choose « Download Certificate »

Apache Configuration

You can download your CA certificate from the CA server's home page.

Choose the certificate and download it as Base64.

Edit the site's configuration file (generally located in /etc/apache2/sites-available/):

     #   SSL Engine Switch:
     #   Enable/Disable SSL for this virtual host.
     SSLEngine on

     SSLCertificateFile      /etc/apache2/ssl/AD-Certificates.domain.extension.crt
     SSLCertificateKeyFile   /etc/apache2/ssl/GeneratedKey.domain.extension.key

     #   Server Certificate Chain:
     #   Point SSLCertificateChainFile at a file containing the
     #   concatenation of PEM encoded CA certificates which form the
     #   certificate chain for the server certificate. Alternatively
     #   the referenced file can be the same as SSLCertificateFile
     #   when the CA certificates are directly appended to the server
     #   certificate for convenience.
     #   (SSLCertificateChainFile is deprecated since Apache 2.4.8;
     #   there, append the CA chain to SSLCertificateFile instead.)
     SSLCertificateChainFile /etc/apache2/ssl/LWWK-CA.crt
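The whole key / CSR / verification flow of this page as one script, added here as an example and not part of the original page: it creates the per-server key once, writes the Method #1 config with one DNS.n entry per virtual host, and checks both that the CSR really carries the SAN and that the certificate the CA returned belongs to the key Apache will use. Function names, the srv1/www/app host names and the SSL_DIR override are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original page: create the per-server key once,
# build a CSR whose SAN lists every virtual host name (Method #1), and verify
# the CSR and the returned certificate before Apache is pointed at them.
set -eu
SSL_DIR="${SSL_DIR:-/etc/apache2/ssl}"   # assumption: the folder used on this page

# make_san_csr <server-fqdn> <vhost-fqdn> [more-vhost-fqdn ...]
# Reuses <server-fqdn>.key if present; otherwise creates it once, mode 0600.
# Writes <first-vhost>.conf and <first-vhost>.csr into $SSL_DIR.
make_san_csr() {
  server="$1"; shift
  key="$SSL_DIR/$server.key"; cfg="$SSL_DIR/$1.conf"; csr="$SSL_DIR/$1.csr"
  mkdir -p "$SSL_DIR"
  if [ ! -f "$key" ]; then
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null)
  fi
  {
    printf '[ req ]\nprompt = no\ndefault_bits = 2048\n'
    printf 'distinguished_name = dn\nreq_extensions = req_ext\n\n'
    printf '[ dn ]\nC = BE\nST = Brussels\nL = Brussels\n'
    printf 'O = Your Organisation\nCN = %s\n\n' "$1"
    printf '[ req_ext ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
    i=1
    for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
  } > "$cfg"
  openssl req -new -sha256 -config "$cfg" -key "$key" -out "$csr"
}

# csr_has_san <csr> <fqdn>: succeeds only if the CSR's SAN extension lists <fqdn>
# exactly (a bare CN is not enough for browsers, which only look at the SAN).
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# cert_matches_key <crt> <key>: succeeds only if the certificate the CA returned
# was issued for the public key of <key> (catches a pasted/downloaded mix-up).
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

Run `cert_matches_key` against the Base64 file downloaded from the CA before editing the Apache site file; a mismatch means Apache will refuse to start with that pair.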
