- Generating Certificates.
- yum -y install crypto-utils mod_ssl
- genkey server1.example.com
- it generates a .key (private key) and a .crt (certificate) file:
- /etc/pki/tls/certs/server1.example.com.crt
- /etc/pki/tls/private/server1.example.com.key
- click next
- select recommended security
- 2048 (medium-security, medium speed) [RECOMMENDED]
- Would you like to send a Certificate Request (CSR) to a Certificate Authority (CA)?
- YES - if you will send the request to an external certificate authority.
- NO - for testing (self-signed certificate).
- select NO for testing purposes.
- Encrypt the private key
- enabling this feature sets a passphrase on the private key, which httpd will prompt for at every start of the SSL server.
- leave it blank and click next.
- Enter details for your certificate
- Common name [fully qualified domain name]: make sure the hostname is correct; this is the most important entry, because clients check it against the hostname they connect to.
- server1.example.com
- check that the files have the correct SELinux type (cert_t).
-rw-------. root root unconfined_u:object_r:cert_t:s0 localhost.key
-r--------. root root unconfined_u:object_r:cert_t:s0 server1.example.com.key
[root@server1 ~]# ls -Z /etc/pki/tls/certs/
-rw-------. root root unconfined_u:object_r:cert_t:s0 localhost.crt
-rw-r-----. root root unconfined_u:object_r:cert_t:s0 server1.example.com.crt
[root@server1 conf.d]# vim server1.conf
# Access rules for the directory served as DocumentRoot by the vhost below.
<Directory "/web/server1">
# .htaccess files are ignored; all directives for this tree live here.
AllowOverride none
# Unauthenticated access to everything under /web/server1.
Require all granted
</Directory>
# HTTPS vhost on all addresses, port 443.
<VirtualHost *:443>
ServerAdmin root@server1.example.com
DocumentRoot "/web/server1"
# Must match the Common name entered in genkey.
ServerName "server1.example.com"
# Log paths are relative to ServerRoot.
ErrorLog "logs/server1_error_log"
CustomLog "logs/server1_access_log" combined
# Enable mod_ssl for this vhost.
SSLEngine on
# Private key produced by genkey; keep it root-only (0400 as shown by ls -Z).
SSLCertificateKeyFile /etc/pki/tls/private/server1.example.com.key
# Matching self-signed certificate produced by genkey.
SSLCertificateFile /etc/pki/tls/certs/server1.example.com.crt
# NOTE(review): no SSLProtocol/SSLCipherSuite here, so protocol and cipher
# choices fall back to mod_ssl's global configuration -- confirm they meet policy.
</VirtualHost>
-rw-------. root root unconfined_u:object_r:cert_t:s0 localhost.crt
-rw-r-----. root root unconfined_u:object_r:cert_t:s0 server1.example.com.crt
- Create a virtual host.
[root@server1 conf.d]# vim server1.conf
# Access rules for the directory served as DocumentRoot by the vhost below.
<Directory "/web/server1">
# .htaccess files are ignored; all directives for this tree live here.
AllowOverride none
# Unauthenticated access to everything under /web/server1.
Require all granted
</Directory>
# HTTPS vhost on all addresses, port 443.
<VirtualHost *:443>
ServerAdmin root@server1.example.com
DocumentRoot "/web/server1"
# Must match the Common name entered in genkey.
ServerName "server1.example.com"
# Log paths are relative to ServerRoot.
ErrorLog "logs/server1_error_log"
CustomLog "logs/server1_access_log" combined
# Enable mod_ssl for this vhost.
SSLEngine on
# Private key produced by genkey; keep it root-only (0400 as shown by ls -Z).
SSLCertificateKeyFile /etc/pki/tls/private/server1.example.com.key
# Matching self-signed certificate produced by genkey.
SSLCertificateFile /etc/pki/tls/certs/server1.example.com.crt
# NOTE(review): no SSLProtocol/SSLCipherSuite here, so protocol and cipher
# choices fall back to mod_ssl's global configuration -- confirm they meet policy.
</VirtualHost>
- vim /web/server1/index.html
- Welcome, this website is using TLS (Transport layer Security)
- make sure the SELinux file context (httpd_sys_content_t) is applied to the DocumentRoot:
- semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
- restorecon -R -v /web
- Restart httpd
- [root@server1 conf.d]# systemctl restart httpd
- Add https service in firewalld
- [root@server1 conf.d]# firewall-cmd --permanent --add-service=https
- [root@server1 conf.d]# firewall-cmd --reload
- [root@server1 conf.d]# firewall-cmd --list-all
- https should now appear in the services list.
- services: dhcpv6-client http https myservice samba ssh
- Add server1.example.com to /etc/hosts if DNS is not available.
- Browse the website.
- https://server1.example.com