Wednesday, October 5, 2016

Apache SSL Signing Request with Active Directory Certificate Services

Set Up the DNS Address
Make sure that DNS resolves the server's correct FQDN before proceeding; the Common Name in the request must match it.

Generate a Private Key
openssl genrsa 2048 > wiki.key

Generate a Request
openssl req -new -key wiki.key -sha256 > wiki.csr
The important thing when running openssl req is that you get the Common Name right: it must be the FQDN clients will use. If your server answers to multiple DNS names, you will need to look into specifying Subject Alternative Names. Currently not covered in this howto.
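The key and request steps above as a single non-interactive script, added here as an example that is not part of the original post. It goes one step beyond the post: the CSR carries Subject Alternative Names, the case the post mentions but does not cover, and the key is created with restrictive permissions from the start. The hostnames in the demo are constructed placeholders; the only assumption is that the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example, not from the original post: key + CSR generation with
# Subject Alternative Names. Hostnames used in the demo are constructed
# placeholders; assumes the openssl command-line tool is installed.
set -eu

# make_csr KEYFILE CSRFILE PRIMARY_FQDN [EXTRA_FQDN ...]
# Writes a 2048-bit RSA key and a SHA-256 CSR. The Common Name is
# PRIMARY_FQDN and the SAN extension lists every name given, so a browser
# reaching the server by any of those names will accept the certificate.
make_csr() {
    key=$1; csr=$2; cn=$3; shift 3
    san="DNS:$cn"
    for name in "$@"; do
        san="$san,DNS:$name"
    done

    # umask 077 makes the key file mode 0600 from the moment it is created,
    # so there is no window in which other users can read it.
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null)

    # A throwaway config supplies the subject and the SAN extension
    # non-interactively; this works on OpenSSL versions without -addext.
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF
    openssl req -new -sha256 -key "$key" -out "$csr" -config "$cfg"
    rm -f "$cfg"
}

# csr_sans CSRFILE: print the SAN list the CSR carries, so it can be checked
# before the request is submitted to the CA.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# csr_signature_ok CSRFILE: exit 0 if the CSR's self-signature verifies,
# i.e. it was really produced with the private key that sits beside it.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Demo: run as "sh make_csr.sh demo" to produce wiki.key / wiki.csr in the
# current directory for the constructed names below.
if [ "${1:-}" = "demo" ]; then
    make_csr wiki.key wiki.csr wiki.example.internal wiki intranet.example.internal
    echo "CSR SANs: $(csr_sans wiki.csr)"
    csr_signature_ok wiki.csr && echo "CSR signature verifies"
fi
```

Run `sh make_csr.sh demo`, then inspect the request with `openssl req -in wiki.csr -noout -text` before submitting it: an AD CS template that does not allow requester-supplied subject information will drop or reject names it does not expect, so checking the SAN list on the Linux side first saves a round trip to the CA.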

Sign the Request on the CA
Copy the Request Over to the CA
certreq -submit -attrib "CertificateTemplate: WebServer" .\wiki.csr

Move the generated .crt file back over to the server
Place the .key and the .crt files in the apache2 directory. I recommend creating the following directory:
/etc/apache2/ssl

Run the following from the directory that holds wiki.key and the wiki.crt you brought back from the CA; the private key must be readable by root only, so tighten its permissions as soon as it is in place:
sudo mkdir /etc/apache2/ssl
sudo cp wiki.key wiki.crt /etc/apache2/ssl/
cd /etc/apache2/ssl
sudo chmod 400 *.key
cd ../sites-available
sudo vi default-ssl.conf

Change the following lines:
SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

To:
SSLCertificateFile    /etc/apache2/ssl/wiki.crt
SSLCertificateKeyFile /etc/apache2/ssl/wiki.key

Restart Apache
This varies from distro to distro, but for me it's:
sudo service apache2 restart

Verify it works
Navigate to your web server via its FQDN. Check the thumbprint the browser shows for the certificate against the one installed on the server.
To get the SHA-1 thumbprint of the .crt (Windows and AD CS display thumbprints as SHA-1, which is why -sha1 is used here), you can use the following:
openssl x509 -noout -in /etc/apache2/ssl/wiki.crt -fingerprint -sha1

Compare the fingerprint printed here with the thumbprint listed when you inspect the certificate in the browser.
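The same verification done from the command line, as an added example that is not part of the original post: it fetches the certificate Apache actually presents, compares its SHA-1 fingerprint with the file on disk (tolerating the colon or space formatting differences between OpenSSL and the Windows certificate viewer), and checks that the certificate chains to the AD CS root. The host name, port and file paths in the demo are constructed placeholders; the script assumes only the openssl command-line tool.

```sh
#!/bin/sh
# Added example, not from the original post: compare the certificate Apache
# actually serves with the one installed on disk, and check that it chains to
# the AD CS root. Assumes the openssl command-line tool; host names and file
# paths in the demo are constructed placeholders.
set -eu

# normalise_fp: turn any thumbprint spelling (OpenSSL's AB:CD:..., or the
# space-separated lower-case form the Windows certificate viewer shows) into
# bare upper-case hex so the two can be compared.
normalise_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# file_fingerprint CERTFILE: SHA-1 fingerprint of a PEM certificate on disk.
# SHA-1 is used because that is what AD CS and Windows display as the
# thumbprint, not because SHA-1 is still a good hash.
file_fingerprint() {
    openssl x509 -noout -in "$1" -fingerprint -sha1 | sed 's/^.*=//'
}

# served_fingerprint HOST PORT: fingerprint of the leaf certificate the
# server presents for HOST (SNI is sent so virtual hosts answer correctly).
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# fingerprints_match A B: exit 0 if the two thumbprints name the same
# certificate regardless of formatting.
fingerprints_match() {
    [ "$(normalise_fp "$1")" = "$(normalise_fp "$2")" ]
}

# chain_ok CAFILE CERTFILE: exit 0 if CERTFILE chains to the CA certificate
# in CAFILE (export the AD CS root as Base-64 to obtain CAFILE). Older
# openssl builds exit 0 even on failure, so the ": OK" line is what counts.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# verify_served CERTFILE HOST PORT: the end-to-end check the post describes,
# done from the command line instead of the browser.
verify_served() {
    expected=$(file_fingerprint "$1")
    actual=$(served_fingerprint "$2" "$3")
    if fingerprints_match "$expected" "$actual"; then
        echo "OK: $2:$3 serves the installed certificate ($expected)"
    else
        echo "MISMATCH: installed $expected, served $actual" >&2
        return 1
    fi
}

# Demo: sh verify_cert.sh demo  (placeholder host and paths; adjust to taste)
if [ "${1:-}" = "demo" ]; then
    verify_served /etc/apache2/ssl/wiki.crt wiki.example.internal 443
    chain_ok /etc/apache2/ssl/adcs-root.crt /etc/apache2/ssl/wiki.crt \
        && echo "OK: certificate chains to the AD CS root"
fi
```

A mismatch here usually means Apache is still serving the snakeoil certificate (the edit to default-ssl.conf did not take, or the site was not reloaded), or that another virtual host answers for the name you used; the chain check fails when the client machine does not trust the AD CS root, which is the same thing a non-domain browser will complain about.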
