Securing Apache - Fedora/RedHat

Step 2a - Creating and Securing the Apache Key/Certificate Store

Create/Secure the Apache Key/Certificate Store

Let us create a place to securely hold the Public/Private Keys and Certificates

Change to the Apache Directory

cd /etc/httpd/

Create the SSL Directory

mkdir ssl 

Change permissions on the SSL Directory (a directory needs its execute bit to be entered, so 644 would lock everyone but root out of it; 750 keeps it private to the owner and group)

chmod 750 ssl/

Copy the Keys to the SSL directory

cp /etc/pki/tls/private/*.key /etc/httpd/ssl

Change permissions on the Keys

chmod 640 ssl/*.key 

Copy the Certificates to the SSL directory (on Fedora/RedHat the certificates live in /etc/pki/tls/certs; only the private keys are in /etc/pki/tls/private)

Do not forget to move the www_EXAMPLE_com.crt and EXAMPLE_com_CA.crt to the directory if you have a CA Signed Certificate

cp /etc/pki/tls/certs/*.crt /etc/httpd/ssl

Change permissions on the Certificates

chmod 644 ssl/*.crt 
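The steps above as one script, added here as an example and not part of the original guide: it builds the store, applies the permissions the guide sets, and then audits the result so you can confirm no private key is readable by "other" or writable by the group. HTTPD_DIR and PKI_DIR are assumptions that default to the Fedora/RedHat paths; point them at a scratch tree to rehearse the procedure before touching /etc. The directory itself gets 750 here because a directory needs its execute bit to be entered.

```shell
#!/bin/sh
# Added example (not from the original guide): create the Apache key/cert
# store and audit its permissions. HTTPD_DIR / PKI_DIR are assumptions that
# default to the Fedora/RedHat locations.
set -eu

HTTPD_DIR="${HTTPD_DIR:-/etc/httpd}"
PKI_DIR="${PKI_DIR:-/etc/pki/tls}"

# Exact octal mode match using POSIX find (no reliance on GNU stat flags).
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Create the store and copy keys/certs in with the guide's permissions:
# keys 640, certificates 644, directory 750 (searchable, but not by "other").
create_store() {
    store="$HTTPD_DIR/ssl"
    mkdir -p "$store"
    chmod 750 "$store"
    for k in "$PKI_DIR"/private/*.key; do
        [ -f "$k" ] || continue
        cp "$k" "$store/"
        chmod 640 "$store/$(basename "$k")"
    done
    for c in "$PKI_DIR"/certs/*.crt; do
        [ -f "$c" ] || continue
        cp "$c" "$store/"
        chmod 644 "$store/$(basename "$c")"
    done
}

# Audit: list every .key/.pem in the store that is readable or writable by
# "other" (0004 / 0002) or writable by group (0020). Returns 1 if any were
# found, 0 if the store is clean.
audit_store() {
    store="$HTTPD_DIR/ssl"
    loose=$(find "$store" -type f \( -name '*.key' -o -name '*.pem' \) \
        \( -perm -004 -o -perm -002 -o -perm -020 \) -print)
    if [ -n "$loose" ]; then
        printf 'WARNING: loose permissions on private material:\n%s\n' "$loose" >&2
        return 1
    fi
    echo "store $store: private material permissions look fine"
    return 0
}

# Usage: sh store.sh create   |   sh store.sh audit
case "${1:-}" in
    create) create_store ;;
    audit)  audit_store ;;
esac
```

Run the audit again after every later step that drops files into the store (the DH parameter file below, renewed certificates) so a file written with a permissive umask does not go unnoticed.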

Generating Diffie-Hellman (DH) and Elliptic Curve Parameters

With Forward Secrecy, an attacker who gets hold of the server's private key will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master secret. Diffie-Hellman ensures that the pre-master secret is derived independently on the client and the server and never crosses the wire, so it cannot be intercepted by a Man in the Middle (MiTM) attack.

BTW - This procedure will take some time. Generating the DH Parameters puts a HUGE load on the server, so keep this in mind!

Change to the Apache SSL directory

cd /etc/httpd/ssl

Generate the DH Params file (Mandatory Step - Takes a long time to generate)

If you have time, we recommend using 8192-bit instead of 4096-bit parameters in the command below.

openssl dhparam -out dhparam.pem 4096

Set permissions on the DH PEM file (Mandatory Step)

chmod 640 *.pem

Change to the OpenSSL Directory

cd /etc/pki/tls/certs

Generate the EC Params file (Recommended - EC generation is quick)

You can generate a file for each curve if you like, or just for the ones that are being used.

openssl ecparam -name prime256v1 -out prime256v1.pem

Check the EC Param file

openssl ecparam -in prime256v1.pem -check

Creating a private key w/ the EC Parameters file

openssl ecparam -in prime256v1.pem -genkey -noout -out prime256v1.key

Creating a private key w/o the EC Parameters file

openssl ecparam -name prime256v1 -noout -out ec_key.pem -genkey

(use prime256v1, secp384r1 or secp521r1 as the -name value, whichever curve you intend to serve)

Set permissions of the EC Pem file

chmod 640 *.pem

To print out the EC Parameters to standard output

openssl ecparam -in prime256v1.pem -noout -text

List available EC Curves in OpenSSL

openssl ecparam -list_curves

Add the Params files to the SSL config

You can append the DH parameters you generated earlier to the end of your certificate file (the file named by SSLCertificateFile). The mod_ssl documentation for that is here
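The checks a practitioner wants after the parameter steps above, plus the append described in this last step, as an added example that is not part of the original guide: it reads back the DH prime length and the EC curve name from the files you generated, and appends the DH parameters to a certificate file only once, refusing any input that is not a DH parameter PEM. All file paths are arguments; the /etc/httpd/ssl and /etc/pki/tls/certs paths in the usage comment are the guide's, not assumed by the functions.

```shell
#!/bin/sh
# Added example (not from the original guide): verify DH/EC parameter files
# and safely append DH parameters to a certificate file. Requires openssl.
set -eu

# Prime length of a DH parameter file, parsed from openssl's text dump
# ("DH Parameters: (4096 bit)"). Empty output means the file is not DH params.
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Curve name of an EC key or EC parameter file (the "ASN1 OID:" line of the
# text dump). Tries the key reader first, then the parameter reader.
ec_curve() {
    { openssl ec -in "$1" -noout -text 2>/dev/null \
        || openssl ecparam -in "$1" -noout -text 2>/dev/null; } \
        | sed -n 's/.*ASN1 OID: *//p' | head -n 1
}

# Number of PEM blocks in a file: a certificate with DH parameters appended
# carries at least two (CERTIFICATE plus DH PARAMETERS).
pem_blocks() {
    grep -c -- '^-----BEGIN ' "$1" || true
}

# Append DH parameters to a certificate file. Refuses a second argument that
# has no DH PARAMETERS block, and does nothing if the certificate already
# carries one, so re-running the step cannot duplicate the block.
append_dhparams() {
    cert=$1
    dh=$2
    if ! grep -q -- '^-----BEGIN.*DH PARAMETERS-----' "$dh"; then
        echo "refusing: $dh has no DH PARAMETERS block" >&2
        return 1
    fi
    if grep -q -- '^-----BEGIN.*DH PARAMETERS-----' "$cert"; then
        echo "$cert already contains DH parameters; nothing to do" >&2
        return 0
    fi
    cat "$dh" >> "$cert"
}

# Print what each file contains, deciding DH vs EC by its PEM header, e.g.:
#   sh check_params.sh /etc/httpd/ssl/dhparam.pem /etc/pki/tls/certs/prime256v1.pem
report() {
    for f in "$@"; do
        if grep -q -- 'DH PARAMETERS-----' "$f"; then
            printf '%s: DH prime %s bits\n' "$f" "$(dh_bits "$f")"
        else
            printf '%s: EC curve %s\n' "$f" "$(ec_curve "$f")"
        fi
    done
}

[ $# -eq 0 ] || report "$@"
```

Keep the PEM-block count in mind when you later renew the certificate: a freshly issued www_EXAMPLE_com.crt overwrites the combined file, so the DH parameters have to be appended again, which is why the append function is written to be repeatable.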