Debian/Ubuntu Step 2a - Creating and Securing the Apache Key/Certificate Store

Change to the Apache Directory

cd /etc/apache2

Create the SSL Directory

mkdir ssl 

Change permissions on the SSL Directory (a directory needs the execute bit to be entered, so 755 is the directory equivalent of 644)

chmod 755 ssl/

Copy the Keys to the SSL directory

cp /etc/ssl/private/*.key /etc/apache2/ssl

Change permissions on the Keys

chmod 640 ssl/*.key

Copy the Certificates to the SSL directory

If you have a CA-signed certificate, do not forget to copy www_EXAMPLE_com.crt and EXAMPLE_com_CA.crt into the directory as well.

cp /etc/ssl/private/*.crt /etc/apache2/ssl

Change permissions on the Certificates

chmod 644 ssl/*.crt
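The store-building steps above, as an added shell example that is not part of the original guide: the functions take the Apache directory and the key source directory as parameters (the guide's /etc/apache2 and /etc/ssl/private), so the procedure can be rehearsed in a scratch directory first, and a check function reports any file whose mode drifted from the values the guide sets. It assumes GNU coreutils (stat -c %a), as found on Debian/Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original guide: build the Apache key/certificate
# store under a configurable root and verify the permissions afterwards.
# Assumption: GNU coreutils `stat -c %a` is available (Debian/Ubuntu).

# create_ssl_store ROOT SRC
#   ROOT is the Apache config directory (/etc/apache2 in the guide),
#   SRC the directory holding the .key and .crt files (/etc/ssl/private).
create_ssl_store() {
    root="$1"; src="$2"
    mkdir -p "$root/ssl"
    # Directory equivalent of 644: the x bit is required to traverse it.
    chmod 755 "$root/ssl"
    for f in "$src"/*.key "$src"/*.crt; do
        [ -e "$f" ] && cp "$f" "$root/ssl/"
    done
    # Private keys: owner (root) and group only. Certificates are public.
    for k in "$root"/ssl/*.key; do [ -e "$k" ] && chmod 640 "$k"; done
    for c in "$root"/ssl/*.crt; do [ -e "$c" ] && chmod 644 "$c"; done
}

# check_ssl_store ROOT
#   Returns 0 when every key, certificate and PEM file carries the mode the
#   guide sets, 1 otherwise, naming each offender. Run it after any package
#   upgrade or manual edit to catch a key that became world-readable.
check_ssl_store() {
    root="$1"; rc=0
    for f in "$root"/ssl/*; do
        [ -e "$f" ] || continue
        case "$f" in
            *.key) want=640 ;;
            *.crt) want=644 ;;
            *.pem) want=640 ;;
            *) continue ;;
        esac
        mode=$(stat -c %a "$f")
        if [ "$mode" != "$want" ]; then
            echo "wrong mode $mode on $f (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Usage on a real host (as root):
#   create_ssl_store /etc/apache2 /etc/ssl/private && check_ssl_store /etc/apache2
```

Apache reads the private keys as root during startup, before dropping privileges to www-data, so 640 root:root is sufficient and the keys never need to be readable by the worker user.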

Generating Diffie-Hellman (DH) and Elliptic Curve Parameters

With forward secrecy, an attacker who gets hold of the server's private key still cannot decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master secret. Diffie-Hellman ensures that the pre-master secret never leaves the client and the server, so it cannot be recovered by a man-in-the-middle (MiTM) attack.

BTW - This procedure will take some time. Generating 4096-bit DH parameters puts a HUGE load on the server, so keep this in mind!

Change to the Apache2 SSL directory

cd /etc/apache2/ssl

Generate the DH Params file    (Mandatory - Slow)

openssl dhparam -out dhparam.pem 4096

Set permissions on the DH PEM file    (Mandatory)

chmod 640 *.pem

Add the Params files to the SSL config - (Global use - Preferred Method)

Add the three lines marked with <--- below     (Preferred)

nano /etc/apache2/mods-available/ssl.conf

<IfModule mod_ssl.c>
        SSLRandomSeed startup builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect builtin
        SSLRandomSeed connect file:/dev/urandom 512
        SSLOpenSSLConfCmd Options -SessionTicket        <--- Disables TLS session tickets: clients cannot resume with an older ticket and must perform a full handshake
        SSLCompression off        <--- Prevents the CRIME attack; recent Apache2 versions already disable TLS compression by default
        SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"        <--- Points mod_ssl at the pre-generated 4096-bit DH group instead of the built-in default, raising DH key strength for the handshake
............................
</IfModule>

A copy & paste version is found below:

        SSLOpenSSLConfCmd Options -SessionTicket
        SSLCompression off
        SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"

Close and exit the file

ctrl+o (save)
ctrl+x (exit)

Apache2 Web site config file (Local use - Alternative)

Add the three SSL lines shown below     (Alternative)

nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin host@EXAMPLE.com
        ServerName EXAMPLE.com
        ServerAlias www.EXAMPLE.com
        DocumentRoot /var/www/html/EXAMPLE
        DirectoryIndex index.html
        LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLOpenSSLConfCmd Options -SessionTicket
        SSLCompression off
        SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"
........................
    </VirtualHost>
</IfModule>

A copy & paste version is found below:

        SSLOpenSSLConfCmd Options -SessionTicket
        SSLCompression off
        SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"

Close and exit the file

ctrl+o (save)
ctrl+x (exit)
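Both config edits above (the global ssl.conf and the per-site vhost file) add the same three directives by hand in nano. As an added example that is not part of the original guide, the script below inserts them idempotently directly after the <IfModule mod_ssl.c> line and verifies that all three are present, so a rerun never duplicates a line and a config-management job can apply it to either file. It assumes the file contains a literal "<IfModule mod_ssl.c>" line (as both files in the guide do) and uses the guide's dhparam.pem path; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: idempotently add the three
# mod_ssl hardening directives and check that they are present.
# Assumptions: the target file has a literal "<IfModule mod_ssl.c>" line,
# and the DH parameter file is the one generated in the guide.

DHPARAM="/etc/apache2/ssl/dhparam.pem"

# The directives the guide adds, one per line, in the guide's order.
ssl_directives() {
    cat <<EOF
SSLOpenSSLConfCmd Options -SessionTicket
SSLCompression off
SSLOpenSSLConfCmd DHParameters "$DHPARAM"
EOF
}

# has_directive FILE "DIRECTIVE ARG": 0 if an uncommented line starts with it.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# add_ssl_directives FILE
#   Collects the directives not yet in FILE and inserts them, indented,
#   right after the first "<IfModule mod_ssl.c>" line. Matching is on the
#   directive name plus its first argument, so an existing line with a
#   different value (e.g. another DH file) is left for the admin to resolve
#   rather than silently duplicated.
add_ssl_directives() {
    file="$1"; missing=""
    while IFS= read -r line; do
        key=$(printf '%s\n' "$line" | awk '{print $1" "$2}')
        has_directive "$file" "$key" || missing="$missing        $line
"
    done <<EOF
$(ssl_directives)
EOF
    [ -n "$missing" ] || return 0
    awk -v ins="$missing" '
        { print }
        /^[[:space:]]*<IfModule mod_ssl\.c>/ && !done { printf "%s", ins; done = 1 }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# count_ssl_directives FILE: prints how many of the three directives are set (0..3).
count_ssl_directives() {
    n=0
    for key in "SSLOpenSSLConfCmd Options" "SSLCompression off" "SSLOpenSSLConfCmd DHParameters"; do
        has_directive "$1" "$key" && n=$((n + 1))
    done
    echo "$n"
}

# Usage on a real host (as root), then validate before reloading Apache:
#   add_ssl_directives /etc/apache2/mods-available/ssl.conf
#   [ "$(count_ssl_directives /etc/apache2/mods-available/ssl.conf)" = 3 ] && apache2ctl configtest
```

Always run apache2ctl configtest after editing either file: SSLOpenSSLConfCmd is only accepted by mod_ssl builds against OpenSSL 1.0.2 or later, and a typo in the dhparam.pem path is reported at configtest time rather than silently ignored.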