CA Single Sign-On - 12.52 SP1

Configuring SSL on Apache Web Server Manually

Last update February 13, 2015

Manage Certificates

CA Access Gateway uses the OpenSSL cryptography toolkit, which implements the SSL v2/v3 and Transport Layer Security (TLS v1) network protocols and related cryptography standards. The OpenSSL toolkit includes the openssl command line tool for generating keys and certificates. The openssl executable and its supporting libraries are located in the installation_home\SSL\bin folder or the corresponding UNIX directory. Note that SSL v2 and SSL v3 are deprecated (RFC 6176 and RFC 7568) and should be disabled with the mod_ssl SSLProtocol directive so that only TLS is negotiated.

Follow these steps:

  1. Review the considerations.
  2. Generate a private key using one of the following steps:
    1. Generate a private key for FIPS ONLY mode.
    2. Generate a private key for FIPS COMPAT mode.
  3. Perform one of the following steps:
    1. Generate and submit a certificate signing request to a Certification Authority, and download and install the certificates from the Certification Authority.
    2. Generate a self-signed public certificate.
  4. Enable SSL.

Review the Considerations

Before you configure SSL, review the following information about private keys and server certificates:

  • The server certificate and private key work together: deploy the certificate only with the private key from which its Certificate Signing Request was generated.
  • The server certificate must be digitally signed by a Certificate Authority (CA) that the clients trust. For an internal demo only, the server certificate may be self-signed with your own private key; browsers warn on such a certificate.
  • The SSLCertificateFile and SSLCertificateKeyFile directives in the SSL configuration file (httpd-ssl.conf) must point to the corresponding certificate and key files.
  • If you are using the Apache virtual host feature, each virtual host that you want to secure must have its own private key and server certificate.

Generate a Private Key

SSL uses keys to encrypt and decrypt messages. Keys come in pairs: one public key and one private key.

The private key for a server certificate is an RSA key (RSA is the key exchange method used with the certificate). The key file can be stored unencrypted or encrypted under a passphrase; in both modes described below the cipher that protects the file is Triple DES (3DES), a variant of the Data Encryption Standard (DES). The key output file is in ASCII PEM format, encrypted if you supplied a passphrase. The openssl commands below default to a 1024-bit key; 1024-bit RSA is no longer considered adequate (NIST SP 800-131A disallows it for new signatures after 2013, and public CAs no longer sign 1024-bit requests), so specify 2048 for numbits.

Generate a Private Key for FIPS ONLY Mode

In FIPS ONLY mode the private key file must be in PKCS#8 format, encrypted with algorithms that the mode accepts: 3DES for the encryption and SHA-1 for deriving the encryption key from the passphrase (the PBE-SHA1-3DES scheme used below). 3DES encrypts the file; nothing is signed at this stage. The traditional OpenSSL encrypted-key format that genrsa -des3 writes derives its key with MD5, which is why that format is not accepted in FIPS ONLY mode.

To generate a private encrypted key, perform the following steps:

  1. Open a command-line window. 
  2. Navigate to the following directory:

    installation_home\SSL\bin

    installation_home
    Defines the directory where CA SiteMinder® SPS is installed.

    Default: (Windows) [32-bit] C:\Program Files\CA\secure-proxy

    Default: (Windows) [64-bit] C:\CA\secure-proxy

    Default: (UNIX/Linux) /opt/CA/secure-proxy

  3. Execute the following command to generate an unencrypted key:

    openssl genrsa -out unencryptedserver.key numbits

    (Optional) numbits
    Specifies the size in bits of the private key that must be generated.
    Default: 1024
    Range: 1024 - 2048

  4. Execute the following command to wrap the key in encrypted PKCS#8 form, and enter a passphrase when prompted to protect the file:

    openssl pkcs8 -in unencryptedserver.key -topk8 -out server.key -v1 PBE-SHA1-3DES

    server
    Specifies the fully qualified domain name of the server.

    The command writes server.key to the current directory (installation_home\SSL\bin). Move it to installation_home\SSL\keys, the location the Certificate Signing Request step expects (..\keys\server.key), and delete unencryptedserver.key once the encrypted copy opens with the passphrase: anyone who can read the unencrypted file holds the server's identity.

To generate an unencrypted private key, perform the following steps:

  1. Open a command-line window.
  2. Navigate to the following directory:

    installation_home\SSL\bin

    installation_home
    Defines the directory where CA SiteMinder® SPS is installed.
    Default: (Windows) [32-bit] C:\Program Files\CA\secure-proxy

    Default: (Windows) [64-bit] C:\CA\secure-proxy

    Default: (UNIX/Linux) /opt/CA/secure-proxy

  3. Execute the following command:

    openssl genrsa -out ..\keys\server.key numbits


    server
    Specifies the fully qualified domain name of the server.

    (Optional) numbits
    Specifies the size in bits of the private key that must be generated.
    Default: 1024
    Range: 1024 - 2048

The private unencrypted server key is generated.

Generate a Private Key in FIPS COMPAT Mode

FIPS COMPAT mode accepts the traditional OpenSSL encrypted PEM format, which genrsa -des3 writes directly: the key file is encrypted with 3DES and the encryption key is derived from the passphrase with MD5. MD5 is the reason this format is not accepted in FIPS ONLY mode. As before, 3DES encrypts the file; it does not sign anything.

To generate a private encrypted key, perform the following steps:

  1. Open a command-line window.
  2. Navigate to the following directory:

    installation_home\SSL\bin


    installation_home
    Defines the directory where CA SiteMinder® SPS is installed.
    Default: (Windows) [32-bit] C:\Program Files\CA\secure-proxy
    Default: (Windows) [64-bit] C:\CA\secure-proxy
    Default: (UNIX/Linux) /opt/CA/secure-proxy

  3. Execute the following command and enter a passphrase to protect the file:

    openssl genrsa -des3 -out ..\keys\server.key [numbits]


    server
    Specifies the fully qualified domain name of the server.
    (Optional) numbits
    Specifies the size in bits of the private key that must be generated.
    Default: 1024
    Range: 1024 - 2048

To generate an unencrypted private key, perform the following steps:

  1. Open a command-line window.
  2. Navigate to the following directory:

    installation_home\SSL\bin


    installation_home
    Defines the directory where CA SiteMinder® SPS is installed.
    Default: (Windows) [32-bit] C:\Program Files\CA\secure-proxy
    Default: (Windows) [64-bit] C:\CA\secure-proxy
    Default: (UNIX/Linux) /opt/CA/secure-proxy

  3. Execute the following command:

    openssl genrsa -out ..\keys\server.key [numbits]


    server
    Specifies the fully qualified domain name of the server.

    (Optional) numbits
    Specifies the size in bits of the private key that must be generated.
    Default: 1024
    Range: 1024 - 2048
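The two key formats above side by side, as an added example that is not part of the CA documentation: a POSIX shell script that generates a key in the FIPS ONLY form (PKCS#8 with PBE-SHA1-3DES) and in the FIPS COMPAT form (genrsa -des3), tells the forms apart by inspecting the file, and checks that the passphrase opens the key. It assumes openssl is on PATH (on the gateway it is installation_home/SSL/bin/openssl); the file names and the passphrase are placeholders. The same openssl commands work from cmd.exe on Windows with backslash paths.

```shell
#!/bin/sh
# Added example (not from the CA documentation): generate the server key in
# the FIPS ONLY and FIPS COMPAT forms, tell the forms apart, and confirm the
# passphrase opens the file. Assumes `openssl` on PATH (installation_home/SSL/bin
# on the gateway); file names and passphrases are placeholders. -passout/-passin
# keep the script non-interactive; at a prompt you would type the passphrase.
set -eu

# FIPS ONLY: unencrypted RSA key, re-wrapped as PKCS#8 encrypted with
# PBE-SHA1-3DES (SHA-1 key derivation, 3DES encryption, no MD5 in the file).
gen_key_fips_only() {            # $1=output key, $2=bits, $3=passphrase
    tmp="$1.unencrypted"
    openssl genrsa -out "$tmp" "$2" 2>/dev/null
    openssl pkcs8 -in "$tmp" -topk8 -v1 PBE-SHA1-3DES -out "$1" -passout "pass:$3"
    rm -f "$tmp"                 # do not leave the plaintext key on disk
}

# FIPS COMPAT: genrsa -des3 writes the key already encrypted. OpenSSL 1.x writes
# the traditional PEM form (MD5 key derivation); OpenSSL 3.x writes PKCS#8/PBES2
# unless -traditional is given. Either is acceptable in COMPAT mode.
gen_key_fips_compat() {          # $1=output key, $2=bits, $3=passphrase
    openssl genrsa -des3 -passout "pass:$3" -out "$1" "$2" 2>/dev/null
}

# Classify a PEM key file by how it is protected:
#   traditional-des3-md5 | pkcs8-pbe-sha1-3des | pkcs8-pbes2 | pkcs8-other | unencrypted
key_pbe_scheme() {               # $1=key file
    if grep -q '^DEK-Info: DES-EDE3-CBC' "$1"; then
        echo traditional-des3-md5
    elif grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        # the PBE algorithm OID sits in the clear in the PKCS#8 envelope
        dump=$(openssl asn1parse -in "$1" 2>/dev/null) || dump=""
        case "$dump" in
            *pbeWithSHA1And3-KeyTripleDES-CBC*) echo pkcs8-pbe-sha1-3des ;;
            *PBES2*)                            echo pkcs8-pbes2 ;;
            *)                                  echo pkcs8-other ;;
        esac
    else
        echo unencrypted
    fi
}

# True if the passphrase decrypts the key and the RSA parameters are consistent.
key_usable() {                   # $1=key file, $2=passphrase
    openssl rsa -in "$1" -passin "pass:$2" -check -noout >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    gen_key_fips_only "$d/server.key" 2048 'demo-passphrase'
    echo "FIPS ONLY key:   $(key_pbe_scheme "$d/server.key")"
    gen_key_fips_compat "$d/compat.key" 2048 'demo-passphrase'
    echo "FIPS COMPAT key: $(key_pbe_scheme "$d/compat.key")"
    key_usable "$d/server.key" 'demo-passphrase' && echo "server.key opens with its passphrase"
    key_usable "$d/server.key" 'wrong' || echo "server.key rejects a wrong passphrase"
    rm -rf "$d"
}
if command -v openssl >/dev/null 2>&1; then demo; fi
```

Run it once after generating the real server.key and compare key_pbe_scheme's answer with the FIPS mode the gateway is configured for: a traditional-des3-md5 key will not load in FIPS ONLY mode.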

Generate and Submit a Certificate Signing Request

Generate a certificate request (Certificate Signing Request, CSR) from the private key and submit it to a Certificate Authority, which returns a signed certificate for it.

Follow these steps:

  1. Open a command-line window in installation_home\SSL\bin.
  2. Execute the following command:

    openssl req -config .\openssl.cnf -new -key ..\keys\server.key -out ..\keys\server.csr

  3. Enter the values as prompted: the key passphrase first if the key is encrypted, then the subject fields. The Common Name must be the fully qualified domain name of the server.
    openssl writes the request to ..\keys\server.csr.
  4. (Optional) Record the file name and, when the Certificate Authority issues one, the request number for future reference.
  5. Submit the Certificate Signing Request to the Certificate Authority.

Download and Install the Certificates from the Certificate Authority

Download the signed certificates from the Certificate Authority: the server certificate and the CA's root certificate (and any intermediate certificate the CA supplies).

Follow these steps:

  1. Log in to the CA Access Gateway host from which you issued the certificate requests.
  2. Open the httpd-ssl.conf file.
    Default path: installation_home\httpd\conf\extra\httpd-ssl.conf
  3. Verify that the SSLCertificateKeyFile and SSLCertificateFile directives point to the server key and the downloaded server certificate.
  4. Set the value of the SSLPassPhraseDialog directive to custom.
  5. Set the value of the SSLCustomPropertiesFile directive to installation_home\httpd\conf\spsapachessl.properties.
  6. Verify that the reference to RootCA (the ca-bundle.cert file) is set.
  7. Perform the following steps to add the root CA certificate (or, for a self-signed setup, the self-signed certificate) to ca-bundle.cert:
    1. Open the certificate in a text editor and copy the lines from the BEGIN line to the END line, inclusive.
    2. Open ca-bundle.cert in a text editor and paste the copied lines at the end of the file.
  8. Save the changes.

Generate a Self-signed Certificate

To generate a self-signed certificate, perform the following steps:

  1. Open a command-line window in installation_home\SSL\bin.
  2. Execute the following command and answer the prompts with the server details (the Common Name must be the fully qualified domain name of the server):

    openssl req -new -x509 -key server.key -out server.crt -days 365 -config openssl.cnf

    server.key
    The private key generated earlier. Give its path (for example ..\keys\server.key) if it is not in the current directory, and enter its passphrase if it is encrypted.

    -days 365
    Validity period of the certificate. Clients reject the connection after it expires, so record the date.

  3. Place the output (server.crt) in the following location and point SSLCertificateFile at it:

    installation_home\SSL\certs
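The Certificate Signing Request, the self-signed certificate and the ca-bundle.cert step of the install procedure, worked through non-interactively as an added example that is not part of the CA documentation. The script also runs the checks the considerations at the top of the page ask for: the CSR's own signature verifies, the certificate's public key matches the private key, the certificate covers the server's fully qualified domain name, and the certificate verifies against ca-bundle.cert only once the issuer (here the self-signed certificate itself) has been appended. It assumes openssl is on PATH; the hostname www.example.test, the file names and the minimal openssl.cnf are constructed for the example, and an encrypted server.key would additionally need -passin on the req commands.

```shell
#!/bin/sh
# Added example, not from the CA documentation: produce the CSR and the
# self-signed certificate non-interactively, then run the checks the
# considerations above call for. Assumes `openssl` is on PATH (it is in
# installation_home/SSL/bin on the gateway). The hostname www.example.test,
# the file names and the minimal openssl.cnf are constructed for this example;
# an encrypted server.key additionally needs -passin on the req commands.
set -eu

# Minimal request config so `openssl req` needs no prompts. The gateway's own
# SSL/bin/openssl.cnf has the same [req]/distinguished_name structure plus more.
write_req_config() {             # $1=config path
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$1"
}

make_csr() {                     # $1=key, $2=csr out, $3=FQDN, $4=config
    openssl req -config "$4" -new -key "$1" -out "$2" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3"
}

self_sign() {                    # $1=key, $2=cert out, $3=FQDN, $4=days, $5=config
    openssl req -config "$5" -new -x509 -key "$1" -out "$2" -days "$4" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3"
}

# The CSR's self-signature verifies with the public key it carries (catches a
# truncated or hand-edited file before it is sent to the CA).
csr_is_valid() {                 # $1=csr
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# "Use the server certificate with the corresponding private key": compare the
# public key derived from the private key with the one inside the certificate.
key_matches_cert() {             # $1=key, $2=cert
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# The certificate's CN/subjectAltName must cover the FQDN clients connect to.
cert_matches_host() {            # $1=cert, $2=FQDN
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Step 7 of the install procedure: append the issuer (or self-signed) cert's
# BEGIN..END block to ca-bundle.cert. `x509` re-emits exactly that block.
add_to_bundle() {                # $1=ca-bundle, $2=cert
    openssl x509 -in "$2" >> "$1"
}

# Chain check against the bundle, as mod_ssl would build it.
cert_verifies() {                # $1=ca-bundle, $2=cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d); cnf="$d/openssl.cnf"; write_req_config "$cnf"
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    make_csr "$d/server.key" "$d/server.csr" www.example.test "$cnf"
    csr_is_valid "$d/server.csr" && echo "CSR signature OK"
    self_sign "$d/server.key" "$d/server.crt" www.example.test 365 "$cnf"
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "key and certificate match"
    cert_matches_host "$d/server.crt" www.example.test && echo "certificate covers www.example.test"
    : > "$d/ca-bundle.cert"
    cert_verifies "$d/ca-bundle.cert" "$d/server.crt" || echo "not trusted before it is in ca-bundle.cert"
    add_to_bundle "$d/ca-bundle.cert" "$d/server.crt"
    cert_verifies "$d/ca-bundle.cert" "$d/server.crt" && echo "trusted after adding to ca-bundle.cert"
    rm -rf "$d"
}
if command -v openssl >/dev/null 2>&1; then demo; fi
```

For a CA-signed certificate, run cert_verifies with the downloaded root (and intermediate) certificates appended to ca-bundle.cert and the server certificate as the second argument; a failure there is the same failure clients will see after the restart.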

Enable SSL

You can enable SSL for an encrypted or unencrypted private key.

Enable SSL for an Unencrypted Private Key on Windows

To enable SSL for an unencrypted private key on Windows, generate the spsapachessl.properties file.

Follow these steps:

  1. Open a command-line window with administrative privileges.
  2. Navigate to the following directory:

    installation_home\httpd\bin
  3. Run the following script file:

    configssl.bat -enable
    Note: If an overwrite warning appears, confirm that you want to overwrite the existing spsapachessl.properties file.

    SSL is configured.

Enable SSL for an Unencrypted Private Key on UNIX

To enable SSL for an unencrypted private key on UNIX, edit spsapachessl.properties, located at:

installation_home/httpd/conf/spsapachessl.properties

Follow these steps:

  1. Open the spsapachessl.properties file in a text editor.
  2. Set the apache.ssl.enabled property:
    • If a line beginning with apache.ssl.enabled= exists in the file, change it to:

      apache.ssl.enabled=Y
    • If no such line exists, add the following line:

      apache.ssl.enabled=Y
  3. Save the changes.

Enable SSL for an Encrypted Private Key

To enable SSL for an encrypted private key, generate the spsapachessl.properties file.

Follow these steps:

  1. Open a command-line window with administrative privileges.
  2. Navigate to the following directory:
    Windows

    installation_home\httpd\bin

    UNIX

    installation_home/httpd/bin
  3. Run the following script:
    Windows

    configssl.bat -enable passphrase

    UNIX

    configssl.sh passphrase

    Note: The passphrase value must match the passphrase of the server key. If an overwrite warning appears, confirm that you want to overwrite the existing spsapachessl.properties file. On UNIX, if the passphrase contains special characters, enclose it in single quotes. Because the passphrase is passed on the command line, it is visible to other users in the process list while the script runs and is recorded in the shell history; remove the history entry afterwards and restrict read access to spsapachessl.properties.

    The passphrase is encrypted and stored in the spsapachessl.properties file.

  4. Restart the Secure Proxy Service.

Enable SSL for Virtual Hosts

The Apache server supports virtual hosts: multiple web hosts served by a single Apache binary. Apache virtual hosts can be name-based or IP-based. Name-based virtual hosts share a single IP address, while IP-based virtual hosts require a different IP address for each virtual host.

Apache virtual hosts that use the SSL protocol:

  • Must be IP-based due to a limitation of the protocol: the server has to choose a certificate before it can read the HTTP Host header. (Name-based SSL virtual hosts are possible only where the server and every client support the TLS Server Name Indication extension; Apache supports SNI from version 2.2.12 when built against an OpenSSL with TLS extension support, 0.9.8k or later.)
  • Must have virtual host containers in the Apache configuration file for both secure (HTTPS) and non-secure (HTTP) requests.

The following is an example of a secure (HTTPS) virtual host together with the matching non-secure (HTTP) container that the rule above requires:

# HTTPS container: one IP address per SSL virtual host, with its own key and certificate
<VirtualHost 10.0.0.1:443>
DocumentRoot ".../htdocs/site1"
ServerName www.site1.net
ServerAdmin webmaster@site1.net
ErrorLog logs/covalent_error_log_site1
TransferLog logs/...
SSLEngine on
# The certificate and key must belong together, and the certificate must name www.site1.net
SSLCertificateFile /www.site1.net.cert
SSLCertificateKeyFile /www.site1.net.key
# Log the negotiated protocol and cipher per request; useful for finding clients still on SSLv3 or weak ciphers
CustomLog logs/cipher_log_site1 \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

# HTTP container for the same site
<VirtualHost 10.0.0.1:80>
DocumentRoot ".../htdocs/site1"
ServerName www.site1.net
ServerAdmin webmaster@site1.net
ErrorLog logs/covalent_error_log_site1
TransferLog logs/...
</VirtualHost>
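A pre-restart check of the per-virtual-host SSL settings, as an added example that is not part of the CA documentation. The script parses the <VirtualHost ...:443> containers of an httpd-ssl.conf-style file (port-80 containers are skipped) and verifies, for each one, that SSLCertificateFile and SSLCertificateKeyFile exist and belong together, that the certificate covers ServerName, and that no two hosts share a private key, which are exactly the rules the considerations and this section state. It assumes openssl and awk are on PATH; the configuration text and the self-signed certificates are constructed inline, using the site names from the example above.

```shell
#!/bin/sh
# Added example, not from the CA documentation: check the HTTPS virtual-host
# containers of an httpd-ssl.conf-style file before restarting the service.
# Assumes `openssl` and awk on PATH; the config and the self-signed certs are
# constructed inline for the demo.
set -eu

# Print "<ServerName> <cert> <key>" for each <VirtualHost ...:443> container
# (quotes stripped; port-80 containers are skipped).
https_vhosts() {                 # $1=config file
    awk '
      /^[ \t]*<VirtualHost[ \t]/   { inblk = ($0 ~ /:443>/); name = cert = key = ""; next }
      inblk && $1 == "ServerName"            { gsub(/"/, "", $2); name = $2 }
      inblk && $1 == "SSLCertificateFile"    { gsub(/"/, "", $2); cert = $2 }
      inblk && $1 == "SSLCertificateKeyFile" { gsub(/"/, "", $2); key  = $2 }
      inblk && /^[ \t]*<\/VirtualHost>/      { print name, cert, key; inblk = 0 }
    ' "$1"
}

key_matches_cert() {             # $1=key, $2=cert : same public key
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}
cert_matches_host() {            # $1=cert, $2=FQDN : CN/subjectAltName covers the host
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
pubkey_fingerprint() {           # $1=key : SHA-256 of the DER public key
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# One OK/FAIL line per HTTPS host; exit status 1 if any host fails.
check_vhosts() {                 # $1=config file
    rc=0; seen=""
    while read -r name cert key; do
        [ -n "$name" ] || continue
        if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
            echo "FAIL $name: certificate or key file missing"; rc=1; continue
        fi
        if ! key_matches_cert "$key" "$cert"; then
            echo "FAIL $name: SSLCertificateKeyFile does not match SSLCertificateFile"; rc=1; continue
        fi
        if ! cert_matches_host "$cert" "$name"; then
            echo "FAIL $name: certificate does not cover ServerName"; rc=1; continue
        fi
        fp=$(pubkey_fingerprint "$key")
        case " $seen " in
            *" $fp "*) echo "FAIL $name: private key shared with another virtual host"; rc=1; continue ;;
        esac
        seen="$seen $fp"
        echo "OK   $name"
    done <<EOF
$(https_vhosts "$1")
EOF
    return $rc
}

# Demo helpers: a self-signed key/cert pair and an HTTPS container for it.
make_self_signed() {             # $1=dir, $2=FQDN
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$1/req.cnf"
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -config "$1/req.cnf" -new -x509 -key "$1/$2.key" -out "$1/$2.cert" \
        -days 30 -subj "/CN=$2" -addext "subjectAltName=DNS:$2"
}
write_vhost() {                  # $1=config, $2=IP, $3=ServerName, $4=cert, $5=key
    cat >> "$1" <<EOF
<VirtualHost $2:443>
    ServerName $3
    SSLEngine on
    SSLCertificateFile "$4"
    SSLCertificateKeyFile "$5"
</VirtualHost>
EOF
}

demo() {
    d=$(mktemp -d); conf="$d/httpd-ssl.conf"; : > "$conf"
    make_self_signed "$d" www.site1.net; make_self_signed "$d" www.site2.net
    write_vhost "$conf" 10.0.0.1 www.site1.net "$d/www.site1.net.cert" "$d/www.site1.net.key"
    write_vhost "$conf" 10.0.0.2 www.site2.net "$d/www.site2.net.cert" "$d/www.site2.net.key"
    # misconfigured third host: site1's certificate with site2's key
    write_vhost "$conf" 10.0.0.3 www.site3.net "$d/www.site1.net.cert" "$d/www.site2.net.key"
    check_vhosts "$conf" || echo "fix the FAIL lines before restarting the Secure Proxy Service"
    rm -rf "$d"
}
if command -v openssl >/dev/null 2>&1; then demo; fi
```

Point check_vhosts at installation_home/httpd/conf/extra/httpd-ssl.conf on the gateway; paths in the directives must be absolute or relative to the directory you run it from.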