Configuring Apache HTTPD TLS Using Microsoft ADCS Certificates


Learn How to Configure Apache HTTPD TLS Using Microsoft ADCS Certificates

This quick guide gives step-by-step instructions for configuring Apache HTTPD on Linux with TLS (SSL) using an X.509 certificate issued by a Microsoft Active Directory Certificate Services (ADCS) PKI environment. We cover two methods, which differ greatly in complexity and real cost:

  • METHOD 1 – Use OpenSSL to manually create and copy certificates.
  • METHOD 2 – Use CertAccord Enterprise to automatically create and renew certificates without any manual processes.

The first method, used by many but not necessarily the best, is a manual process with OpenSSL, which is built into most Linux distributions. The second method uses CertAccord Enterprise to create and renew certificates automatically from Microsoft ADCS.

Background

Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). It provides validation of a server’s identity and encryption of all communications between the client (web browser, etc.) and the server (Apache HTTPD, etc.). TLS requires that the server have an X.509 certificate. These certificates can be self-signed or issued by a trusted Certificate Authority (CA). Use of self-signed certificates is insecure and rarely the best option.

In many organizations Microsoft ADCS (sometimes referred to as Windows PKI or Windows Certificate Authority) provides the Public Key Infrastructure (PKI) for certificate issuance.  Apache HTTPD is often used in such environments to provide web services.

Conventions

We will use the name “www.contoso.com” in our examples.  When you follow these steps change this name to your server’s name.

METHOD 1 – OpenSSL

The first method we cover uses OpenSSL. OpenSSL is a set of command line tools and libraries that are part of nearly every Linux distribution. OpenSSL can create Certificate Signing Requests (CSRs), which must then be manually transported to Microsoft ADCS and submitted. Once ADCS issues the certificate, it must be manually transported back to the target Linux system.

It is also important to remember that certificates expire, and with this method you must manually track when your certificates expire. Prior to expiration you have to repeat the same manual CSR process.

STEP: Install OpenSSL

Most Linux distributions already have OpenSSL installed, but if yours does not, install the package with the appropriate command. On Red Hat based systems use yum:

yum install openssl

On Debian based systems use apt-get:

apt-get install openssl

STEP: Generate Private Key

It’s best practice to create a new key for each new CSR you generate. First create a working directory for the key:

mkdir ~/certs
cd ~/certs

Create the key and write it to a file:

openssl genrsa -out www.contoso.com.key 2048

STEP: Generate CSR

This command will create a Certificate Signing Request (CSR) which we will later use to request the actual certificate:

openssl req -new -sha256 -key www.contoso.com.key -out www.contoso.com.csr

You will be prompted to enter the information shown below, but Microsoft ADCS only cares about the Common Name. Note that no challenge password should be provided.

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.contoso.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

STEP: Create Certificate

Copy the www.contoso.com.csr file to a Windows domain-joined system such as an issuing CA.

Open a cmd prompt and submit the CSR:

certreq -submit -attrib "CertificateTemplate:WebServer" -config DOMAINCA\CA1 www.contoso.com.csr www.contoso.com.cer

You must change DOMAINCA\CA1 to a valid DOMAIN\HOST value for your environment. You may also need to change “WebServer” to a Microsoft template name appropriate for your organization.

If all goes right you should see output similar to:

RequestId: 9871
RequestId: "9871"
Certificate retrieved(Issued) Issued

Your certificate should now be in the www.contoso.com.cer file.

Install the certificate and key files:

cp www.contoso.com.key /etc/pki/tls/private/
cp www.contoso.com.cer /etc/pki/tls/certs/
chmod 400 /etc/pki/tls/private/www.contoso.com.key
chmod 400 /etc/pki/tls/certs/www.contoso.com.cer

STEP: Obtain Trust CA Certificates

You will need a file containing all of your enterprise's trusted CA certificates. Contact your Microsoft ADCS administrator and ask how to obtain this file. You need all the certificates in a single PEM file.

Install the CA trust file at:

/etc/pki/tls/ca/ca-bundle.crt

STEP: Configure Apache HTTPD

The following steps assume you are on a Red Hat Enterprise Linux 6 or later Linux system.

Edit /etc/httpd/conf.d/ssl.conf and change the following:

SSLCertificateFile /etc/pki/tls/certs/www.contoso.com.cer
SSLCertificateKeyFile /etc/pki/tls/private/www.contoso.com.key
SSLCACertificateFile /etc/pki/tls/ca/ca-bundle.crt

Save the file and then restart Apache:

systemctl restart httpd

The process is now complete. All you have to do now is remember to redo this process before your certificate expires. You could also automate this process using Method 2 – CertAccord Enterprise.

METHOD 2 – CertAccord Automated Certificates

CertAccord Enterprise is a commercial solution that allows enterprises of any size to create certificates on Linux from Microsoft ADCS without manual processes. Certificates can be created from the Linux command line with a single command. Even better, certificates are automatically renewed without any manual process.

STEP: Install CertAccord Enterprise

Installation of the CertAccord server can be done in a few hours. Please refer to the CertAccord Enterprise Installation Guide for details.

Install the CertAccord Agent on the Linux system using the CertAccord Enterprise Installation Guide. This typically can be done in 1-2 minutes.

STEP: Create Certificate

Open a shell prompt and run:

cmb cert create purpose=webserver

You will be prompted for your Active Directory username and password. After that the certificate will be created, and the file names of the certificate, key, and CA trust file are output:

Created certificate ID: 7Sp88B4S SUBJECT: "www.contoso.com" SERIAL: 25000001a3dd2d58b4bf2275550000000001a3 PURPOSES: WebServer EXPIRES: "Apr 02 2019 00:57:06 PDT"
Exported Certificate 7Sp88B4S as PEM [CHANGED] FILE: /var/cmb/cert/www.contoso.com-webserver.crt
Exported Private Key [CHANGED] FILE: /var/cmb/cert/www.contoso.com-webserver.key
Applying certificate to Apache HTTP Web Server: ID: 7Sp88B4S PURPOSE: WebServer
COMMAND [/bin/systemctl reload-or-restart httpd] ran successfully
Reloaded Apache HTTP Web Server
Apply certificate to Apache HTTP Web Server: ID: 7Sp88B4S RESULT: Succeeded

STEP: Configure Apache HTTPD

The following steps assume you are on a Red Hat Enterprise Linux 6 or later Linux system.

Edit /etc/httpd/conf.d/ssl.conf and change the following:

SSLCertificateFile /var/cmb/cert/www.contoso.com-webserver.crt
SSLCertificateKeyFile /var/cmb/cert/www.contoso.com-webserver.key
SSLCACertificateFile /var/cmb/ca/ca-trust.crt

Save the file and then restart Apache:

systemctl restart httpd

The process is now complete. Sit back and relax without worrying about renewing your certificate.

Summary

Both methods described will get Apache HTTPD configured with TLS. The OpenSSL method is “free” of licensing cost but is heavy on people time and cost and has no automated renewal process. It often leads to service outages because of expired certificates.

The CertAccord Enterprise solution solves this problem and has a very low long-term cost because it saves time in certificate creation and prevents service outages.
