Configuring Apache HTTPD TLS Using Microsoft ADCS Certificates


This quick guide gives step-by-step instructions for configuring Apache HTTPD on Linux with TLS (SSL) using an X.509 certificate issued by a Microsoft Active Directory Certificate Services (ADCS) PKI.  We cover two methods of achieving this goal, which differ considerably in complexity and real cost.

A common method, though not necessarily the best, is a manual process using OpenSSL, which is built into most Linux distributions.   The second method uses CertAccord Enterprise to create and renew certificates from Microsoft ADCS automatically.

Background

Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL).  It provides validation of a server’s identity and encryption of all communications between the client (web browser, etc.) and the server (Apache HTTPD, etc.).  TLS requires that the server have an X.509 certificate.  Such certificates can be self-signed or issued by a trusted Certificate Authority (CA).  A self-signed certificate gives clients nothing to validate the server’s identity against, so it is insecure and rarely the best option.

In many organizations Microsoft ADCS (sometimes referred to as Windows PKI or Windows Certificate Authority) provides the Public Key Infrastructure (PKI) for certificate issuance.  Apache HTTPD is often used in such environments to provide web services.

Conventions

We will use the name “www.contoso.com” in our examples.  When you follow these steps change this name to your server’s name.

METHOD 1 – OpenSSL

The first method uses OpenSSL, a set of command-line tools and libraries that are part of nearly every Linux distribution.  OpenSSL can create Certificate Signing Requests (CSRs), which must be manually transported to Microsoft ADCS and submitted.  Once ADCS issues the certificate, it must be manually transported back to the target Linux system.

Remember too that certificates expire; with this method you must track the expiry dates yourself and repeat the same manual CSR process before each one.

STEP: Install OpenSSL

Most Linux distributions already have OpenSSL installed, but if yours does not, install the package with your distribution’s package manager.  On Red Hat based systems use yum:

On Debian based systems use apt-get:

STEP: Generate Private Key

It’s best practice to create a new key for each new CSR you submit.  To create a key we first create a working directory:

Create the key and place in a file:

STEP: Generate CSR

This command will create a Certificate Signing Request (CSR) which we will later use to request the actual certificate:

You will be prompted for some information as shown below, but Microsoft ADCS only cares about the Common Name.   Do not provide a challenge password.

STEP: Create Certificate

Copy the www.contoso.csr file to a Windows domain-joined system, such as an issuing CA.

Open a command prompt and submit the CSR:

You must change DOMAINCA\CA1 to a valid DOMAIN\HOST value for your environment.  You may also need to change “WebServer” to a Microsoft template name appropriate for your organization.

If all goes well you should see output similar to:

Your certificate should now be in the www.contoso.com.cer file.

Install the certificate and key files:

STEP: Obtain Trust CA Certificates

You will need a file containing all of your enterprise’s trusted CA certificates.  Contact your Microsoft ADCS administrator and ask how to obtain it.  All the certificates must be in a single PEM file.

Install the CA trust file in:

STEP: Configure Apache HTTPD

The following steps assume you are on a Red Hat Enterprise Linux 6 or later Linux system.

Edit /etc/httpd/conf.d/ssl.conf and change the following:

Save the file and then restart Apache:

The process is now complete.  All you have to do now is remember to redo this process before your certificate expires.  You could also automate this process using Method 2 – CertAccord Enterprise.
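The whole OpenSSL method as one script, added here as an example and not code from the original page: it creates the key and CSR for www.contoso.com (adding a subjectAltName, which current browsers require for the name to be trusted; the ADCS template must allow the subject to be supplied in the request), checks that the CSR really belongs to the key before it is sent to the CA, and gives the expiry check a cron job can run instead of tracking dates by hand. The directory layout and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): make a fresh RSA key and a CSR
# for a host with a subjectAltName, check that key and CSR belong together,
# and flag certificates that expire within N days. File paths are assumptions.
set -eu

# make_csr HOST DIR: writes DIR/HOST.key, DIR/HOST.cnf and DIR/HOST.csr.
make_csr() {
    host="$1"; dir="$2"
    mkdir -p "$dir" && chmod 700 "$dir"
    # Request config: CN plus a DNS SAN; prompt=no skips the interactive
    # questions, and no challenge password is ever set.
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    umask 077   # private key is created readable only by its owner
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -config "$dir/$host.cnf" \
        -out "$dir/$host.csr"
}

# key_matches_csr KEY CSR: succeeds only if the public key in the CSR is the
# one derived from KEY (catches submitting the wrong CSR to the CA).
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# csr_has_san CSR HOST: succeeds if the CSR carries DNS:HOST in its SAN.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# needs_renewal CERT DAYS: succeeds if CERT expires within DAYS days; this is
# the check a cron job runs in place of remembering the expiry date.
needs_renewal() {
    ! openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1
}
```

Run `make_csr www.contoso.com ~/certwork` and submit the resulting .csr exactly as in the Create Certificate step; a daily cron entry calling `needs_renewal` on the installed .cer with 30 days gives the advance warning this method otherwise lacks.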

METHOD 2 – CertAccord Automated Certificates

CertAccord Enterprise is a commercial solution that lets enterprises of any size create certificates on Linux from Microsoft ADCS without manual processes.  Certificates can be created from the Linux command line with a single command.  Even better, certificates are renewed automatically without any manual process.

STEP: Install CertAccord Enterprise

Installation of the CertAccord server can be done in a few hours.  Refer to the CertAccord Enterprise Installation Guide for details.

Install the CertAccord Agent on the Linux system following the CertAccord Enterprise Installation Guide.  This typically takes 1-2 minutes.

STEP: Create Certificate

Open a shell prompt and run:

You will be prompted for your Active Directory username and password.  After that the certificate is created and the file names of the certificate, key, and CA trust file are output:

STEP: Configure Apache HTTPD

The following steps assume you are on a Red Hat Enterprise Linux 6 or later Linux system.

Edit /etc/httpd/conf.d/ssl.conf and change the following:

Save the file and then restart Apache:

The process is now complete.  Sit back and relax without worrying about renewing your certificate.

Summary

Both methods described will get Apache HTTPD configured with TLS.  The OpenSSL method is “free” of licensing cost but heavy on people time and cost, and has no automated renewal process.  It often leads to service outages because of expired certificates.

The CertAccord Enterprise solution solves that problem and has a very low long-term cost because it saves time both in certificate creation and in preventing service outages.
