Learn How to Configure Apache HTTPD TLS Using Microsoft ADCS Certificates
This quick guide will give you step-by-step instructions on how to configure Apache HTTPD on Linux with TLS (SSL) using an x.509 certificate issued from a Microsoft Active Directory Certificate Services (ADCS) PKI environment. We will cover two methods of achieving this both of which have very different levels of complexity and real cost:
- METHOD 1 – Use OpenSSL to manually create and copy certificates.
- METHOD 2 – Use CertAccord Enterprise to automatically create and renew certificates without any manual processes.
A common method used by many, but not necessarily the best is a manual process using OpenSSL which is built-in to most Linux distributions. The second method we will cover is using CertAccord Enterprise to create and renew certificates automatically using Microsoft ADCS.
Background
Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). It provides validation of a server’s identity and encryption of all communications between the client (web browser, etc) and server (Apache HTTPD, etc). TLS requires that a server have an x.509 certificate. These certificates can be self-signed or issued by a trusted Certificate Authority (CA). Use of self-signed certificates is insecure and rarely the best option.
In many organizations Microsoft ADCS (sometimes referred to as Windows PKI or Windows Certificate Authority) provides the Public Key Infrastructure (PKI) for certificate issuance. Apache HTTPD is often used in such environments to provide web services.
Conventions
We will use the name “www.contoso.com” in our examples. When you follow these steps change this name to your server’s name.
METHOD 1 – OpenSSL
The first method we will cover is using OpenSSL. OpenSSL is a set of command line tools and libraries that are part of nearly every Linux distribution. OpenSSL provides the ability to create Certificate Signing Requests (CSR) which must be manually transported to Microsoft ADCS and submitted. Once ADCS issues the certificate it must be manually transported back to the target linux system.
It is also important to remember that certificates expire and using this method you must manually track when your certificates expire. Prior to expiration you have to perform the same manual CSR process.
STEP: Install OpenSSL
Most Linux distributions already have OpenSSL installed but if yours does not you should use the appropriate command to install the package. On Red Hat based systems use yum:
yum install openssl
On Debian based systems use apt-get:
apt-get install openssl
STEP: Generate Private Key
It’s best practice to create a new key for each new CSR you sign. To create a key we first create a working directory:
mkdir ~/certs cd ~/certs
Create the key and place in a file:
openssl genrsa -out www.contoso.com.key 2048
STEP: Generate CSR
This command will create a Certificate Signing Request (CSR) which we will later use to request the actual certificate:
openssl req -new -sha256 -key www.contoso.com.key -out www.contoso.com.csr
You will be prompted to enter some information as shown below, but Microsoft ADCS only cares about the Common Name. Note that no challenge password should be provided.
Country Name (2 letter code) [XX]: State or Province Name (full name) []: Locality Name (eg, city) [Default City]: Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:www.contoso.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
STEP: Create Certificate
Copy the www.contoso.csr file to a Windows domain joined system such as an issuing CA.
Open cmd prompt and submit the CSR:
certreq -submit -attrib "CertificateTemplate:WebServer" -config DOMAINCA\CA1 www.contoso.com.csr www.contoso.com.cer
You must change DOMAINCA\CA1 to be a valid DOMAIN\HOST value for your environment. You may also need to change “WebServer” to a Microsoft Template name appropriate for your organization.
If all goes right you should see output similar to:
RequestId: 9871 RequestId: "9871" Certificate retrieved(Issued) Issued
Your certificate should now be in the www.contoso.com.cer file.
Install the certificate and key files:
cp www.contoso.com.key /etc/pki/tls/private/ cp www.contoso.com.cer /etc/pki/tls/certs/ chmod 400 /etc/pki/tls/private/www.contos.com.key chmod 400 /etc/pki/tls/certs/www.contoso.com.cer
STEP: Obtain Trust CA Certificates
You will need to obtain a file containing all your enterprise trusted CAs. Contact your Microsoft ADCS administrator and ask how to obtain this file. You need all the certificates in a single PEM file.
Install the CA trust file in:
/etc/pki/tls/ca/ca-bundle.crt
STEP: Configure Apache HTTPD
The following steps assume you are on a Red Hat Enterprise Linux 6 or later Linux system.
Edit /etc/httpd/conf.d/ssl.conf and change the following:
SSLCertificateFile /etc/pki/tls/certs/www.contoso.com.cer SSLCertificateKeyFile /etc/pki/tls/private/www.contos.com.key SSLCACertificateFile /etc/pki/tls/ca/ca-bundle.crt
Save the file and then restart Apache:
systemctl restart httpd
The process is now complete. All you have to do now is remember to redo this process before your certificate expires. You could also automate this process using Method – CertAccord Enterprise.
METHOD 2 – CertAccord Automated Certificates
CertAccord Enterprise is a commercial solution which allows enterprises of any size to create certificates on Linux from Microsoft ADCS without manual processes. Certificates can be created from the Linux command line in a simple command. Even better certificates are automatically renewed without any manual process.
STEP: Install CertAccord Enterprise
Installation of the CertAccord server can be done in a few hours. Please refer to CertAccord Enterprise Installation guide for details.
Install the CertAccord Agent on the linux system using the CertAccord Enterprise Installation Guide. This typically can be one in 1-2 minutes.
STEP: Create Certificate
Open a shell prompt and run;
cmb cert create purpose=webserver
You will be prompted for your Active Directory username and password. After that the certificate will be created and the file names of the certificate, key, and CA trust should be output:
Created certificate ID: 7Sp88B4S SUBJECT: "www.contoso.com" SERIAL: 25000001a3dd2d58b4bf2275550000000001a3 PURPOSES: WebServer EXPIRES: "Apr 02 2019 00:57:06 PDT" Exported Certificate 7Sp88B4S as PEM [CHANGED] FILE: /var/cmb/cert/www.contoso.com-webserver.crt Exported Private Key [CHANGED] FILE: /var/cmb/cert/www.contoso.com.com-webserver.key Applying certificate to Apache HTTP Web Server: ID: 7Sp88B4S PURPOSE: WebServer COMMAND [/bin/systemctl reload-or-restart httpd] ran successfully Reloaded Apache HTTP Web Server Apply certificate to Apache HTTP Web Server: ID: 7Sp88B4S RESULT: Succeeded
STEP: Configure Apache HTTPD
The following steps assume you are on a Red Hat Enterprise Linux 6 or later Linux system.
Edit /etc/httpd/conf.d/ssl.conf and change the following:
SSLCertificateFile /var/cmb/cert/www.contoso.com-webserver.crt SSLCertificateKeyFile /var/cmb/cert/www.contoso.com-webserver.key SSLCACertificateFile /var/cmb/ca/ca-trust.crt
Save the file and then restart Apache:
systemctl restart httpd
The process is now complete. Sit back and relax without worrying about renewing your certificate.
Summary
Both methods described will get Apache HTTPD configured with TLS. The OpenSSL method is “free” from licensing cost but is heavy on people time/cost and has no automated renewal process. It often will lead to service outages because of expired certificates.
The CertAccord Enterprise solution solves the problem and has a very low long term cost because of the time savings both in certificate creation, but also preventing service outages.