Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Use OCI Certificates for Internal CA Setup, Creation, and Installation of certificates on Apache Web Server
Introduction
In the rapidly evolving world of cloud computing and digital security, the need for robust and flexible solutions to manage digital certificates has never been more critical. Oracle Cloud Infrastructure (OCI) Certificates is a reliable service designed to streamline the complex task of certificate lifecycle management within the Oracle Cloud ecosystem. OCI Certificates is a service for creating and managing Transport Layer Security (TLS) certificates. This free-of-cost service enables organizations to create private Certificate Authority (CA) hierarchies and TLS certificates that can be deployed and renewed automatically in the customer tenancy, integrated with OCI services such as OCI Load Balancer, OCI API Gateway, Web Application Firewall and others.
In this tutorial, we will explore the utilization of the OCI Certificates Service as an enterprise certificate management solution. We will delve into the process of creating an internal CA by administrators and guide server administrators on generating Certificate Signing Requests (CSRs) for their Apache Web Servers. Furthermore, we will cover the steps involved in creating certificates using the internal CA and demonstrate how to install these certificates on the Apache Web Servers.
An administrator with the necessary privileges will create a CA to issue internal certificates for internal web servers. Additionally, the administrator will create a dynamic group and set up policies to grant this dynamic group access to the OCI Certificates service. By adding an instance to the dynamic group and applying the necessary policies, an application running on that instance can access the OCI Certificates service without the need for user credentials or a configuration file.
Administrators share the compartment details and the Certificate Authority identification information, specifically its Oracle Cloud Identifier (OCID), with server administrators. The OCID functions as the unique identifier for the Certificate Authority. With this information, server administrators can proceed to install the Oracle Cloud Infrastructure Command Line Interface (OCI CLI) on their systems. Once it is installed, server administrators use the OCI CLI to request certificates from the Certificate Authority previously created by the administrators. This systematic approach ensures proper identification of the Certificate Authority, facilitating the secure and efficient issuance of certificates within the Oracle Cloud Infrastructure environment.
Objectives
- Internal Certificate Authority setup, creation, and installation of certificates on Apache Web Server.
Prerequisites
- The OCI user must have the required policies for certificates and OCI Compute to manage the resources. For the policy reference of all the services, see Policy Reference.
- An RSA key to create the CA and the availability of a compute instance designated as the web server. For more information, see Create a vault master encryption key.
Note:
Tasks such as creating a Certificate Authority, generating certificates, managing OCI IAM policies, and so on, can be performed using the OCI Console. However, in this tutorial, CLI commands are used.
OCI administrators should perform Tasks 1 to 3 and server administrators should perform Tasks 4 to 9.
Task 1: Create Certificate Authority
Create the Certificate Authority using the following commands. For more information, see Root Certificate Authority.
Command Format:
oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details --compartment-id <compartment_OCID> --name <CA_display_name> --subject <CA_subject_information> --kms-key-id <Vault_encryption_key_OCID>
Note: Subject is a complex type whose value must be valid JSON. The value can be provided as a string on the command line or passed in as a file using the file://path/to/file syntax. In this tutorial we are following the file approach.
Sample Command:
Create a sample file subject.json with the following information.
{
"commonName": "INTERNAL-ROOTCA"
}
oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details --compartment-id ocid1.compartment.oc1..aaaaaaaabcdefghij12abcdefgh78abcde --name INTERNAL-ROOTCA --subject file://subject.json --kms-key-id ocid1.key.oc1.iad.abcdefghijklm.abcdefghijklmnop12abcdiklmnop56abcdef
Task 2: Create Dynamic group
Create the Dynamic group using the following commands. For more information, see Dynamic Group.
Command Format:
oci iam dynamic-group create --compartment-id <Tenancy OCID> --description <description> --name <DG Name> --matching-rule <Matching Rule>
Sample Command:
oci iam dynamic-group create --compartment-id ocid1.tenancy.oc1..aaaaaaaabbbbcdefgh12abcdabcdefghijkl --description Web-servers --name Web-servers-DG --matching-rule "instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaaabcdefghij12abcde6abcdefghij78abcde'"
Task 3: Create necessary policies to grant this dynamic group access to the OCI Certificates service
Create the OCI IAM policies using the following commands. For more information, see OCI IAM policies.
Command Format:
oci iam policy create --compartment-id <compartment_id> --description <description> --name <name> --statements file://statements.json
Sample Command:
Create a file statements.json with the following information.
[
"Allow dynamic-group Web-servers-DG to manage leaf-certificate-family in compartment chaitanyachintala",
"Allow dynamic-group Web-servers-DG to use certificate-authority-family in compartment chaitanyachintala"
]
oci iam policy create --compartment-id ocid1.compartment.oc1..aaaaaaaabcdefgh56abcdefghij78abcde --description Create-Certficate --name Cert-policies --statements file://statements.json
Task 4: Install OCI CLI on Compute Instance (Apache Web Server)
Install and configure the OCI Command Line Interface (CLI).
After connecting to the compute instance, run the following commands to install and verify the Python and OCI CLI packages on the Linux instance.
sudo dnf -y install oraclelinux-developer-release-el8
sudo dnf install python36-oci-cli
Task 5: Create a Certificate Signing Request (CSR) using OpenSSL in the Apache Web Server
- Change the directory.
cd /etc/pki/tls/private/
- Create a file examplecert.cnf with the following information to specify the certificate parameters with a Subject Alternative Name (SAN).
Note: The SAN extension enables the attachment of additional identities, such as domain names or IP addresses, to the certificate subject. The use of the SAN extension is standard practice for SSL certificates, and it is on its way to replacing the use of the common name. Because clients that find a SAN ignore the common name, every hostname the server will be reached by (here both example.com and www.example.com) must be listed in alt_names.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = Texas
L = Texas
O = Elpmaxe
CN = www.example.com

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
# The CN is not consulted when a SAN is present, so the www name is listed here as well
DNS.2 = www.example.com
IP.1 = 1.1.1.1
- Create the CSR using the following command.
openssl req -out example.csr -newkey rsa:2048 -nodes -keyout example.key -config examplecert.cnf
- (Optional) Verify the CSR using the following command.
openssl req -noout -text -in example.csr
Task 6: Create a certificate using the CA created by OCI administrator
- Capture the contents of the example.csr file into a variable examplecsr using the following command.
examplecsr=$(cat example.csr)
- Create a certificate that is managed externally and issued by the internal CA.
Command Format:
oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id <compartment_OCID> --csr-pem <csr_pem> --issuer-certificate-authority-id <CA_OCID> --name <Certificate-name>
Sample Command:
oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..aaaaaaaabcdefghhij78abcde --csr-pem "$examplecsr" --issuer-certificate-authority-id ocid1.certificateauthority.oc1.iad.abcdefghi56abcdefghijklmnop --name example.com --auth instance_principal
Note: Copy the OCID of the certificate created.
Task 7: Download the certificate and the certificate chain
Note: Run the following commands as the root user.
Use the following command to download the certificate and the certificate chain.
Command Format:
oci certificates certificate-bundle get --certificate-id <Certificate_OCID>
Sample Command - Certificate:
oci certificates certificate-bundle get --certificate-id ocid1.certificate.oc1.iad.abcdefghijbcdefghijk --raw-output --query 'data."certificate-pem"' --auth instance_principal > certificate.crt
Sample Command - Certificate-Chain:
oci certificates certificate-bundle get --certificate-id ocid1.certificate.oc1.iad.abcdefghip56abcdefghijk --raw-output --query 'data."cert-chain-pem"' --auth instance_principal > certificate-chain.pem
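Before the files are wired into Apache in Task 8, it is worth confirming that the downloaded certificate chains to the internal root, that it belongs to the example.key generated in Task 5, and that the hostname Apache will serve is present in the SAN (the point made in Task 5). The shell function below is an added example, not part of this tutorial or of the OCI CLI; the file names it is called with (certificate.crt, certificate-chain.pem, example.key, example.com) are the ones used in the tasks above.

```shell
#!/bin/sh
# Added example (not part of the tutorial): sanity checks on the TLS material
# produced in Tasks 5 to 7, to run before httpd is pointed at the files.
#   check_tls_material CERT CHAIN KEY HOSTNAME
# CERT  - leaf certificate downloaded in Task 7 (certificate.crt)
# CHAIN - issuing chain downloaded in Task 7 (certificate-chain.pem)
# KEY   - private key generated with the CSR in Task 5 (example.key)
# HOSTNAME - name clients will use, which must appear in the SAN
check_tls_material() {
    cert="$1"; chain="$2"; key="$3"; host="$4"

    # 1. The leaf must validate against the internal CA chain that clients
    #    will be asked to trust in Task 9.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $chain"; return 1
    fi

    # 2. The key in SSLCertificateKeyFile must match the certificate.
    #    Comparing the DER public keys works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; return 1
    fi

    # 3. Clients match the SAN, not the CN, so the served name must be there.
    if ! openssl x509 -in "$cert" -noout -text \
            | grep -A1 'Subject Alternative Name' | grep -qwF "DNS:$host"; then
        echo "FAIL: DNS:$host is not in the subjectAltName of $cert"; return 1
    fi

    # 4. Fail if the certificate expires within 30 days (2592000 s), so that
    #    renewal through OCI Certificates can be scheduled in time.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: $cert expires within 30 days"; return 1
    fi

    echo "OK: $cert, $key and $chain are consistent for $host"
    return 0
}

# Run directly with the paths used in this tutorial, for example:
# sh check_tls.sh certificate.crt certificate-chain.pem example.key example.com
if [ "$#" -eq 4 ]; then
    check_tls_material "$@"
fi
```

A non-zero exit from the function means the vhost would come up with material that clients cannot validate, so fix the input before restarting httpd.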
Task 8: Install and configure the Apache Web Server with the certificate
- Install the httpd package, the HTTPS add-on for Apache (mod_ssl) and their dependencies.
sudo dnf install httpd
sudo dnf install mod_ssl
As a best practice, secure all communications between a web browser and the Apache server by using HTTPS with the TLS certificate generated earlier.
To change the root path for your web server, do not edit the /etc/httpd/conf/httpd.conf file directly. Instead, as the preferred method, create a site-specific configuration file in the /etc/httpd/conf.d directory. In the following example, the file /etc/httpd/conf.d/example.com.conf is created to contain the configuration for the virtual host.
- Create the virtual host by adding the following information to /etc/httpd/conf.d/example.com.conf.
Listen *:443
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/private/certificate.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key
    DocumentRoot /var/www/example.com/html/
    ErrorLog /var/log/httpd/example.com_error.log
    CustomLog /var/log/httpd/example.com_access.log combined
</VirtualHost>
- Create the document root folder. The root folder hosts the web pages that Apache will serve to browsers. The index file is written through tee because a shell redirection after sudo echo runs as the unprivileged user and cannot write into the root-owned directory.
sudo mkdir -p /var/www/example.com/html
echo "example.com" | sudo tee /var/www/example.com/html/index.html
sudo chown -R apache:apache /var/www/example.com/html
- Restart the Apache service to load the new configuration.
sudo systemctl restart httpd
Note: Comment out the line Listen 443 https in the file /etc/httpd/conf.d/ssl.conf if you get the error "Cannot define multiple Listeners on the same IP:port".
- Configure the firewall. These commands open firewall port 443 for the Apache HTTPS service and reload the firewall service so the change takes effect.
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
Note: Ensure that the Security List associated with the subnet and the Security Groups associated with the VNIC allow traffic on port 443.
Task 9: Test the webpage
- Curl from the host: Use the curl command from the host where the Apache Web Server is running to test the connection. You will get the error "curl failed to verify the legitimacy of the server".
- Curl from a laptop: From a laptop or another machine, use curl to check the connection to the Apache Web Server. Replace the IP address or hostname with the actual IP address or hostname of your server. You will get the same error "curl failed to verify the legitimacy of the server".
- Web browser: Open a web browser on your laptop and access the webpage using https://your-server-ip. Check for any security warnings or errors that might be displayed by the browser.
All of these errors stem from the fact that the certificate installed on the web server is not issued by a public Certificate Authority, and the root certificate of the internal CA is not present in the client's certificate store.
- Install the certificate chain: Install the previously downloaded certificate chain into the trusted root authorities store on the client machine. This step is required for the client to recognize and trust the certificate served by your Apache Web Server.
- Access the webpage with a valid TLS certificate: After installing the certificate chain, revisit the webpage in the web browser. You should now observe that the webpage is served with a valid TLS certificate, and the security warnings or errors encountered earlier should be resolved.
By following these steps, you ensure that your Apache Web Server is properly configured with the internal CA certificate, and clients can securely access the webpage over HTTPS.
Acknowledgments
- Author - Chaitanya Chintala (Cloud Security Advisor)
F90568-01
January 2024
Copyright © 2024, Oracle and/or its affiliates.