Working with OpenSSL and Httpd
Approximately 25% of the LPIC-3 Security exam is based on cryptography and how to employ it in Linux. In this hands-on lab, we will learn how to generate a signed certificate using `openssl` and use that certificate to secure HTTP traffic. We will then use the `openssl` command to verify the Apache configuration.

Challenge
Install `mod_ssl` on the host `webserver`.
- Run `yum install mod_ssl`, and accept the prompts.

Challenge
Generate and sign the private key for `shop.example.com` using `openssl`.
- Create a new encrypted private key.
  `openssl genrsa -aes128 -out /etc/pki/tls/private/httpdkey.pem`
- Enter `httpd` at the passphrase prompt.
- Generate a self-signed certificate using the key.
  `openssl req -new -x509 -key /etc/pki/tls/private/httpdkey.pem -out /etc/pki/tls/certs/httpdcert.pem -days 365`
- Enter `httpd` at the passphrase prompt.
- At the prompts, enter the field information provided in the instructions (use defaults where not specified).

Challenge
Update the default Apache virtual host to accept connections on `shop.example.com` using the new keypair, and allow HTTPS traffic through the firewall.
- Make the following changes to `/etc/httpd/conf.d/ssl.conf`:
  - At the end of the `<VirtualHost _default_:443>` section, add the following on a new line:
    `ServerName shop.example.com:443`
  - Locate the line `SSLCertificateFile /etc/pki/tls/certs/localhost.crt`, and change it to the following:
    `SSLCertificateFile /etc/pki/tls/certs/httpdcert.pem`
  - Locate the line `SSLCertificateKeyFile /etc/pki/tls/private/localhost.key`, and change it to the following:
    `SSLCertificateKeyFile /etc/pki/tls/private/httpdkey.pem`
- Restart `httpd` to put the changes into effect.
  `systemctl restart httpd`
- Enter `httpd` at the passphrase prompt.
- Open port 443 on the OS firewall.
  `sudo firewall-cmd --add-service=https --permanent`
  `sudo firewall-cmd --reload`

Challenge
Verify the configuration with `openssl` from the host `workstation`.
- On the `workstation` machine, run the following command:
  `openssl s_client -connect shop.example.com:443 > /home/cloud_user/httpd_output`

  **Note:** The OpenSSL `s_client` will briefly wait for input before terminating the connection. You may either interrupt the running command or let it close automatically. No further input is required.
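
The key and certificate created in the second challenge can be checked as a pair before `httpd` is restarted with them. The script below is an added example, not part of the lab: it repeats the lab's `genrsa` and `req -x509` commands in a scratch directory and confirms that the certificate carries the key's public half, that subject and issuer are identical, and that the subject names the host. The function names, the scratch directory, the `LAB_PASS` variable and the subject `/CN=shop.example.com` are assumptions.

```bash
#!/bin/sh
# Added example, not part of the lab. Function names, the scratch directory and
# the subject /CN=shop.example.com are assumptions. The passphrase is read from
# the LAB_PASS environment variable instead of the interactive prompt.

# Create an AES-128-encrypted RSA key and a 365-day self-signed certificate in
# directory $1 for host $2, with the lab's genrsa and req -x509 commands.
make_pair() {
    openssl genrsa -aes128 -passout env:LAB_PASS -out "$1/httpdkey.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/httpdkey.pem" -passin env:LAB_PASS \
        -out "$1/httpdcert.pem" -days 365 -subj "/CN=$2" 2>/dev/null
}

# True when certificate $1 carries the public key that belongs to private key $2.
# An empty result (unreadable file, wrong passphrase) counts as a mismatch.
pair_matches() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -passin env:LAB_PASS -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# True when subject and issuer are identical, as they are for the lab's
# self-signed certificate.
subject_equals_issuer() (
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
    [ -n "$s" ] && [ "${s#subject=}" = "${i#issuer=}" ]
)

# True when the subject contains CN=$2 and the certificate has not expired.
names_host_and_valid() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -qF "CN=$2" &&
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Demo on constructed inputs in a scratch directory; nothing under /etc is touched.
export LAB_PASS=httpd
demo=$(mktemp -d) && mkdir "$demo/a" "$demo/b"
make_pair "$demo/a" shop.example.com
make_pair "$demo/b" shop.example.com   # second, unrelated key with the same subject
pair_matches "$demo/a/httpdcert.pem" "$demo/a/httpdkey.pem" && echo "cert a + key a: match"
pair_matches "$demo/a/httpdcert.pem" "$demo/b/httpdkey.pem" || echo "cert a + key b: MISMATCH"
subject_equals_issuer "$demo/a/httpdcert.pem" && echo "subject equals issuer"
names_host_and_valid "$demo/a/httpdcert.pem" shop.example.com && echo "subject and dates ok"
rm -rf "$demo"
```

On the lab host the same functions can be pointed at `/etc/pki/tls/certs/httpdcert.pem` and `/etc/pki/tls/private/httpdkey.pem` with `LAB_PASS` set to the key's passphrase.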