Configure HTTPS using OpenSSL

NOTE:

If you want to set up FIPS or CNSA mode, see Set up FIPS mode and Set up CNSA mode.

Procedure
  1. Obtain OpenSSL, mod_ssl, and Apache's interface to OpenSSL.

    yum install mod_ssl openssl

  2. Add the Subject Alternative Name (SAN) field with the IP address of the Linux external repository in the section titled [v3_req], in /etc/pki/tls/openssl.cnf.

    If it is an IPv4 repository, [v3_req] should look like the following example:

    [v3_req]
    
    # Extensions to add to a certificate request
    
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = IP:172.20.5.55
    

    If it is an IPv6 repository, add the IPv6 address as a DNS entry enclosed in square brackets, alongside the IP entry.

    For example: subjectAltName = DNS:[1::3], IP:1::3

    [v3_req] should look like the following example:

    [v3_req]
    
    # Extensions to add to a certificate request
    
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = DNS:[1::3], IP:1::3
  3. Generate the key and certificate with the required values for the attributes.

    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -days 3650 -subj '/CN=<repo hostname or IP>/C=<Country>/ST=<State>/L=<City>/O=<Customer>/OU=<IT>' -extensions v3_req

  4. Copy the generated certificate and key to the correct location.

    cp cert.pem /etc/pki/tls/certs/localhost.crt

    cp key.pem /etc/pki/tls/private/localhost.key

  5. Set the protocol by uncommenting the following line in /etc/httpd/conf.d/ssl.conf:

    SSLProtocol -all +TLSv1.2

  6. Set up the cipher suites by performing the following steps:
    1. Comment out the following existing lines in /etc/httpd/conf.d/ssl.conf:

      #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

      #SSLCipherSuite ECDHE-ECDSA-AES256-SHA:HIGH:MEDIUM:!aNULL:!MD5

      The SSL Cipher Suite section of ssl.conf should then look like the following example:

      #   SSL Cipher Suite:
      #   List the ciphers that the client is permitted to negotiate.
      #   See the mod_ssl documentation for a complete list.
      #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
      #SSLCipherSuite ECDHE-ECDSA-AES256-SHA:HIGH:MEDIUM:!aNULL:!MD5
      
    2. Add cipher suites.

      SSLCipherSuite ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:ECDH-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:ECDH-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA

  7. Save the changes and exit the text editor.
  8. Restart Apache.

    service httpd restart
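As an added check that is not part of the original procedure, the POSIX shell script below writes a [v3_req] section like the one in step 2, generates the certificate with the step 3 command, and verifies that the SAN and the separate subject fields are actually present in the result. It assumes openssl is on PATH; the address 172.20.5.55 and the subject values are constructed samples.

```shell
# Added example, not from the original page: write a [v3_req] section with
# the repository address in the SAN (step 2), generate the self-signed cert
# (step 3) and check the SAN and subject fields. Assumes openssl on PATH;
# 172.20.5.55 and the subject values are constructed sample values.
set -e
# Write a minimal config. $1 = output path, $2 = SAN value, e.g.
# "IP:172.20.5.55" (IPv4) or "DNS:[1::3], IP:1::3" (IPv6).
write_cnf() {
    cat > "$1" <<EOF
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $2
EOF
}
# Generate key and certificate. $1 = config, $2 = key out, $3 = cert out,
# $4 = subject in '/CN=.../C=...' form: the separator must be '/'; with
# commas OpenSSL stores the whole string as a single CN.
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -keyout "$2" -out "$3" -nodes \
        -days 3650 -subj "$4" -config "$1" -extensions v3_req 2>/dev/null
}
# Succeed if the certificate text lists $2, e.g. "IP Address:172.20.5.55".
san_contains() {
    openssl x509 -in "$1" -noout -text | grep -qF "$2"
}
# Succeed if the subject has a separate RDN $2 (long name such as
# countryName) whose value is exactly $3.
subject_has() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | grep -q "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3\$"
}
# Full flow in a temporary directory; succeeds only if both checks pass.
demo() {
    d=$(mktemp -d)
    write_cnf "$d/openssl.cnf" "IP:172.20.5.55"
    gen_cert "$d/openssl.cnf" "$d/key.pem" "$d/cert.pem" \
        '/CN=172.20.5.55/C=US/ST=Texas/L=Austin/O=Example Co/OU=IT'
    san_contains "$d/cert.pem" "IP Address:172.20.5.55" \
        && subject_has "$d/cert.pem" countryName US
    rc=$?; rm -rf "$d"; return $rc
}
# Run as "sh check_cert.sh run" to execute the flow and report.
case "${1:-}" in run) demo && echo "SAN and subject OK" ;; esac
```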