How to Setup PKI and Secure Apache Web server

The focus of this tutorial is the working of Public Key Infrastructure (PKI) and an OpenSSL-based Certificate Authority. The different concepts related to PKI are explained first, and later a test bed using Ubuntu 14.04 LTS is prepared to apply that PKI knowledge.

In this article, a detailed explanation will be given on the generation of certification authority (CA), server and user keys/certificates. In the end, generated keys/certificates will be used in different scenarios.

About Public Key Infrastructure (PKI)

PKI is used to establish trust and security in computer networking. Its purpose is to bind public keys to attributes that are used in various applications and protocols for the following security features:

  • digital signature
  • authentication
  • non-repudiation
  • S/MIME

PKI consists of key pairs, each having a private and a public key. As the name indicates, the private key (Pr) should always be kept secure, while the public key (Pu) is distributed to all participants for trusted communication. Both keys can be used for encryption and decryption; however, their usage in an application differs.

  • If the public key is used for encryption, the associated private key is used for decryption.
  • If the private key is used for encryption, the associated public key is used for decryption (e.g. S/MIME signatures).

RSA (Rivest-Shamir-Adleman) is the most well-known algorithm used for PKI, and it supports different key lengths (512, 1024, 2048 bits, etc.). RSA keys are built from two prime numbers, which must be very large; otherwise the security of the algorithm is reduced.

In a PKI system, the digital certificate is the main component: it binds a public key to a user or website together with extra details. Ownership of a public key is proved using a digital certificate because it includes information about the generated key, the owner's identity and the allowed operations (such as digital signature, non-repudiation and server authentication). A digital certificate has two parts:

  • Data part
  • Signature part

The name of the entity (user or web site), the public key generated for the entity and other useful information (e.g. Common Name, Organizational Unit, validity period of the public key) are included in the data part. The digital signature generated by the CA over the data part is known as the signature part.


A PKI system includes the following components.

  1. Certification Authorities (CA's) --> responsible for issuing and revoking digital certificates to users or subscribers.
  2. Registration Authorities (RA's) --> verify the binding between the identities of certificate holders and their public keys.
  3. Digital certificate holders --> computers, people and network devices that have been issued certificates.
  4. End clients --> validate digital signatures and the certificates of the communicating parties.

Installation and Configuration

In this article, Ubuntu 14.04 LTS is installed on a VM and the following required packages are installed.

Install the Apache web server using the following command.

apt-get install apache2

Install the OpenSSL package using the following command.

apt-get install openssl

The CA key is generated using the following command.

openssl genrsa -out myCA_key.pem 2048

A custom configuration file (my_ca.cfg) is created for the CA.

# Extensions placed in the CA certificate itself (selected with "-extensions ext")
[ ext ]
keyUsage = critical, cRLSign, keyCertSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash

# Settings for "openssl req"; with -batch the *_default values are used without prompting
[ req ]
distinguished_name      = req_distinguished_name

[ req_distinguished_name ]
CN = Common Name
CN_default = "My CA"
# "policy" is an "openssl ca" option; "openssl req" ignores it and the section below
policy = policy_supplied

[ policy_supplied ]
CN = supplied

Run the following command to create the self-signed CA certificate.

openssl req -config my_ca.cfg -extensions ext -days 180 -new -x509 -key myCA_key.pem -out myCA_cert.crt -set_serial 11 -batch -text

The generated CA certificate is shown in the following snapshots.


Now, generate the key and certificate for the Apache server.

openssl genrsa -out apache_server.key 2048

A Certificate Signing Request (CSR) is generated for the Apache server, and it is then signed using our CA.

openssl req -out apache_server.csr -key apache_server.key -new -batch

The CSR is shown in the following snapshot.


Sign the Apache server certificate using the following command. Note that -extensions only takes effect together with -extfile pointing at a configuration file that defines the named section; without -extfile, OpenSSL ignores -extensions and issues the certificate with no extensions.

openssl x509 -req -extensions req_ext -in apache_server.csr -CA myCA_cert.crt -CAkey myCA_key.pem -out apache_server.crt -days 720 -set_serial 10 -text

Now, the Apache server is configured to use the key and certificate generated above. Currently, it is running on http (port 80).


Create a directory named "certificates" under /etc/apache2 using the following commands.

mkdir /etc/apache2/certificates

cd /etc/apache2/certificates

Copy the CA certificate, server certificate and server key into the "/etc/apache2/certificates" directory.


Update the SSL configuration file "default-ssl.conf", which exists under /etc/apache2/sites-available, to point at the newly generated certificates and key. For testing, add the following to the SSL configuration file and restart the Apache server.


<VirtualHost _default_:443>
    DocumentRoot /var/www/html/
    ServerName test
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLCertificateFile /etc/apache2/certificates/apache_server.crt
    SSLCertificateKeyFile /etc/apache2/certificates/apache_server.key
    SSLCACertificateFile /etc/apache2/certificates/myCA_cert.crt
</VirtualHost>

Before restarting the Apache web server, make sure the "ssl" module is enabled. Use the following command to enable Apache's SSL module.

a2enmod ssl

Enable the SSL web site using the following command.

a2ensite default-ssl
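As an added example that is not part of the original article, the following script reproduces the CA and server certificate steps above (with the leaf extensions passed via -extfile, and a subjectAltName matching the ServerName) and then runs the checks worth doing before restarting Apache. It assumes only the openssl CLI and writes into a temporary directory; all file names mirror the article's.

```shell
# Added example, not from the article: the CA and Apache server certificate from
# above, with the leaf extensions passed via -extfile (x509 -req silently ignores
# -extensions without it), plus the checks to run before restarting Apache.
set -eu
# Issue a CA and a server certificate for host name $2 into directory $1.
make_pki() {
  dir=$1; host=$2
  cat > "$dir/ca.cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = My CA
[ ca_ext ]
keyUsage = critical, cRLSign, keyCertSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
EOF
  cat > "$dir/server.ext" <<EOF
[ srv_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl genrsa -out "$dir/myCA_key.pem" 2048 2>/dev/null
  openssl req -config "$dir/ca.cfg" -extensions ca_ext -new -x509 -days 180 \
    -key "$dir/myCA_key.pem" -out "$dir/myCA_cert.crt" -set_serial 11
  openssl genrsa -out "$dir/apache_server.key" 2048 2>/dev/null
  openssl req -config "$dir/ca.cfg" -new -key "$dir/apache_server.key" \
    -subj "/CN=$host" -out "$dir/apache_server.csr"
  openssl x509 -req -in "$dir/apache_server.csr" -CA "$dir/myCA_cert.crt" \
    -CAkey "$dir/myCA_key.pem" -extfile "$dir/server.ext" -extensions srv_ext \
    -days 720 -set_serial 10 -out "$dir/apache_server.crt" 2>/dev/null
}
# Pre-restart checks: chain verifies against the CA, key matches the certificate
# (Apache refuses to start otherwise), CA cert is a real CA, SAN covers the host.
verify_material() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/myCA_cert.crt" "$dir/apache_server.crt" 2>/dev/null | grep -q ': OK$' || return 1
  ckey=$(openssl x509 -noout -modulus -in "$dir/apache_server.crt")
  pkey=$(openssl rsa -noout -modulus -in "$dir/apache_server.key" 2>/dev/null)
  [ "$ckey" = "$pkey" ] || return 1
  openssl x509 -noout -text -in "$dir/myCA_cert.crt" | grep -q 'CA:TRUE' || return 1
  openssl x509 -noout -text -in "$dir/apache_server.crt" | grep -q "DNS:$host"
}
WORK=$(mktemp -d)
make_pki "$WORK" test
verify_material "$WORK" test && echo "certificate material OK in $WORK"
```

The same verify_material checks can be pointed at /etc/apache2/certificates once the files are copied there; a mismatched key or a certificate not issued by the CA makes the function return 1.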

Import the CA certificate into the client browser, as shown below.


Finally, the Apache web server is configured to listen on port 443 (https).


PKI is a critical component in the IT world and is integrated with many applications. It provides authenticity of the entity and an encrypted channel for secure communication.
