How to Set Up PKI and Secure an Apache Web Server

The focus of this tutorial is the working of a Public Key Infrastructure (PKI) and an OpenSSL-based Certificate Authority. Different concepts related to PKI are explained first; later a test bed using Ubuntu 14.04 LTS is prepared to apply this PKI knowledge. The article explains in detail the generation of the certification authority (CA), server and user keys/certificates. In the end, the generated keys/certificates are used in different scenarios.

About Public Key Infrastructure (PKI)

PKI is used to establish trust and security in computer networking. Its purpose is to bind public keys to attributes, which are then used by various applications and protocols for the following security features:

  • digital signature,
  • authentication,
  • non-repudiation,
  • S/MIME.

PKI consists of key pairs, each made up of a private key and a public key. As the name indicates, the private key (Pr) must always be kept secret, while the public key (Pu) is distributed to all participants for trusted communication. Both keys can be used for encryption and decryption; however, their roles in applications differ.

  • If the public key is used for encryption, the associated private key is used for decryption (confidentiality).
  • If the private key is used to sign (encrypt a digest), the associated public key is used to verify (decrypt) it; this is how digital signatures work, e.g. in S/MIME.
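The two key roles just described, exercised with OpenSSL, as an added example that is not part of the original article (the key file names and the sample message are constructed here):

```shell
# Added example, not from the original article: the two key roles described
# above, exercised with OpenSSL. Key file names and the message are constructed.
set -e

rsa_roles_demo() (
    work=$(mktemp -d) && cd "$work"
    # Throw-away 2048-bit key pair; only the public half would be distributed.
    openssl genrsa -out demo_priv.pem 2048 2>/dev/null
    openssl rsa -in demo_priv.pem -pubout -out demo_pub.pem 2>/dev/null
    printf 'transfer 100 EUR to account 42\n' > msg.txt

    # Role 1: the public key encrypts, only the matching private key decrypts.
    openssl pkeyutl -encrypt -pubin -inkey demo_pub.pem -in msg.txt -out msg.enc
    openssl pkeyutl -decrypt -inkey demo_priv.pem -in msg.enc -out msg.dec
    cmp -s msg.txt msg.dec || exit 1

    # Role 2: the private key signs (a SHA-256 digest), the public key verifies.
    openssl dgst -sha256 -sign demo_priv.pem -out msg.sig msg.txt
    openssl dgst -sha256 -verify demo_pub.pem -signature msg.sig msg.txt >/dev/null || exit 1

    # Changing one digit of the signed message must make verification fail.
    sed 's/100/900/' msg.txt > tampered.txt
    if openssl dgst -sha256 -verify demo_pub.pem -signature msg.sig tampered.txt >/dev/null 2>&1; then
        exit 1
    fi
    rm -rf "$work"
)

rsa_roles_demo && echo "encrypt/decrypt and sign/verify behave as described"
```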

RSA (Rivest-Shamir-Adleman) is the most well-known algorithm used for PKI, and it supports different key lengths (512, 1024, 2048 bits, etc.). An RSA key is built from two prime numbers, which must be very large; otherwise the security of the algorithm is reduced.

In a PKI system, the digital certificate is the main component: it binds a public key to a user or web site together with extra details. Ownership of a public key is proved using a digital certificate because it includes information about the generated key, the owner's identity and the allowed operations (digital signature, non-repudiation, server authentication, etc.). A digital certificate has two parts:

  • Data part
  • Signature part

The Data part includes the name of the entity (user or web site), the public key generated for the entity and other useful information (e.g. Common Name, Organizational Unit, validity period of the public key). The digital signature generated by the CA over the Data part is the Signature part.

A PKI system includes the following components:

  1. Certificate Authorities (CAs) --> responsible for issuing and revoking digital certificates to users or subscribers.
  2. Registration Authorities (RAs) --> verify the binding between the identities of certificate holders and their public keys.
  3. Digital certificate holders --> computers, people and network devices that have been issued certificates.
  4. End clients --> validate digital signatures and the certificates of the communicating parties.

Installation and Configuration

In this article, Ubuntu 14.04 LTS is installed on a VM and the following required packages are installed.

Install the Apache web server using the following command:

apt-get install apache2

Install the OpenSSL package using the following command:

apt-get install openssl

A 2048-bit RSA key is generated for the CA using the following command:

openssl genrsa -out myCA_key.pem 2048


A custom configuration file (my_ca.cfg) is created for the CA. The [ ext ] section holds the X.509 v3 extensions that mark the certificate as a CA allowed to sign certificates and CRLs; the [ req ] sections supply the default Common Name used in batch mode.

[ ext ]
keyUsage = critical, cRLSign, keyCertSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
CN = Common Name
CN_default = My CA

# The policy below is only consulted by the "openssl ca" command, not by
# "openssl req" or "openssl x509 -req" used in this tutorial. It is kept out of
# the DN section so that req does not try to treat "policy" as a DN attribute.
[ ca_policy ]
policy = policy_supplied

[ policy_supplied ]
CN = supplied


Run the following command to create the self-signed certificate for the CA:

openssl req -config my_ca.cfg -extensions ext -days 180 -new -x509 -key myCA_key.pem -out myCA_cert.crt -set_serial 11 -batch -text

The generated (self-signed) CA certificate is shown in the following snapshots.

Now, generate the key and certificate for the Apache server:

openssl genrsa -out apache_server.key 2048


A Certificate Signing Request (CSR) is generated for the Apache server and then signed using our CA. The subject is set explicitly so that the Common Name matches the ServerName ("test") configured in Apache below; with -batch and no subject, OpenSSL would otherwise fall back to the defaults in the system openssl.cnf.

openssl req -out apache_server.csr -key apache_server.key -new -batch -subj "/CN=test"


The CSR is shown in the following snapshot.


Sign the Apache server certificate with the CA using the following command. Note that "openssl x509 -req" copies no extensions from the CSR, and an "-extensions" option is silently ignored unless the named section is supplied with "-extfile"; the command below therefore produces a certificate without v3 extensions (no subjectAltName or serverAuth usage).

openssl x509 -req -in apache_server.csr -CA myCA_cert.crt -CAkey myCA_key.pem -out apache_server.crt -days 720 -set_serial 10 -text
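The CA and server certificate generation from this section, as an added example that is not the article's own commands: it adds a server extension file (server_ext.cfg, our own name) passed via -extfile so the signed certificate actually carries serverAuth and a subjectAltName for the host name "test", and finishes with the checks worth running before the files are handed to Apache.

```shell
# Added example, not part of the original article: rebuild the CA and server
# certificates from the steps above, but give the server certificate the
# extensions browsers and Apache expect (serverAuth, subjectAltName) via
# -extfile. server_ext.cfg and the host name "test" are our own choices.
set -e
build_test_pki() (
    work=$(mktemp -d) && cd "$work"
    # CA configuration as in the article: CA:true, keyCertSign, cRLSign.
    cat > my_ca.cfg <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
CN = Common Name
CN_default = My CA
[ ext ]
keyUsage = critical, cRLSign, keyCertSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out myCA_key.pem 2048 2>/dev/null
    openssl req -config my_ca.cfg -extensions ext -days 180 -new -x509 \
        -key myCA_key.pem -out myCA_cert.crt -set_serial 11 -batch
    # Server key and CSR; the CN matches the Apache ServerName.
    openssl genrsa -out apache_server.key 2048 2>/dev/null
    openssl req -config my_ca.cfg -new -key apache_server.key -subj "/CN=test" \
        -out apache_server.csr
    # End-entity extensions: not a CA, TLS server use only, SAN = host name.
    cat > server_ext.cfg <<'EOF'
[ req_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:test
EOF
    openssl x509 -req -in apache_server.csr -CA myCA_cert.crt -CAkey myCA_key.pem \
        -extfile server_ext.cfg -extensions req_ext -days 720 -set_serial 10 \
        -out apache_server.crt 2>/dev/null
    # Pre-deployment checks: chain verifies, key matches certificate, and the
    # two extensions are really present in the signed certificate.
    openssl verify -CAfile myCA_cert.crt apache_server.crt >/dev/null &&
    [ "$(openssl x509 -noout -modulus -in apache_server.crt)" = \
      "$(openssl rsa -noout -modulus -in apache_server.key 2>/dev/null)" ] &&
    openssl x509 -noout -text -in apache_server.crt | grep -q 'TLS Web Server Authentication' &&
    openssl x509 -noout -text -in apache_server.crt | grep -q 'DNS:test'
    status=$?
    rm -rf "$work"
    exit $status
)
build_test_pki && echo "test PKI built and verified"
```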


Now, the Apache server is configured to use the keys and certificate generated above. Currently it is running on HTTP only (port 80).

Create the directory "certificates" under /etc/apache2 using the following commands:

mkdir /etc/apache2/certificates

cd /etc/apache2/certificates


Copy the CA certificate, the server certificate and the server key into the "/etc/apache2/certificates" directory.


Edit the SSL configuration file "default-ssl.conf" under /etc/apache2/sites-available so that its <VirtualHost _default_:443> block points at the newly generated certificate and key. For testing, set the following directives inside that block and restart the Apache server. (SSLCACertificateFile is only consulted when Apache verifies client certificates; it does not serve the CA certificate to browsers, which is why the CA is imported into the browser separately below.)

DocumentRoot /var/www/html/
ServerName test
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/certificates/apache_server.crt
SSLCertificateKeyFile /etc/apache2/certificates/apache_server.key
SSLCACertificateFile /etc/apache2/certificates/myCA_cert.crt



Before restarting the Apache web server, make sure the "ssl" module is enabled. Use the following command to enable the ssl module of Apache:

a2enmod ssl


Enable the SSL site using the following command:

a2ensite default-ssl


Add the CA certificate to the client browser's trusted certificate authorities, as shown below.

Finally, after the restart, the Apache web server is configured to listen on port 443 (HTTPS) as well.


PKI is a critical component of the IT world and is integrated with many applications. It provides authenticity of entities and an encrypted channel for secure communication.
