# Encrypting Web Servers using SSL

In SSL/TLS, a **CA Certificate** (Certificate Authority Certificate) is a digital certificate issued by a trusted authority (CA) that verifies the identity of websites or services. The **CA Chain** (or certificate chain) is a sequence of certificates that begins with the server's certificate, followed by one or more intermediate certificates, and ends with the root CA certificate. This chain establishes a path of trust from the CA to the server's certificate. The **Key** (specifically, the private key) is a cryptographic key that remains confidential on the server and is used to encrypt and decrypt data as well as to sign the certificate request, ensuring secure communication.

***

## LAB : Encrypting Apache2 Web Server using SSL

Installing the Apache2 web server

```
# sudo apt update
# sudo apt install apache2
# sudo systemctl enable apache2

~ General Apache2 Service Commands
# sudo systemctl (start , stop , restart , disable) apache2
```

<figure><img src="/files/PMYyVDEUlQQ49QtVyr9Z" alt=""><figcaption><p>Apache2 default config page</p></figcaption></figure>

By default the Apache2 web server runs on HTTP. We need to configure SSL to run it on HTTPS.

#### Configuring SSL

* **Step - 1 : Generating the Private Key (.key)**

```
# openssl genrsa -out ghoulsec.key 2048
~ Where 2048 is the key size & rsa is the key algorithm 
```

* **Step - 2 : Generating the Certificate Signing Request (.csr)**

```
# openssl req -new -key ghoulsec.key -out ghoulsec.csr

~ The following information will be asked
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Gujarat
Locality Name (eg, city) []:Ahmedabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ghoulsec
Organizational Unit Name (eg, section) []:Ghoulsec
Common Name (e.g. server FQDN or YOUR name) []:Ghoulsecurity
Email Address []:ghoulsec@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Admin@123
An optional company name []:
```

* **Step - 3 : Generating the Self Signed Certificate (.crt)**

```
# openssl x509 -req -days 365 -in ghoulsec.csr -signkey ghoulsec.key -out ghoulsec.crt
```

* **Step - 4 : Generating CA-Chain (.bundle)**

```
# cat ghoulsec_intermediate.crt ghoulsec.crt > ghoulsec.ca-chain.bundle
```

* **Step - 5 : Installing SSL on Apache2**

```
# sudo a2enmod ssl
# sudo a2ensite default-ssl.conf
```

Now we will copy the key and certificate into place and edit the default SSL site configuration file so that it points to our self-signed certificate and private key.

```
# sudo cp /home/ghoul/ghoulsec.key /etc/ssl/private/
# sudo cp /home/ghoul/ghoulsec.crt /etc/ssl/certs/
# sudo nano /etc/apache2/sites-available/default-ssl.conf
# sudo systemctl restart apache2
```

<figure><img src="/files/tWn7wTirbZOhhDYydpEH" alt=""><figcaption><p>Edits done on the Apache2 config files</p></figcaption></figure>

<figure><img src="/files/JxAH4Q3G4f72I5CHB8Sh" alt=""><figcaption><p>Website is Redirected to the HTTPS protocol &#x26; SSL is successfully configured.</p></figcaption></figure>
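Before restarting Apache it is worth confirming that the certificate actually belongs to the private key, that the key file is not readable by other users, and how long the certificate stays valid. The script below is an added example, not part of the original lab: it rebuilds Steps 1-3 non-interactively in a temporary directory and runs those checks. The `sample.*` file names, the `-subj` value and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: checks to run on the key/certificate pair before restarting Apache.
# sample.* names and the subject are constructed values, not from the page.
set -eu

# Succeeds only if the certificate carries the public key of this private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only if the key file grants nothing to group or others.
key_is_private() {
    case "$(ls -ld "$1")" in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds if issuer and subject are identical (browsers will warn on such a cert).
cert_is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Rebuild Steps 1-3 non-interactively in directory $1.
make_sample_pair() {
    ( umask 077; openssl genrsa -out "$1/sample.key" 2048 2>/dev/null )
    openssl req -new -key "$1/sample.key" -out "$1/sample.csr" \
        -subj "/C=IN/O=Example/CN=lab.example.test"
    openssl x509 -req -days 365 -in "$1/sample.csr" \
        -signkey "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_pair "$tmp"
cert_matches_key "$tmp/sample.crt" "$tmp/sample.key" && echo "cert matches key"
key_is_private "$tmp/sample.key" && echo "key permissions ok"
cert_valid_for_days "$tmp/sample.crt" 30 && echo "valid for 30+ days"
cert_is_self_signed "$tmp/sample.crt" && echo "self-signed"
rm -rf "$tmp"
```

To check the lab's own files, call the same functions on `/etc/ssl/certs/ghoulsec.crt` and `/etc/ssl/private/ghoulsec.key` (as root, since the key directory is restricted).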


