rss logo

Obtain and Configure SSL Certificates for a Linux Web Server in an AD CS Environment

In this article I'll show you how to set up, SSL certificates for a GNU/Linux web server in an AD CS environment. The aim is to have web servers available on the corporate network secured by SSL but without the warning that can be encountered with self-signed certificates.

I'll be using a Debian machine with an Apache HTTP Server, but this can be reproduced on any distribution and any web server.

Firefox warning message about a potential security risk when accessing a web server
The warning message that appears with self-signed certificates.

Generating a Certificate Signing Request (CSR)

Debian logo
  • From the debian server, create an openssl-san.cnf file, example here with a web server named webserver.std.local which has the following IP address: 192.168.1.200. Note the different alternative names, corresponding to the different urls that users can use to access the website:
[ req ] default_bits = 4096 prompt = no default_md = sha512 distinguished_name = dn req_extensions = req_ext [ dn ] CN = webserver.std.local [ req_ext ] subjectAltName = @alt_names [ alt_names ] DNS.1 = webserver.std.local DNS.2 = webserver DNS.3 = www.webserver DNS.4 = www.webserver.std.local IP.1 = 192.168.1.200
  • Next, use the openssl command to generate a private key and a certificate signing request for our ADCS:
user@webserver:~$ openssl req -new -nodes -keyout webserver.std.local.key -out webserver.std.local.csr -config openssl-san.cnf
  • Copy the csr file to /tmp/ for later retrieval from the AD CS server:
user@webserver:~$ cp webserver.std.local.csr /tmp/

Requesting a Certificate from Windows AD CS

Microsoft Logo
  • From the AD CS server, open the Certificate Templates Settings console, and make sure you have the Web Server template:
Windows ADCS certificate templates showing web server template selected for server authentication
  • If not, right-click on Certificate Templates and click on Certificate Template to Issue:
Windows ADCS interface showing how to issue a new certificate template from the Certificate Templates menu
  • Select the Web Server template, and click on OK:
Enable certificate templates dialog in Windows ADCS with Web Server template selected for server authentication
  • Now right-click on Certificate Templates, and click on Manage:
Windows ADCS interface showing how to access the manage option in the Certificate Templates menu
  • In the Certificate Templates console, right-click on Web Server, and note the name of the template, which will be used later with the certreq command:
Certificate Templates Console in Windows ADCS showing Web Server template properties, including template name and validity period settings
  • Copy the certificate signing request file from the web server, for example here with a PowerShell command:
PS > scp user@192.168.1.200:/tmp/webserver.std.local.csr .
  • From a PowerShell console, request a certificate to the AD CS certification authority:
PS > certreq -submit -attrib "CertificateTemplate:webserver" .\webserver.std.local.csr webserver.std.local.cer
  • A Certification Authority List window should appear, click on OK:
Certification Authority List dialog in Windows ADCS showing available certification authorities
  • If everything goes well, the Issued message should appear indicating that the certificate has been issued in the current directory:
PowerShell command output showing certificate request submission and issuance confirmation for web server certificate
  • Copy the cer certificate to the Linux Web Server, for example here with a PowerShell command that copies it to the web server's /tmp directory:
PS > scp webserver.std.local.cer user@192.168.1.200:/tmp/

Installing the Issued Certificate on an Apache Web Server

  • Connect to your Linux web server and copy the ssl certificates into these folders (note that the cer file has been renamed to pem):
root@webserver:~# cp /tmp/webserver.std.local.cer /etc/ssl/certs/webserver.std.local.pem root@webserver:~# cp /home/user/webserver.std.local.key /etc/ssl/private/webserver.std.local.key
  • Edit the configuration file of your https apache2 site, for example here the file /etc/apache2/sites-enabled/default-ssl.conf:
# A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See # /usr/share/doc/apache2/README.Debian.gz for more info. # If both key and certificate are stored in the same file, only the # SSLCertificateFile directive is needed. SSLCertificateFile /etc/ssl/certs/webserver.std.local.pem SSLCertificateKeyFile /etc/ssl/private/webserver.std.local.key
  • Reload the apache2 service:
root@webserver:~# systemctl reload apache2.service
  • From a machine in the domain, open a web browser and connect to the web server url (https://webserver for example). You shoul no longer see the warning. From the web browser, you can check the certificate properties:
Firefox connection security message showing secure connection to webserver with certificate issued by std-ADCS-CA Certificate details for webserver.std.local issued by std-ADCS-CA, showing validity period and subject alternative names
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :

contact mail address