Obtain and Configure SSL Certificates for a Linux Web Server in an AD CS Environment

Last updated: Nov 2, 2024

In this article I'll show you how to set up, SSL certificates for a GNU/Linux web server in an AD CS environment. The aim is to have web servers available on the corporate network secured by SSL but without the warning that can be encountered with self-signed certificates.

I'll be using a Debian machine with an Apache HTTP Server, but this can be reproduced on any distribution and any web server.

Firefox warning message about a potential security risk when accessing a web server — The **warning** message that appears with **self-signed** certificates.

Generating a Certificate Signing Request (CSR)

From the debian server, create an openssl-san.cnf file, example here with a web server named webserver.std.local which has the following IP address: 192.168.1.200. Note the different alternative names, corresponding to the different urls that users can use to access the website:

[ req ]
default_bits = 4096
prompt = no
default_md = sha512
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = webserver.std.local

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = webserver.std.local
DNS.2 = webserver
DNS.3 = www.webserver
DNS.4 = www.webserver.std.local
IP.1 = 192.168.1.200

Next, use the openssl command to generate a private key and a certificate signing request for our ADCS:

user@webserver:~$ openssl req -new -nodes -keyout webserver.std.local.key -out webserver.std.local.csr -config openssl-san.cnf

Copy the csr file to /tmp/ for later retrieval from the AD CS server:

user@webserver:~$ cp webserver.std.local.csr /tmp/

Requesting a Certificate from Windows AD CS

From the AD CS server, open the Certificate Templates Settings console, and make sure you have the Web Server template:

Windows ADCS certificate templates showing web server template selected for server authentication

If not, right-click on Certificate Templates and click on Certificate Template to Issue:

Windows ADCS interface showing how to issue a new certificate template from the Certificate Templates menu

Select the Web Server template, and click on OK:

Enable certificate templates dialog in Windows ADCS with Web Server template selected for server authentication

Now right-click on Certificate Templates, and click on Manage:

Windows ADCS interface showing how to access the manage option in the Certificate Templates menu

In the Certificate Templates console, right-click on Web Server, and note the name of the template, which will be used later with the certreq command:

Certificate Templates Console in Windows ADCS showing Web Server template properties, including template name and validity period settings

Copy the certificate signing request file from the web server, for example here with a PowerShell command:

PS > scp user@192.168.1.200:/tmp/webserver.std.local.csr .

From a PowerShell console, request a certificate to the AD CS certification authority:

PS > certreq -submit -attrib "CertificateTemplate:webserver" .\webserver.std.local.csr webserver.std.local.cer

A Certification Authority List window should appear, click on OK:

Certification Authority List dialog in Windows ADCS showing available certification authorities

If everything goes well, the Issued message should appear indicating that the certificate has been issued in the current directory:

PowerShell command output showing certificate request submission and issuance confirmation for web server certificate

Copy the cer certificate to the Linux Web Server, for example here with a PowerShell command that copies it to the web server's /tmp directory:

PS > scp webserver.std.local.cer user@192.168.1.200:/tmp/

Installing the Issued Certificate on an Apache Web Server

Connect to your Linux web server and copy the ssl certificates into these folders (note that the cer file has been renamed to pem):

root@webserver:~# cp /tmp/webserver.std.local.cer /etc/ssl/certs/webserver.std.local.pem root@webserver:~# cp /home/user/webserver.std.local.key /etc/ssl/private/webserver.std.local.key

Edit the configuration file of your https apache2 site, for example here the file /etc/apache2/sites-enabled/default-ssl.conf:

#   A self-signed (snakeoil) certificate can be created by installing
#   the ssl-cert package. See
#   /usr/share/doc/apache2/README.Debian.gz for more info.
#   If both key and certificate are stored in the same file, only the
#   SSLCertificateFile directive is needed.
SSLCertificateFile      /etc/ssl/certs/webserver.std.local.pem
SSLCertificateKeyFile   /etc/ssl/private/webserver.std.local.key

Reload the apache2 service:

root@webserver:~# systemctl reload apache2.service

From a machine in the domain, open a web browser and connect to the web server url (https://webserver for example). You shoul no longer see the warning. From the web browser, you can check the certificate properties:

Firefox connection security message showing secure connection to webserver with certificate issued by std-ADCS-CA

Certificate details for webserver.std.local issued by std-ADCS-CA, showing validity period and subject alternative names

Computing

Music

Misc

Obtain and Configure SSL Certificates for a Linux Web Server in an AD CS Environment

Generating a Certificate Signing Request (CSR)

Requesting a Certificate from Windows AD CS

Installing the Issued Certificate on an Apache Web Server