---cut---
o Configuring SSL properly and creating your own Certificate Authority (CA)
Become root and change to some empty work directory.
- First, create your own Certificate Authority (CA) signing key.
Create an RSA private key for your CA (it will be Triple-DES encrypted and PEM formatted):
# openssl genrsa -des3 -out ca.key 1024
Create a self-signed CA certificate (X.509 structure) with the RSA key of the CA (output will be PEM formatted). Important: use your own name (or a formalized form such as 'CA John Doe' or 'CA Officer') in the CN (Common Name) field of the CA certificate, which we are self-signing now, but _not_ for the web server key, where the FQDN goes; we will come to that later.
Enter a secret password in lieu of "CA-XXXX", and write it down on a floppy sticker, too (validity of one (1) year):
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /usr/ssl/openssl.cnf
Enter PEM pass phrase: CA-XXXX
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:MV
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Organization
Organizational Unit Name (eg, section) []:CA Your section
Common Name (eg, YOUR name) []:CA Your Name
Email Address []:ca@yourdomain
- Secondly, create an RSA private key for the web server itself.
Create an RSA private key for your Apache server (it will be Triple-DES encrypted and PEM formatted):
# openssl genrsa -des3 -out server.key 1024
Create a Certificate Signing Request (CSR) with the web server RSA private key (output will be PEM formatted). Important: you must use the FQDN of the web server and NOT your own name in the CN (Common Name) field (in contrast to the CA key, where we did use our own name)!
Enter secret (challenge) passwords in lieu of "SERVER-XXXX" and "CHAL-XXXX", and write them down on the floppy sticker, too:
# openssl req -new -key server.key -out server.csr
Using configuration from /usr/ssl/openssl.cnf
Enter PEM pass phrase:SERVER-XXXX
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:MV
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Organization
Organizational Unit Name (eg, section) []:Your section
Common Name (eg, YOUR name) []:yourhost.yourdomain
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:CHAL-XXXX
An optional company name []:Your Organization/Section: www.yourdomain
- Thirdly, and finally, have the CA sign the server key's signing request.
Sign the server key's signing request with your own CA key (validity of one (1) year). Create a serial number in the form of the ISO 8601 date (http://www.cl.cam.ac.uk/~mgk25/iso-time.html) if the serial file is not already there (Bourne shell assumed):
# [ ! -f ca.ser ] && date '+%Y%m%d' > ca.ser
# openssl x509 -days 365 \
    -CA ca.crt -CAkey ca.key -CAserial ca.ser \
    -in server.csr -req -out server.crt
Getting CA Private Key
Enter PEM pass phrase:CA-XXXX
You now have these files (file sizes and dates will probably differ!):
# ls -lrt
-rw-r--r-- 1 root root 963 Feb 16 14:01 ca.key
-rw-r--r-- 1 root root 1533 Feb 16 14:06 ca.crt
-rw-r--r-- 1 root root 963 Feb 16 14:08 server.key
-rw-r--r-- 1 root root 915 Feb 16 14:14 server.csr
-rw-r--r-- 1 root root 1123 Feb 16 14:14 server.crt
-rw-r--r-- 1 root root 9 Feb 16 14:14 ca.ser
Verify that the web server public key MD5 hashes are the same (the second command asks for the web server key pass-phrase, SERVER-XXXX):
# openssl x509 -noout -modulus -in server.crt | openssl md5
# openssl rsa -noout -modulus -in server.key | openssl md5
Remove the signing request file and serial file (if you are not generating more keys today), fix permissions and put the files in place (you might also want to save them on a floppy and store it securely):
# rm server.csr ca.ser
# chmod 0400 ca.crt ca.key server.crt server.key
# mv ca.key server.key /etc/httpd/ssl.key/.
# mv ca.crt server.crt /etc/httpd/ssl.crt/.
To enable SSL, edit the Apache configuration file and set the SSL related directives, plus ServerName and ServerAdmin (if not already done):
ServerName yourhost.yourdomain
ServerAdmin [email protected]
SSLEngine on
SSLCertificateFile /etc/httpd/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
SSLCACertificatePath /etc/httpd/ssl.crt
Because we use SSLCACertificatePath (and not SSLCACertificateFile), the hash symlinks must be updated:
# cd /etc/httpd/ssl.crt && make clean && make
Restart the web server, monitor the log files and check both the plain (http) and secure (https) pages:
# rcapache restart
# tail -f /var/log/httpd.error_log
# tail -f /var/log/ssl_engine_log
# lynx http://www.yourdomain/
# lynx https://www.yourdomain/
You might want to keep the CA and server keys and certs on a floppy and store them in a secure place.
During a machine reboot, you will be asked for the server key pass-phrase. There is a short time-out, so usually the server won't start. The solution is to remove the encryption from the server key. See the question "How can I get rid of the pass-phrase dialog at Apache startup time?" in the mod_ssl FAQ for more on the security aspects. Here's what you do:
# cd /etc/httpd/ssl.key
# cp -p server.key server.key.orig
# openssl rsa -in server.key.orig -out server.key
# chmod 0400 server.key server.key.orig
# chown root server.key server.key.orig
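The three steps above (CA key and certificate, server key and CSR, CA signing) plus the modulus check, as an added shell example that is not from the original post. It assumes OpenSSL 1.1.1 or newer with its default openssl.cnf, uses 2048-bit RSA, SHA-256 and AES-256 where the post uses 1024-bit keys, MD5 and Triple-DES, adds the FQDN as a subjectAltName because current clients no longer accept the CN alone, and all names, paths and pass-phrases in it are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: the same CA -> server-certificate
# procedure, scripted so no interactive prompts are needed. Assumptions: OpenSSL 1.1.1+
# with its default openssl.cnf, 2048-bit RSA, SHA-256 and AES-256 in place of the
# original's 1024-bit keys, MD5 and Triple-DES, and constructed names (Example Org,
# www.example.test). Paths and pass-phrases here are placeholders.
set -eu

# Serial for the signed cert: ISO 8601 date, written only if the file is not already there.
iso_serial() { [ -f "$1" ] || date '+%Y%m%d' > "$1"; cat "$1"; }

# $1 = work dir, $2 = CA key pass-phrase, $3 = server FQDN (goes into CN and subjectAltName)
make_ca_and_server_cert() (
  mkdir -p "$1" && cd "$1"
  # 1. CA key and self-signed CA cert. CN is a person/role name, not an FQDN; the
  #    CA:TRUE constraint is what lets clients accept certs signed by this key.
  openssl genrsa -aes256 -passout "pass:$2" -out ca.key 2048 2>/dev/null
  openssl req -new -sha256 -key ca.key -passin "pass:$2" \
    -subj "/C=XX/O=Example Org/OU=CA/CN=CA Example Officer" -out ca.csr
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  openssl x509 -req -days 365 -sha256 -in ca.csr -signkey ca.key -passin "pass:$2" \
    -extfile ca.ext -out ca.crt 2>/dev/null
  # 2. Server key (left unencrypted so Apache can start unattended) and CSR, CN = FQDN.
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -sha256 -key server.key -subj "/C=XX/O=Example Org/CN=$3" -out server.csr
  # 3. CA-sign the CSR. Modern clients ignore CN, so the FQDN must also be a SAN.
  iso_serial ca.ser >/dev/null
  printf 'subjectAltName=DNS:%s\n' "$3" > san.ext
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key \
    -passin "pass:$2" -CAserial ca.ser -extfile san.ext -out server.crt 2>/dev/null
  chmod 0400 ca.key server.key ca.crt server.crt
)

# The original's consistency check: the moduli of server.crt and server.key must match.
keys_match() {
  a=$(openssl x509 -noout -modulus -in "$1/server.crt" | openssl sha256)
  b=$(openssl rsa -noout -modulus -in "$1/server.key" | openssl sha256)
  [ "$a" = "$b" ]
}

# What a client checks: server.crt chains to ca.crt and is valid for host name $2.
chain_ok() { openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1; }

# Usage: sh mkcerts.sh run /tmp/pki 'CA-XXXX' www.example.test
if [ "${1:-}" = "run" ]; then
  make_ca_and_server_cert "$2" "$3" "$4" && keys_match "$2" && chain_ok "$2" "$4" && echo OK
fi
```

The files land in the work directory with mode 0400, so a second run needs a fresh directory; the last check deliberately fails for any host name other than the one placed in the SAN.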
---cut---
--
Eric Maryniak <[email protected]>
Home page: http://pobox.com/~e.maryniak/
University of Amsterdam, Department of Psychology. Tel/Fax: +31 20 5256853/6391656. Internet: http://www.neuromod.org/
You know you've watched too much Star Trek when:
A mugger demands your money and your first instinct is to apply the Vulcan nerve pinch.