Introduction
This article will show you how to generate a Certificate Authority (CA), a server certificate and then how to sign this certificate yourself. Finally it will describe how to configure Apache and have a working SSL web server.
I recommend you read the whole article before going straight in to it too.
Software needed
I was using a base distribution of Debian stable, Apache 1.3.26, mod_ssl 2.8.7 and openssl 0.9.6c.
This should be generic enough to use with any distribution but the configuration may vary if you’re using Apache2 for example.
So obviously you need Apache, mod_ssl and openssl installed. Debian users just need to install libapache-mod-ssl.
Before starting – Create a directory structure
This part isn’t essential and lots of people have a different structure but this is the way I like to do it:
# mkdir -p /etc/apache/ssl/key # mkdir -p /etc/apache/ssl/crt # mkdir -p /root/CA
Creating your own Certificate Authority (CA)
For commercial sites you’ll want to use a proper CA but for Intranets and special purposes (i.e. you don’t wish to pay) you can generate a CA yourself.
First, change directory to /root/CA and complete the following:
# openssl genrsa -des3 -out ca.key 2048 (Enter a secure pass phrase when prompted) # openssl req -new -md5 -x509 -days 3650 -key ca.key -out ca.crt (enter the pass phrase you supplied above)
The second command will prompt you for several things. All of which are fairly obvious and there’s nothing that will catch you out.
You will now have a CA. Check it by running:
# openssl x509 -in ca.crt -text -noout
Key and certificate generation for the web server
You now have an X.509 certificate and the private key for the web server. You will now create a key and a certificate request and sign the certificate request using the CA key you’ve just made. This is instead of creating the certificate directly.
It should be noted that SSK private keys for web servers can only be 512 or 1024 bits – other key sizes are not supported.
# openssl genrsa -des3 -out server.key 1024 (Enter a secure pass phrase when prompted) # openssl req -new -key server.key -out server.csr (Enter the pass phrase you supplied above)
Once again the second command will prompt you for several attributes. But note this time when it asks you for the Common Name (CN) you must enter the web server’s FQDN that the SSL certificate will be running on.
”'[[ChrisAitken:|I recently set this up at work, and for the FQDN used *.domain.name so that it was valid for any subdomain/hosts within our domain. It appears to work, and even though IE/firefox/thunderbird throws up the box about the root CA not being trusted, I no longer get a box saying it is valid for a different host/subdomain.]]
When it asks you for the extra attributes, leave these blank.
Now you can sign the key using your CA:
# openssl x509 -req -in server.csr -out server.crt -md5 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650
If all has gone well, it should tell you the signature is OK and prompt you for the CA private key pass phrase (the one provided when generating the CA). You can test everything is OK by using:
# openssl x509 -in server.crt -text -noout
Apache and mod_ssl configuration
The certificate has been generated. You can now configure Apache and mod_ssl and get your SSL web server running. At this stage I’ll mention that it is not possible to have more than one certificate on any one server. This doesn’t mean SSL can’t be applied to a Virtual Host in Apache. It just means one certificate per-server.
Copy the keys and certificates in to our directory structure:
# cp /root/CA/server.crt /etc/apache/ssl/crt/ # cp /root/CA/server.key /etc/apache/ssl/key/ # cp /root/CA/ca.crt /etc/apache/ssl/crt/
Now it’s time to configure Apache. If you look in httpd.conf you should have a line like:
[[LoadModule]] ssl_module /usr/lib/apache/1.3/mod_ssl.so
If you don’t, you need to work out what it needs to be and add it.
Once again, there are several different ways of configuring Apache for SSL but this is the way I prefer to do things. In /etc/apache create a file called ssl.conf and in that file put:
[[SSLCipherSuite]] HIGH:MEDIUM SSLProtocol all -SSLv2 [[SSLCertificateChainFile]] /etc/apache/ssl/crt/ca.crt [[SSLCACertificateFile]] /etc/apache/ssl/crt/ca.crt
This will tell Apache where the CA is located. It also disables SSLv2 from being used. Just like SSHv1 it’s flawed and shouldn’t be used if you’re serious about security.
Now in httpd.conf you need to include ssl.conf with a simple Include ssl.conf
The final stage is to now “activate” the SSL key for the Virtual Host or entire server. I have mine running on a Virtual Host (secure.domain.com). To do this the following lines need to appear in the [[VirtualHost]] directive:
SSLEngine On [[SSLCertificateFile]] /etc/apache/ssl/crt/server.crt [[SSLCertificateKeyFile]] /etc/apache/ssl/key/server.key
Testing
At this stage you need to stop Apache and then start it again – I found restarting didn’t do the job.
# apachectl stop # apachectl start
You will notice it will ask you for the pass-phrase (this is for the server key). Enter it and Apache should start if everything has been configured correctly. Now browse to the SSL host (http://secure.domain.com) or whatever the FQDN was). It should give you a security warning as do all SSL sites. View the certificate and check to see everything is OK and proceed.
That’s all there is to it!
Stopping Apache asking for the pass phrase
You may find Apache asking for the pass phrase annoying, especially if the box gets rebooted remotely etc. (as init will hang waiting for the pass phrase to be entered). It is possible to remove the pass phrase though if you so wish.
# cd /etc/apache/ssl/key/ # cp server.key server.key.orig # openssl rsa -in server.key.orig -out server.key # apachectl reload
Apache should no longer ask for the pass-phrase. Test as required.
Variables you can change
There are several variables you can change.
When creating the CA, you can specify a key of either 512, 1024 or 2048 bits. 2048 is recommended.
There is a variable defined by the -days option with openssl. In this article it’s 3650 days (10 years). You can change this to whatever you like. Some people use 1 year.
The filenames don’t need to be ca.*, server.* etc. You can use something more distinctive if you so wish. For example ca-hants.lug.org.uk.* and secure.hants.lug.org.uk.key etc.
Security
Try to get in the habbit of chmod’ing the files to 400 (owned by root and group root). Make a backup of /root/CA and store it somewhere safe (CD-R for example). You may need it if you lose all your data.
The pass phrase should literally be a “phrase”, not just a standard password. Although this doesn’t matter it’s more secure.
Conclusion
You should have a working SSL web server using an X.509 certificate with MD5 1024bit encryption.
If you make a mistake you can always
rm -rf /root/CA
and start again until you get it right.
Leave a Reply
You must be logged in to post a comment.