Setting up SSL for Apache HTTPD: Difference between revisions

From D3xt3r01.tk
Revision as of 22:18, 13 October 2009

Introduction

I recently had a need to setup a private directory on my web server that could only be accessed by a handful of selected people. The content also needed to be encrypted in transit. This mini-HOWTO details how I did this on a CentOS 5.3/Apache 2.2.3 server using mod_ssl and OpenSSL (0.9.8e and higher). Here are the goals of this small project:

  • Require HIGH or MEDIUM strength cipher suites (OpenSSL's cipher-strength classes) for the SSL/TLS layer, which sits above TCP
  • Browser must use SSLv3 or TLSv1, not SSLv2
  • Require username/password authentication for some subdirectories
  • Learn about TLS certificates
  • Be a mini-CA (Certificate Authority)
  • Use a non-standard port to keep most of the port-scanning riffraff away
  • Create client certificates, and require them for specific directories

The key to this whole system is the SSL/TLS protocol. SSL stands for Secure Sockets Layer; it was developed by Netscape to enable secure transactions over the Web, and it operates between the TCP layer and the HTTP application layer. TLS (Transport Layer Security) is the IETF standard version, based on SSLv3; TLSv1.0 is RFC 2246. One caveat for readers of this 2009 text: SSLv3 has since been broken (the 2014 POODLE attack) and is disabled in current browsers and servers, so today the goal above would read "TLS 1.2 or 1.3 only".

Assumptions/Prerequisites

First and foremost, this document assumes that you are using some flavor of Linux, Apache 2.2.x, (with mod_ssl) and that you have OpenSSL installed. These particular instructions were generated using CentOS 5.3. You should also check out the excellent documentation at [httpd.Apache.Org]. Other assumptions:

  • This will be used over the Internet
  • Your DNS configuration is correct (hostname=FQDN, PTR records O.K., etc.)
  • Your firewall is setup to allow connections on the chosen https:// port
  • You have a second machine with Mozilla or another modern browser for testing purposes
  • In these examples, my FQDN and hostname is: d3xt3r01.tk

Most client tests were performed with the Mozilla web browser. Mozilla is the "reference platform".

Step 1: Setup your own CA (Certificate Authority)

In order to run a secure (SSL/TLS encrypted) web server, you have to have a private key and a certificate for the server. For a commercial web site, you will probably want to purchase a certificate signed by a well-known root CA. For Intranet or special-purpose uses like this, you can be your own CA. This is done with the OpenSSL tools.

Here, we will make a private CA key and a private CA X.509 certificate. We will also make a directory for the certs and keys:

 [root]# mkdir /root/CA
 [root]# chmod 0770 /root/CA
 [root]# cd /root/CA
 [root]# openssl genrsa -des3 -out my-ca.key 2048
 Generating RSA private key, 2048 bit long modulus
 ..........................................................................+++
 ............+++
 e is 65537 (0x10001)
 Enter pass phrase for my-ca.key:
 Verifying - Enter pass phrase for my-ca.key:
 
 [root]# openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
 Enter pass phrase for my-ca.key:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [GB]:RO
 State or Province Name (full name) [Berkshire]:Dolj
 Locality Name (eg, city) [Newbury]:Craiova
 Organization Name (eg, company) [My Company Ltd]:d3xt3r01.tk
 Organizational Unit Name (eg, section) []:IT
 Common Name (eg, your name or your server's hostname) []:d3xt3r01.tk
 Email Address []:dexter@d3xt3r01.tk
 [root]# openssl x509 -in my-ca.crt -text -noout

Notes: The first OpenSSL command makes the 2048-bit CA key, encrypted with Triple-DES (-des3) under the pass phrase you supply. The second command makes the self-signed X.509 CA certificate with a 10-year lifetime. The third command lets you view the completed certificate. Keep the pass phrase in a safe place: you will need it every time you sign another certificate. You will also want to make backups of the cert and key and lock them away, because anyone who obtains the CA key can issue certificates that every browser trusting my-ca.crt will accept.

Step 2: Make a key and a certificate for the web server

Now, we have to make an X.509 certificate and corresponding private key for the web server. Rather than creating a certificate directly, we create a key and a certificate signing request (CSR), then sign the CSR with the CA key we made in Step 1. You can make keys for multiple web servers this way. The transcript below uses a 1024-bit server key, which was common in 2009; the original note that web-server keys "need to be either 512 or 1024 bits" for browser compatibility is not correct and should be ignored. 512-bit RSA is trivially factorable, current browsers reject anything below 2048 bits, and 2048-bit keys are universally supported, so use 2048 (as for the CA key) in the genrsa command.

 [root]# openssl genrsa -des3 -out mars-server.key 1024
 Generating RSA private key, 1024 bit long modulus
 ..................++++++
 .................++++++
 e is 65537 (0x10001)
 Enter pass phrase for mars-server.key:
 Verifying - Enter pass phrase for mars-server.key:
 [root]# openssl req -new -key mars-server.key -out mars-server.csr
 Enter pass phrase for mars-server.key:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [GB]:TW
 State or Province Name (full name) [Berkshire]:Taipei County
 Locality Name (eg, city) [Newbury]:Nankang
 Organization Name (eg, company) [My Company Ltd]:d3xt3r01.tk
 Organizational Unit Name (eg, section) []:Web Services
 Common Name (eg, your name or your server's hostname) []:d3xt3r01.tk <=== This must be the real FQDN of your server!!!
 Email Address []:hostmaster@d3xt3r01.tk
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 [root]# openssl x509 -req -in mars-server.csr -out mars-server.crt -sha256 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
 Signature ok
 subject=/C=TW/ST=Taipei County/L=Nankang/O=d3xt3r01.tk/OU=Web Services/CN=d3xt3r01.tk/Email=hostmaster@d3xt3r01.tk
 Getting CA Private Key
 Enter pass phrase for my-ca.key:
 [root]# openssl x509 -in mars-server.crt -text -noout

Make sure that the Common Name is the same as the FQDN that your clients will use when connecting to your site. Two things have changed since this was written: sign with -sha256 rather than -sha1, because browsers no longer accept SHA-1 signatures, and put the FQDN in a subjectAltName extension as well, because current browsers ignore the CN and require a SAN (openssl x509 -req adds extensions only when you pass -extfile). Also, let's get in the habit of protecting our private keys with restrictive permissions:

 [root]# chmod 0400 *.key

Now, we need to move the new keys and certs into the proper directories in the /etc/httpd hierarchy. Create the two directories first: if ssl.crt does not already exist as a directory, the first cp creates a regular file with that name and the third cp silently overwrites it with the CA certificate. The key directory should be readable by root only; httpd reads the key as root at startup, before it drops privileges.

 [root]# mkdir -p /etc/httpd/conf/ssl.crt /etc/httpd/conf/ssl.key
 [root]# chmod 0700 /etc/httpd/conf/ssl.key
 [root]# cp mars-server.crt /etc/httpd/conf/ssl.crt/
 [root]# cp mars-server.key /etc/httpd/conf/ssl.key/
 [root]# cp my-ca.crt /etc/httpd/conf/ssl.crt/
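The following script is added here as an example and is not part of the original HOWTO. It runs Steps 1 and 2 end to end without the interactive prompts, with the changes current browsers require since this page was written: 2048-bit RSA for the server key, SHA-256 signatures, a subjectAltName and CA:FALSE on the server certificate, CA:TRUE on the CA certificate, and an openssl verify check of the chain before anything is copied into /etc/httpd. Assumptions: the certificate directory and the FQDN are script arguments (the page uses /root/CA and d3xt3r01.tk); the organisation names come from the page; a www. alias is added to the SAN; and the CA key is written unencrypted so the script can run unattended, where for a real CA you would add -aes256 (the page's interactive -des3 pass phrase) and keep the key offline.

```shell
#!/bin/sh
# Added example (not from the original page): Steps 1 and 2 in one
# non-interactive script, updated for what current browsers require.
# Assumptions: $1 is the CA directory (the page uses /root/CA), $2 the FQDN
# (the page uses d3xt3r01.tk); organisation names come from the page; the CA
# key is left unencrypted so the script can run unattended (add -aes256 and
# keep the key offline for a real CA, as the page recommends).
set -eu

make_ca() {
  # $1 = directory for the CA key, CA certificate and serial file
  dir=$1
  mkdir -p "$dir"
  chmod 0700 "$dir"                  # only root needs to read the CA key
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = d3xt3r01.tk
OU = IT
CN = d3xt3r01.tk Private CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed CA certificate: 2048-bit RSA, SHA-256, 10 years (the page's
  # -days 3650).  CA:TRUE/keyCertSign mark it as a CA; pathlen:0 lets it sign
  # end-entity certificates only, not intermediate CAs.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -extensions v3_ca \
    -keyout "$dir/my-ca.key" -out "$dir/my-ca.crt" 2>/dev/null
  chmod 0400 "$dir/my-ca.key"
}

issue_server_cert() {
  # $1 = CA directory from make_ca, $2 = FQDN that clients will connect to
  dir=$1
  fqdn=$2
  # 2048-bit server key; 1024 bits (as in the 2009 transcript) is rejected.
  openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null
  chmod 0400 "$dir/$fqdn.key"
  # CSR.  The CN is still the FQDN, but browsers match the SAN added below.
  openssl req -new -sha256 -key "$dir/$fqdn.key" -config "$dir/ca.cnf" \
    -subj "/O=d3xt3r01.tk/OU=Web Services/CN=$fqdn" -out "$dir/$fqdn.csr"
  # End-entity extensions: explicitly not a CA, TLS server use only,
  # SAN = FQDN plus a www. alias (assumption; drop it if you do not use one).
  cat > "$dir/$fqdn.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$fqdn, DNS:www.$fqdn
EOF
  # Sign the CSR with the CA key.  -CAcreateserial creates my-ca.srl on first
  # use and increments it afterwards, so each certificate has a unique serial.
  # Lifetime is kept well below the CA's: clients cap server-certificate
  # validity, and a short lifetime limits the damage from a leaked key.
  openssl x509 -req -sha256 -days 825 -in "$dir/$fqdn.csr" \
    -CA "$dir/my-ca.crt" -CAkey "$dir/my-ca.key" -CAcreateserial \
    -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn.crt" 2>/dev/null
}

# Checks to run before copying anything into /etc/httpd.  Each exits 0 on
# success and non-zero otherwise, so they can be used in if / || tests.
verify_chain() {
  # $1 = CA certificate, $2 = server certificate.  Same check a browser that
  # trusts $1 performs; fails for a certificate issued by any other CA.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
cert_has_san() {
  # $1 = certificate, $2 = name expected in the subjectAltName
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
cert_is_sha256() {
  openssl x509 -in "$1" -noout -text | grep -q 'sha256WithRSAEncryption'
}
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage as a script:  sh mkcerts.sh /root/CA d3xt3r01.tk
if [ "$#" -eq 2 ]; then
  make_ca "$1"
  issue_server_cert "$1" "$2"
  if verify_chain "$1/my-ca.crt" "$1/$2.crt" && cert_has_san "$1/$2.crt" "$2"; then
    echo "$1/$2.crt chains to $1/my-ca.crt and names $2"
  else
    echo "certificate check FAILED" >&2
    exit 1
  fi
fi
```

Run it as sh mkcerts.sh /root/CA d3xt3r01.tk; my-ca.crt, d3xt3r01.tk.key and d3xt3r01.tk.crt then land in /root/CA and the cp lines above apply to them. verify_chain performs from the command line the check a browser that has imported my-ca.crt performs, and it fails for a certificate issued by any other CA, which is exactly the property that makes running your own CA safe for this purpose.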

Step 3: Create directories and files for the secure web service

I do not want the secure branch of my webserver directory tree to be part of my "insecure" branch that serves unencrypted files. My normal web root directory is /var/www/html . The document root for the secure web server will be located at /var/www/SSL .

 [root]# mkdir /var/www/SSL
 [root]# chmod 0775 /var/www/SSL
 [root]# cd /var/www/SSL
 [root]# mkdir Passneeded
 [root]# mkdir Certneeded
 [root]# mkdir PassAndCert

For testing purposes, I added a very simple test SSL index file into /var/www/SSL . Save it as index.html . Copy some JPEG files and text files into each directory, so that there will be something to look at/retrieve in each directory.

Step 4: Configure the Apache web server