Requirements
Under Debian, the following packages have to be installed via apt-get:
* apache-ssl
* openssl
* libapache-mod-ssl (will automatically be installed by apache-ssl)
The SSL certification process consists of three basic steps:
* If not done already, create a certificate authority (CA), which we will use to sign our own certificate.
* Create a new certificate request
* Sign the request with our CA to obtain a valid certificate.
Create a certificate authority
The OpenSSL package comes with a default openssl.cnf file under /usr/lib/ssl/openssl.cnf.
We will edit the default values slightly, i.e. we change the default path from demoCA to
ourCA. To do so, copy /usr/lib/ssl/openssl.cnf to /etc/ssl/openssl.cnf and change the line
dir = ./demoCA
to
dir = /etc/ssl/ourCA
For security reasons, you will have to create the necessary file and directory structure
manually. In particular, you have to create the following folders and files:
* /etc/ssl/ourCA/
* /etc/ssl/ourCA/index.txt (empty file)
* /etc/ssl/ourCA/newcerts/
* /etc/ssl/ourCA/private/
* /etc/ssl/ourCA/serial (file containing "01" as the first and only line)
We can now tell openssl to create a new certification authority for us:
# openssl req -new -x509 -keyout /etc/ssl/ourCA/private/cakey.pem -out /etc/ssl/ourCA/cacert.pem -config /etc/ssl/openssl.cnf
You will be asked a few questions about the new CA. Just enter information that makes sense
and is valid. Also, choose a good passphrase, since you'll have to remember it every time
you want to validate and sign a new certificate request.
Issue a certificate request
We are now ready for the interesting part of this tutorial. To create a certificate request, execute
#openssl req -new -keyout newkey.pem -out newreq.pem -days 365
OpenSSL will again ask you a few questions. Make sure that you enter the hostname of your SSL
server as "Common Name". This is very important and things will break if you don't do it.
If everything went fine, this will give you two new files in the directory where you ran this
command. The first (newkey.pem) is our private key and the second (newreq.pem) is the
certificate request for the CA.
There is one obstacle with the private key in the current form: It requires a passphrase to be
used. That means, if you want Apache to use this SSL key, you'll have to supply the passphrase
at Apache's startup. This is not very handy, for sure. We can however, remove the passphrase by
running:
#openssl rsa -in newkey.pem -out nopwkey.pem
You will be asked for the private key's passphrase. If things went right, you will have a new
private key called nopwkey.pem, which is not passphrase protected anymore.
To let a CA sign a certificate request, they need both our private key and the certificate
request. We can combine both into one file by cat'ing them together:
#cat newreq.pem nopwkey.pem > new.pem
Signing the certificate
The last step consists of the actual signing process. Just issue
# openssl ca -policy policy_anything -out newcert.pem -config /etc/ssl/openssl.cnf -infiles new.pem
in the same directory where your certification request files are stored. You will first be asked for the CA passphrase (now you know why it is important to remember it!) and you can then either sign or reject the certificate.
You should now copy newcert.pem and nopwkey.pem to some convenient place, since Apache will only need those two files to operate in SSL mode.
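The three steps above (CA creation, certificate request, signing), run end to end as one shell script. This is an added example, not the tutorial's own commands: it builds the CA directory layout and a minimal openssl.cnf (with `dir` pointing into a scratch directory instead of /etc/ssl/ourCA) under a temporary directory, so it runs as an unprivileged user without touching /etc. The CA name, the hostname www.example.com and the passphrases are made-up values, and the `-subj`, `-passout`/`-passin` and `-batch` options stand in for the interactive prompts. One deliberate difference from the text: `openssl ca` reads only the certificate request from its input file, so the script hands it newreq.pem alone and the server's private key never leaves the machine. It ends with the checks worth making before editing httpd.conf: the certificate verifies against the CA, carries the expected Common Name, and matches the unencrypted key.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Everything happens under
# a scratch directory; CA name, hostname and passphrases are made up.
set -eu

# The tutorial's one edit to openssl.cnf is "dir = /etc/ssl/ourCA"; here dir
# points into the scratch directory. Only the sections openssl needs are kept.
write_config() {
    work="$1"
    cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $work/ourCA
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Step 1: the directory layout the tutorial creates by hand, then the
# passphrase-protected CA key and the self-signed CA certificate.
make_ca() {
    work="$1"; ca_pass="$2"
    mkdir -p "$work/ourCA/newcerts" "$work/ourCA/private"
    chmod 700 "$work/ourCA/private"
    : > "$work/ourCA/index.txt"
    echo 01 > "$work/ourCA/serial"
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -subj "/CN=Our Test CA" \
        -extensions v3_ca -keyout "$work/ourCA/private/cakey.pem" \
        -out "$work/ourCA/cacert.pem" -passout "pass:$ca_pass" \
        -config "$work/openssl.cnf"
    chmod 600 "$work/ourCA/private/cakey.pem"
}

# Step 2: the server key and certificate request. The Common Name must be
# the hostname clients connect to, exactly as the tutorial warns.
make_request() {
    work="$1"; host="$2"; key_pass="$3"
    openssl req -new -newkey rsa:2048 -subj "/CN=$host" \
        -keyout "$work/newkey.pem" -out "$work/newreq.pem" \
        -passout "pass:$key_pass" -config "$work/openssl.cnf"
}

# Step 3: strip the passphrase so Apache can start unattended; the file is
# then protected by permissions alone, so restrict them.
strip_passphrase() {
    work="$1"; key_pass="$2"
    openssl rsa -in "$work/newkey.pem" -passin "pass:$key_pass" \
        -out "$work/nopwkey.pem"
    chmod 600 "$work/nopwkey.pem"
}

# Step 4: sign. openssl ca only needs the request, so the private key is
# not concatenated into the input.
sign_request() {
    work="$1"; ca_pass="$2"
    openssl ca -batch -notext -policy policy_anything -passin "pass:$ca_pass" \
        -config "$work/openssl.cnf" -in "$work/newreq.pem" -out "$work/newcert.pem"
}

# Checks before touching httpd.conf: chains to our CA, right hostname,
# and the certificate's public key belongs to the unencrypted private key.
verify_files() {
    work="$1"; host="$2"
    openssl verify -CAfile "$work/ourCA/cacert.pem" "$work/newcert.pem" >/dev/null
    openssl x509 -noout -subject -in "$work/newcert.pem" | grep -q "$host"
    cert_mod=$(openssl x509 -noout -modulus -in "$work/newcert.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$work/nopwkey.pem")
    [ "$cert_mod" = "$key_mod" ]
}

demo() {
    work="$1"
    write_config "$work"
    make_ca "$work" "ca-secret"
    make_request "$work" "www.example.com" "key-secret"
    strip_passphrase "$work" "key-secret"
    sign_request "$work" "ca-secret"
    verify_files "$work" "www.example.com"
    echo "signed certificate: $work/newcert.pem  key: $work/nopwkey.pem"
}

WORK=$(mktemp -d)
demo "$WORK"
```

After the run, `$WORK/ourCA/index.txt` lists the issued certificate and `$WORK/ourCA/serial` has advanced to 02; newcert.pem and nopwkey.pem are the two files the next section points Apache at.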
Apache-SSL configuration
Under Debian, the SSL enabled Apache version has its own configuration file, available under /etc/apache-ssl/httpd.conf. Edit and change or add the following lines:
SSLCertificateFile /path/to/newcert.pem        # This is our signed certificate
SSLCertificateKeyFile /path/to/nopwkey.pem     # This is our unencrypted private key
Start Apache-SSL by executing:
#/etc/init.d/apache-ssl start