Tuesday, June 3, 2008

Apache-ssl and CA


Under Debian, the following packages have to be installed via apt-get:

* apache-ssl

* openssl

* libapache-mod-ssl (will automatically be installed by apache-ssl)

The SSL certification process consists of three basic steps:

* If not done already, create a certificate authority (CA), which we will use to sign our own


* Create a new certificate request

* Sign the request with our CA to obtain a valid certificate.

Create a certificate authority

The OpenSSL package comes with a default openssl.cnf file under /usr/lib/ssl/openssl.cnf.

We will edit the default values slightly, ie. we change the default path from demoCA to

ourCA. To do so, copy /usr/lib/ssl/openssl.cnf to /etc/ssl/openssl.cnf and change the line

dir = ./demoCA


dir = /etc/ssl/ourCA

For security reasons, you will have to create the necessary file and directory structure

manually. In particular, you have to create the following folders and files:

* /etc/ssl/ourCA/

* /etc/ssl/ourCA/index.txt (empty file)

* /etc/ssl/ourCA/newcerts/

* /etc/ssl/ourCA/private/

* /etc/ssl/ourCA/serial (file containing "01" as the first and only line)

We can now tell openssl to create a new certification authority for us:

#openssl req -new -x509 -keyout /etc/ssl/ourCA/private/cakey.pem -out

/etc/ssl/ourCA/cacert.pem -config /etc/ssl/openssl.cnf

You will be asked a few questions about the new CA. Just enter information that makes sense

and is valid. Also, choose a good passphrase, since you'll have to remember it every time

you want to validate and sign a new certificate request.

Issue a certificate request

We are now ready for the interesting part of this tutorial. To create a certificate request, execute

#openssl req -new -keyout newkey.pem -out newreq.pem -days 365

OpenSSL will again ask you a few questions. Make sure that you enter the hostname of your SSL

server as "Common Name". This is very important and things will break if you don't do it.

If everything went fine, this will give you two new files in the directory where you ran this

command. The first is our certificate private key and the second file (newreq.pem) is the c

ertificate request for the CA.

There is one obstacle with the private key in the current form: It requires a passphrase to be

used. That means, if you want Apache to use this SSL key, you'll have to supply the passphrase

at Apache's startup. This is not very handy, for sure. We can however, remove the passphrase by


#openssl rsa -in newkey.pem -out nopwkey.pem

You will be asked for the private's key passphrase. If things went right, you will have a new

private key called nopwkey.pem, which is not passphrase protected anymore.

To let a CA sign a certificate request, they need both, our private key and the certificate

request. We can combine both into one file by cat'ing them together:

#cat newreq.pem nopwkey.pem > new.pem

Signing the certificate

The last step consists of the actual signing process. Just issue

#openssl ca -policy policy_anything -out newcert.pem -config /etc/ssl/openssl.cnf

-infiles new.pem

in the same directory where your certification request files are stored. You will first be asked for the CA passphrase (now you know why it is important to remember it!) and you can then either sign or reject the certificate.

You should now copy newcert.pem and nopwkey.pem to some convenient place, since Apache will only need those two files to operate in SSL mode.

Apache-SSL configuration

Under Debian, the SSL enabled Apache version has its own configuration file, available under /etc/apache-ssl/httpd.conf. Edit and change or add the following lines:

SLCertificateFile /path/to/newcert.pem //This is our signed certificate

SSLCertificateKeyFile /path/to/nopwkey.pem //This is our unencrypted private key.

Start Apache-SSL by executing,

#/etc/init.d/apache-ssl start

No comments: