Hello Mat, At 2000-03-28 21:35, you wrote:
Hello can some me please tell me how to install and configure the ssl option on apache so that all the pages access from the server are ssl secured
best regards Mat
I posted this step-by-step procedure a while ago:
---cut---
o Configuring SSL - properly and create your own Certificate Authority (CA)
Become root and change to some empty work directory.
- First create your own Certificate Authority (CA) signing key.
Create a RSA private key for your CA (will be Triple-DES encrypted and
PEM formatted):
# openssl genrsa -des3 -out ca.key 1024
Create a self-signed CA Certificate (X509 structure) with the RSA key of
the CA (output will be PEM formatted). Important: you should simply use
your own name (or formalized, like 'CA John Doe', 'CA Officer') in the
CN (Common Name) field for the CA key, which we are self-signing now,
but _not_ for the web server key (use the FQDN there), but we will come
to that later!
Enter a secret password in lieu of "CA-XXXX", and write it down on a
floppy sticker, too (validity of one (1) year):
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /usr/ssl/openssl.cnf
Enter PEM pass phrase: CA-XXXX
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:MV
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Organization
Organizational Unit Name (eg, section) []:CA Your section
Common Name (eg, YOUR name) []:CA Your Name
Email Address []:ca@yourdomain
- Secondly, create a RSA private key for the web server itself.
Create a RSA private key for your Apache server (will be Triple-DES
encrypted and PEM formatted):
# openssl genrsa -des3 -out server.key 1024
Create a Certificate Signing Request (CSR) with the web server RSA
private key (output will be PEM formatted). Important: you must use
the FQDN of the web server and NOT your own name in the CN (Common Name)
field (as contrasted to the CA key, where we did use our own name)!
Enter secret (challenge) passwords in lieu of "SERVER-XXXX" and
"CHAL-XXXX", and write it down on the floppy sticker, too:
# openssl req -new -key server.key -out server.csr
Using configuration from /usr/ssl/openssl.cnf
Enter PEM pass phrase:SERVER-XXXX
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:MV
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Organization
Organizational Unit Name (eg, section) []:Your section
Common Name (eg, YOUR name) []:yourhost.yourdomain
Email Address []:webmaster@yourhost.yourdomain
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:CHAL-XXXX
An optional company name []:Your Organization/Section: www.yourdomain
- Thirdly, and finally, CA sign the server key's signing request.
Sign the server key's signing request with your own CA key (validity of
one (1) year); create a serial number in the form of the ISO 8601 date
(http://www.cl.cam.ac.uk/~mgk25/iso-time.html) if the serial file is not
already there (bourne shell assumed):
# [ ! -f ca.ser ] && date '+%Y%m%d' > ca.ser
# openssl x509 -days 365 \
-CA ca.crt -CAkey ca.key -CAserial ca.ser \
-in server.csr -req -out server.crt
Getting CA Private Key
Enter PEM pass phrase:CA-XXXX
You now have these files (file sizes and dates will probably differ!):
# ls -lrt
-rw-r--r-- 1 root root 963 Feb 16 14:01 ca.key
-rw-r--r-- 1 root root 1533 Feb 16 14:06 ca.crt
-rw-r--r-- 1 root root 963 Feb 16 14:08 server.key
-rw-r--r-- 1 root root 915 Feb 16 14:14 server.csr
-rw-r--r-- 1 root root 1123 Feb 16 14:14 server.crt
-rw-r--r-- 1 root root 9 Feb 16 14:14 ca.ser
Verify that the web server public key MD5 hashes are the same
(web server key, SERVER-XXXX, necessary for second command):
# openssl x509 -noout -modulus -in server.crt | openssl md5
# openssl rsa -noout -modulus -in server.key | openssl md5
Remove the signing request file and serial file (if you are not
generating more keys today), fix permissions and put files in place
(you might also want to save them on a floppy and store securely):
# rm server.csr ca.ser
# chmod 0400 ca.crt ca.key server.crt server.key
# mv ca.key server.key /etc/httpd/ssl.key/.
# mv ca.crt server.crt /etc/httpd/ssl.crt/.
To enable SSL, edit the Apache configuration file and set the SSL
related tags, and ServerName and ServerAdmin (if not already done):
ServerName yourhost.yourdomain
ServerAdmin webmaster@yourhost.yourdomain
SSLEngine on
SSLCertificateFile /etc/httpd/ssl.crt/server.crt
SSLCertificateFile /etc/httpd/ssl.crt/server.crt
SSLCACertificatePath /etc/httpd/ssl.crt
Because we use SSLCACertificatePath (and not SSLCACertificateFile),
the hash symlinks must be updated:
# cd /etc/httpd/ssl.crt && make clean && make
Restart the web server, monitor log files and check both the
unsecure (http) and secure (https) page.
# rcapache restart
# tail -f /var/log/httpd.error_log
# tail -f /var/log/ssl_engine_log
# lynx http://www.yourdomain/
# lynx https://www.yourdomain/
You might want to keep the ca and server keys and certs on a floppy
and store them in a secure place.
---cut---
Good luck,
Eric Maryniak
--
Eric Maryniak