At 2000-04-05 20:43, Mat wrote:
hellö
a gentlemen on this site was kind enought to give send me step by step instructions on installing and using ssl on suse 6.3 unfortunatelly i was a litle clumsy and accidentally deleted the msgs so i ask if it would be possible to send me those instructions again
thank you in advance Mat
That was me, and sorry for my not regularly reading of suse-linux-e
(i usually read suse-linux-e in the after-hours every other day or so,
i do have a day-job ;-)
Please note that users of your SSLed web server will have to import
your cert the first time. If you don't like this, you'll have to get
a cert from one of the (commercial) "built-in" ca's in Netscape/IExplorer,
ie. eg. VeriSign or Thawte (www.verisign.com, www.thawte.com), but the
principle stays the same. Thawte seems to be the most well-know and economic
for small to medium scaled organizations that want a simple web cert only,
but there may be other (better) CA's I'm not aware of.
Good luck, bye-bye, Eric Maryniak
---cut---
o Configuring SSL - properly and create your own Certificate Authority (CA)
Become root and change to some empty work directory.
- First create your own Certificate Authority (CA) signing key.
Create a RSA private key for your CA (will be Triple-DES encrypted and
PEM formatted):
# openssl genrsa -des3 -out ca.key 1024
Create a self-signed CA Certificate (X509 structure) with the RSA key of
the CA (output will be PEM formatted). Important: you should simply use
your own name (or formalized, like 'CA John Doe', 'CA Officer') in the
CN (Common Name) field for the CA key, which we are self-signing now,
but _not_ for the web server key (use the FQDN there), but we will come
to that later!
Enter a secret password in lieu of "CA-XXXX", and write it down on a
floppy sticker, too (validity of one (1) year):
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /usr/ssl/openssl.cnf
Enter PEM pass phrase: CA-XXXX
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:MV
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Organization
Organizational Unit Name (eg, section) []:CA Your section
Common Name (eg, YOUR name) []:CA Your Name
Email Address []:ca@yourdomain
- Secondly, create a RSA private key for the web server itself.
Create a RSA private key for your Apache server (will be Triple-DES
encrypted and PEM formatted):
# openssl genrsa -des3 -out server.key 1024
Create a Certificate Signing Request (CSR) with the web server RSA
private key (output will be PEM formatted). Important: you must use
the FQDN of the web server and NOT your own name in the CN (Common Name)
field (as contrasted to the CA key, where we did use our own name)!
Enter secret (challenge) passwords in lieu of "SERVER-XXXX" and
"CHAL-XXXX", and write it down on the floppy sticker, too:
# openssl req -new -key server.key -out server.csr
Using configuration from /usr/ssl/openssl.cnf
Enter PEM pass phrase:SERVER-XXXX
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:MV
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Organization
Organizational Unit Name (eg, section) []:Your section
Common Name (eg, YOUR name) []:yourhost.yourdomain
Email Address []:webmaster@yourhost.yourdomain
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:CHAL-XXXX
An optional company name []:Your Organization/Section: www.yourdomain
- Thirdly, and finally, CA sign the server key's signing request.
Sign the server key's signing request with your own CA key (validity of
one (1) year); create a serial number in the form of the ISO 8601 date
(http://www.cl.cam.ac.uk/~mgk25/iso-time.html) if the serial file is not
already there (bourne shell assumed):
# [ ! -f ca.ser ] && date '+%Y%m%d' > ca.ser
# openssl x509 -days 365 \
-CA ca.crt -CAkey ca.key -CAserial ca.ser \
-in server.csr -req -out server.crt
Getting CA Private Key
Enter PEM pass phrase:CA-XXXX
You now have these files (file sizes and dates will probably differ!):
# ls -lrt
-rw-r--r-- 1 root root 963 Feb 16 14:01 ca.key
-rw-r--r-- 1 root root 1533 Feb 16 14:06 ca.crt
-rw-r--r-- 1 root root 963 Feb 16 14:08 server.key
-rw-r--r-- 1 root root 915 Feb 16 14:14 server.csr
-rw-r--r-- 1 root root 1123 Feb 16 14:14 server.crt
-rw-r--r-- 1 root root 9 Feb 16 14:14 ca.ser
Verify that the web server public key MD5 hashes are the same
(web server key, SERVER-XXXX, necessary for second command):
# openssl x509 -noout -modulus -in server.crt | openssl md5
# openssl rsa -noout -modulus -in server.key | openssl md5
Remove the signing request file and serial file (if you are not
generating more keys today), fix permissions and put files in place
(you might also want to save them on a floppy and store securely):
# rm server.csr ca.ser
# chmod 0400 ca.crt ca.key server.crt server.key
# mv ca.key server.key /etc/httpd/ssl.key/.
# mv ca.crt server.crt /etc/httpd/ssl.crt/.
To enable SSL, edit the Apache configuration file and set the SSL
related tags, and ServerName and ServerAdmin (if not already done):
ServerName yourhost.yourdomain
ServerAdmin webmaster@yourhost.yourdomain
SSLEngine on
SSLCertificateFile /etc/httpd/ssl.crt/server.crt
SSLCertificateFile /etc/httpd/ssl.crt/server.crt
SSLCACertificatePath /etc/httpd/ssl.crt
Because we use SSLCACertificatePath (and not SSLCACertificateFile),
the hash symlinks must be updated:
# cd /etc/httpd/ssl.crt && make clean && make
Restart the web server, monitor log files and check both the
unsecure (http) and secure (https) page.
# rcapache restart
# tail -f /var/log/httpd.error_log
# tail -f /var/log/ssl_engine_log
# lynx http://www.yourdomain/
# lynx https://www.yourdomain/
You might want to keep the ca and server keys and certs on a floppy
and store them in a secure place.
During a machine reboot, you will be asked for the server key pass-phrase.
There is a short time-out, and usually the server therefore won't start.
The solution is to remove the encryption from the server key. See question
"How can I get rid of the pass-phrase dialog at Apache startup time?" in
the mod_ssl faq for more on the security aspects. Here's what you do:
# cd /etc/httpd/ssl.key
# cp -p server.key server.key.orig
# openssl rsa -in server.key.orig -out server.key
# chmod 0400 server.key server.key.orig
# chown root server.key server.key.orig
---cut---
--
Eric Maryniak