SSL Howto

From Edgar BV Wiki
Revision as of 10:38, 4 February 2015 by Red (talk | contribs)
Jump to navigation Jump to search

The Debian way /usr/share/doc/apache2.2-common/README.Debian

Creating self-signed certificates
---------------------------------

If you install the ssl-cert package, a self-signed certificate will be
automatically created using the hostname currently configured on your computer.
You can recreate that certificate (e.g. after you have changed /etc/hosts or
DNS to give the correct hostname) as user root with:

        make-ssl-cert generate-default-snakeoil --force-overwrite

To create more certificates with different host names, you can use

        make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt

This will ask you for the hostname and place both SSL key and certificate in
the file /path/to/cert-file.crt . Use this file with the SSLCertificateFile
directive in the Apache config (you don't need the SSLCertificateKeyFile in
this case as it also contains the key). The file /path/to/cert-file.crt should
only be readable by root. A good directory to use for the additional
certificates/keys is /etc/ssl/private .


Put key files in /etc/ssl/private

put crt and pem files in /etc/ssl/certs


This is set up in three parts, each of which does about the same. The first is the only method to create a .pem file.

==============================================
1. This part is general - for configuration. See parts 2 and beyond for apache configuration
==============================================

              HowTo make your own Self-Signed SSL Certificate

server setup: combined private key and cert
==================================================================================

### Create server key
 openssl genrsa -out ./server.key 1024

### Create certificate request
 openssl req -new -key server.key -out server.csr
     FQDN:        Common Name: foo.example.com
     or Wildcard: Common Name: *.example.con

### self sign key (increment the serial number "N" for each new cert)

 openssl x509 -req -days 365 -set_serial N -in server.csr -signkey server.key -out server.crt

### combine the key and cert in one PEM file for simplicity
 cat server.key server.crt > combined.pem

### view the details of the cert you just made
 openssl x509 -in combined.pem -noout -text

### copy cert into place
 cp combined.pem /etc/ssl/certs/

apache specific:
--------------------------------------------------
edit httpd.conf and/or ssl.conf
SSLCertificateFile /etc/ssl/certs/combined.pem

bin/apachectl startssl

============================================
2. Create a CA setup to sign client certs with
============================================


CA set up... for client certs not server cert... donno who
==================================================================================

### create CA key
openssl genrsa -out ./ca.key 1024
### create CA request
openssl req -new -key ca.key -out ca.csr
### self-sign CA request - > CA cert
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.cert
### install it in apache
cp ca.crt /usr/local/apache/conf/ssl.crt/ca.crt
### edit httpd.conf
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.crt


========================================
3. Setup clients for each site
=======================================
client setup
==================================================================================

### create client key
openssl genrsa -des3 -out client.key 1024

### request client cert
openssl req -new -key client.key -out client.csr

##Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a
 website which will be later accessed via https://www.foo.dom/

#### sign client cert with CA key!
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key
 -CAcreateserial -in client.csr -out client.crt

### covert to opera/sn/ie format (key and cert in 1 file)
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

### test it
openssl s_client -host example.com -port 443 -key client.key -cert client.crt

### print out cert contents
openssl x509 -noout -text -in client.crt

### print out key contents (useless?)
openssl rsa -noout -text -in client.key


If you want to unencrypt the server key (which it needs to start up apache - and you don't want it with a password) then in /opt/httpd/conf/ssl.keys/ do

mv server.key server.key.pass
openssl rsa < server.key.pass > server.key


another source:

http://www.pseudonym.org/ssl/ssl_ca.html

==================================
4. Apache2.2 general configurarion options - put them in a seperate file (eg. httpd-ssl.conf) and include them in apache2.conf
=================================

SSLMutex default
SSLSessionCache none
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache        shmcb:/var/log/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 15
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNUL
SSLCACertificateFile /etc/ssl/certs/tripsoapca.crt
CustomLog /var/log/apache2/ssl.log "%t %{version}c %{cipher}c %{clientcert}c"

=====================================
5. Apache 2.2 client
=====================================

Add the following lines to the virtualhost file in /etc/apache2/ssl-sites-enabled/client.conf

SSLEngine On
SSLCertificateFile /etc/ssl/certs/client.crt
SSLCertificateKeyFile /etc/ssl/private/client.key

========================================
6. Weird errors
========================================

Make sure every virtualhost configuration file has the lines

NameVirtualHost 123.123.123.123:80 or NameVirtualHost 123.123.123.123:443 (if SSL)
VirtualHost <123.123.123.123:80> or VirtualHost <123.123.123.123:443>

in them

These are no longer global server directives!
You can of course also set up two default 'catch all' sites with

NameVirtualHost *:80 or NameVirtualHost *:443 (if SSL)
VirtualHost <*:80> or VirtualHost <*:443>

in the configuration files.

Otherwise you'll get errors like

[error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)

or

[error] VirtualHost 82.94.91.76:80 mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

testing

to read the contents of the .pem file

openssl x509 -text -in cert.pem

Simple test for a certificate

openssl s_server -cert mycert.pem -key mykey.key

If the server starts it'll work.

Verify a key

openssl verify cert.pem

Great site with many infos