SlackWiki - User contributions [en]: SSL (https://www.slackwiki.com/index.php?title=SSL&diff=993), 2017-05-28T13:29:00Z<p>Krakanut: </p>
<hr />
<div>[[Category:Tutorials]]<br />
= openSSL 0.9.8e =<br />
'''IMPORTANT: Since this version has a [http://www.mail-archive.com/openssl-users@openssl.org/msg48671.html bug in the blowfish encryption] it is recommended not to use blowfish since it is incompatible with all other openSSL versions!'''<br />
<br />
<br>Everything you read here was tested on Slackware 12<br><br />
<br />
; wikipedia says about openSSL:<br />
: ''OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.''<br />
<br />
There are many ways to use openSSL. This just covers certificates for use with httpd. You can also use easy-rsa that comes with the openVPN package and can be found in ''/usr/doc/openvpn-2.0.9/easy-rsa/''. For more information read the included ''README'' or look here: [http://openvpn.net/easyrsa.html A Guide to basic RSA Key Management].<br />
Normally you will make a ''Certificate Signing Request (CSR)'' and send this one to a ''Certifying Authority (CA)'' to be signed. But since we don't wanna pay for this and only want to use it for our own special purpose, we don't need to do that and sign everything ourselves.<br />
<br />
= openSSL + httpd =<br />
Switch to ''/etc/ssl''<br />
<pre><br />
cd /etc/ssl<br />
</pre><br />
<br />
In this directory you should see the following listing. On some non-Slackware Linuxes, or if OpenSSL was installed from source, the appropriate directory might be ''/etc/openssl''.<br />
<pre><br />
root@pecan:/etc/ssl# ls -l<br />
total 24<br />
drwxr-xr-x 2 root root 4096 2007-06-13 12:40 certs/<br />
drwxr-xr-x 2 root root 4096 2007-06-13 12:40 misc/<br />
-rw-r--r-- 1 root root 9374 2007-06-13 12:40 openssl.cnf<br />
drwxr-xr-x 2 root root 4096 2007-06-13 12:40 private/<br />
root@pecan:/etc/ssl# <br />
</pre><br />
<br />
We need to generate a private and public RSA key file.<br />
The public key is used to encrypt messages to you and is distributed with your certificate.<br />
<br />
== Creating a Self-Signed ''Certificate'' (CRT) ==<br />
<br />
=== openssl.cnf + openSSL DB ===<br />
(You should still do this step even if you are buying a commercial certificate.) First things first: we gotta edit ''openssl.cnf'', mainly the ''[ CA_default ]'' section.<br />
Change<br />
<pre><br />
[ CA_default ]<br />
<br />
dir = ./demoCA # Where everything is kept<br />
...<br />
certificate = $dir/cacert.pem # The CA certificate<br />
...<br />
crl = $dir/crl.pem # The current CRL<br />
private_key = $dir/private/cakey.pem# The private key<br />
...<br />
</pre><br />
to<br />
<pre><br />
[ CA_default ]<br />
<br />
dir = /etc/ssl # Where everything is kept<br />
...<br />
certificate = $dir/certs/ca.crt # The CA certificate<br />
...<br />
crl = $dir/crl/ca.crl # The current CRL<br />
private_key = $dir/private/ca.key # The private key<br />
...<br />
</pre><br />
You can change more options in this file, but be aware of what you are doing.<br><br />
openSSL has a database for storing information such as ''Certificate Revocation Lists'' (CRL). Since these files don't exist on startup and we don't use the ''CA.sh'' or ''CA.pl'' scripts, we have to create them ourselves:<br />
<pre><br />
# certs/ and private/ already exist, so use -p<br />
mkdir -p newcerts certs crl private<br />
touch serial index.txt crlnumber crl/ca.crl<br />
echo 01 | tee serial | tee crlnumber | tee crl/ca.crl<br />
</pre><br />
Thanks to ''alienBOB''. Hail to tee king! :p<br />
<br />
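You will need to create your CRL file in correct PEM format. The CRL is signed with the CA key, so this command only works once ''private/ca.key'' and ''certs/ca.crt'' from the next section exist:<br />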
<br />
<pre><br />
openssl ca -config /etc/ssl/openssl.cnf -gencrl -out /etc/ssl/crl/ca.crl<br />
</pre><br />
<br />
You can test that the crl file is correct with the command:<br />
<br />
<pre><br />
openssl crl -text -in /etc/ssl/crl/ca.crl -noout<br />
</pre><br />
<br />
=== Becoming a ''Certification Authority'' (CA) ===<br />
(Skip this step if you are buying a certificate from a commercial certificate authority such as GoDaddy.) Before you can create and sign your own certificates, you first have to establish yourself as a "Certificate Authority".<br />
To do so, we first create our key file (with a public and a private key) and use it to create our "master certificate" to use when signing other certificates.<br />
<br />
; Generate the CA RSA Key (Triple-DES encrypted and PEM formatted)<br />
: <pre>openssl genrsa -des3 -out private/ca.key 4096</pre><br />
; Create the CA CRT with the CA RSA Key<br />
: <pre>openssl req -new -x509 -days 3650 -key private/ca.key -out certs/ca.crt</pre><br />
<br />
=== Create Server CRT ===<br />
A CRT contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that CRT, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.<br />
The next step is to create a Server RSA key, generate a ''Certificate Signing Request'' (CSR) out of it and sign it with our CA CRT to get a working SSL CRT for our server.<br />
A CSR is a digital file which contains your public key and your name. Normally you would send the CSR to a CA, who will convert it into a real certificate, by signing it.<br />
<br />
; Generate the Server RSA Key (Triple-DES encrypted and PEM formatted)<br />
: <pre>openssl genrsa -des3 -out private/server.key 1024</pre><br />
; Create the Server CSR using the Server RSA Key<br />
: '''When asked for the CommonName (CN) enter your domain!'''<br />
: <pre>openssl req -new -key private/server.key -out private/server.csr</pre><br />
; Sign the CSR with our CA CRT<br />
: <pre>openssl ca -in private/server.csr -out certs/server.crt</pre><br />
<br />
You can now delete ''server.csr'' if you want, because it is no longer needed.<br />
<br />
(If you are using a commercially signed certificate from a place such as GoDaddy, do the first two commands above but not the last. Then do ''cat private/server.csr'' to get the text of the certificate request, which you will paste into GoDaddy's web interface to get the certificate. GoDaddy will then email the email address listed in the ''whois'' information for that domain (Make sure you haven't put in a fake address there to avoid spam!), and after the link in that email is clicked, GoDaddy will email another link to you from which you download a zip file.<br />
<br />
The zip file will contain two .crt files, and you should put both of them in /etc/ssl/certs. Other commercial certificate authorities follow a very similar procedure.)<br />
<br />
== Setup httpd ==<br />
=== Edit httpd.conf ===<br />
The whole httpd config is located in ''/etc/httpd''. Fire up your preferred text editor and simply change this at Line 459:<br />
<pre><br />
# Secure (SSL/TLS) connections<br />
#Include /etc/httpd/extra/httpd-ssl.conf<br />
</pre><br />
to this<br />
<pre><br />
# Secure (SSL/TLS) connections<br />
Include /etc/httpd/extra/httpd-ssl.conf<br />
</pre><br />
to enable SSL support.<br />
<br />
You may also have to uncomment the line that starts ''LoadModule ssl_module''.<br />
<br />
=== Edit extra/httpd-ssl.conf ===<br />
Now we're going into the guts of the httpd SSL config. Search for ''SSLCertificateFile'' and ''SSLCertificateKeyFile'' and change the paths to our newly created CRT and key:<br />
<pre><br />
...<br />
SSLCertificateFile /etc/ssl/certs/server.crt<br />
...<br />
SSLCertificateKeyFile /etc/ssl/private/server.key<br />
...<br />
SSLCertificateChainFile /etc/ssl/certs/server.crt<br />
...<br />
SSLCACertificatePath /etc/ssl/certs<br />
SSLCACertificateFile /etc/ssl/certs/ca.crt<br />
...<br />
SSLCARevocationPath /etc/ssl/crl<br />
SSLCARevocationFile /etc/ssl/crl/ca.crl<br />
...<br />
</pre><br />
<br />
(If you have purchased a certificate from a commercial authority, the SSLCertificateFile will be one of the two files you receive from the CA (GoDaddy or VeriSign or whomever), and the SSLCACertificateFile will be the other. The files will be named such that you can tell which is which -- the SSLCertificateFile will probably be something like ''www.yourdomainname.com.crt'' and the SSLCACertificateFile will be something like ''nameofca-bundle.crt''.)<br />
<br />
== Pass-phrase on httpd startup ==<br />
The reason this dialog pops up at startup and at every restart is that the RSA private key inside your ''server.key'' file is stored in encrypted format for security reasons. The pass-phrase is needed to decrypt this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server - proceed with caution!<br />
<ol><br />
<li><br />
Remove the encryption from the RSA private key (while keeping a backup copy of the original file):<br />
<pre><br />
cd /etc/ssl<br />
mv private/server.key private/server.key.org<br />
cd private<br />
openssl rsa -in server.key.org -out server.key<br />
</pre><br />
</li><br />
<li><br />
Make sure the server.key file is only readable by root since it is decrypted:<br />
<pre><br />
cd /etc/ssl<br />
chmod 0400 private/server.key<br />
</pre><br />
</li></ol><br />
Now server.key contains an unencrypted copy of the key. If you point your server at this file, it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on this file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).<br />
<br />
As an alternative approach you can use the ''SSLPassPhraseDialog exec:/path/to/program'' facility. Bear in mind that this is neither more nor less secure, of course.<br />
<br />
== Verifying and debugging ==<br />
If you simply want to see all the information in a CRT:<br />
<pre>openssl x509 -noout -text -in XXX.crt</pre><br />
<br />
=== Verifying ===<br />
; Verify that a private key matches its Certificate<br />
: Generate an MD5 of the modulus of the CRT and of the key and compare; the two digests must be identical<br />
: <pre>openssl x509 -noout -modulus -in private/XXX.crt | openssl md5 && openssl rsa -noout -modulus -in private/XXX.key | openssl md5</pre><br />
<br />
=== Debugging ===<br />
; s_server - Debugging clients<br />
: <pre>openssl s_server -accept 443 -www</pre><br />
; s_client - Debugging servers<br />
: <pre>openssl s_client -connect localhost:443</pre> or <pre>openssl s_client -connect localhost:443 -state -debug</pre><br />
<br />
== Security ==<br />
All the files except the CRTs are only for your eyes, so we change the permissions:<br />
<pre>chmod 0400 private/*.key</pre><br />
<br />
=== Client Revocation ===<br />
This is only needed if your server certificate is compromised (e.g. someone hacked your server and stole your server.key).<br />
<pre><br />
openssl ca -gencrl -keyfile private/ca.key -cert certs/ca.crt -out crl/ca.crl<br />
</pre><br />
That generates the file we need when we want to revoke a CRT.<br />
<br><br><br />
Now that we have a compromised CRT, we've got to get rid of it:<br />
<pre>openssl ca -revoke certs/server.crt -keyfile private/ca.key -cert certs/ca.crt</pre><br />
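<br />
The whole cycle from the sections above (DB files, CA, server CRT, key/CRT check, revoke) as one non-interactive script; this is an added example, not part of the original tutorial. It assumes a scratch directory from ''mktemp'', unencrypted 2048-bit keys, and made-up function names and CNs, and it regenerates the CRL after the revoke so that the revocation is actually visible to verifiers.<br />

```shell
#!/bin/sh
# Added example, not from the original page. Function names, the scratch
# directory and the CNs are made up; keys are unencrypted 2048-bit RSA so
# that nothing prompts. Drop the 2>/dev/null parts to see openssl's output.

# ca_init DIR: DB files, a minimal openssl.cnf and the CA key + CRT.
ca_init() {
    d=$1
    mkdir -p "$d/newcerts" "$d/certs" "$d/crl" "$d/private"
    chmod 0700 "$d/private"
    : > "$d/index.txt"
    echo 01 > "$d/serial"
    echo 01 > "$d/crlnumber"
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $d
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/certs/ca.crt
private_key      = \$dir/private/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn

[ policy_cn ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl genrsa -out "$d/private/ca.key" 2048 2>/dev/null
    chmod 0400 "$d/private/ca.key"
    openssl req -config "$d/openssl.cnf" -new -x509 -days 3650 \
        -key "$d/private/ca.key" -subj "/CN=Scratch Test CA" -out "$d/certs/ca.crt"
}

# crl_publish DIR: write the current revocation state to crl/ca.crl (PEM).
crl_publish() {
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl" 2>/dev/null
}

# cert_issue DIR NAME CN: key -> CSR -> CRT signed by the CA.
cert_issue() {
    d=$1; n=$2
    openssl genrsa -out "$d/private/$n.key" 2048 2>/dev/null
    chmod 0400 "$d/private/$n.key"
    openssl req -config "$d/openssl.cnf" -new -key "$d/private/$n.key" \
        -subj "/CN=$3" -out "$d/private/$n.csr"
    openssl ca -config "$d/openssl.cnf" -batch -notext \
        -in "$d/private/$n.csr" -out "$d/certs/$n.crt" 2>/dev/null
}

# key_matches_cert KEY CRT: succeed only if both carry the same RSA modulus
# (compared directly instead of eyeballing two digests).
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_ok DIR CRT: chain check against the CA and its current CRL.
cert_ok() {
    openssl verify -crl_check -CAfile "$1/certs/ca.crt" \
        -CRLfile "$1/crl/ca.crl" "$2" >/dev/null 2>&1
}

# cert_revoke DIR CRT: mark the CRT revoked in index.txt, then publish a new
# CRL; a CRL generated before the revoke does not list the certificate.
cert_revoke() {
    openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null &&
        crl_publish "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    ca_init "$dir" && crl_publish "$dir" &&
        cert_issue "$dir" server www.example.test || return 1
    key_matches_cert "$dir/private/server.key" "$dir/certs/server.crt" &&
        echo "key matches certificate"
    cert_ok "$dir" "$dir/certs/server.crt" && echo "before revoke: accepted"
    cert_revoke "$dir" "$dir/certs/server.crt"
    cert_ok "$dir" "$dir/certs/server.crt" || echo "after revoke + new CRL: rejected"
    rm -rf "$dir"
}
demo
```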
<br />
== Other ==<br />
<br />
=== Change the pass-phrase ===<br />
<pre><br />
openssl rsa -des3 -in server.key -out server.key.new<br />
mv server.key.new server.key<br />
</pre><br />
The first time you're asked for a PEM pass-phrase, you should enter the old pass-phrase. After that, you'll be asked again to enter a pass-phrase - this time, use the new pass-phrase. If you are asked to verify the pass-phrase, you'll need to enter the new pass-phrase a second time.<br />
<br />
=== CRT for Clients ===<br />
Ok.. i won't write anything on this, and simply just C/P:<br />
<pre><br />
openssl genrsa -des3 -out private/client1_priv.key 2048<br />
openssl genrsa -des3 -out private/client2_priv.key 2048<br />
# and so on... depends on how many clients you want to serve...<br />
openssl req -new -key private/client1_priv.key -out private/client1.csr<br />
openssl req -new -key private/client2_priv.key -out private/client2.csr<br />
# and so on...<br />
openssl ca -in private/client1.csr -out private/client1.crt<br />
openssl ca -in private/client2.csr -out private/client2.crt<br />
# bundle CRT + private key and convert to PKCS#12 for import into the browser<br />
cp private/client1.crt private/client1_preconv.crt<br />
cat private/client1_priv.key >> private/client1_preconv.crt<br />
openssl pkcs12 -export -in private/client1_preconv.crt -out private/client1_postconv.p12<br />
</pre><br />
Install it in the client's browser... and change httpd.conf:<br />
<pre><br />
SSLCACertificateFile PATH/TO/server.crt<br />
SSLVerifyClient require<br />
SSLVerifyDepth 1<br />
</pre><br />
<br />
=== Convert CRT from PEM to DER format ===<br />
Normally all CRTs are stored in the PEM format.<br />
<pre>openssl x509 -in ca.crt -out ca.crt.der -outform DER</pre><br />
<br />
== Testing the CRT ==<br />
If you have live web sites, you might wish to test your configuration before restarting apache, to avoid those panicky few minutes of downtime while you scramble to decide which is faster: fixing the problem or copying back your backup configs. Test like this:<br />
<pre>httpd -t</pre><br />
Look at the error messages it prints out, or the error_log as explained below, if it doesn't work.<br />
<br />
Restart your httpd:<br />
<pre>/etc/rc.d/rc.httpd restart</pre><br />
Take a look at the httpd ''error_log'' and scroll to the end of the file:<br />
<pre>jed /var/log/httpd/error_log</pre><br />
If you're getting an error like this:<br />
<pre>[error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]</pre><br />
... then you should take a look at ''Pass-phrase on httpd startup'' ...<br />
<br />
= openSSL + openVPN =<br />
$foo ... maybe next month...<br />
<br />
= External Links =<br />
* [http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html SSL/TLS Strong Encryption: FAQ @ httpd.apache.org]<br />
* [http://www.tc.umn.edu/~brams006/selfsign.html Creating a self-signed SSL certificate]<br />
* [http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO]<br />
* [http://www.5dollarwhitebox.org/wiki/index.php/Howtos_Self_Signed_SSL_Certificates OpenSSL Quick Reference]<br />
* [http://www.opensourcehowto.org/how-to/apache/setup-apache2-with-openssl.html Setup Apache2 with OpenSSL]<br />
* [http://www.marschke.info/admin/ap_opssl_https.html Apache2, OpenSSL und HTTPS: Server- und Client-Authentifizierung mit Zertifikaten über verschlüsselte Internet-Verbindungen]<br />
* [http://www.online-tutorials.net/security/openssl-tutorial/tutorials-t-69-207.html openSSL / openVPN.. coming soon]</div>
<hr />
<div>[[Category:Tutorials]]<br />
= openSSL 0.9.8e =<br />
'''IMPORTANT: Since this version has a [http://www.mail-archive.com/openssl-users@openssl.org/msg48671.html bug in the blowfish encryption] it is recommended not to use blowfish since it is incompatible with all other openSSL versions!'''<br />
<br />
<br>Everything you read here was tested on Slackware 12<br><br />
<br />
; wikipedia says about openSSL:<br />
: ''OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.''<br />
<br />
There are many ways to use openSSL. This just covers certificates for use with httpd. You can also use easy-rsa that comes with the openVPN package and can be found in ''/usr/doc/openvpn-2.0.9/easy-rsa/''. For more information read the included ''README'' or look here: [http://openvpn.net/easyrsa.html A Guide to basic RSA Key Management].<br />
Normally you will make a ''Certificate Signing Request (CSR)'' and send this one to a ''Certifying Authority (CA)'' to be signed. But since we don't wanna pay for this and only want to use it for our own special purpose, we don't need to do that and sign everything ourself.<br />
<br />
= openSSL + httpd =<br />
Switch to ''/etc/ssl''<br />
<pre><br />
cd /etc/ssl<br />
</pre><br />
<br />
In this directory you should see the following listing. One some non-Slackware linuxes, or if OpenSSL was installed from source, the appropriate directory might be ''/etc/openssl''.<br />
<pre><br />
root@pecan:/etc/ssl# ls -l<br />
total 24<br />
drwxr-xr-x 2 root root 4096 2007-06-13 12:40 certs/<br />
drwxr-xr-x 2 root root 4096 2007-06-13 12:40 misc/<br />
-rw-r--r-- 1 root root 9374 2007-06-13 12:40 openssl.cnf<br />
drwxr-xr-x 2 root root 4096 2007-06-13 12:40 private/<br />
root@pecan:/etc/ssl# <br />
</pre><br />
<br />
We need to generate a private and public RSA key file.<br />
The public key is used to encrypt messages to you and is distributed with your certificate.<br />
<br />
== Creating a Self-Signed ''Certificate'' (CRT) ==<br />
<br />
=== openssl.cnf + openSSL DB ===<br />
(You should still do this step even if you are buying a commercial certificate.) First things first, so we gotta edit this file, mainly the ''[ CA_default ]'' section.<br />
The <br />
<pre><br />
[ CA_default ]<br />
<br />
dir = ./demoCA # Where everything is kept<br />
...<br />
certificate = $dir/cacert.pem # The CA certificate<br />
...<br />
crl = $dir/crl.pem # The current CRL<br />
private_key = $dir/private/cakey.pem# The private key<br />
...<br />
</pre><br />
to<br />
<pre><br />
[ CA_default ]<br />
<br />
dir = /etc/ssl # Where everything is kept<br />
...<br />
certificate = $dir/certs/ca.crt # The CA certificate<br />
...<br />
crl = $dir/crl/ca.crl # The current CRL<br />
private_key = $dir/private/ca.key # The private key<br />
...<br />
</pre><br />
You can even change more options in this file but be aware what you are doing.<br><br />
openSSL has a database for storing information such as ''Certificate Revocation Lists'' (CRL). Since these files don't exist on startup and we don't use the ''CA.sh'' or ''CA.pl'' scripts we got to create them ourself:<br />
<pre><br />
mkdir newcerts certs crl private<br />
touch serial index.txt crlnumber crl/ca.crl<br />
echo 01 | tee serial | tee crlnumber | Tee crl/ca.crl<br />
</pre><br />
Thanks to ''alienBOB''. Hail to tee king! :p<br />
<br />
You will need to create your CRL file in correct PEM format<br />
<br />
<pre><br />
openssl ca -config etc/ssl/openssl.cnf -gencrl -out /etc/ssl/crl/ca.crl<br />
</pre><br />
<br />
=== Becoming a ''Certification Authority'' (CA) ===<br />
(Skip this step if you are buying a certificate from a commercial certificate authority such as GoDaddy.) Before you can create and sign your own certificates, you first have to establish yourself as a "Certificate Authority".<br />
To do so, we first create our key file (with a public and a private key) and use it to create our "master certificate" to use when signing other certificates.<br />
<br />
; Generate the CA RSA Key (Triple-DES encrypted and PEM formatted)<br />
: <pre>openssl genrsa -des3 -out private/ca.key 4096</pre><br />
; Create the CA CRT with the CA RSA Key<br />
: <pre>openssl req -new -x509 -days 3650 -key private/ca.key -out certs/ca.crt</pre><br />
<br />
=== Create Server CRT ===<br />
A CRT contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that CRT, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.<br />
The next step is to create a Server RSA key, generate a ''Certificate Signing Request'' (CSR) out of it and sign it with our CA CRT to get a working SSL CRT for our server.<br />
A CSR is a digital file which contains your public key and your name. Normally you would send the CSR to a CA, who will convert it into a real certificate, by signing it.<br />
<br />
; Generate the Server RSA Key (Triple-DES encrypted and PEM formatted)<br />
: <pre>openssl genrsa -des3 -out private/server.key 1024</pre><br />
; Create the Server CSR using the Server RSA Key<br />
: '''When asked for the CommonName (CN) enter your domain!'''<br />
: <pre>openssl req -new -key private/server.key -out private/server.csr</pre><br />
; Sign the CSR with our CA CRT<br />
: <pre>openssl ca -in private/server.csr -out certs/server.crt</pre><br />
<br />
You can now delete ''server.csr'' if you want, because it is no longer needed.<br />
<br />
(If you are using a commercially signed certificate from a place such as GoDaddy, do the first two commands above but not the last. Then do ''cat private/server.csr'' to get the text of the certificate request, which you will paste into GoDaddy's web interface to get the certificate. GoDaddy will then email the email address listed in the ''whois'' information for that domain (Make sure you haven't put in a fake address there to avoid spam!), and after the link in that email is clicked, GoDaddy will email another link to you from which you download a zip file.<br />
<br />
The zip file will contain two .crt files, and you should put both of them in /etc/ssl/certs. Other commerical certificate authorities follow a very similar procedure.)<br />
<br />
== Setup httpd ==<br />
=== Edit httpd.conf ===<br />
The whole httpd config is located in ''/etc/httpd''. Fire up your preferred text editor and simply change this at Line 459:<br />
<pre><br />
# Secure (SSL/TLS) connections<br />
#Include /etc/httpd/extra/httpd-ssl.conf<br />
</pre><br />
to this<br />
<pre><br />
# Secure (SSL/TLS) connections<br />
Include /etc/httpd/extra/httpd-ssl.conf<br />
</pre><br />
to enable SSL support.<br />
<br />
You may also have to uncomment the line that starts ''LoadModule ssl_module''.<br />
<br />
=== Edit extra/httpd-ssl.conf ===<br />
Now we're going into the guts of the httpd SSL config. Search for ''SSLCertificateFile'' and ''SSLCertificateKeyFile'' change the path to our newly created CRT:<br />
<pre><br />
...<br />
SSLCertificateFile /etc/ssl/certs/server.crt<br />
...<br />
SSLCertificateKeyFile /etc/ssl/private/server.key<br />
...<br />
SSLCertificateChainFile /etc/ssl/certs/server.crt<br />
...<br />
SSLCACertificatePath /etc/ssl/certs<br />
SSLCACertificateFile /etc/ssl/certs/ca.crt<br />
...<br />
SSLCARevocationPath /etc/ssl/crl<br />
SSLCARevocationFile /etc/ssl/crl/ca.crl<br />
...<br />
</pre><br />
<br />
(If you have purchased a certificate from a commercial authority, the SSLCertificateFile will be one of the two files you receive from the CA (GoDaddy or VeriSign or whomever), and the SSLCACertificateFile will be the other. The files will be named such that you can tell which is which -- the SSLCertificateFile will probably be something like ''www.yourdomainname.com.crt'' and the SSLCACertificateFile will be something like ''nameofca-bundle.crt''.)<br />
<br />
== Pass-phrase on httpd startup ==<br />
The reason this dialog pops up at startup and every re-start is that the RSA private key inside your ''server.key'' file is stored in encrypted format for security reasons. The pass-phrase is needed decrypt this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server - proceed with caution!<br />
<ol><br />
<li><br />
Remove the encryption from the RSA private key (while keeping a backup copy of the original file):<br />
<pre><br />
cd /etc/ssl<br />
mv private/server.key private/server.key.org<br />
cd private<br />
openssl rsa -in server.key.org -out server.key<br />
</pre><br />
</li><br />
<li><br />
Make sure the server.key file is only readable by root since it is decrypted:<br />
<pre><br />
cd /etc/ssl<br />
chmod 0400 private/server.key<br />
</pre><br />
</li></ol><br />
Now server.key contains an unencrypted copy of the key. If you point your server at this file, it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on this file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).<br />
<br />
As an alternative approach you can use the ''SSLPassPhraseDialog exec:/path/to/program'' facility. Bear in mind that this is neither more nor less secure, of course.<br />
<br />
== Verifying and debugging ==<br />
If you simply want to see every information on a CRT:<br />
<pre>openssl x509 -noout -text -in XXX.crt</pre><br />
<br />
=== Verifying ===<br />
; Verify that a private key matches its Certificate<br />
: Generate a MD5 out of the public key/CRT and compare<br />
: <pre>openssl x509 -noout -modulus -in private/XXX.crt | openssl md5 && openssl rsa -noout -modulus -in private/XXX.key | openssl md5</pre><br />
<br />
=== Debugging ===<br />
; s_server - Debugging clients<br />
: <pre>openssl s_server -accept 443 -www</pre><br />
; s_client - Debugging servers<br />
: <pre>openssl s_client -connect localhost:443</pre> or <pre>openssl s_client -connect localhost:443 -state -debug</pre><br />
<br />
== Security ==<br />
All the files expect the CRTs are only for your eyes, so we change the permissons:<br />
<pre>chmod 0400 private/*.key</pre><br />
<br />
=== Client Revokation ===<br />
This is only needed if your server certificate is compromised (eg. someone hacked your server and stole your server.key).<br />
<pre><br />
openssl ca -gencrl -keyfile private/ca.key -cert certs/ca.crt -out crl/ca.crl<br />
</pre><br />
That generated us the needed files which we use when we want to revoke a CRT.<br />
<br><br><br />
Now that we got a compromised CRT, we got to get rid of it:<br />
<pre>openssl ca -revoke certs/server.crt -keyfile private/ca.key -cert certs/ca.crt</pre><br />
<br />
== Other ==<br />
<br />
=== Change the pass-phrase ===<br />
<pre><br />
openssl rsa -des3 -in server.key -out server.key.new<br />
mv server.key.new server.key<br />
</pre><br />
The first time you're asked for a PEM pass-phrase, you should enter the old pass-phrase. After that, you'll be asked again to enter a pass-phrase - this time, use the new pass-phrase. If you are asked to verify the pass-phrase, you'll need to enter the new pass-phrase a second time.<br />
<br />
=== CRT for Clients ===<br />
Ok.. i won't write anything on this, and simply just C/P:<br />
<pre><br />
openssl genrsa -des3 -out private/client1_priv.key 2048<br />
openssl genrsa -des3 -out private/client2_priv.key 2048<br />
# and so on... depends on how much clients you wanna serv...<br />
openssl req -new -key private/client1_priv.key -out private/client1.csr<br />
openssl req -new -key private/client2_priv.key -out private/client2.csr<br />
# and so on...<br />
openssl ca -in private/client1.csr -out private/client1.crt<br />
openssl ca -in private/client2.csr -out private/client2.crt<br />
cp private/client1.crt private/client1_preconv.crt <br />
cat private/client1.key >> private/client1_preconv.crt<br />
openssl pkcs12 -export -in private/client1_preconv.crt -out private/client1_postconv.p12 <br />
</pre><br />
Install in the clients browser... and change httpd.conf:<br />
<pre><br />
SSLCACertificateFile PATH/TO/server.crt<br />
SSLVerifyClient require<br />
SSLVerifyDepth 1<br />
</pre><br />
<br />
=== Convert CRT from PEM to DER format ===<br />
Normally all CRTs are stored in the PEM format.<br />
<pre>openssl x509 -in ca.crt -out ca.crt.der -outform DER</pre><br />
<br />
== Testing the CRT ==<br />
If you have live web sites, you might wish to test your configuration before restarting apache, to avoid having that panicy few minutes of downtime while you scramble to see what you can do faster, fix the problem or copy back your backup configs. Test like this:<br />
<pre>httpd -t</pre><br />
Look at the error messages it prints out, or the error_log as explained below, if it doesn't work.<br />
<br />
Restart your httpd:<br />
<pre>/etc/rc.d/rc.httpd restart</pre><br />
Take a look at the httpd ''error_log'' and scroll to the end of the file:<br />
<pre>jed /var/log/httpd/error_log</pre><br />
If your getting an error like this:<br />
<pre>[error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]</pre><br />
... then you should take a look at ''Pass-phrase on httpd startup'' ...<br />
<br />
= openSSL + openVPN =<br />
$foo ... maybe next month...<br />
<br />
= External Links =<br />
* [http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html SSL/TLS Strong Encryption: FAQ @ httpd.apache.org]<br />
* [http://www.tc.umn.edu/~brams006/selfsign.html Creating a self-signed SSL certificate]<br />
* [http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO]<br />
* [http://www.5dollarwhitebox.org/wiki/index.php/Howtos_Self_Signed_SSL_Certificates OpenSSL Quick Reference]<br />
* [http://www.opensourcehowto.org/how-to/apache/setup-apache2-with-openssl.html Setup Apache2 with OpenSSL]<br />
* [http://www.marschke.info/admin/ap_opssl_https.html Apache2, OpenSSL und HTTPS: Server- und Client-Authentifizierung mit Zertifikaten über verschlüsselte Internet-Verbindungen]<br />
* [http://www.online-tutorials.net/security/openssl-tutorial/tutorials-t-69-207.html openSSL / openVPN.. comming soon]</div>Krakanuthttps://www.slackwiki.com/index.php?title=SSL&diff=991SSL2017-05-28T13:25:44Z<p>Krakanut: </p>
<hr />
<div>[[Category:Tutorials]]<br />
= openSSL 0.9.8e =<br />
'''IMPORTANT: Since this version has a [http://www.mail-archive.com/openssl-users@openssl.org/msg48671.html bug in the blowfish encryption] it is recommended not to use blowfish since it is incompatible with all other openSSL versions!'''<br />
<br />
<br>Everything you read here was tested on Slackware 12<br><br />
<br />
; wikipedia says about openSSL:<br />
: ''OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.''<br />
<br />
There are many ways to use openSSL. This just covers certificates for use with httpd. You can also use easy-rsa that comes with the openVPN package and can be found in ''/usr/doc/openvpn-2.0.9/easy-rsa/''. For more information read the included ''README'' or look here: [http://openvpn.net/easyrsa.html A Guide to basic RSA Key Management].<br />
Normally you will make a ''Certificate Signing Request (CSR)'' and send this one to a ''Certifying Authority (CA)'' to be signed. But since we don't wanna pay for this and only want to use it for our own special purpose, we don't need to do that and sign everything ourself.<br />
<br />
= openSSL + httpd =<br />
Switch to ''/etc/ssl''<br />
<pre><br />
cd /etc/ssl<br />
</pre><br />
<br />
In this directory you should see the following listing. One some non-Slackware linuxes, or if OpenSSL was installed from source, the appropriate directory might be ''/etc/openssl''.<br />
<pre><br />
root@pecan:/etc/ssl# ls -l<br />
total 24<br />
drwxr-xr-x 2 root root 4096 2007-06-13 12:40 certs/<br />
drwxr-xr-x 2 root root 4096 2007-06-13 12:40 misc/<br />
-rw-r--r-- 1 root root 9374 2007-06-13 12:40 openssl.cnf<br />
drwxr-xr-x 2 root root 4096 2007-06-13 12:40 private/<br />
root@pecan:/etc/ssl# <br />
</pre><br />
<br />
We need to generate a private and public RSA key file.<br />
The public key is used to encrypt messages to you and is distributed with your certificate.<br />
<br />
== Creating a Self-Signed ''Certificate'' (CRT) ==<br />
<br />
=== openssl.cnf + openSSL DB ===<br />
(You should still do this step even if you are buying a commercial certificate.) First things first: we have to edit ''openssl.cnf'', mainly the ''[ CA_default ]'' section.<br />
Change<br />
<pre><br />
[ CA_default ]<br />
<br />
dir = ./demoCA # Where everything is kept<br />
...<br />
certificate = $dir/cacert.pem # The CA certificate<br />
...<br />
crl = $dir/crl.pem # The current CRL<br />
private_key = $dir/private/cakey.pem# The private key<br />
...<br />
</pre><br />
to<br />
<pre><br />
[ CA_default ]<br />
<br />
dir = /etc/ssl # Where everything is kept<br />
...<br />
certificate = $dir/certs/ca.crt # The CA certificate<br />
...<br />
crl = $dir/crl/ca.crl # The current CRL<br />
private_key = $dir/private/ca.key # The private key<br />
...<br />
</pre><br />
You can even change more options in this file but be aware what you are doing.<br><br />
openSSL has a database for storing information such as ''Certificate Revocation Lists'' (CRL). Since these files don't exist on startup and we don't use the ''CA.sh'' or ''CA.pl'' scripts, we have to create them ourselves:<br />
<pre><br />
# certs/ and private/ already exist on Slackware; -p skips them quietly<br />
mkdir -p newcerts certs crl private<br />
touch serial index.txt crlnumber crl/ca.crl<br />
echo 01 | tee serial | tee crlnumber | tee crl/ca.crl<br />
</pre><br />
Thanks to ''alienBOB''. Hail to tee king! :p<br />
<br />
You will want to create your CRL file in correct PEM format. The command needs the CA key and certificate from the next section, so run it once those exist:<br />
<br />
<pre><br />
openssl ca -config /etc/ssl/openssl.cnf -gencrl -out /etc/ssl/crl/ca.crl<br />
</pre><br />
<br />
=== Becoming a ''Certification Authority'' (CA) ===<br />
(Skip this step if you are buying a certificate from a commercial certificate authority such as GoDaddy.) Before you can create and sign your own certificates, you first have to establish yourself as a "Certificate Authority".<br />
To do so, we first create our key file (with a public and a private key) and use it to create our "master certificate" to use when signing other certificates.<br />
<br />
; Generate the CA RSA Key (Triple-DES encrypted and PEM formatted)<br />
: <pre>openssl genrsa -des3 -out private/ca.key 4096</pre><br />
; Create the CA CRT with the CA RSA Key<br />
: <pre>openssl req -new -x509 -days 3650 -key private/ca.key -out certs/ca.crt</pre><br />
<br />
=== Create Server CRT ===<br />
A CRT contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that CRT, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.<br />
The next step is to create a Server RSA key, generate a ''Certificate Signing Request'' (CSR) out of it and sign it with our CA CRT to get a working SSL CRT for our server.<br />
A CSR is a digital file which contains your public key and your name. Normally you would send the CSR to a CA, who will convert it into a real certificate, by signing it.<br />
<br />
; Generate the Server RSA Key (Triple-DES encrypted and PEM formatted)<br />
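: <pre>openssl genrsa -des3 -out private/server.key 1024</pre><br />
: 1024-bit RSA was common when this was written; current browsers and CAs expect at least 2048 bits, so use a larger value on anything in service today.<br />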
; Create the Server CSR using the Server RSA Key<br />
: '''When asked for the CommonName (CN) enter your domain!'''<br />
: <pre>openssl req -new -key private/server.key -out private/server.csr</pre><br />
; Sign the CSR with our CA CRT<br />
: <pre>openssl ca -in private/server.csr -out certs/server.crt</pre><br />
<br />
You can now delete ''server.csr'' if you want, because it is no longer needed.<br />
<br />
(If you are using a commercially signed certificate from a place such as GoDaddy, do the first two commands above but not the last. Then do ''cat private/server.csr'' to get the text of the certificate request, which you will paste into GoDaddy's web interface to get the certificate. GoDaddy will then email the email address listed in the ''whois'' information for that domain (Make sure you haven't put in a fake address there to avoid spam!), and after the link in that email is clicked, GoDaddy will email another link to you from which you download a zip file.<br />
<br />
The zip file will contain two .crt files, and you should put both of them in /etc/ssl/certs. Other commercial certificate authorities follow a very similar procedure.)<br />
<br />
== Setup httpd ==<br />
=== Edit httpd.conf ===<br />
The whole httpd config is located in ''/etc/httpd''. Fire up your preferred text editor and simply change this at Line 459:<br />
<pre><br />
# Secure (SSL/TLS) connections<br />
#Include /etc/httpd/extra/httpd-ssl.conf<br />
</pre><br />
to this<br />
<pre><br />
# Secure (SSL/TLS) connections<br />
Include /etc/httpd/extra/httpd-ssl.conf<br />
</pre><br />
to enable SSL support.<br />
<br />
You may also have to uncomment the line that starts ''LoadModule ssl_module''.<br />
<br />
=== Edit extra/httpd-ssl.conf ===<br />
Now we're going into the guts of the httpd SSL config. Search for ''SSLCertificateFile'' and ''SSLCertificateKeyFile'' and change the paths to our newly created CRT and key:<br />
<pre><br />
...<br />
SSLCertificateFile /etc/ssl/certs/server.crt<br />
...<br />
SSLCertificateKeyFile /etc/ssl/private/server.key<br />
...<br />
SSLCertificateChainFile /etc/ssl/certs/server.crt<br />
...<br />
SSLCACertificatePath /etc/ssl/certs<br />
SSLCACertificateFile /etc/ssl/certs/ca.crt<br />
...<br />
SSLCARevocationPath /etc/ssl/crl<br />
SSLCARevocationFile /etc/ssl/crl/ca.crl<br />
...<br />
</pre><br />
<br />
(If you have purchased a certificate from a commercial authority, the SSLCertificateFile will be one of the two files you receive from the CA (GoDaddy or VeriSign or whomever), and the SSLCACertificateFile will be the other. The files will be named such that you can tell which is which -- the SSLCertificateFile will probably be something like ''www.yourdomainname.com.crt'' and the SSLCACertificateFile will be something like ''nameofca-bundle.crt''.)<br />
<br />
== Pass-phrase on httpd startup ==<br />
The reason this dialog pops up at startup and every re-start is that the RSA private key inside your ''server.key'' file is stored in encrypted format for security reasons. The pass-phrase is needed to decrypt this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server - proceed with caution!<br />
<ol><br />
<li><br />
Remove the encryption from the RSA private key (while keeping a backup copy of the original file):<br />
<pre><br />
cd /etc/ssl<br />
mv private/server.key private/server.key.org<br />
cd private<br />
openssl rsa -in server.key.org -out server.key<br />
</pre><br />
</li><br />
<li><br />
Make sure the server.key file is only readable by root since it is decrypted:<br />
<pre><br />
cd /etc/ssl<br />
chmod 0400 private/server.key<br />
</pre><br />
</li></ol><br />
Now server.key contains an unencrypted copy of the key. If you point your server at this file, it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on this file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).<br />
<br />
As an alternative approach you can use the ''SSLPassPhraseDialog exec:/path/to/program'' facility. Bear in mind that this is neither more nor less secure, of course.<br />
<br />
== Verifying and debugging ==<br />
If you simply want to see all the information in a CRT:<br />
<pre>openssl x509 -noout -text -in XXX.crt</pre><br />
<br />
=== Verifying ===<br />
; Verify that a private key matches its Certificate<br />
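: Generate an MD5 hash of the RSA modulus from the CRT and from the key and compare them; the two hashes are identical when the key belongs to the certificate<br />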
: <pre>openssl x509 -noout -modulus -in private/XXX.crt | openssl md5 && openssl rsa -noout -modulus -in private/XXX.key | openssl md5</pre><br />
<br />
=== Debugging ===<br />
; s_server - Debugging clients<br />
: <pre>openssl s_server -accept 443 -www</pre><br />
; s_client - Debugging servers<br />
: <pre>openssl s_client -connect localhost:443</pre> or <pre>openssl s_client -connect localhost:443 -state -debug</pre><br />
<br />
== Security ==<br />
All the files except the CRTs are only for your eyes, so we change the permissions:<br />
<pre>chmod 0400 private/*.key</pre><br />
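<br />
A check for the two conditions discussed above (a key whose pass-phrase was removed, and key files readable by more than their owner), as an added example that is not part of the original page. The function names and the sample files are constructed for illustration; the PEM headers tested are the ones OpenSSL writes for encrypted keys.<br />

```shell
#!/bin/sh
# audit_keys DIR prints one line per *.key file in DIR:
#   <file> <encrypted|PLAINTEXT|unknown> <perms-ok|PERMS-TOO-OPEN>
# and returns 1 if any plaintext key is readable by group or others.

key_state() {
    # Traditional PEM keys written by "openssl genrsa -des3" carry a
    # "Proc-Type: 4,ENCRYPTED" header; PKCS#8 files say so in the BEGIN
    # line. A bare "BEGIN ... PRIVATE KEY" means there is no pass-phrase.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ||
       grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo PLAINTEXT
    else
        echo unknown
    fi
}

perm_state() {
    # Characters 5-10 of the "ls -l" mode string are the group/other bits.
    mode=$(ls -ld "$1" | cut -c5-10)
    if [ "$mode" = "------" ]; then echo perms-ok; else echo PERMS-TOO-OPEN; fi
}

audit_keys() {
    rc=0
    for f in "$1"/*.key; do
        [ -f "$f" ] || continue
        s=$(key_state "$f")
        p=$(perm_state "$f")
        echo "$f $s $p"
        if [ "$s" = PLAINTEXT ] && [ "$p" = PERMS-TOO-OPEN ]; then rc=1; fi
    done
    return $rc
}

make_sample_keys() {
    # Constructed placeholders: real PEM framing, dummy base64 body.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' 'DEK-Info: DES-EDE3-CBC,0000000000000000' '' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$1/ca.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$1/server.key"
    chmod 0400 "$1/ca.key"
    chmod 0644 "$1/server.key"   # the mistake the audit should catch
}

# Demo on constructed files in a scratch directory.
d=$(mktemp -d)
make_sample_keys "$d"
audit_keys "$d" || echo "plaintext key readable beyond its owner"
rm -rf "$d"
```

On the real tree the call would be ''audit_keys /etc/ssl/private''. The backup ''server.key.org'' is not matched by ''*.key'', so check its permissions separately.<br />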
<br />
=== Client Revocation ===<br />
This is only needed if your server certificate is compromised (e.g. someone hacked your server and stole your server.key).<br />
<pre><br />
openssl ca -gencrl -keyfile private/ca.key -cert certs/ca.crt -out crl/ca.crl<br />
</pre><br />
That generates the CRL file that we need when we want to revoke a CRT.<br />
<br><br><br />
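Now that we have a compromised CRT, we have to get rid of it:<br />
<pre>openssl ca -revoke certs/server.crt -keyfile private/ca.key -cert certs/ca.crt</pre><br />
After revoking, run the ''-gencrl'' command above again so that the new CRL lists the revoked certificate.<br />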
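<br />
To confirm what the CA database records after a revocation, the ''index.txt'' created earlier can be read directly. This is an added example, not part of the original page; the function names and sample entries are constructed, and the field layout is the tab-separated one that ''openssl ca'' writes.<br />

```shell
#!/bin/sh
# ca_db_report INDEX NOW
#   INDEX: the "openssl ca" database (index.txt), tab-separated fields:
#          status(V/R/E)  expiry  revocation[,reason]  serial  file  subject
#   NOW:   current UTC time as YYMMDDHHMMSSZ, e.g. $(date -u +%y%m%d%H%M%SZ)
# Prints "serial state subject" per entry. A "V" entry whose expiry has
# passed is reported as EXPIRED-NOT-UPDATED, because the status letter only
# changes when "openssl ca -updatedb" is run.
ca_db_report() {
    awk -F '\t' -v now="$2" '
        # Expand a 2-digit UTCTime year the way X.509 does: 00-49 -> 20xx.
        function full(t) {
            if (length(t) == 13)
                return ((substr(t, 1, 2) + 0 < 50) ? "20" : "19") t
            return t
        }
        NF >= 6 {
            state = "valid"
            if ($1 == "R") {
                n = split($3, r, ",")
                state = "revoked@" r[1] (n > 1 ? "(" r[2] ")" : "")
            } else if ($1 == "E") {
                state = "expired"
            } else if (full($2) < full(now)) {
                state = "EXPIRED-NOT-UPDATED"
            }
            print $4, state, $6
        }' "$1"
}

# Serial numbers of every revoked certificate in the database.
revoked_serials() {
    ca_db_report "$1" "$2" | awk '$2 ~ /^revoked@/ { print $1 }'
}

make_sample_index() {
    # Constructed entries; subjects use the reserved example.com domain.
    printf 'V\t270526132900Z\t\t01\tunknown\t/C=DE/O=Example/CN=www.example.com\n' > "$1"
    printf 'R\t270526133000Z\t170528140000Z,keyCompromise\t02\tunknown\t/C=DE/O=Example/CN=old.example.com\n' >> "$1"
    printf 'V\t160101000000Z\t\t03\tunknown\t/C=DE/O=Example/CN=stale.example.com\n' >> "$1"
}

# Demo with a fixed NOW so the result is reproducible.
idx=$(mktemp)
make_sample_index "$idx"
ca_db_report "$idx" 170601000000Z
rm -f "$idx"
```

A serial reported here as revoked only reaches httpd once the CRL has been regenerated and the server restarted.<br />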
<br />
== Other ==<br />
<br />
=== Change the pass-phrase ===<br />
<pre><br />
openssl rsa -des3 -in server.key -out server.key.new<br />
mv server.key.new server.key<br />
</pre><br />
The first time you're asked for a PEM pass-phrase, you should enter the old pass-phrase. After that, you'll be asked again to enter a pass-phrase - this time, use the new pass-phrase. If you are asked to verify the pass-phrase, you'll need to enter the new pass-phrase a second time.<br />
<br />
=== CRT for Clients ===<br />
Ok.. I won't write anything on this, and simply just C/P:<br />
<pre><br />
openssl genrsa -des3 -out private/client1_priv.key 2048<br />
openssl genrsa -des3 -out private/client2_priv.key 2048<br />
# and so on... depends on how many clients you want to serve...<br />
openssl req -new -key private/client1_priv.key -out private/client1.csr<br />
openssl req -new -key private/client2_priv.key -out private/client2.csr<br />
# and so on...<br />
openssl ca -in private/client1.csr -out private/client1.crt<br />
openssl ca -in private/client2.csr -out private/client2.crt<br />
# bundle certificate and private key into one file for the PKCS#12 export<br />
cp private/client1.crt private/client1_preconv.crt<br />
cat private/client1_priv.key >> private/client1_preconv.crt<br />
openssl pkcs12 -export -in private/client1_preconv.crt -out private/client1_postconv.p12<br />
</pre><br />
Install the ''.p12'' file in the client's browser and change httpd.conf:<br />
<pre><br />
# the CA certificate that signed the client certificates<br />
SSLCACertificateFile PATH/TO/ca.crt<br />
SSLVerifyClient require<br />
SSLVerifyDepth 1<br />
</pre><br />
<br />
=== Convert CRT from PEM to DER format ===<br />
Normally all CRTs are stored in the PEM format.<br />
<pre>openssl x509 -in ca.crt -out ca.crt.der -outform DER</pre><br />
<br />
== Testing the CRT ==<br />
If you have live web sites, you might wish to test your configuration before restarting Apache, to avoid a panicky few minutes of downtime while you scramble to decide which is faster: fixing the problem or copying back your backup configs. Test like this:<br />
<pre>httpd -t</pre><br />
Look at the error messages it prints out, or the error_log as explained below, if it doesn't work.<br />
<br />
Restart your httpd:<br />
<pre>/etc/rc.d/rc.httpd restart</pre><br />
Take a look at the httpd ''error_log'' and scroll to the end of the file:<br />
<pre>jed /var/log/httpd/error_log</pre><br />
If you're getting an error like this:<br />
<pre>[error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]</pre><br />
... then you should take a look at ''Pass-phrase on httpd startup'' ...<br />
<br />
= openSSL + openVPN =<br />
$foo ... maybe next month...<br />
<br />
= External Links =<br />
* [http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html SSL/TLS Strong Encryption: FAQ @ httpd.apache.org]<br />
* [http://www.tc.umn.edu/~brams006/selfsign.html Creating a self-signed SSL certificate]<br />
* [http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO]<br />
* [http://www.5dollarwhitebox.org/wiki/index.php/Howtos_Self_Signed_SSL_Certificates OpenSSL Quick Reference]<br />
* [http://www.opensourcehowto.org/how-to/apache/setup-apache2-with-openssl.html Setup Apache2 with OpenSSL]<br />
* [http://www.marschke.info/admin/ap_opssl_https.html Apache2, OpenSSL und HTTPS: Server- und Client-Authentifizierung mit Zertifikaten über verschlüsselte Internet-Verbindungen]<br />
* [http://www.online-tutorials.net/security/openssl-tutorial/tutorials-t-69-207.html openSSL / openVPN.. coming soon]</div>Krakanut