UniServer CA2: Introduction

From The Uniform Server Wiki
Jump to navigation Jump to search

 

Uniform Server 5.5-Nano
CA Demo

Portable CA (Certificate Authority)

This plugin is slightly unusual it starts off as a Uniform Server plugin where you can install a CA and server certificate including a server key to the Apache server. After completion the entire plugin is transferred to a USB memory stick enhancing security by removing the CA’s key from your PC.

Once transferred to a USB memory stick the CA is portable, you can generate personal (client) certificates as and when required. I must stress this is for use on a personal web server or intranet. Never use this for e-commerce, always use a commercial payment system and let the experts take the strain.

Most write-ups are Unix/Linux oriented they have been using secure servers since year dot. This write-up addresses the balance a little. UniServer portable CA is specifically designed for Windows.

Open SSL provides all the tools required for creating a CA, they are command line tool and inherently portable (Unix parentage) these factors make it ideal for batch file control allowing certificate and key generation to be semi-automated.

This step-by-step guide covers UniServer portable CA installation, how to use provided batch files for creating CA, server and personal (client) certificates. This is followed by a detailed description of command lines used and how they are integrated into these files to produce the portable CA. Concludes with some examples for using personal certificates with Apache.

Top

Download and Install

Options 1:

  1. Unpack a new copy of Uniform Server 5.5-Nano.
  2. Download file V55_UniServer_CA_1.0.exe from Sourceforge
  3. To extract files, double click on file V55_UniServer_CA_1.0.exe, no need to change the path.
  4. If you wish to save space delete V55_UniServer_CA_1.0.exe

Options 2:

  1. Unpack a new copy of Uniform Server 5.5-Nano.
  2. Download file V55_UniServer_CA_1.0.zip from Sourceforge
  3. Save to any folder (e.g. temp1)
  4. Extract files, navigate to folder UniServer_CA
  5. Copy UniServer_CA to the installed Uniform Server folder UniServer\plugins.
  6. If you wish to save space delete temp1


Folders and files

Folder UniServer\plugins\UniServer_CA contains the following files and folders:

Clean.bat – Reverts back to a default installation
Create_CA.bat – Creates a CA and folders
Server.bat – Creates a new server certificate and key signed by CA
Client.bat – Creates client (personal) certificates
Revoke.bat – Revoke client (personal) certificates
  • CA - Folder - Content
libeay32.dll - Function libraries
openssl.cnf – Open SSL configuration file
openssl.exe – Open SSL program
ssleay32.dll - Function libraries
zlib1.dll - Function libraries

Top

Batch file overview

This portable CA has been designed to prevent silly mistakes (comment aimed at me), for example you are allowed to create only a single CA, rerunning Create_CA.bat produces a warning message and execution terminates. Likewise only a single server certificate and key can be generated. Rerunning Server.bat again produces a warning and execution stops in both cases no action is performed.

Until a CA is created running either Server.bat or Client.bat produces a warning no operations are performed.

Experiment:

Run the batch files and get a feel for what they do, when finished run Clean.bat this reverts the CA to a default installation. When run, Clean.bat requires confirmation (twice) to make sure you really want to delete all certificates and keys.

Install options:

Initially the CA is installed as a plugin this allows certificates and key to be automatically copied to the server. After this the folder UniServer_CA should be copied to a different location ideally to a USB memory stick. This protects the all important CA key

If you decide not to initially install as a plugin, V55_UniServer_CA_1.0.exe may be extracted to another folder or a USB memory stick and run from there, in this situation certificates and key need to be manually copied to the server.

Remainder of this write-up looks at the process and batch files in more detail.

Top

Quick Guide

The following procedure creates a localhost test certificate signed by your CA (for a test run just accept the defaults).

Before issuing personal certificates run through the process a least once. This will allow you to understand what inputs are required and what outputs to expect.

Note: For the initial run you can use the defaults, to accept defaults press enter when prompted for input.

Top

Enable SSL

Uniform Server has been pre-configured for SSL operation however a default installation has this function disabled. Before running the servers enable the appropriate line in httpd.conf as follows:

Top

Edit httpd.conf

Skip this if you have already enabled SSL (Automatically enabled when server certificate created via Apanel or UniTray).

Edit file UniServer\udrive\usr\local\apache2\conf\httpd.conf locate line:

#LoadModule ssl_module modules/mod_ssl.so

To enale SSL remove the hash "#" asshown belo:

#LoadModule ssl_module modules/mod_ssl.so

Top

Run Batch Files

To create your personal CA and server certificate run the following two batch files:

Run Create_CA.bat

To create the CA's flie structure and certificate ca.crt and key ca.key run Create_CA.bat .

You will be prompted for the following information:

 O  Organisation Name (eg, company) [UniServer CA]:
 OU Organisation Unit (eg, section) [Secure Demo CA]:

Its your CA enter something appropriate for your server the defaults are shown in square brackets.

At the following prompt:

Enter PEM pass phrase

Enter a memorable pass phrase (e.g. fred) this is requested twice.

The pass phrase is important it is required for signing and revoking certificates hence write it down somewhere safe.

Run Server.bat

Next we create a server certificate (server.crt) and key (server.key) by running Server.bat

You will be prompted for the following information:

 CN Common Name. Your full domain name [localhost]:
 O  Organisation Name (eg, company)    [UniServer]:
 OU Organisation Unit (eg, section)  [Secure Demo]:

With the exception of CN you can enter anything you like make it appropriate for your site defaults are shown in square brackets.

Common name (CN) is the only requirement for creating a server certificate. It must be your fully qualified domain name, this is what a user types into their browser to access your site (not including the https:// bit). For example if your site is accessed using https://my_domain.com you would enter my_domain.com for the common name.

Note: If you wish to run more than one site under the same domain name you can create a wild card certificate. For the common name (CN) enter *.my_domain.com Mod SSL does not support name based virtual hosts on the same port hence when running more than a signal virtual host you must use a different port (standard port is 443).

After entering the above:

  • When prompted enter the pass phrase you used to create the CA (fred)
  • Type "y" to sign certificate
  • Type "y" to commit - Creates certificate and adds serial number.

The following certificates and key are copied to the server:

  • File CA\server\ca.crt copied to folder \usr\local\apache2\conf\ssl.crt
  • File CA\server\server.crt copied to folder \usr\local\apache2\conf\ssl.crt
  • File CA\server\server.key copied to folder \usr\local\apache2\conf\ssl.key

Note 1: If CA not installed as a plugin you are informed to manually copy the above files.

Note 2: The CA certificate ca.crt although copied is not required for a secure server. It will be used later for personal (client) certificate authentication see Client Certificates.

Top

Run Clean.bat

This batch file is provided for convenience it allows you to restore the plugin to a default installation.

After testing run this batch file to clean out any certificates and keys. You can rerun the above two batch files and enter real values matching your site.

Note: Once you have issued certificates never run this batch file its draconian and deletes everything.

Test

Testing is straight forward I make no apologies for using Firefox (Download portable Firefox).

  1. Start the servers and type https://localhost/ into your rowser address bar.
  2. You are informed the certificate is suspect (Firefox)
  3. Click link Or you can add an exception…
  4. Click link Add Exception (opens new pop-up)
  5. Click link Get Certificate (top right)
  6. Box bottom left Permanently store this exception Un-Check this box
  7. Click view certificate details shown right:
  8. Click link Confirm Security Exception
  9. The secure website index page is displayed.

Certificate details:

Certificate values shown are defaults. Intended to show what is displayed by a browser.

Issued To  
Common Name (CN) localhost
Organisation(O) UniServer
Organisation Unit(OU) Secure Demo
Serial Number 01
Issued By  
Common Name (CN) <Not Part Of Certificate>
Organisation(O) UniServer CA
Organisation Unit(OU) Secure Demo CA

Every signed certificate is unique and issued with a serial number this is automatically added by the CA. A common name (CN) must match your server. You can enter anything you like for the other certificate values.

I have assumed you accepted the defaults for testing at this stage you can rerun the above batch files to do this first run Clean.bat. Create a CA and server certificate and key, enter real values for your site.

Top

Optional change defaults

If you wish, change the batch file defaults as follows:

1) Edit file: UniServer\udrive\plugins\UniServer_CA\Create_CA.bat Locate these lines:

set unitO=UniServer CA
set unitOU=Secure Demo CA

It's your CA replace "UniServer CA" and "Secure Demo CA" with something more appropriate.


2) Edit file: UniServer\plugins\UniServer_CA\Server.bat Locate these lines:

set unitCN=localhost
set unitO=UniServer
set unitOU=Secure Demo

Replace localhost with what a user would type into a browser to view your site (do not include the https:// bit)
Replace "UniServer" and "Secure Demo" with something appropriate to your site.

Top

CA Root Certificate

The CA's private key (ca.key) should be protected by a hard to guess pass phrase I tend to keep it short and violate this directive. Instead at this stage I move folder UniSrver_CA and all its content to a USB memory stick hence the ca.key is removed from the PC.

Once a CA is created it is a one time event and should be valid for a much longer period of time than regular certificates hence has been set to 30 years. Since this is a personal server also extend the time for the server certificate again I use 30 years.

Top

Install CA Root

The CA's root certificate "ca.crt" should be published (e.g. located in folder UniServer\www) on Intranet web pages allowing users to download and install to their browser. Alternatively if file ca.crt is located on a users PC it can be imported.

Top

Firefox (3.0.15)

Option 1: Download from server

  1. Start servers
  2. Type the following into your browser http://localhost/ca.crt
  3. A pop-up is displayed(see image on right)
  4. (A) Select as a minimum Trust this CA to identify web sites
  5. (B) Click OK

Option 2: Import file. I have assumed the file is located in folder UniServer\udrive\www

  1. Start browser
  2. Select Tools > Options
  3. Select Advanced (top right)
  4. Select Encryption Tab
  5. Click View Certificates button
  6. Select Authorities TAB click Import button
  7. Navigate to folder UniServer\www and select ca.crt
  8. A pop-up is displayed (see image on right)
  9. (A) Select as a minimum Trust this CA to identify web sites
  10. (B) Click OK

 

Uniserver CA 1.gif

Top

IE (7)

Option 1: Download from server

  1. Start servers
  2. Type the following into your browser http://localhost/ca.crt
  3. Pop-up displayed
  4. Click Open button
  5. Pop-up Certificate information click Install Certificate button
  6. Follow theWizard instructions

Option 2: Import file. I have assumed the file is located in folder UniServer\www

  1. Start browser
  2. Tools > Internet Options
  3. Select Content tab
  4. Click Certificate button
  5. Select Trusted Root Certificate Authorities tab
  6. Click Import button
  7. Import Wizzaed starts Click Next
  8. Navigate to folder UniServer\udrive\www and select ca.crt and open
  9. Click Next button
  10. Place, make sure Trusted Root Certificate Authorities selected Click Next
  11. Click Finish
  12. Click Yes to save

Top

Summary

The CA root certificate must be installed on every user's browser that wants to access your server this provents the anoying browser warning pop-ups.

The real power of running your own CA is the ability to sign certificates this opens up a new world when it comes to authentication. You can restrict access to your server using personal (client) certificates covered on the next page.

Top