SSL Part 1: Key & Certificate

From The Uniform Server Wiki

Latest revision as of 17:49, 9 June 2008

mod_ssl Server Key and Certificate
Uniform Server 3.5-Apollo

Before going live with your secure server it is imperative that you generate a new certificate and server key. The process is extremely easy: first shut down both servers, then follow the instructions below.

Creating a key and certificate summary

To create a key and certificate you can open a command prompt, navigate to the folder where openssl.exe is located and type the commands shown below. To ease this process I have included three batch files that save all this typing. The batch files are run from Explorer: just double-click each batch file in turn. I cover each batch file in detail later.

These batch files create two files named "server.key" and "server.crt". I have shown each batch file and, should you wish to use a command prompt instead, the corresponding OpenSSL command.

mpg1.bat

Create a private key and a CSR (Certificate Signing Request)

openssl req -config openssl.cnf -new -out server.csr -keyout server.pem


mpg2.bat

Remove Passphrase from Key file created above

openssl rsa -in server.pem -out server.key


mpg3.bat

Create a Self-Signed Certificate (personal server use only)

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

Using the batch files

The files are located in folder *\Uniform Server\udrive\home\admin\www\plugins\uc_mod_ssl\key_cert_gen; using Windows Explorer, navigate to this folder. To create the server certificate and key, run each of these files in turn:

  1. clean.bat
  2. mpg1.bat
  3. mpg2.bat
  4. mpg3.bat

clean.bat

Before creating a new certificate and key, all old files must be deleted. Running clean.bat removes these files:

  • .rnd
  • server.pem
  • server.csr
  • server.key
  • server.crt

mpg1.bat - openssl req -config openssl.cnf -new -out server.csr -keyout server.pem

The openssl req command prompts you for additional information in order to create and process a certificate request. The format is defined in the configuration file openssl.cnf. After this command completes you will have a certificate signing request and a private key.

Note 1: A pass phrase is a password, but it can be several words in length, hence "phrase". You need to supply one, although we will remove it later, so I suggest keeping it short, for example "fred".

Note 2: When prompted for a "Common Name", provide the domain name of your web server (e.g. unicenter.gotdns.org). The certificate belongs to this server; this is why, on the previous page in test 5b, our browser complained that the server did not match the certificate.

The batch file when run looks similar to this:

Screen output, with a comment on each section:

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.........++++++
.............................................++++++
writing new private key to 'server.pem'
Enter PEM pass phrase:fred
Verifying - Enter PEM pass phrase:fred
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Comment: Enter a pass phrase, e.g. fred. This will not be displayed. Remember to keep it short; it will be removed later.

Country Name (2 letter code) [GB]:
State or Province Name or County (full name) [Cambridgeshire]:
Locality Name (eg, city or town) [Cambridge]:
Organization Name (eg, company) [Unicenter]:
Organizational Unit Name (eg, section) [Demo Example Mike Gleaves]:
Common Name (eg, your websites domain name) []:unicenter.gotdns.org
Email Address []:

Comment: Press enter to accept each default, or enter your own information. You must enter a common name.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

Comment: Not used. Press enter.

Three files are created: .rnd, server.csr and server.pem.

mpg2.bat - openssl rsa -in server.pem -out server.key

The openssl rsa command with the attributes shown removes the pass phrase from the RSA private key.

In a commercial environment you would not remove this pass phrase; for a personal web server, however, it is desirable to do so. With it in place, each time you start the Apache server a pop-up dialog prompts you to enter the pass phrase. This would be a problem if you set your server to auto-reboot after a system crash, because you would need to be around to enter it; hence the reason for its removal.

Action: When requested enter pass phrase fred. Note this will not be displayed.

Result: Creates the server key file server.key

mpg3.bat - openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

The openssl x509 command is a multi-purpose certificate utility. With it you can display certificate information, convert certificates to various formats, sign certificate requests or edit certificate settings.

The openssl x509 command with the attributes shown creates a self-signed certificate that expires after ten years (-days 3650). If you prefer a shorter validity period, change the batch file to reflect the value you want.

Action: No action required.

Result: Creates the server certificate file server.crt
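
The three batch-file steps as one non-interactive POSIX shell script, followed by the checks worth running before copying the files to Apache. This is an added example, not the page's batch files: it assumes openssl is on PATH and a scratch directory is passed in, reuses the page's subject fields and throw-away pass phrase "fred", and the function names (make_csr, key_matches_cert and so on) are my own; on Windows the same openssl invocations go into the batch files.

```shell
#!/bin/sh
# Added example, not from the Uniform Server page: the three batch-file steps
# as non-interactive openssl calls, plus checks the page leaves out.
# Assumes openssl on PATH and $1 a scratch dir; "fred" is the page's throw-away pass phrase.
set -eu

# Step 1 (mpg1.bat): private key + CSR. -subj and -passout stand in for
# the interactive prompts; $2 is the Common Name (your server's host name).
make_csr() {
  openssl req -new -newkey rsa:2048 -keyout "$1/server.pem" -out "$1/server.csr" \
    -passout pass:fred \
    -subj "/C=GB/ST=Cambridgeshire/L=Cambridge/O=Unicenter/CN=$2" 2>/dev/null
}

# Step 2 (mpg2.bat): strip the pass phrase so Apache can start unattended.
# The result is a plaintext key: file permissions are now its only protection.
strip_passphrase() {
  openssl rsa -in "$1/server.pem" -passin pass:fred -out "$1/server.key" 2>/dev/null
}

# Step 3 (mpg3.bat): self-sign the CSR with the key; $2 is the validity in days
# (the page's batch file uses 3650).
self_sign() {
  openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
    -out "$1/server.crt" -days "$2" 2>/dev/null
}

# Check 1: server.crt really belongs to server.key (same RSA modulus). This is
# what goes wrong when a stale server.crt survives because clean.bat was skipped.
key_matches_cert() {
  [ "$(openssl x509 -noout -modulus -in "$1/server.crt")" = \
    "$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null)" ]
}

# Check 2: the Common Name a browser compares against the host name it connected to.
cert_cn() {
  openssl x509 -noout -subject -in "$1/server.crt" | sed 's/.*CN *= *\([^,/]*\).*/\1/'
}

# Check 3: non-zero exit if the certificate expires within the next $2 seconds.
cert_valid_for() {
  openssl x509 -noout -checkend "$2" -in "$1/server.crt" >/dev/null
}

# Check 4: after step 2 the key file must carry no ENCRYPTED marker, otherwise
# Apache will still prompt for the pass phrase at every start.
key_is_unencrypted() {
  ! grep -q ENCRYPTED "$1/server.key"
}
```

A typical run is make_csr, strip_passphrase and self_sign on one scratch directory, then the four checks; only after they pass do server.key and server.crt go to the Apache conf folders.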

Copy Certificate and Key to server

The two files are created in folder *\Uniform Server\udrive\home\admin\www\plugins\uc_mod_ssl\key_cert_gen; these need to be copied to their appropriate locations as follows:

Copy file server.key to folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.key

Copy file server.crt to folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.crt

Test

You now have a secure server with a self-signed certificate. As a quick test, run the following using your own domain name:

Test and expected result:

 1) Start the servers using Server_Start.bat. Result: normal server operation with apanel displayed.
 2) Type http://unicenter.gotdns.org/ . Result: displays Site 1 home page.
 3) Type http://news.unicenter.gotdns.org/ . Result: displays Site 2 home page.
 4) Type http://cars.unicenter.gotdns.org/ . Result: displays unsecured default page.
 5) Type https://unicenter.gotdns.org/ . Result:
    a) Pop-up displays "Website Certified by an Unknown Authority": click "Accept temporarily for this session".
    b) (If enabled) Authentication Required: type in name and password, click OK.
    c) Padlock closed and Site 3 home page displayed.

Conclusion

That concludes this write-up; I have shown how easy it is to produce a secure personal server using mod_ssl. If you have read my Stunnel implementation you now have two choices for securing a personal server.

My mod_ssl template gives you the opportunity to explore and learn about certificates and keys. One limitation: because of the protocols and layers involved, you are limited to securing one website per fixed IP address. Strictly speaking this is not true for a personal server, if you are happy to accept some limitations.

I thought for completeness I would add a few extra pages, starting with securing multiple websites using virtual hosts on a single IP address.

Ric