SSL Part 1: Key & Certificate
mod_ssl Server Key and Certificate
Before going live with your secure server it is imperative that you generate a new certificate and server key. The process is extremely easy: first shut down both servers, then follow the instructions below.
Creating a key and certificate summary
To create a key and certificate you can use a command line: navigate to the folder where openssl.exe is located and type the commands shown below. To ease this process I have included three batch files that save all this typing. The batch files are run from Explorer; just double-click each batch file in turn. I cover each batch file in detail later.
These batch files create two files named "server.key" and "server.crt". I have shown each batch file and, should you wish to use a command prompt instead, the corresponding OpenSSL command.
Create a private key and a CSR (Certificate Signing Request)
openssl req -config openssl.cnf -new -out server.csr -keyout server.pem
Remove Passphrase from Key file created above
openssl rsa -in server.pem -out server.key
Create a Self-Signed Certificate (personal server use only)
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Using the batch files
The files are located in folder *\Uniform Server\udrive\home\admin\www\plugins\uc_mod_ssl\key_cert_gen; using Windows Explorer navigate to this folder. To create the server certificate and key run each of these files in turn.
Before creating a new certificate and key all old files must be deleted. Running clean.bat removes these old files.
mpg1.bat - openssl req -config openssl.cnf -new -out server.csr -keyout server.pem
The openssl req command prompts you for additional information in order to create and process a certificate request. The format is defined in the configuration file openssl.cnf. After the completion of this command you will have a certificate signing request and a private key.
Note 1: A pass phrase is a password; however it can be several words in length, hence a phrase. You need to supply one, although we will remove it later, so I suggest you keep it short, for example "fred".
Note 2: When prompted for a "Common Name" provide the domain name of your web server (e.g. unicenter.gotdns.org). The certificate belongs to this server; this is why, on the previous page, our browser complained in test 5b that the server did not match the certificate.
The batch file when run looks similar to this:
Loading 'screen' into random state - done
Enter a pass phrase (e.g. fred). This will not be displayed. Remember to keep it short; it will be removed later.
Country Name (2 letter code) [GB]:
Press Enter to accept each default. You must enter a Common Name.
Please enter the following 'extra' attributes: not used, press Enter.
Three files are created: .rnd, server.csr and server.pem.
mpg2.bat - openssl rsa -in server.pem -out server.key
The openssl rsa command with the attributes shown removes the pass phrase from the RSA private key.
In a commercial environment you would not remove this pass phrase; however, for a personal web server it is desirable to do so. With it in place, each time you start up the Apache server a pop-up dialog is displayed prompting you to enter the pass phrase. This would be a problem if you set your server to auto-reboot after a system crash: you need to be around to enter it, hence the reason for its removal.
Action: When requested, enter the pass phrase fred. Note this will not be displayed.
Result: Creates the server key file server.key
mpg3.bat - openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
The openssl x509 command is a multi-purpose certificate utility. With it you can display certificate information, convert certificates to various forms, sign certificate requests or edit certificate settings.
The openssl x509 command with the attributes shown creates a self-signed certificate that expires after ten years (-days 3650); if you prefer a shorter time, change the batch file to reflect the value you want.
Action: No action required.
Result: Creates the server certificate file server.crt
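The three steps above (mpg1, mpg2 and mpg3) as one POSIX shell script, added here as an example; it is not part of the Uniform Server page or its batch files. It runs non-interactively by passing the Distinguished Name with -subj and the pass phrase with -passout/-passin, then performs the checks worth doing before copying the files into Apache: the stripped key really carries no pass phrase, the certificate's public key belongs to the private key, the Common Name equals the host name the browser will use (the mismatch Note 2 describes), and the certificate has not expired. It assumes the openssl command is on PATH with its default configuration file; the host name www.example.test, the pass phrase fred, the key size and the temporary output directory are constructed sample values.

```shell
#!/bin/sh
# Added example, not the page's batch files: generate server.key and
# server.crt the way mpg1/mpg2/mpg3 do, then check the result.
# Assumes: openssl on PATH with a usable default openssl.cnf.
set -eu

HOST="www.example.test"   # constructed sample host name (page uses unicenter.gotdns.org)
PASS="fred"               # sample pass phrase, as on the page; stripped in step 2
DAYS=3650                 # ten years, as in mpg3.bat

# Step 1 (mpg1.bat): pass-phrase-protected private key plus a CSR.
# -subj supplies the Distinguished Name so no prompts appear; CN is the
# server's DNS name, which is what the browser compares against.
make_csr_and_key() {
  openssl req -new -newkey rsa:2048 \
    -keyout "$1/server.pem" -out "$1/server.csr" \
    -subj "/C=GB/CN=$2" -passout "pass:$3" 2>/dev/null
}

# Step 2 (mpg2.bat): write a copy of the key without the pass phrase so
# Apache can start unattended (e.g. after an auto-reboot).
strip_passphrase() {
  openssl rsa -in "$1/server.pem" -passin "pass:$2" \
    -out "$1/server.key" 2>/dev/null
}

# Step 3 (mpg3.bat): self-sign the CSR with the unencrypted key.
self_sign() {
  openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
    -days "$2" -out "$1/server.crt" 2>/dev/null
}

# ---- checks a practitioner runs before copying the files to Apache ----

# Print the CN from the certificate subject (RFC2253 form: CN=...,C=...).
cert_common_name() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= *//p' | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Succeed only if the PEM file has no pass phrase (an encrypted PEM says
# ENCRYPTED in its header, whether PKCS#8 or the traditional format).
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

# Succeed only if the certificate's public key came from this private key:
# both commands emit the same SubjectPublicKeyInfo PEM when they match.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Succeed only if the certificate is still valid $2 seconds from now.
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# Run all three steps in a fresh directory, verify, and print the directory.
generate_and_check() {
  gdir=$(mktemp -d)
  make_csr_and_key "$gdir" "$1" "$PASS"
  strip_passphrase "$gdir" "$PASS"
  self_sign "$gdir" "$2"
  grep -q ENCRYPTED "$gdir/server.pem"        # original key still protected
  key_is_unencrypted "$gdir/server.key"       # stripped copy is not
  key_matches_cert "$gdir/server.key" "$gdir/server.crt"
  [ "$(cert_common_name "$gdir/server.crt")" = "$1" ]
  cert_valid_for "$gdir/server.crt" 0
  echo "$gdir"
}

if [ "${1:-}" = "run" ]; then
  out=$(generate_and_check "$HOST" "$DAYS")
  echo "server.key and server.crt written to $out; copy them to ssl.key and ssl.crt"
fi
```

Run it as `sh make_cert.sh run`. The CN check is exactly the comparison behind the test 5b complaint on the previous page, so running it before copying the files catches a mistyped host name early. One caveat the page predates: current browsers ignore the Common Name and require the host name in a subjectAltName extension, so a CN-only certificate like this one also produces a name-mismatch error in them until a subjectAltName is supplied (for example through an -extfile when the certificate is signed); the unknown-authority warning in test 5 remains in any case, because no browser trusts a self-signed issuer.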
Copy Certificate and Key to server
The two files are created in folder *\Uniform Server\udrive\home\admin\www\plugins\uc_mod_ssl\key_cert_gen; these need copying to their appropriate locations as follows:
Copy file server.key to folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.key
Copy file server.crt to folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.crt
You now have a secure server with a self-signed certificate. As a quick test, run the following using your domain name:
|Step|Expected result|
|1) Start the servers using Server_Start.bat|Normal server operation with apanel displayed.|
|2) Type http://unicenter.gotdns.org/|Displays Site 1 home page|
|3) Type http://news.unicenter.gotdns.org/|Displays Site 2 home page|
|4) Type http://cars.unicenter.gotdns.org/|Displays unsecured default page|
|5) Type https://unicenter.gotdns.org/|a) Pop-up displays "Website Certified by an Unknown Authority" (expected, because the certificate is self-signed). Click "Accept temporarily for this session".|
That concludes this write-up. I have shown how easy it is to produce a secure personal server using mod_ssl. If you have read my Stunnel implementation you now have two choices for securing a personal server.
My mod_ssl template gives you the opportunity to explore and learn about certificates and keys. One limitation: because of the protocols and layers involved, you are limited to securing one website per fixed IP address. Strictly speaking this is not true for a personal server, if you are happy to accept some limitations.
For completeness I thought I would add a few extra pages, starting with securing multiple websites using virtual hosts on a single IP address.