Apache and Setting Up SSL |
Server Training - Web Server |
The self-signed certificate is a certificate that you can create yourself that will provide SSL encryption but without the verification of your website from an outside source. The outside verification does cost money. In other words, you can get the protection you need, encryption by doing it yourself. One thing to note, if you are taking people's credit card information then you will need to get a signed certificate as a warning appears when you are using self-signed certificates. When to use self-signed certificates. You can use self-signed certificates whenever you are using the encryption for your own company or when you have the opportunity to explain to users why the certificate is self-signed. You cannot use a self-signed certificate when you are working with the public as you will lose credibility with the public if you do.
Intro to SSL SSL, Secure Sockets Layer, is a protocol or language that is used to encrypt communication between clients and servers. This type of communication is necessary when transporting sensitive information like credit card processing. SSL is a protocol that uses TCP/IP on behalf of the higher-level protocols like HTTP. This protocol allows a SSL-enabled server to authenticate itself to a SSL-enabled client. In order to use SSL the client must request a connection on port 443 instead of the typical port 80 used by a web browser. What the Process of SSL Provides 1. SSL Provides - Authentication - the SSL server authentication allows a user to verify the server identity. The use of public-key cryptology allows a client to verify that the server has a valid certificate and public ID and that it has been issued a certificate of authority (CA). The client can hold a list of trusted CAs. 2. SSL Provides Verification of the User - the user is verified in the process in the same way as the server and using the same methods as the server verification. 3. SSL Provides Encryption - the entire communication between the client and the server is encrypted. SSL Communication At times it is important to encrypt the communication between the server and the client in order to protect the data that is being transferred. SSL, Secure Socket Layer ins enabled on Apache using the mod_ssl module. Once SSL has been enabled on Apache secure communication will occur over port 443 using the https:// in the browser. In order to use SSL a key must be generated that will allow encrypted communication. Both ends of the encrypted communication must be able to understand the algorithm that is used to create the encryption. Unsigned or Self-Signed SSL Certificate You can run SSL without a signed certificate. However, each time a user tries to use your certificate they will be notified that the certificate is not authentic and that there may be a problem. This certainly does not install confidence in your customer. Creating an SSL Certificate When SSL is used with the Apache via the mod_ssl module, it will create an encrypted RSA file which has two components a private file which is kept secure on the server and a public file which is placed in the Certificate file and is thus used by users when they connect to the server. Users will be able to communicate secure then using the encryption that results in this kind of communication. In order to create a real certificate a Certificate Signing Request (CSR) must be created that contains the public key with identification of who owns the server. The CSR must be sent to a Certifying Authority (CA) who will then convert the certificate into a real Certificate which can be placed on the server with the signature of the signing authority.
Move into the /etc/pki/tls/certs/ directory. 1. Create a Certificate OpenSSL should be installed on the server as this will be used to create the keys. Install on a CentOS server with: yum install mod_ssl Create a RSA private key for the server: # openssl genrsa -des3 -out server.key 1024 Generating RSA private key, 1024 bit long modulus Enter pass phrase for server.key: Verifying - Enter pass phrase for server.key: # openssl rsa -noout -text -in server.key Create a Certificate Signing Request with the server’s RSA private key # openssl req -new -key server.key -out server.csr Enter pass phrase for server.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:Montana Locality Name (eg, city) [Newbury]:Trout Creek Organization Name (eg, company) [My Company Ltd]:My Company Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:ns.example.com Email Address []:
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:Mu75Rdes43 An optional company name []: # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt Signature ok subject=/C=US/ST=Montana/L=Trout Creek/O=My Company/CN=ns.example.com/emailAddress= This e-mail address is being protected from spambots. You need JavaScript enabled to view it Getting Private key Enter pass phrase for server.key: # cp server.crt /etc/pki/tls/certs/ # cp server.key /etc/pki/tls/private/
# cp server.csr /etc/pki/tls/private
# chmod go-rwx /etc/pki/tls/certs/server.crt # chmod go-rwx /etc/pki/tls/private/server.key
Edit your httpd.conf (CentOS) and add these lines:
Verify that the server is now listening on port 443. netstat -aunt Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN Use https:// to access the web page instead of http:// When you access the webpage you will see the request to accept the self-signed certificate. If you are not asked to accept a certificate go back and review your setup.
|