Hi Folks: I would like public commentary on the accuracy and validity of the attached document.
This document purports to give a hand holding walkthru on how to implement SSL and client authentication certificates into Apache. All comments will be considered, flames will route to /dev/null. Thanks!

--
Ron Gage - Owner, Linux Network Services - Saginaw, Michigan - 989-274-8088
Your one-stop source for Reliable, Secure and Affordable Networking Solutions
Website SSL Mini-Walkthru
Copyright 2002, Ronald R. Gage
Saginaw, Michigan 48602

Introduction:

This guide is intended to help the average website operator in implementing SSL services. The instructions here are provided as is and with absolutely no warranty. While the instructions below worked for me, they may end up erasing your hard drive and chewing up all of your available bandwidth. You have been warned.

These instructions were developed with Apache 1.3.20 and Mozilla 0.9.8 in mind. I also presume that you already have OpenSSL installed from the OpenSSL website (http://www.openssl.org). I also presume that you know how to edit a text file, and that you have root access to your machine.

1. File Preparation

You will need to copy a few files to "accessible" locations, for ease of use. You need to be root to do this.

    cp /openssl-0.9.6b/apps/openssl /usr/local/bin
    chmod 700 /usr/local/bin/openssl
    cp /openssl-0.9.6b/apps/sign.sh /usr/local/sbin
    chmod 700 /usr/local/sbin/sign.sh

Next, decide on what directory you want your certificate depository to be located in.

    mkdir /certs

Next, edit /usr/local/sbin/sign.sh to point to your choice for the certificate depository. The places to change include all the "if [ -f" statements at the beginning of the file, their corresponding commands, the "dir =" line, and (at the end) the "openssl verify" line.

Make absolutely certain that the certificate depository is only accessible by root.

    chmod 700 /certs

Finally, you need to edit the openssl configuration file - /usr/local/ssl/openssl.cnf - and uncomment (remove the leading "#") the line that reads:

    # nsCertType = client, email, objsign

2. Create your own Certificate Authority Certificate (CACert)

You only need to do this step if you intend to use "self-signed" certificates. If you are using certificates signed by a recognized certificate authority (Thawte, Verisign, etc...), this section may be ignored.

The following commands will create your CACert.

    cd /certs
    openssl genrsa -des3 -out ca.key 1024
    openssl req -new -x509 -days 1825 -key ca.key -out ca.crt

There will be a few questions that you will need to answer to "fill out" the certificate. The questions should be self-explanatory. That's it, ca.crt is your new certificate. The -days 1825 gives the certificate a 5 year life. This certificate will be what you use to sign your other certificates (SSL, email, client, etc...).

3. Create your own SSL Certificate (SSLCert)

This will create an SSL certificate for your web server. It assumes a CACert has been created using the above method. This method will create a non-password protected server key. This is fairly important unless you want to enter the server key password every time you restart apache. If you do want to enter that password every time you start up apache, just add the -des3 option to the genrsa line below.

    cd /certs
    openssl genrsa -out server.key 1024
    openssl req -new -key server.key -out server.csr
    sign.sh server.csr

During the questions for the req section, the important one to get right is the "Common Name". This needs to be the website address (e.g. www.rongage.org). If this is not set correctly, then web browsers will complain about the certificate being owned by one name, but being served by another. This should produce a final server.crt file - your SSL certificate for your web server.

An important note for those of you running name-based virtual servers (several websites, one IP address): Due to the way that SSL handles the negotiation process, name-based virtual serving will NOT work for your SSL sites. You will need to use a separate IP address for each SSL server you host. Your first SSL server can use the same IP you use for your other virtual hosts, but any subsequent SSL server must have a different IP address. The symptom of this problem hitting you is that regardless of what SSL server you try to access, only the first server listed in your httpd.conf file comes up.

Finally, to integrate the SSL certificates, you will need to copy them to a place readable by your web server. Assuming your webserver is located in /var/lib/apache (the old Slackware standard)...

    cp server.key /var/lib/apache/conf
    cp server.crt /var/lib/apache/conf
    cp ca.crt /var/lib/apache/conf

Then in your httpd.conf file, you will need to add the following lines to the section that defines your virtual SSL host:

    SSLCertificateFile /var/lib/apache/conf/server.crt
    SSLCertificateKeyFile /var/lib/apache/conf/server.key

Please remember to use the actual path to your httpd.conf file. Many systems use /etc/apache instead of /var/lib/apache/conf for the location, so you may need to go hunting to find the httpd.conf file.

Of course, once all of your changes are in place, you will need to restart the apache server to make the changes go live.

    apachectl stop
    apachectl start

In my experience, once SSL is added to an apache setup, apachectl restart no longer functions correctly. Your mileage may vary.

4. Creating a client authentication certificate

A client authentication certificate can be used to limit access to a web page based on possession of the certificate. This way, only those people with the certificate will be allowed to view the page in question and everyone else will only get error messages. Creating the client certificate is very similar to creating a server certificate.

    cd /certs
    openssl genrsa -out ident.key 1024
    openssl req -new -key ident.key -out ident.csr
    sign.sh ident.csr
    openssl pkcs12 -export -in ident.crt -inkey ident.key -certfile ca.crt -out ident.p12

(The openssl pkcs12 line is one long command line, even if it wraps on your screen.) This should create the pkcs12 format identity certificate file for importing into Mozilla and/or Netscape. You will need to download this file using an FTP protocol (use binary mode, the file is not ASCII) to the machine where your web browser is located.

To import the key into Netscape: Click on the "padlock" icon in the lower left hand corner. Under "Certificates -> Yours", click on the "import a certificate" button, point the file dialog to the ident.p12 file you just created and downloaded, then click OK. It should import the identity certificate with no problems.

To import the key into Mozilla: Click on Edit->Preferences. Then click on Privacy & Security->Certificates. Click the "Manage Certificates" button. Click on the Restore button under "Your Certificates". Point the file browser to the ident.p12 file you downloaded, then click OK. It should import your identity certificate with no problems.

To utilize client authentication in your web server, place the following directives in your virtual server definition:

    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile conf/ca.crt

The trick here is that any identity certificate can be used, so long as it is signed by the CA file you specify. For more information on how to utilize client authentication, please refer to the excellent modssl howto at http://www.modssl.org/docs/2.8/ssl_howto.html, chapter 5.

Ron Gage - Owner
Linux Network Services
Saginaw, Michigan
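An added example, not part of the walkthru above: this script replays the CA, server certificate and client certificate steps of sections 2 to 4 in a scratch directory using current openssl syntax, with a small sign_with function standing in for sign.sh, and then exposes checks for the points the text says matter (unencrypted server key, Common Name matching the site name, client certificate chaining to the CA named in SSLCACertificateFile). The hostname www.example.test and all passwords are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original walkthru. Replays the guide's
# CA -> server cert -> client cert flow in a scratch directory with current
# openssl syntax, then exposes checks for the points the text says matter.
# The hostname www.example.test and all passwords are constructed placeholders.
set -eu

# Stand-in for the guide's sign.sh: $1 = CA file stem, $2 = csr, $3 = output crt
sign_with() {
    openssl x509 -req -in "$2" -CA "$1.crt" -CAkey "$1.key" -passin pass:capass \
        -CAcreateserial -days 365 -out "$3" 2>/dev/null
}

make_pki() {   # $1 = certificate depository, $2 = hostname of the SSL site
    mkdir -p "$1"; chmod 700 "$1"           # section 1: depository is root-only
    ( cd "$1"
      # section 2: password-protected CA key and a self-signed CACert (5 years)
      openssl genrsa -des3 -passout pass:capass -out ca.key 2048 2>/dev/null
      openssl req -new -x509 -days 1825 -key ca.key -passin pass:capass \
          -out ca.crt -subj "/CN=Example CA" 2>/dev/null
      # section 3: server key WITHOUT -des3 so apache restarts unattended;
      # the Common Name must be the name browsers will connect to
      openssl genrsa -out server.key 2048 2>/dev/null
      openssl req -new -key server.key -out server.csr -subj "/CN=$2" 2>/dev/null
      sign_with ca server.csr server.crt
      # section 4: client identity signed by the same CA, bundled as PKCS#12
      # (-certfile takes the CA certificate, ca.crt, not the CA key)
      openssl genrsa -out ident.key 2048 2>/dev/null
      openssl req -new -key ident.key -out ident.csr -subj "/CN=Ident User" 2>/dev/null
      sign_with ca ident.csr ident.crt
      openssl pkcs12 -export -in ident.crt -inkey ident.key -certfile ca.crt \
          -out ident.p12 -passout pass:exportpass
      # the same CSR signed by an unrelated CA: what SSLVerifyClient require rejects
      openssl req -new -x509 -days 1 -newkey rsa:2048 -nodes -keyout other.key \
          -out other.crt -subj "/CN=Other CA" 2>/dev/null
      sign_with other ident.csr stranger.crt )
}

# true when a PEM key carries no passphrase (what the guide wants for server.key)
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

# true when the certificate's name matches the hostname browsers will use
cert_matches_host() { openssl x509 -noout -in "$1" -checkhost "$2" | grep -q 'does match'; }

# true when the cert chains to the CA given to SSLCACertificateFile,
# which is the check mod_ssl performs for SSLVerifyClient require
cert_signed_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
```

Run it as `make_pki /tmp/certs www.example.test` and then point the check functions at the files it produced; the stranger.crt file shows that a certificate from any other CA fails the chain check even though it carries the same subject.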
