A very current topic. As SSL 3.0 is now vulnerable, I will try not to use it in this assignment. If you have not yet disabled SSL 3.0, check my last post and see how it’s done.
ASSIGNMENT:
- Goal: A virtual machine works as a CA. Create a server SSL certificate and key. Configure Apache to use SSL encryption.
- Two virtual machines: one works as the Apache server and the other as a normal desktop.
- Server machine: install OpenSSL. Create a certificate on the server and authenticate it.
- PKCS certificate, so that the browser can recognise you as the CA. || work in progress
- Install mod_ssl and configure the server.
- Test that the HTTPS connection works.
Step 1. Configuring OpenSSL
After the machines have been created, we can start installing and configuring OpenSSL.
First, we need to install the shared libraries for OpenSSL. You’ll notice there are a lot of options:
apt-cache search libssl | grep SSL
We want to install the shared libraries, so go on and install:
libssl0.9.8 - SSL shared libraries ## 0.9.8 most recent @16.10.2014
You can also run sudo apt-get install openssl; this, however, does not always guarantee the wanted results.
After installation you can check the version of OpenSSL with:
openssl version
Installation is done, now let’s create the CA.
Let’s start by making some directories for the certificates following the Ubuntu community guide.
cd && mkdir -p myCA/signedcerts && mkdir myCA/private
As the Ubuntu community guide puts it:
- ~/myCA : contains CA certificate, certificates database, generated certificates, keys, and requests
- ~/myCA/signedcerts : contains copies of each signed certificate
- ~/myCA/private : contains the private key
Next, create the initial DB in the ~/myCA/ directory using this command:
echo '01' > serial && touch index.txt
And then create the config file:
sudo nano ~/myCA/caconfig.cnf
Since I am using a text-based Ubuntu Server, copy-pasting the sample configuration file from the Ubuntu community guide is challenging. I will instead use SSH to access the server machine from a desktop environment, to help out with the copy-pasting. In order for this to work, set the virtual machines’ network to “bridged”.
Now, copy pasta the config file found in the Ubuntu community guide into the config file you created.
Make sure to replace the <username> placeholder in both locations where it appears:
This is a little less important, but change the root_ca_distinguished_name fields to something more suitable:
Then run the following commands:
export OPENSSL_CONF=~/myCA/caconfig.cnf
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
Enter a PEM passphrase, and your CA (Certificate Authority) is now configured.
Step 2. Server Certificate
Similarly to above, create a new config file in your ~/myCA/ folder.
cd ~/myCA/
sudo nano servercert.cnf
Then copy pasta the example .conf from the Ubuntu community guide.
Fix the distinguished names and save. Run the commands:
export OPENSSL_CONF=~/myCA/servercert.cnf
openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
Enter the PEM passphrase again. After this, copy the temporary private key into an unencrypted key with this command:
openssl rsa < tempkey.pem > server_key.pem
As prompted, give it the same passphrase as above.
Now we can SIGN the certificate!! First, switch back to the CA config:
export OPENSSL_CONF=~/myCA/caconfig.cnf
And then sign the certificate with this command:
openssl ca -in tempreq.pem -out server_crt.pem
Remove the temporary key and request:
rm -f tempkey.pem && rm -f tempreq.pem
And there you have it, a signed certificate!
Step 3. Apache HTTPS Configuration
OpenSSL is now properly set up on our server machine. Next, let’s configure Apache to accept our lord and savior, SSL.
This is done really easily, just run the following commands:
sudo a2enmod ssl
sudo a2ensite default-ssl
sudo /etc/init.d/apache2 restart
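Before pointing Apache at the files from Steps 1 and 2, it is worth checking that they actually fit together. The script below is an added example, not part of the original post or the Ubuntu guide: check_server_cert confirms that server_crt.pem chains to cacert.pem, that server_key.pem is the matching private key, and that the key meets a minimum size; make_demo_pki is a constructed fixture that builds a throwaway CA and server cert non-interactively (openssl x509 -req stands in for the post’s openssl ca step), and the only assumption is that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the post: sanity-check the files produced in
# Steps 1 and 2 before handing them to Apache. Needs only the openssl CLI.
set -eu

# check_server_cert CA_CERT SERVER_CERT SERVER_KEY [MIN_BITS]
# Returns 0 only if the server cert chains to the CA cert, the key belongs
# to that cert, and the key is at least MIN_BITS (default 2048) bits.
check_server_cert() {
    ca="$1"; crt="$2"; key="$3"; min_bits="${4:-2048}"
    # 1. Chain: a browser trusting cacert.pem must accept server_crt.pem.
    #    Match on the "OK" text; old openssl versions exit 0 even on failure.
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' \
        || { echo "FAIL: $crt does not chain to $ca"; return 1; }
    # 2. Key/cert match: same RSA modulus means same key pair.
    crt_mod=$(openssl x509 -noout -modulus -in "$crt")
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ] \
        || { echo "FAIL: $key is not the private key for $crt"; return 1; }
    # 3. Key size: the post requests rsa:1024, which is below today's floor.
    bits=$(openssl x509 -noout -text -in "$crt" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] \
        || { echo "FAIL: ${bits:-?}-bit key, want at least $min_bits"; return 1; }
    echo "OK: $crt chains to $ca, key matches, $bits-bit RSA"
}

# make_demo_pki DIR SERVER_BITS: constructed fixture, a throwaway CA and a
# server cert signed by it, made non-interactively (no caconfig.cnf needed).
make_demo_pki() {
    dir="$1"; server_bits="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1825 -subj "/CN=Demo CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -newkey "rsa:$server_bits" -nodes -subj "/CN=www.example" \
        -keyout "$dir/server_key.pem" -out "$dir/tempreq.pem" 2>/dev/null
    # 'openssl x509 -req' stands in for the post's 'openssl ca' signing step.
    openssl x509 -req -days 365 -in "$dir/tempreq.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/server_crt.pem" 2>/dev/null
}

# Against the post's own layout:
#   check_server_cert ~/myCA/cacert.pem ~/myCA/server_crt.pem ~/myCA/server_key.pem
```

With the post’s rsa:1024 request the third check fails; regenerate the request with rsa:2048 (or pass a lower MIN_BITS only to reproduce the assignment as written).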