OPENSSL & APACHE SSL MODULE || ASSIGNMENT

A very current topic. As SSL 3.0 is now vulnerable, I will try not to use it in this assignment. If you have not yet disabled SSL 3.0 – check my last post and see how it’s done.

ASSIGNMENT: 

  • Goal: the virtual machine works as a CA. Create a server SSL certificate and key. Configure Apache to use SSL encryption.
  • Two virtual machines, one works as the Apache server and the other as a normal desktop.
  • Server machine: install OpenSSL. Create a certificate on the server and authenticate it.
    • PKCS certificate, so that the browser can recognise you as the CA. || work in progress
    • Install mod_ssl, and configure the server
  • Test that the https connection works.

Step 1. Configuring OpenSSL

After the machines have been created, we can start installing and configuring OpenSSL.
First, we need to install the shared libraries for OpenSSL. There are a lot of options, as you’ll notice:

apt-cache search libssl | grep SSL

We want to install the shared libraries, so go on and install:

libssl0.9.8 - SSL shared libraries ## 0.9.8 most recent @16.10.2014

You can also run sudo apt-get install openssl; this, however, does not always give the result you want.

After installation you can check the version of OpenSSL with:

openssl version


Installation is done, now let’s create the CA.

Let’s start by making some directories for the certificates following the Ubuntu community guide.

cd && mkdir -p myCA/signedcerts && mkdir myCA/private


As the Ubuntu community guide puts it:

  • ~/myCA : contains CA certificate, certificates database, generated certificates, keys, and requests

  • ~/myCA/signedcerts : contains copies of each signed certificate

  • ~/myCA/private : contains the private key

Next, create the initial DB in the ~/myCA/ subdir using these commands:

cd ~/myCA && echo '01' > serial && touch index.txt

Then create the conf file:

sudo nano ~/myCA/caconfig.cnf

Since I am using a text-based Ubuntu Server, copy-pasting the sample configuration file from the Ubuntu community guide is challenging. I will instead use SSH to access the server machine from a desktop environment, to help out with the copy-pasting. In order for this to work, set the virtual machines to use bridged networking.

Now, copy-paste the conf file found in the Ubuntu community guide into the conf file you created.
Make sure to fix the <username> tag in two locations.
Less important, but worthwhile: change the root_ca_distinguished_name entries into something more suitable for your CA.

Then run the following commands:

export OPENSSL_CONF=~/myCA/caconfig.cnf
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825

Enter a PEM passphrase when prompted, and your CA (Certificate Authority) is now configured.

Step 2. Server Certificate

As above, create a new conf file in your ~/myCA/ folder.

cd ~/myCA/
sudo nano servercert.cnf

Then copy-paste the example .conf from the Ubuntu community guide.
Fix the distinguished names and save. Run the commands:

export OPENSSL_CONF=~/myCA/servercert.cnf
openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM

Enter a PEM passphrase again. After this, copy the temporary private key into an unencrypted key with this command:

openssl rsa < tempkey.pem > server_key.pem

As prompted, give it the same passphrase as given above.

Now we can SIGN the certificate! First switch back to the CA configuration:

export OPENSSL_CONF=~/myCA/caconfig.cnf

And then sign the certificate with this command:

openssl ca -in tempreq.pem -out server_crt.pem

Remove the temporary key and request:

rm -f tempkey.pem && rm -f tempreq.pem

And there you have it, a signed certificate!

Step 3. Apache HTTPS Configuration

OpenSSL is now properly set up on our server machine. Next let’s configure Apache to accept our lord and savior, SSL.

This is done really easily, just run the following commands:

sudo a2enmod ssl
sudo a2ensite default-ssl
sudo /etc/init.d/apache2 restart
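Added example (not from the original post): a few checks to run after signing in Step 2, plus a check of the Apache SSLProtocol line that the intro's SSL 3.0 note calls for. It builds a throwaway CA and server certificate as constructed test data, using `openssl x509 -req` in place of the post's config-driven `openssl ca`, and assumes `openssl` is on the PATH; on the real server point the functions at ~/myCA/cacert.pem, server_crt.pem and server_key.pem.

```shell
# Added example: post-signing checks. The throwaway CA and server cert below
# are constructed test data (non-interactive, no passphrase); on the real
# server use ~/myCA/cacert.pem, server_crt.pem and server_key.pem instead.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/server_key.pem" -out "$1/tempreq.pem" 2>/dev/null
    # "openssl x509 -req" signs the CSR without needing caconfig.cnf
    openssl x509 -req -days 365 -in "$1/tempreq.pem" -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -CAcreateserial -out "$1/server_crt.pem" 2>/dev/null
}

# Does the server certificate chain to the CA certificate? Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Does the private key belong to the certificate? Both commands print
# "Modulus=<hex>", equal only for the matching pair. Prints MATCH or MISMATCH.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || true)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo MATCH; else echo MISMATCH; fi
}

# RSA size of the certificate's public key; the post's rsa:1024 is below the
# 2048-bit minimum browsers and CAs expect today, so check before deploying.
cert_key_bits() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Is SSLv3 off in an Apache SSL config (see the intro)? "all" without
# "-SSLv3" leaves it on; a TLS-only list turns it off. Prints yes or no.
sslv3_disabled() {
    line=$(grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    case "$line" in
        *-SSLv3*)         echo yes ;;
        ""|*all*|*SSLv3*) echo no ;;
        *)                echo yes ;;
    esac
}
DEMO=$(mktemp -d)
make_demo_pki "$DEMO"
printf 'SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n' > "$DEMO/default-ssl.conf"  # constructed
printf 'SSLEngine on\nSSLProtocol all\n' > "$DEMO/weak-ssl.conf"                   # constructed
echo "chain=$(verify_chain "$DEMO/cacert.pem" "$DEMO/server_crt.pem")" \
     "key=$(key_matches_cert "$DEMO/server_key.pem" "$DEMO/server_crt.pem")" \
     "bits=$(cert_key_bits "$DEMO/server_crt.pem")" \
     "sslv3_off=$(sslv3_disabled "$DEMO/default-ssl.conf")"
```

A failing chain or key check after `openssl ca` usually means the request was signed with the wrong OPENSSL_CONF or the key was regenerated after the request was made.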
