Name: OpenSSL
HomePage: http://www.openssl.org/
Function: cryptographic toolkit used to transmit private documents over the Internet
Name: Apache
HomePage: http://www.apache.org/
Function: Web server
1. Okay, first we need to make the OpenSSL directory
mkdir /etc/ssl/
2. Then we need to change into the directory
cd /etc/ssl
3. Create the server RSA private key for the SSL certificate (you will be asked for a passphrase)
openssl genrsa -des3 -out server.key 1024

4. Create a Certificate Signing Request (CSR) with the server RSA private key
openssl req -new -key server.key -out server.csr
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName". For example, when you generate a CSR for a website that will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here.

5. Make the CA: create an RSA private key for your CA
openssl genrsa -des3 -out ca.key 1024

6. Create a self-signed CA certificate (X509 structure) with the RSA key of the CA.
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

7. Use the sign.sh script to sign the server CSR as your own CA.
http://www.opensourcehowto.org/uploads/sign.sh
or copy the following code into a file and execute it
nano /tmp/sign.sh
sign.sh:
#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998 Ralf S. Engelschall, All Rights Reserved.
##
## Run it from the directory holding ca.key and ca.crt (/etc/ssl in this guide);
## the CA database files (ca.db.*) are created there on first use.

# argument line handling
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh server.csr"; exit 1
fi
CSR=$1
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
# the certificate is written next to the CSR: foo.csr -> foo.crt
case $CSR in
    *.csr ) CERT="$(echo "$CSR" | sed -e 's/\.csr$/.crt/')" ;;
    *     ) CERT="$CSR.crt" ;;
esac

# make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

# create an own SSLeay config
# (\$dir is escaped so that OpenSSL, not the shell, expands it)
cat >ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_days = 365
default_crl_days = 30
# md5 is what the 1998 script used; sha256 is the choice today
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT

# sign the certificate
echo "CA signing: $CSR -> $CERT:"
#ssleay ca -config ca.config -out $CERT -infiles $CSR
# above commented out by kcl and substituted below
openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
echo "CA verifying: $CERT <-> CA cert"
#ssleay verify -CAfile ca.crt $CERT
openssl verify -CAfile ca.crt "$CERT"

# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

# die gracefully
exit 0
8. Run the script against the server CSR, from the directory that holds ca.key and ca.crt:
./sign.sh server.csr
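The whole CA procedure of steps 3 to 8, as an added example that is neither the post's own sign.sh nor Ralf Engelschall's script: it runs without prompts and goes beyond the guide in three places. It uses 2048-bit keys and SHA-256 where the guide uses 1024 bits and MD5, it puts a subjectAltName into the CSR (browsers ignore the CommonName today) and copies it through to the signed certificate, and it finishes with two checks the guide leaves out: that the issued certificate carries the same public key as server.key, and that the SAN survived signing. The host name, passphrases and scratch directory are constructed for the demo, and it assumes OpenSSL 1.1.1 or newer (for req -addext). Passphrases on the command line show up in process listings, so a real deployment would feed them from a root-only file with -passin file:.

```sh
#!/bin/sh
# Added example, not the post's own sign.sh: steps 3 to 8 run end to end without
# prompts, with 2048-bit keys, SHA-256 and a subjectAltName on the server cert.
# Names, passphrases and the scratch directory are constructed for the demo.
# Needs OpenSSL 1.1.1 or newer (for "req -addext").
set -eu
SERVER_NAME="www.example.test"        # constructed FQDN: becomes CN and SAN
CA_PASS="demo-ca-passphrase"          # constructed; prefer -passin file:... in practice
SERVER_PASS="demo-server-passphrase"  # constructed

# write_configs DIR: a req config with real CA extensions, plus the CA config
# that sign.sh wrote inline, brought up to date (sha256, CSR extensions copied).
write_configs() {
    cat >"$1/req.cnf" <<'EOT'
[ req ]
prompt               = no
distinguished_name   = dn
x509_extensions      = v3_ca
[ dn ]
commonName           = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOT
    cat >"$1/ca.config" <<'EOT'
[ ca ]
default_ca      = CA_own
[ CA_own ]
dir             = .
new_certs_dir   = $dir/ca.db.certs
database        = $dir/ca.db.index
serial          = $dir/ca.db.serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_days    = 365
default_md      = sha256
policy          = policy_anything
copy_extensions = copy
x509_extensions = server_ext
[ policy_anything ]
commonName             = supplied
organizationName       = optional
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOT
}

# make_ca DIR: steps 5 and 6, CA key plus self-signed CA certificate
make_ca() (
    cd "$1" &&
    openssl genrsa -aes256 -passout pass:"$CA_PASS" -out ca.key 2048 &&
    openssl req -config req.cnf -new -x509 -days 365 -key ca.key \
        -passin pass:"$CA_PASS" -subj "/CN=Demo Private CA" -out ca.crt
)

# make_server_csr DIR FQDN: steps 3 and 4, FQDN as both CN and SAN
make_server_csr() (
    cd "$1" &&
    openssl genrsa -aes256 -passout pass:"$SERVER_PASS" -out server.key 2048 &&
    openssl req -config req.cnf -new -key server.key -passin pass:"$SERVER_PASS" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" -out server.csr
)

# sign_csr DIR: steps 7 and 8, the CA database setup and "openssl ca" of sign.sh
sign_csr() (
    cd "$1" &&
    mkdir -p ca.db.certs &&
    { [ -f ca.db.serial ] || echo '01' >ca.db.serial; } &&
    { [ -f ca.db.index ] || : >ca.db.index; } &&
    openssl ca -config ca.config -batch -notext -passin pass:"$CA_PASS" \
        -out server.crt -infiles server.csr
)

# verify_chain DIR: the "openssl verify" that sign.sh finishes with
verify_chain() ( cd "$1" && openssl verify -CAfile ca.crt server.crt )

# key_matches_cert DIR: the issued certificate carries server.key's public half
key_matches_cert() (
    cd "$1" &&
    a=$(openssl x509 -noout -pubkey -in server.crt) &&
    b=$(openssl pkey -pubout -in server.key -passin pass:"$SERVER_PASS") &&
    [ -n "$a" ] && [ "$a" = "$b" ]
)

# cert_has_san DIR FQDN: the SAN from the CSR survived signing
cert_has_san() ( cd "$1" && openssl x509 -noout -text -in server.crt | grep -q "DNS:$2" )

# stand-alone run in a scratch directory; the files are left there to inspect
work=$(mktemp -d)
write_configs "$work"
make_ca "$work"
make_server_csr "$work" "$SERVER_NAME"
sign_csr "$work"
verify_chain "$work"
key_matches_cert "$work"
cert_has_san "$work" "$SERVER_NAME"
echo "issued and checked: $work/server.crt"
```

The ca.config here keeps the layout of the one sign.sh generates; the differences that matter are default_md, copy_extensions (so the SAN from the CSR is carried over) and the explicit server_ext section, which marks the leaf as CA:FALSE and serverAuth so a signed server certificate cannot be turned around and used to sign further certificates.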

9. Now we need to add the following lines to the httpd.conf
nano /etc/httpd/conf/httpd.conf
httpd.conf:
DocumentRoot /var/www/html/
ServerName fedora.school.cathedral.qld.edu.au
allow from all
Options +Indexes
SSLCertificateFile /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/server.key
SSLEngine on

10. Now we need to remove the default virtual host
nano /etc/httpd/conf.d/ssl.conf
comment out everything between the opening and closing VirtualHost lines
Note: by 'comment out' I mean add '#' in front of every line.
11. Now start your Apache server. You should be asked to enter a passphrase; this is the one you entered for server.key above.
/etc/init.d/httpd start

12. When you are sure that your server is secure enough, perform two steps. First, remove the encryption from the RSA private key (while preserving the original file):
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
13. Make sure the server.key file is now only readable by root:
chmod 400 server.key
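Steps 12 and 13 with the checks a practitioner would do afterwards, as an added example that is not from the original post: the unlocked copy is written under umask 077 so it is never world-readable, not even for the moment between openssl rsa finishing and chmod running; the encrypted original is confirmed to still be encrypted, the new file is confirmed to hold the same key, and the mode is checked with find rather than stat so it works on GNU and BSD alike. The passphrase and file names are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post: steps 12 and 13 plus the checks
# that belong with them. Passphrase and paths are constructed for the demo.
set -eu

# unlock_key ENC_KEY PASS OUT: write the key without its passphrase to OUT,
# mode 0400 from the start (umask 077 covers the window before chmod)
unlock_key() {
    ( umask 077 && openssl rsa -in "$1" -passin pass:"$2" -out "$3" ) && chmod 400 "$3"
}

# is_encrypted FILE: both PEM forms ("Proc-Type: 4,ENCRYPTED" and
# "BEGIN ENCRYPTED PRIVATE KEY") carry the word ENCRYPTED; a plain key never does
is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# mode_is_0400 FILE: exact permission match, portable across GNU and BSD find
mode_is_0400() {
    [ -n "$(find "$1" -perm 400 -print)" ]
}

# same_key ENC PASS PLAIN: the unlocked file must hold the very same key,
# compared through the public halves
same_key() {
    a=$(openssl pkey -pubout -in "$1" -passin pass:"$2") &&
    b=$(openssl pkey -pubout -in "$3") &&
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# stand-alone run: constructed key in a scratch directory
d=$(mktemp -d)
openssl genrsa -aes256 -passout pass:demo -out "$d/server.key.org" 2048
unlock_key "$d/server.key.org" demo "$d/server.key"
is_encrypted "$d/server.key.org"
if is_encrypted "$d/server.key"; then echo "server.key is still encrypted" >&2; exit 1; fi
mode_is_0400 "$d/server.key"
same_key "$d/server.key.org" demo "$d/server.key"
echo "server.key unlocked, mode 0400, same key as server.key.org (in $d)"
```

Once the passphrase is gone, the file mode is the only thing standing between the key and any other local user, which is why step 13 is not optional and why the check here fails on anything but exactly 0400.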