You will be creating a private key to be used by the Apache server. You need to decide if you are willing to rely on Unix file system security to keep that file safe. I am going to do that in the following example, because the only way it could be violated would be either: I liberalize one specific file system permission while logged in as root, or someone breaks the root account. The first seems unlikely, and in the case of the second, I would have bigger things to worry about.
The alternative would require you to type a pass phrase every time you start the Apache web server process. No unattended reboots.
1. Change to the SSL directory. You can put this wherever you want, just make sure that you adjust details of other steps accordingly:
# cd /etc/ssl
2. Create a key for the server. The following makes a 2048-bit RSA private key:
# openssl genrsa -out server.key 2048
3. Create a Certificate Signing Request (CSR). The following creates a request for a one-year (365 days) certificate. Answer the X.509v3 questions appropriately:
# openssl req -new -x509 -days 365 -key server.key -out server.csr
Note that the -x509 option makes openssl emit a self-signed certificate rather than a bare request, which is why the output in step 5 shows an Issuer, a Validity period and a signature. To produce a plain CSR for submission to a CA, omit -x509 and -days (the CA sets the validity period).
4. Make the files root-read-only:
# chmod 700 /etc/ssl
# chmod 600 server.*
5. Verify things so far, if you want:
# openssl x509 -text -in server.csr -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
c3:9c:81:c1:da:44:34:d1
Signature Algorithm: md5WithRSAEncryption
Issuer: C=us, ST=Indiana, L=West Lafayette,
O=Cromwell International, OU=Underground Lair,
CN=www.cromwell-intl.com/emailAddress=bob.cromwe11@comcast.net
Validity
Not Before: Apr 2 22:41:25 2009 GMT
Not After : Apr 2 22:41:25 2010 GMT
Subject: C=us, ST=Indiana, L=West Lafayette,
O=Cromwell International, OU=Underground Lair,
CN=www.cromwell-intl.com/emailAddress=bob.cromwe11@comcast.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a9:7b:09:ab:ef:43:93:39:4a:aa:5c:30:6d:2a:
da:0a:bf:5a:d7:8e:9b:9a:ce:db:e6:b7:83:82:6e:
8d:27:82:5e:29:62:84:a5:01:a8:c8:8b:ce:6b:1f:
79:ff:b5:54:af:09:2e:ca:c8:8a:88:5d:f6:e3:1d:
4c:8d:84:f1:fd:c5:20:94:ec:59:c0:b5:24:9f:43:
a3:c3:3a:54:e0:43:60:b3:34:aa:ed:80:db:8d:30:
ad:0c:68:e6:dd:a4:b6:a5:44:8a:21:be:c7:b1:2f:
55:e8:07:e7:92:b6:6d:7a:a3:29:bb:b9:7f:c8:9e:
a3:ce:be:c5:51:f9:01:04:93:d9:0c:48:aa:41:f4:
c2:48:38:4a:e7:78:41:8f:11:74:f5:f1:26:b3:fb:
27:63:53:43:f4:48:87:f8:40:50:ec:a6:d0:74:c6:
95:57:5c:e7:86:7f:d2:60:aa:fe:b2:63:2f:e9:7f:
87:6d:f9:89:2f:8c:8f:ca:5e:e3:cc:b6:6a:f5:9b:
0b:d8:2b:55:b5:74:bc:8a:1f:0a:ac:85:6f:02:e3:
09:71:92:75:00:5d:55:1a:cd:63:8b:2c:16:d0:8a:
4b:ba:84:a2:ed:79:bb:7d:e5:d5:5d:2f:29:37:8b:
fc:0b:e4:d4:ff:2e:36:e4:d4:cf:7b:fb:fb:51:e8:
68:43
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
23:8c:48:d8:a8:e4:f0:f3:2d:9e:5f:f1:51:0e:c1:ac:72:7c:
b0:85:57:4a:67:e5:f9:51:ff:65:5b:78:e6:54:e1:67:13:d1:
c5:45:ba:5e:78:b3:67:07:20:c4:b8:24:df:9b:96:36:9f:e2:
7a:a0:5e:13:c4:5d:ab:57:94:66:34:ad:06:34:d6:45:e4:92:
c2:5a:52:65:70:f1:59:29:a1:f6:c1:b1:4a:8e:3f:b7:d7:1d:
07:33:2c:8a:a2:ae:82:97:d8:26:fb:99:08:0c:ea:ae:29:5d:
e5:43:2d:32:7b:35:e2:12:10:1f:df:37:14:ba:db:18:07:11:
4d:8c:78:00:05:4b:e6:e8:bc:e2:04:ca:86:47:bb:a7:61:c5:
7d:73:53:e7:5a:7a:3b:a2:31:cc:51:31:d7:b6:ba:00:79:5e:
7c:3c:75:91:0c:bd:6c:e5:bb:50:41:1e:22:c6:0c:e2:d8:94:
b9:d5:c3:5d:cd:15:a8:ef:33:2b:d9:90:c3:d3:ea:b7:8e:2a:
a0:28:62:63:69:c9:17:01:2a:79:e7:11:8f:0c:aa:58:ef:23:
4d:47:2a:aa:5f:f4:da:ea:ff:92:23:99:9d:d2:9c:c7:e9:68:
5f:4c:a1:f2:4a:d7:cd:99:c1:c7:c1:9b:fc:f6:c2:c0:57:81:
70:09:ac:bf
6. Send the Certificate Signing Request to your CA (Certificate Authority) according to their procedure, and wait patiently. This is the file server.csr. The CA will require you to prove that the CSR is associated with your identity. So, this might involve going to visit your CA while carrying strong credentials of personal or corporate identity and a USB storage device holding the file. Or, more conveniently, if you already have some relationship with your CA including possession of each other's PGP public keys, sending the CSR as a signed attachment to an encrypted e-mail.
7. When your CA provides your certificate, install it as /etc/ssl/server.crt
8. Edit /var/www/conf/httpd.conf and modify the following lines:
# Turn on SSL
SSLEngine on

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time.
SSLCertificateFile /etc/ssl/server.crt

# Point SSLCertificateKeyFile at the private key.
SSLCertificateKeyFile /etc/ssl/server.key

# If your CA tells you that you need the Intermediate or Root
# certificate, install and specify it as here:
SSLCACertificateFile /etc/ssl/ca-bundle.crt
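As an added example (not from the original page), the following POSIX shell script runs the key, CSR and self-signed certificate generation from the steps above in a scratch directory and adds the checks worth doing before shipping the CSR or pointing Apache at the files: that the key and its directory carry owner-only permissions, whether the key is passphrase-protected or relies on file permissions alone, whether a given PEM file is a request or a certificate (the -x509 mix-up), and that the private key matches the certificate. The scratch directory, the subject fields, the extra file name selfsigned.crt and the function names are assumptions; it needs an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not part of the original page. Exercises the page's steps
# 1-5 in a scratch directory and adds the checks a practitioner wants before
# sending the CSR or pointing Apache at the files. Assumptions: scratch
# directory WORK (stands in for /etc/ssl), constructed subject SUBJ, the
# extra file selfsigned.crt, and an openssl binary on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=US/ST=Indiana/L=West Lafayette/O=Example Org/CN=www.example.com"  # constructed

# Owner-only permission check without GNU-specific stat flags: the first ten
# characters of ls -ld are the same on Linux and BSD. Returns 0 for 0600/0700.
owner_only() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?rw-------|?rwx------) return 0 ;;
        *) return 1 ;;
    esac
}

# A passphrase-protected PEM key carries ENCRYPTED in its header, either
# "Proc-Type: 4,ENCRYPTED" (traditional) or "BEGIN ENCRYPTED PRIVATE KEY"
# (PKCS#8). An unencrypted key relies entirely on file permissions.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Distinguish a real CSR from a certificate: openssl req parses only the
# former, openssl x509 only the latter. A file built with "req -new -x509"
# comes back as "cert" even if it is named server.csr.
pem_kind() {
    if openssl req -in "$1" -noout >/dev/null 2>&1; then
        echo csr
    elif openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo cert
    else
        echo unknown
    fi
}

# Key and certificate belong together exactly when their SubjectPublicKeyInfo
# blocks are identical; compare the PEM forms openssl prints for each.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Steps 1-4 of the page, with a real CSR (no -x509) beside the self-signed
# certificate the page's command produces (handy for testing httpd.conf
# before the CA answers).
make_material() {
    umask 077                                   # new files are owner-only from birth
    mkdir -p "$WORK" && chmod 700 "$WORK"
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -subj "$SUBJ" -out "$WORK/server.csr"
    openssl req -new -x509 -days 365 -key "$WORK/server.key" -subj "$SUBJ" \
        -out "$WORK/selfsigned.crt"
    chmod 600 "$WORK"/server.* "$WORK"/selfsigned.crt
}

main() {
    make_material
    owner_only "$WORK/server.key" && echo "server.key: owner-only permissions"
    if key_is_encrypted "$WORK/server.key"; then
        echo "server.key: passphrase-protected (Apache will prompt at start)"
    else
        echo "server.key: unencrypted, protected only by file permissions"
    fi
    echo "server.csr is a $(pem_kind "$WORK/server.csr")"
    echo "selfsigned.crt is a $(pem_kind "$WORK/selfsigned.crt")"
    key_matches_cert "$WORK/server.key" "$WORK/selfsigned.crt" && echo "key matches selfsigned.crt"
    openssl req -in "$WORK/server.csr" -noout -verify   # the CSR's self-signature checks out
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found; nothing generated" >&2
fi
```

Run it as root or as any user; WORK defaults to a fresh mktemp directory, so nothing under /etc/ssl is touched. The same pem_kind and key_matches_cert checks are the ones to run on the certificate the CA eventually returns, before it goes into httpd.conf.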
© Bob Cromwell Feb 2012. Created with /bin/vi and ImageMagick, hosted on OpenBSD with Apache.