Create certificates for Apache2: Difference between revisions

From WickyWiki
← Older editNewer edit →
mNo edit summary
mNo edit summary
Line 3: Line 3:
[[Category:Ubuntu Guide]]
[[Category:Ubuntu Guide]]
[[Category:201111]]
[[Category:201111]]
Create and configure certificates for Apache2 webserver.
 
=General information=


Sources:
Sources:
Line 18: Line 19:
* https://bugzilla.mozilla.org/show_bug.cgi?id=403220
* https://bugzilla.mozilla.org/show_bug.cgi?id=403220


== Location ==
=Location=


These scripts are executed as root in the directory '/etc/apache2/ssl'. This directory will only be accessible with root privileges to protect the encryption keys:
These scripts are executed as root in the directory '/etc/apache2/ssl'. This directory will only be accessible with root privileges to protect the encryption keys:
Line 24: Line 25:
<syntaxhighlight lang=bash>
<syntaxhighlight lang=bash>
sudo -i
sudo -i
mkdir /etc/apache2/ssl
mkdir /root/apache2ssl
chown root:root /etc/apache2/ssl
chown root:root /root/apache2ssl
chmod 700 /etc/apache2/ssl
chmod 700 /root/apache2ssl
cd /etc/apache2/ssl
cd /root/apache2ssl
</syntaxhighlight>
</syntaxhighlight>


From here on we will continue with root privileges.
From here on we will continue with root privileges.


== Configuration file ==
=Configuration file=


Create certificate configuration file 'create_ssl.conf'. This is not mandatory but will simplify the process:
Create certificate configuration file 'create_ssl.conf'. This is not mandatory but will simplify the process:
Line 84: Line 85:
</blockquote>
</blockquote>


== Create CA certificate ==
=Create CA certificate=


Generate a self-signed certificate authority (CA) certificate, valid for 365 days. When prompted for a 'Common Name' enter your CA name, for example 'wilbertvolkers.dyndns.org CA':
Generate a self-signed certificate authority (CA) certificate, valid for 365 days. When prompted for a 'Common Name' enter your CA name, for example 'wilbertvolkers.dyndns.org CA':
Line 94: Line 95:
You will now have a file 'ca.key' with the private key of the CA and the file 'ca.cer' with its self-signed certificate. Next you need to generate a private SSL key for the server.
You will now have a file 'ca.key' with the private key of the CA and the file 'ca.cer' with its self-signed certificate. Next you need to generate a private SSL key for the server.


== Create server certificate ==
=Create server certificate=


Generate a private SSL key for the server:  
Generate a private SSL key for the server:  
Line 120: Line 121:
</syntaxhighlight>
</syntaxhighlight>


== Configure Apache2 SSL ==
=Configure Apache2 SSL=


Enable Apache2 SSL module:
Enable Apache2 SSL module:
Line 222: Line 223:
</syntaxhighlight>
</syntaxhighlight>


== How it works ==
=How it works=


Using the created keys, this is how the HTTPS session will be initiated:
Using the created keys, this is how the HTTPS session will be initiated:
Line 250: Line 251:
</pre>
</pre>


== Client certificate ==
=Client certificate=


To require a certificate on the client before allowing access we need to create a client certificate, preferably we create one for each client.
To require a certificate on the client before allowing access we need to create a client certificate, preferably we create one for each client.
Line 312: Line 313:
</syntaxhighlight>
</syntaxhighlight>


== Client certificate: add in your browser==
=Client certificate: add in your browser=


The client browser:
The client browser:
Line 320: Line 321:
* In Firefox go to Options -> Advanced -> Encryption -> View Certificates -> Your Certificates -> Import, and select the file 'client.p12'. You will need to enter the certificate password.
* In Firefox go to Options -> Advanced -> Encryption -> View Certificates -> Your Certificates -> Import, and select the file 'client.p12'. You will need to enter the certificate password.


== Force SSL when port 80 is accessed ==
=Force SSL when port 80 is accessed=


To force an SSL connection and redirect all traffic at port 80 to port 443 (HTTPS)
To force an SSL connection and redirect all traffic at port 80 to port 443 (HTTPS)

Revision as of 10:24, 15 September 2013


General information

Sources:

Also see:

Firefox seems not to allow exceptions for 2048 bit certificates saying they are invalid:

Location

These scripts are executed as root in the directory '/etc/apache2/ssl'. This directory will only be accessible with root privileges to protect the encryption keys: 

sudo -i
mkdir /root/apache2ssl
chown root:root /root/apache2ssl
chmod 700 /root/apache2ssl
cd /root/apache2ssl

From here on we will continue with root privileges.

Configuration file

Create certificate configuration file 'create_ssl.conf'. This is not mandatory but will simplify the process: 

gedit create_ssl.conf
[ req ]
default_md = sha1
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Netherlands
countryName_default = NL
countryName_min = 2
countryName_max = 2
localityName = Locality
localityName_default = NB
organizationName = Organization
organizationName_default = wilbertvolkers
commonName = Common Name
commonName_default = wilbertvolkers.dyndns.org
commonName_max = 64

[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
crlDistributionPoints = @crl

[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
crlDistributionPoints = @crl

[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
nsCertType = client
crlDistributionPoints = @crl

[ crl ]
URI=http://wilbertvolkers.dyndns.org/ca.crl

Create CA certificate

Generate a self-signed certificate authority (CA) certificate, valid for 365 days. When prompted for a 'Common Name' enter your CA name, for example 'wilbertvolkers.dyndns.org CA': 

openssl req -config ./create_ssl.conf -newkey rsa:1024 -nodes -keyform PEM -keyout ca.key -x509 -days 365 -extensions certauth -outform PEM -out ca.cer

You will now have a file 'ca.key' with the private key of the CA and the file 'ca.cer' with its self-signed certificate. Next you need to generate a private SSL key for the server.

Create server certificate

Generate a private SSL key for the server: 

openssl genrsa -out server.key 1024

To generate a Certificate Signing Request in PKCS#10 use the following command, as 'Common Name' specify the host-name, for example 'wilbertvolkers.dyndns.org': 

openssl req -config ./create_ssl.conf -new -key server.key -out server.req

Now create a self-signed server certificate with serial number 100 (65 hexadecimal) as requested with file 'server.req': 

openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extfile create_ssl.conf -extensions server -days 365 -outform PEM -out server.cer

The file **'server.key'** contains the server's private key and the file **'server.cer'** is the certificate itself. Certificate Signing Request file 'server.req' is no longer needed. 

rm server.req

Configure Apache2 SSL

Enable Apache2 SSL module: 

sudo a2enmod ssl

Configure Apache2, httpd.conf: 

gedit /etc/apache2/httpd.conf

In my case: 

gedit /etc/apache2/sites-available/wilbertvolkers.dyndns.org
NameVirtualHost _default_:443

##Encryption randomization
## *http://www.modssl.org/docs/2.2/ssl_reference.html#ToC4
SSLRandomSeed startup file:/dev/urandom 1024 
SSLRandomSeed connect file:/dev/urandom 1024 
##prevents extra SSL handshakes and speeds up performance
## *http://www.modssl.org/docs/2.2/ssl_reference.html#ToC5
SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm 
SSLSessionCacheTimeout 600 

<virtualhost _default_:443>
	ServerAdmin admin@localhost

	SSLEngine On
	SSLOptions +StrictRequire
	SSLProtocol -all +TLSv1 +SSLv3 
	## Support only for strong cryptography:
	SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM 
	SSLProxyEngine off

	SSLCertificateFile    /etc/apache2/ssl/server.cer
	SSLCertificateKeyFile /etc/apache2/ssl/server.key

	DocumentRoot /var/www/
	<directory />
		SSLRequireSSL
		Options FollowSymLinks
		AllowOverride None
	</directory>

	<directory /var/www/>
		SSLRequireSSL
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
		# This directive allows us to have apache2's default start page
		# in /apache2-default/, but still have / go to the right place
		# Commented out for Ubuntu
		#RedirectMatch ^/$ /apache2-default/
	</directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<directory "/usr/lib/cgi-bin">
		SSLRequireSSL
		AllowOverride None
		Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</directory>

	##Possible values include: 
	## debug, info, notice, warn, error, crit, alert, emerg.
	LogLevel warn

	ErrorLog /var/log/apache2/error.log
	CustomLog /var/log/apache2/access.log combined
	ServerSignature On

	#mediawiki
	Alias /mediawiki/ "/var/www/mediawiki/"
	<directory "/var/www/mediawiki/">
		SSLRequireSSL
		Options Indexes MultiViews FollowSymLinks
		AllowOverride None
		Order deny,allow
		Deny from all
		Allow from 127.0.0.0/255.0.0.0 ::1/128
	</directory>
</virtualhost>

Restart Apache2: 

sudo service apache2 restart

How it works

Using the created keys, this is how the HTTPS session will be initiated:

  1. The client requests content from the Web Server using HTTPS.
  2. The web server responds with a Certificate which includes the server's public key (file 'server.cer')
  3. The client checks to see if the certificate has expired.
  4. The client checks if the Certificate Authority that signed the certificate, is a trusted authority listed in the browser.
  5. The client then checks to see if the Fully Qualified Domain Name (FQDN) of the web server matches the Comman Name (CN) on the certificate.
    • In the case of a self-signed certificate the client will give a warning and ask explicitly to accept or deny it.
  6. If everything is successful the SSL connection is initiated.
    • Data as send by the Web Server will be encrypted with the private key (file 'server.key') and can only be decrypted using the public key (file 'server.cer')
    • Vice versa, data send by the client will be encrypted with the public key (file 'server.cer') and can only be decrypted using the private key (file 'server.key')


WEB SERVER   <--- request ----  CLIENT

certificate  -- certificate ->  check certificate
			 
private key                     public key
       data  ----- data ----->  data 
 ENcryption                     DEcryption

private key                     public key
       data  <---- data ------  data 
 DEcryption                     ENcryption

Client certificate

To require a certificate on the client before allowing access we need to create a client certificate, preferably we create one for each client.

Generate private key for SSL client: 

openssl genrsa -out client.key 1024

You need to generate a Certificate Signing Request. You can use your clients full name as a Common Name: 

openssl req -config ./create_ssl.conf -new -key client.key -out client.req

Create a self-signed Certificate Authority client certificate with serial number 101 (66 hexadecimal): 

openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile create_ssl.conf -extensions client -days 365 -outform PEM -out client.cer

Package a client's private key and certificate into a PKCS#12 format. The certificate will be secured by a password which will be needed to import the certificate into the web browser: 

openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

File 'client.p12' contains a private key and the client's certificate, the files 'client.key', 'client.cer' and 'client.req' are no longer needed: 

rm client.key client.cer client.req

Configure Apache2, add the following lines to httpd.conf: 

gedit /etc/apache2/httpd.conf
...
<virtualhost _default_:443>
	...
	##SSL
	...
	##require client authentication (two-way handshake)
	SSLVerifyClient require
	SSLVerifyDepth 1
	SSLCACertificateFile /etc/apache2/ssl/ca.cer	
	...
</virtualhost>

Restart Apache2: 

service apache2 restart

Client certificate: add in your browser

The client browser:

  • Add the webserver certificate by adding an exception.

In case of a client certificate you will have no access to the server just yet, import your client certificate into your browser:

  • In Firefox go to Options -> Advanced -> Encryption -> View Certificates -> Your Certificates -> Import, and select the file 'client.p12'. You will need to enter the certificate password.

Force SSL when port 80 is accessed

To force an SSL connection and redirect all traffic at port 80 to port 443 (HTTPS)

Enable module rewrite: 

a2enmod rewrite
gedit /etc/apache2/sites-available/default

Add the following within the virtual host at the end: 

<VirtualHost *:80>
	...
	##redirect port 80 to HTTPS
	RewriteEngine   on
	RewriteCond     %{SERVER_PORT} ^80$
	RewriteRule     ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</Virtualhost>

Restart Apache2: 

sudo service apache2 restart
Retrieved from "https://wjv.duckdns.org/mediawiki/index.php?title=Create_certificates_for_Apache2&oldid=1989"