Penguin

SSL stands for Secure Socket Layer. Its used for secure communications between SSL-enabled clients and servers. Typical examples of its use include HTTPS, POPS, LDAPS, and so on. If you are doing any network-based authentication, you should be doing it over SSL. Ideally, you want all network-enabled services (http, smtp, pop, samba, ldap) running over it. Slim chance, I know. :) (This is what DNSSEC is supposed to be for.)


A good tutorial for setting up a CertificationAuthority under Debian is at: http://www.debian-administration.org/articles/284


Basic description: You have a certificate, which is signed by some CA (Certificate Authority). This certificate has both a public key (which is signed by the CA), and a private key. When a client makes a connection to your SSL-enabled server, the server passes the public key along the client, and the client then encrypts everything using this public key. The server then decrypts it using the private key.

Someone can add a better description if they want.


Tricky points to note:

apache-ssl has a ssl-certificate program which will generate a self-signed key for use. It expires a year after install, so you'll need to recreate it every year (using ssl-certificate --force), and its not signed by anything, so it'll generate an error every time a browser goes to it - the browser will complain about it not being signed. You can get around this by either creating your own CA and getting people to add it to the CA list in their browsers, or by finding someone else who has a CA and asking them to trust you.

Also, if the key is assigned to the wrong domain (eg, its assigned to www.wlug.org.nz and I try to connect to https://mail.wlug.org.nz/ ) it'll generate another error. Simple fix - generate the key for the higher-level domain. EG, wlug.org.nz. It no longer complains :)

Note that the above workaround only works under mozilla, it seems. IE complains about the cert not matching.


Setting up a CA (Certificate Authority) isn't too hard:

On my Debian Woody (3.0) system:

 cd /etc/ssl
 openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem

And answer the questions asked - sensibly

NOTE: Make sure you keep your CA's private key private. :)

Also: Unless you tell it otherwise, it creates the key as valid for for one month. use -days n to make it valid for n days. -days 7000 is a good start.... :)


If all you want to do is create a self-signed certificate for apache, use ssl-certificate.


Setting up a key for apache and signing it against your CA generated above is also easy:

(again, Debian Woody system)

 openssl req -new -config ./openssl.cnf -nodes -out ./apache-req.pem -keyout ./apache-key.pem

And answer the questions appropriately. This has create the certificate request (apache-req.pem) and the private key (apache-key.pem) Note that when it asks for your common name or CN, put the hostname or domain you are creating your ssl key for.

To sign:

 openssl x509 -req -in apache-req.pem -out apache-cert.pem -signkey apache-key.pem \
   -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365

This signs it against the cacert and key. It also specificies that it will expire in 365 days time.

And finally:

 cp apache-cert.pem /etc/apache-ssl/apache.pem
 cp apache-key.pem /etc/apache-ssl/apache-key.pem

If you have several websites under a single domain ie (site1.domain.com, site2.domain.com) you can create a single wildcard certificate that is valid for both of them. To do this simply make the CN of the certificate *.domain.com and then install the certificate as usal.

Remember you can't name virtual host SSL enabled sites.


To make a CA key available to Web browser users, add:

 !AddType? application/x-x509-ca-cert pem
 !AddType? application/x-x509-ca-cert der

to your httpd.conf or .htaccess file. This associates this MIME Type with *.pem and *.der files. copy your cacert.pem file onto the web server, and create a .der version for IE users with the command:

 openssl x509 -in cacert.pem -inform pem -out cacert.der -outform der

Then goto the URL for cacert.pem (if you're running netscape) or cacert.der (if you're running IE). Mozilla will pop up a dialog box asking if you trust this certificate, to which you agree, and you're done! For Internet Explorer you'll get a non-intuitive "save or open" dialog. Click Open, then click "Install Certificate" and you're done!

The difference between PEM and DER files, is that PEM files are base 64 encoded versions of the DER files and have a header and a footer.

As of mozilla 1.x, mozilla appears to support DER files, so perhaps skip putting a PEM file there, and just use the DER file which will work with IE and Mozilla. PEM is the nicer file format, so in general try and use PEM.


Most of the above was pulled from the Apache-SSL FAQ

The OpenSSL Cookbook was also pretty useful

Note that neither of the above were, I thought, complete answers. After messing round with content from both I came upon a working solution. The Apache-ssl FAQ was good, but had a tyop (-sugnkey points at the wrong key to sign in their example)

If you are running RedHat, check out RedHats HOWTO on the subject


another good site, http://certificate.nikhef.nl/info/CA_gymnastics.html


http://www.drh-consultancy.demon.co.uk/pkcs12faq.html has step-by-step instructions on how to create a key for use with Mozilla.


Study showing that users can't be bothered paying attention to warnings about insecure sites.


Part of CategorySecurity

lib/main.php:944: Notice: PageInfo: Cannot find action page

lib/main.php:839: Notice: PageInfo: Unknown action