version 26, including all changes.
.
| Rev |
Author |
# |
Line |
| 20 |
JohnMcPherson |
1 |
[SSL] stands for Secure Socket Layer. Its used for secure communications between SSL-enabled clients and servers. Typical examples of its use |
| 26 |
LawrenceDoliveiro |
2 |
include [HTTPS], [POP|POP3]S, [LDAP]S, and so on. If you are doing any network-based authentication, you should be doing it over SSL. Ideally, you want |
| |
|
3 |
all network-enabled services (http, smtp, pop, samba, ldap) running over it. Slim chance, I know. :) (This is what [DNSSEC] is supposed to be for.) |
| 17 |
JohnMcPherson |
4 |
|
| 23 |
MattBrown |
5 |
---- |
| |
|
6 |
A good tutorial for setting up a CertificationAuthority under Debian is at: http://www.debian-administration.org/articles/284 |
| 17 |
JohnMcPherson |
7 |
---- |
| |
|
8 |
|
| |
|
9 |
Basic description: You have a certificate, which is signed by some CA (Certificate Authority). This certificate has both a public key (which is |
| |
|
10 |
signed by the CA), and a private key. When a client makes a connection to your SSL-enabled server, the server passes the public key along the client, |
| |
|
11 |
and the client then encrypts everything using this public key. The server then decrypts it using the private key. |
| |
|
12 |
|
| |
|
13 |
Someone can add a better description if they want. |
| |
|
14 |
|
| |
|
15 |
---- |
| |
|
16 |
Tricky points to note: |
| |
|
17 |
|
| |
|
18 |
apache-ssl has a ssl-certificate program which will generate a self-signed key for use. It expires a year after install, so you'll need to recreate it |
| |
|
19 |
every year (using ssl-certificate --force), and its not signed by anything, so it'll generate an error every time a browser goes to it - the browser will |
| |
|
20 |
complain about it not being signed. You can get around this by either creating your own CA and getting people to add it to the CA list in their browsers, |
| |
|
21 |
or by finding someone else who has a CA and asking them to trust you. |
| |
|
22 |
|
| |
|
23 |
Also, if the key is assigned to the wrong domain (eg, its assigned to www.wlug.org.nz and I try to connect to https://mail.wlug.org.nz/ ) it'll generate another error. Simple fix - generate the key for the higher-level domain. EG, wlug.org.nz. It no longer complains :) |
| |
|
24 |
|
| |
|
25 |
Note that the above workaround only works under mozilla, it seems. IE complains about the cert not matching. |
| |
|
26 |
|
| |
|
27 |
---- |
| |
|
28 |
|
| |
|
29 |
Setting up a CA (Certificate Authority) isn't too hard: |
| |
|
30 |
|
| |
|
31 |
On my Debian Woody (3.0) system: |
| |
|
32 |
|
| 25 |
DanielLawson |
33 |
<pre> |
| 17 |
JohnMcPherson |
34 |
cd /etc/ssl |
| |
|
35 |
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem |
| 25 |
DanielLawson |
36 |
</pre> |
| 17 |
JohnMcPherson |
37 |
|
| |
|
38 |
And answer the questions asked - sensibly |
| |
|
39 |
|
| |
|
40 |
NOTE: Make sure you keep your CA's private key *private*. :) |
| |
|
41 |
|
| |
|
42 |
Also: Unless you tell it otherwise, it creates the key as valid for for one month. use -days n to make it valid for n days. -days 7000 is a good start.... :) |
| |
|
43 |
|
| |
|
44 |
---- |
| |
|
45 |
|
| |
|
46 |
If all you want to do is create a self-signed certificate for apache, use ssl-certificate. |
| |
|
47 |
|
| |
|
48 |
---- |
| |
|
49 |
|
| |
|
50 |
Setting up a key for apache and signing it against your CA generated above is also easy: |
| |
|
51 |
|
| |
|
52 |
(again, Debian Woody system) |
| |
|
53 |
|
| 25 |
DanielLawson |
54 |
<pre> |
| 17 |
JohnMcPherson |
55 |
openssl req -new -config ./openssl.cnf -nodes -out ./apache-req.pem -keyout ./apache-key.pem |
| 25 |
DanielLawson |
56 |
</pre> |
| 17 |
JohnMcPherson |
57 |
|
| |
|
58 |
And answer the questions appropriately. This has create the certificate request (apache-req.pem) and the private key (apache-key.pem) |
| |
|
59 |
Note that when it asks for your common name or CN, put the hostname or domain you are creating your ssl key for. |
| |
|
60 |
|
| |
|
61 |
To sign: |
| |
|
62 |
|
| 25 |
DanielLawson |
63 |
<pre> |
| 17 |
JohnMcPherson |
64 |
openssl x509 -req -in apache-req.pem -out apache-cert.pem -signkey apache-key.pem \ |
| |
|
65 |
-CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 |
| 25 |
DanielLawson |
66 |
</pre> |
| 17 |
JohnMcPherson |
67 |
|
| |
|
68 |
This signs it against the cacert and key. It also specificies that it will expire in 365 days time. |
| |
|
69 |
|
| |
|
70 |
And finally: |
| |
|
71 |
|
| 25 |
DanielLawson |
72 |
<pre> |
| 17 |
JohnMcPherson |
73 |
cp apache-cert.pem /etc/apache-ssl/apache.pem |
| |
|
74 |
cp apache-key.pem /etc/apache-ssl/apache-key.pem |
| 25 |
DanielLawson |
75 |
</pre> |
| 19 |
MattBrown |
76 |
---- |
| |
|
77 |
If you have several websites under a single domain ie (site1.domain.com, site2.domain.com) you can create a single wildcard certificate that is valid for both of them. To do this simply make the CN of the certificate *.domain.com and then install the certificate as usal. |
| |
|
78 |
|
| |
|
79 |
Remember you can't name virtual host SSL enabled sites. |
| 17 |
JohnMcPherson |
80 |
---- |
| 22 |
AlexDery |
81 |
To make a CA key available to Web browser users, add: |
| 25 |
DanielLawson |
82 |
<pre> |
| 17 |
JohnMcPherson |
83 |
!AddType application/x-x509-ca-cert pem |
| |
|
84 |
!AddType application/x-x509-ca-cert der |
| 25 |
DanielLawson |
85 |
</pre> |
| 17 |
JohnMcPherson |
86 |
to your httpd.conf or .htaccess file. This associates this [MIME] Type with *.pem and *.der files. copy your cacert.pem file onto the web server, and create a .der version for IE users with the command: |
| 25 |
DanielLawson |
87 |
<pre> |
| 17 |
JohnMcPherson |
88 |
openssl x509 -in cacert.pem -inform pem -out cacert.der -outform der |
| 25 |
DanielLawson |
89 |
</pre> |
| 24 |
MattBrown |
90 |
Then goto the [URL] for cacert.pem (if you're running netscape) or cacert.der (if you're running IE). Mozilla will pop up a dialog box asking if you trust this certificate, to which you agree, and you're done! For Internet Explorer you'll get a non-intuitive "save or open" dialog. Click Open, then click "Install Certificate" and you're done! |
| 17 |
JohnMcPherson |
91 |
|
| |
|
92 |
The difference between [PEM] and [DER] files, is that [PEM] files are base 64 encoded versions of the [DER] files and have a header and a footer. |
| |
|
93 |
|
| |
|
94 |
As of mozilla 1.x, mozilla appears to support [DER] files, so perhaps skip putting a [PEM] file there, and just use the [DER] file which will work with IE and Mozilla. [PEM] is the nicer file format, so in general try and use [PEM]. |
| |
|
95 |
---- |
| |
|
96 |
|
| |
|
97 |
Most of the above was pulled from the [Apache-SSL FAQ|http://www.apache-ssl.org/#FAQ] |
| |
|
98 |
|
| |
|
99 |
The [OpenSSL Cookbook|http://www.pseudonym.org/ssl/ssl_cook.html] was also pretty useful |
| |
|
100 |
|
| |
|
101 |
Note that neither of the above were, I thought, complete answers. After messing round with content from both I came upon a working solution. The Apache-ssl FAQ was good, but had a tyop (-sugnkey points at the wrong key to sign in their example) |
| |
|
102 |
|
| |
|
103 |
If you are running RedHat, check out [RedHats HOWTO|http://www.tldp.org/HOWTO/SSL-RedHat-HOWTO-3.html] on the subject |
| |
|
104 |
|
| |
|
105 |
---- |
| |
|
106 |
another good site, http://certificate.nikhef.nl/info/CA_gymnastics.html |
| 18 |
JonPurvis |
107 |
|
| |
|
108 |
---- |
| |
|
109 |
http://www.drh-consultancy.demon.co.uk/pkcs12faq.html has step-by-step instructions on how to create a key for use with Mozilla. |
| 26 |
LawrenceDoliveiro |
110 |
|
| |
|
111 |
---- |
| |
|
112 |
|
| |
|
113 |
[Study|http://www.darkreading.com/document.asp?doc_id=121758&f_src=darkreading_informationweek] showing that users can't be bothered paying attention to warnings about insecure sites. |
| 17 |
JohnMcPherson |
114 |
|
| |
|
115 |
---- |
| |
|
116 |
Part of CategorySecurity |
