SSLNotes
[SSL] stands for Secure Socket Layer. It's used for secure communications between SSL-enabled clients and servers. Typical examples of its use include [HTTPS], [POP|POP3]S, [LDAP]S, and so on. If you are doing any network-based authentication, you should be doing it over SSL. Ideally, you want all network-enabled services (http, smtp, pop, samba, ldap) running over it. Slim chance, I know. :) (This is what [DNSSEC] is supposed to be for.)

----

A good tutorial for setting up a CertificationAuthority under Debian is at: http://www.debian-administration.org/articles/284

----

Basic description: You have a certificate, which is signed by some CA (Certificate Authority). This certificate has both a public key (which is signed by the CA) and a private key. When a client makes a connection to your SSL-enabled server, the server passes the public key along to the client, and the client then encrypts everything using this public key. The server then decrypts it using the private key. Someone can add a better description if they want.

----

Tricky points to note:

apache-ssl has an ssl-certificate program which will generate a self-signed key for use. It expires a year after install, so you'll need to recreate it every year (using ssl-certificate --force), and it's not signed by anything, so it'll generate an error every time a browser goes to it - the browser will complain about it not being signed. You can get around this by either creating your own CA and getting people to add it to the CA list in their browsers, or by finding someone else who has a CA and asking them to trust you.

Also, if the key is assigned to the wrong domain (eg, it's assigned to www.wlug.org.nz and I try to connect to https://mail.wlug.org.nz/ ) it'll generate another error. Simple fix - generate the key for the higher-level domain, eg wlug.org.nz. It no longer complains :)

Note that the above workaround only works under mozilla, it seems. IE complains about the cert not matching.
----

Setting up a CA (Certificate Authority) isn't too hard. On my Debian Woody (3.0) system:

<pre>
cd /etc/ssl
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem
</pre>

And answer the questions asked - sensibly.

NOTE: Make sure you keep your CA's private key *private*. :)

Also: Unless you tell it otherwise, it creates the certificate as valid for one month. Use -days n to make it valid for n days. -days 7000 is a good start.... :)

----

If all you want to do is create a self-signed certificate for apache, use ssl-certificate.

----

Setting up a key for apache and signing it against your CA generated above is also easy (again, Debian Woody system):

<pre>
openssl req -new -config ./openssl.cnf -nodes -out ./apache-req.pem -keyout ./apache-key.pem
</pre>

And answer the questions appropriately. This creates the certificate request (apache-req.pem) and the private key (apache-key.pem). Note that when it asks for your common name or CN, put the hostname or domain you are creating your ssl key for.

To sign:

<pre>
openssl x509 -req -in apache-req.pem -out apache-cert.pem \
    -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365
</pre>

This signs it against the cacert and key. It also specifies that it will expire in 365 days time. (Don't add -signkey apache-key.pem here: openssl x509 treats -signkey as "self-sign with this key" and then ignores -CA/-CAkey, so you would end up with a self-signed certificate instead of one issued by your CA.)

And finally:

<pre>
cp apache-cert.pem /etc/apache-ssl/apache.pem
cp apache-key.pem /etc/apache-ssl/apache-key.pem
</pre>

----

If you have several websites under a single domain (ie site1.domain.com, site2.domain.com) you can create a single wildcard certificate that is valid for both of them. To do this simply make the CN of the certificate *.domain.com and then install the certificate as usual. Remember you can't use name-based virtual hosts for SSL-enabled sites.

----

To make a CA certificate available to Web browser users, add:

<pre>
AddType application/x-x509-ca-cert pem
AddType application/x-x509-ca-cert der
</pre>

to your httpd.conf or .htaccess file. This associates this [MIME] Type with *.pem and *.der files.
Copy your cacert.pem file onto the web server, and create a .der version for IE users with the command:

<pre>
openssl x509 -in cacert.pem -inform pem -out cacert.der -outform der
</pre>

Then go to the [URL] for cacert.pem (if you're running netscape) or cacert.der (if you're running IE). Mozilla will pop up a dialog box asking if you trust this certificate, to which you agree, and you're done! For Internet Explorer you'll get a non-intuitive "save or open" dialog. Click Open, then click "Install Certificate" and you're done!

The difference between [PEM] and [DER] files is that [PEM] files are base64 encoded versions of the [DER] files and have a header and a footer. As of mozilla 1.x, mozilla appears to support [DER] files, so perhaps skip putting a [PEM] file there, and just use the [DER] file which will work with IE and Mozilla. [PEM] is the nicer file format, so in general try and use [PEM].

----

Most of the above was pulled from the [Apache-SSL FAQ|http://www.apache-ssl.org/#FAQ]. The [OpenSSL Cookbook|http://www.pseudonym.org/ssl/ssl_cook.html] was also pretty useful. Note that neither of the above were, I thought, complete answers. After messing around with content from both I came upon a working solution. The Apache-ssl FAQ was good, but had a typo (-sugnkey points at the wrong key to sign in their example).

If you are running RedHat, check out [RedHat's HOWTO|http://www.tldp.org/HOWTO/SSL-RedHat-HOWTO-3.html] on the subject.

----

Another good site: http://certificate.nikhef.nl/info/CA_gymnastics.html

----

http://www.drh-consultancy.demon.co.uk/pkcs12faq.html has step-by-step instructions on how to create a key for use with Mozilla.

----

[Study|http://www.darkreading.com/document.asp?doc_id=121758&f_src=darkreading_informationweek] showing that users can't be bothered paying attention to warnings about insecure sites.

----

Part of CategorySecurity
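The CA, signing, wildcard and PEM/DER steps above, put together as one script so you can see how a strict hostname check (the behaviour the page attributes to IE, and what every modern browser does now) treats the "higher-level domain" certificate versus a wildcard one. This is an added example, not code from the original page or the Apache-SSL FAQ; it assumes OpenSSL 1.1.1 or later (for -verify_hostname and the subjectAltName extension file), and the hostnames are the page's own, used as constructed sample names.

```shell
#!/bin/sh
# Added example, not from the original page: a throwaway CA, two server certs signed
# against it with the CA key (no -signkey, which would self-sign instead), then chain
# and hostname checks. Assumes OpenSSL >= 1.1.1; the hostnames are the page's own.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

make_ca() {
    # Self-signed CA cert; -days overrides the short default the page warns about.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

make_server_cert() {
    # $1 = output basename, $2 = CN, remaining args = subjectAltName DNS entries
    # (modern clients match the hostname against the SANs, not the CN).
    base=$1; cn=$2; shift 2
    sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$WORK/$base-key.pem" -out "$WORK/$base-req.pem" 2>/dev/null
    printf 'subjectAltName=%s\n' "$sans" > "$WORK/$base-ext.cnf"
    openssl x509 -req -in "$WORK/$base-req.pem" -days 365 \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/$base-ext.cnf" -out "$WORK/$base-cert.pem" 2>/dev/null
}

# Succeeds only if $1-cert.pem chains to our CA and is valid for hostname $2.
check_host() {
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$2" \
        "$WORK/$1-cert.pem" >/dev/null 2>&1
}

# PEM -> DER (the form the page builds for IE users); the fingerprint must not change.
der_roundtrip_ok() {
    openssl x509 -in "$WORK/cacert.pem" -outform der -out "$WORK/cacert.der"
    a=$(openssl x509 -in "$WORK/cacert.pem" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$WORK/cacert.der" -inform der -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

make_ca
make_server_cert apex 'wlug.org.nz' 'wlug.org.nz'       # the page's "higher-level domain" cert
make_server_cert wild '*.wlug.org.nz' '*.wlug.org.nz'   # one wildcard cert for every sub-host
check_host wild www.wlug.org.nz && echo "wildcard cert matches www.wlug.org.nz"
check_host apex mail.wlug.org.nz || echo "apex cert does NOT match mail.wlug.org.nz"
```

A wildcard only covers one label, so *.wlug.org.nz matches www.wlug.org.nz and mail.wlug.org.nz but not wlug.org.nz itself; list the apex as a second SAN if the same certificate must serve both.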