
Apache SSL Certificates

by Neil Schneider last modified 2008-11-30 16:44

Brian Manning's presentation on generating and installing SSL certificates for Apache Webserver, using OpenSSL.

Outline of presentation given by Brian Manning at December 2002 KPLUG

References

  • mod_ssl documentation ( http://www.modssl.org/docs/2.8/, also installed locally in the htdocs directory, in Apache's ServerRoot)
  • ssltap documentation on Mozilla's website (http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html)
    • ssltap -f -s logan5.cerf.net:443 > ssltap.out

Background

An SSL certificate is a public key that has been signed by a trusted third party. When that third party (a Certificate Authority) signs your public key, it gives the person viewing your SSL-protected web site some assurance that you are who your SSL certificate says you are. You can, however, use SSL certificates without ever dealing with a trusted third party; in that case, it is up to the end user to decide whether or not to trust you.

Basics

  • show how to get openssl version (openssl shell)
  • generate a key
  • create an un-password protected key ( optional, for scripted restarts )
  • generate a CSR
  • send in the CSR to a CA to get it signed (use Verisign's test signature service; http://www.verisign.com/products/srv/trial/step1.html ), and become your own CA and sign your own certificates. When signing your own cert, describe how to change the signing length, using the openssl.cnf file
  • install the key and certificate files in apache by editing the httpd.conf file
  • check apache by using the configtest target
  • restart apache, but enter the password wrong, to show what the output looks like
  • check apache using ps
  • check things in a browser

SSL in Mozilla

  • Edit -> Preferences
  • Privacy & Security
    • SSL ( client SSL ciphers can be selected and de-selected here )
    • Certificates + Web Sites - view all of the non-CA signed SSL certificates

Chain loading in SSL v3.0

From the mod_ssl documentation:

"One of the benefits in SSL 3.0 is that it adds support of certificate chain loading. This feature allows a server to pass a server certificate along with issuer certificates to the browser. Chain loading also permits the browser to validate the server certificate, even if Certificate Authority certificates are not installed for the intermediate issuers, since they are included in the certificate chain."

Step-by-step procedure

The person applying for the certificate from a third-party CA will need the following information:

  • Country Name [The two letter ISO code; for example, the United States is 'US']
  • State or Province Name [Full State Name]
  • Locality [The city your company is in]
  • Organization name [IMPORTANT: This must be the same as what's listed with your DUNS number. If this is wrong, the Certificate Signing Request (CSR) will be REJECTED by the Certificate Authority (CA)]
  • Organizational Unit Name [What part of your company is requesting the certificate; Web Team works if you don't have anything specific]
  • Common name [This is what the server will be called on the internet, its URL or www address. Example: 'www.widgets.com']
  • E-mail address [Your contact e-mail address, in case the CA wants to contact you]
  • Phone Number [Your phone number in case the CA wants to contact you]

More information on certificate signing requests can be found here: http://www.thawte.com/getinfo/products/server/overview.html#4.

Enrollment Instructions

Ensure you have openssl installed on your system:

which openssl

Make the Apache server key (NOTE: -rand option below is only for Solaris)

    [logan5][root /usr/local/apache/conf]$ openssl \
    > genrsa -des3 -out kplug.key 1024 \
    > -rand /var/log/authlog:/var/adm/messages.0:/var/adm/messages
    Generating RSA private key, 1024 bit long modulus
    ................................................++++++
    ........................................++++++
    e is 65537 (0x10001)
    Enter PEM pass phrase: (SSL key password here)
    Verifying password - Enter PEM pass phrase: (SSL key password again to verify)

You can see the details of your private key if you issue the following command:

    [logan5][root /usr/local/apache/conf]$ openssl rsa -noout -text -in kplug.key

Now create a CSR. You will enter your information while creating it. Be sure to have the correct domain name and company name! The "Organization Name" should match what is listed with your DUNS number, if you have one. If you have a DUNS number and misspell your company name in the CSR, Verisign will reject it. The "Common Name" is the URL (the www address, e.g. 'www.widgets.com') that will be used for SSL. Leave the challenge password and optional company name blank.

    [logan5][root /usr/local/openssl/bin]$ openssl req -new -key kplug.key -out kplug.csr
    Using configuration from /usr/local/apache/ssl/ssl/openssl.cnf
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:San Diego
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Kernel Panic User's Group
    Organizational Unit Name (eg, section) []:KPLUG Admins
    Common Name (eg, YOUR name) []:www.kernel-panic.org
    Email Address []:webmaster@kernel-panic.org

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:(Hit enter)
    An optional company name []:(Hit enter)

The resulting CSR is a PEM block: a base64 body between a -----BEGIN CERTIFICATE REQUEST----- line and an -----END CERTIFICATE REQUEST----- line.

You can view the details of your CSR with:

    [logan5][root /usr/local/apache/conf]$ openssl req -noout -text -in kplug.csr

Take this CSR to Verisign and obtain a certificate. When asked for the Server Software Vendor, choose the "Apache Freeware with SSLeay" option. The resulting certificate looks like the CSR, but without the "REQUEST" part of the header and footer lines. Then copy the files:

cp kplug.key /usr/local/apache/conf/ssl.key/kplug.key

cp kplug.crt /usr/local/apache/conf/ssl.crt/kplug.crt

Enable the new key/certificate pair by editing the Apache httpd.conf file:

cd /usr/local/apache/conf

cp httpd.conf httpd.conf.DATE (where DATE is the date, eg 072700)

In the following two lines, change "server" to "kplug":

SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt

SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

Test the configuration:

/usr/local/apache/bin/apachectl configtest

Restart Apache:

/usr/local/apache/bin/apachectl restart

Immediately check to verify that Apache is running:

ps aux | grep http

Check the website in a browser:

http://server/index.html

And the now enabled SSL site:

https://server/index.html

If Apache does not like the certificate, immediately change the httpd.conf back and restart Apache.

Removing the SSL key password

To remove the passphrase on the SSL key (recommended), issue the following command:

openssl rsa -in kplug.key -out kplug.key

Then just hit Enter when prompted for a new passphrase.

Becoming your own CA

  • Create an RSA private key for your CA (it will be Triple-DES encrypted and PEM formatted):

    $ openssl genrsa -des3 -out ca.key 1024

  • You can see the details of this RSA private key via the command

    $ openssl rsa -noout -text -in ca.key

  • And you can create a decrypted PEM version (not recommended) of this private key via:

    $ openssl rsa -in ca.key -out ca.key.unsecure

  • Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):

    $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

  • sign the CSR with sign.sh (from mod_ssl source, in pkg.contrib directory)

    $ sign.sh kplug.csr
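The whole procedure above (server key, CSR, a CA of your own, signing, then the checks worth running before touching httpd.conf), together with the chain-loading point quoted from the mod_ssl documentation, as an added example that is not part of the presentation or of mod_ssl: a two-level CA (root plus intermediate) is built so that openssl verify can show why the server has to hand the issuer certificate to the browser. openssl x509 -req stands in for mod_ssl's sign.sh; the names, the 2048-bit key sizes and the scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the presentation's or mod_ssl's code): non-interactive key -> CSR -> CA
# -> signed cert -> verify, with a root CA and an intermediate issuer so the chain-loading
# point can be demonstrated. Assumes openssl on PATH; runs in a throwaway directory.
set -e
cd "$(mktemp -d)"
SUBJ="/C=US/ST=California/L=San Diego/O=Kernel Panic User's Group/OU=KPLUG Admins/CN=www.kernel-panic.org/emailAddress=webmaster@kernel-panic.org"

make_ca_hierarchy() {
    # Self-signed root: the "CA certificate" a browser would have installed.
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key root.key -out root.crt -subj "/O=KPLUG/CN=KPLUG Root CA"
    # Intermediate issuer, signed by the root. It must be marked as a CA or no chain can be built.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl genrsa -out int.key 2048 2>/dev/null
    openssl req -new -key int.key -out int.csr -subj "/O=KPLUG/CN=KPLUG Issuing CA"
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 365 -extfile ca.ext -out int.crt 2>/dev/null
}
make_server_cert() {
    # Server key written unencrypted, as the outline does for scripted restarts.
    openssl genrsa -out kplug.key 2048 2>/dev/null
    openssl req -new -key kplug.key -out kplug.csr -subj "$SUBJ"
    # -days is the "signing length"; the intermediate, not the root, signs the server cert.
    openssl x509 -req -in kplug.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days "${1:-90}" -out kplug.crt 2>/dev/null
}
# A browser holding only the root cannot validate the server cert on its own...
verify_root_only() { openssl verify -CAfile root.crt kplug.crt >/dev/null 2>&1; }
# ...but can once the server sends int.crt along with kplug.crt (chain loading; -untrusted models that).
verify_with_chain() { openssl verify -CAfile root.crt -untrusted int.crt kplug.crt >/dev/null 2>&1; }
# A key/cert mismatch is the usual reason Apache rejects the pair after httpd.conf is edited.
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in kplug.key)" = "$(openssl x509 -noout -modulus -in kplug.crt)" ]
}
# The CN is the hostname the browser compares against the URL.
cert_cn() { openssl x509 -noout -subject -nameopt RFC2253 -in kplug.crt | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }

make_ca_hierarchy
make_server_cert 90
# Issuer cert(s) the server should present alongside its own (mod_ssl: SSLCertificateChainFile).
cat int.crt > kplug-chain.crt
if verify_root_only; then echo "unexpected: verified without the issuer cert"; else echo "root only: no chain (expected)"; fi
verify_with_chain && echo "root + issuer cert: chain OK"
key_matches_cert && echo "key matches certificate for CN=$(cert_cn)"
```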

Verisign test certificate e-mail

YOUR ORDER NUMBER: 117119290

Dear VeriSign Customer:

Congratulations! Your Trial SSL Server Digital ID, issued to:

CN: WWW.TESTCOMPANY.COM

O: TEST COMPANY

OU: TESTERS

can be installed by following the instructions below.

Before using your Trial SSL Server ID, install the Test CA Root in each browser you plan to use as part of your test of SSL.

***********************************************************

  • To download the Test CA Root, go to:

http://www.verisign.com/server/trial/faq/index.html

and follow the instructions there.

  • To install your Trial SSL Server ID, go to:

http://www.verisign.com/support/install/index.html#trial

and follow the instructions there.

***********************************************************

After testing your Trial SSL Server ID, you will need to purchase a full service Server ID, available as part of VeriSign's trust solutions. Follow these easy steps to continue benefiting from VeriSign SSL Server IDs:

  • Step 1 - Visit: http://www.verisign.com/products/site/

Here you can familiarize yourself with the full range of available VeriSign Secure Site services, with packages including:

  • VeriSign Secure Site Pro and Commerce Site Pro solutions with Global IDs that enable 128-bit SSL encryption--the world's strongest--with all Microsoft and Netscape browsers.
  • VeriSign Commerce Site and Commerce Site Pro ID's bundled with VeriSign's payment processing solution, Payflow Pro. These e-commerce solutions are available at: http://www.verisign.com/products/site/commerce/
  • Additional VeriSign e-commerce services, such as the widely-recognized Secure Site Seal to post on your site as a symbol of trust. VeriSign also offers up to $250,000 of NetSure protection and Network Security auditing by Qualys. Learn more about all of VeriSign's trust solutions at: http://www.verisign.com/products/site/
  • Step 2 - Order VeriSign SSL Server IDs at:

http://www.verisign.com/products/site/secure

***********************************************************

It's that easy! If you have any questions about installing or using your Trial SSL Server ID, please contact us at 650-426-3400.

Thank you for your interest in VeriSign products!

Customer Support Department

VeriSign, Inc.

The Value of Trust (sm)

E-mail: support@verisign.com

Web: http://www.verisign.com

For sales call (650)426-5112

Fax: (650)961-8870

P.S. During testing of your VeriSign Trial SSL ID, you can receive additional technical information by downloading our new white paper on implementing SSL and payment processing solutions at: http://www.verisign.com/rsc/gd/pmt/ecomm-tech/


SSLTap Output

    Connected to logan5.cerf.net:443
    --> [
    (98 bytes of 93)
    SSLRecord { [Wed Dec 11 17:15:55 2002]
       type = 22 (handshake)
       version = { 3,1 }
       length = 93 (0x5d)
       handshake {
          type = 1 (client_hello)
          length = 89 (0x000059)
          ClientHelloV3 {
             client_version = {3, 1}
             random = {...}
             session ID = {
                length = 32
                contents = {..}
             }
             cipher_suites[9] = {
                (0x0004) SSL3/RSA/RC4-128/MD5
                (0xfeff) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
                (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0xfefe) SSL3/RSA-FIPS/DES56-CBC/SHA
                (0x0009) SSL3/RSA/DES56-CBC/SHA
                (0x0064) TLS/RSA_EXPORT1024/RC4-56/SHA
                (0x0062) TLS/RSA_EXPORT1024/DES56_CBC/SHA
                (0x0003) SSL3/RSA/RC4-40/MD5
                (0x0006) SSL3/RSA/RC2CBC40/MD5
             }
          }
       }
    }
    ]
    <-- [
    (122 bytes of 74, with 43 left over)
    SSLRecord { [Wed Dec 11 17:15:55 2002]
       type = 22 (handshake)
       version = { 3,1 }
       length = 74 (0x4a)
       handshake {
          type = 2 (server_hello)
          length = 70 (0x000046)
          ServerHello {
             server_version = {3, 1}
             random = {...}
             session ID = {
                length = 32
                contents = {..}
             }
             cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
          }
       }
    }
    (122 bytes of 1, with 37 left over)
    SSLRecord { [Wed Dec 11 17:15:55 2002]
       type = 20 (change_cipher_spec)
       version = { 3,1 }
       length = 1 (0x1)
    }
    (122 bytes of 32)
    SSLRecord { [Wed Dec 11 17:15:55 2002]
       type = 22 (handshake)
       version = { 3,1 }
       length = 32 (0x20)
       < encrypted >
    }
    ]
    --> [
    (634 bytes of 1, with 628 left over)
    SSLRecord { [Wed Dec 11 17:15:55 2002]
       type = 20 (change_cipher_spec)
       version = { 3,1 }
       length = 1 (0x1)
    }
    (634 bytes of 32, with 591 left over)
    SSLRecord { [Wed Dec 11 17:15:55 2002]
       type = 22 (handshake)
       version = { 3,1 }
       length = 32 (0x20)
       < encrypted >
    }
    (634 bytes of 586)
    SSLRecord { [Wed Dec 11 17:15:55 2002]
       type = 23 (application_data)
       version = { 3,1 }
       length = 586 (0x24a)
       < encrypted >
    }
    ]
    <-- [
    (243 bytes of 238)
    SSLRecord { [Wed Dec 11 17:15:55 2002]
       type = 23 (application_data)
       version = { 3,1 }
       length = 238 (0xee)
       < encrypted >
    }
    ]
    --> [
    (554 bytes of 549)
    SSLRecord { [Wed Dec 11 17:15:55 2002]
       type = 23 (application_data)
       version = { 3,1 }
       length = 549 (0x225)
       < encrypted >
    }
    ]
    <-- [
    (244 bytes of 239)
    SSLRecord { [Wed Dec 11 17:15:55 2002]
       type = 23 (application_data)
       version = { 3,1 }
       length = 239 (0xef)
       < encrypted >
    }
    ]
