How to set ssl certificate

Step 2: Creating The Server CA

Now we must create the server's CA. You should still be in the /etc/pki/tls directory; if you are not sure, run a quick pwd to find out. Next, make sure no CA left over from an earlier run is still on the system. The CA script keeps its files in ../../CA relative to this directory (that is, /etc/CA), so remove that tree:

# rm -rf ../../CA

Once that is done, we will use the shell scripts OpenSSL comes with to create a new CA:

# misc/CA -newca

The script first prompts with "CA certificate filename (or enter to create)". Go ahead and press enter. At this point the program will begin generating the CA. During this process you will be asked to enter a PEM pass phrase; create one and write it down! Once you have entered and confirmed the pass phrase you will be asked some questions about the Distinguished Name (DN). Many of the questions already have the correct values as defaults, since we edited the openssl.cnf file, so press enter until it asks for the Common Name. When asked for the Common Name, enter the server's hostname. It should look like this:

CA certificate filename (or enter to create)

Making CA certificate.
Generating a 1024 bit RSA private key
writing new private key to '../../CA/private/./cakey.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
Organization Name (eg, company) [My Secure Website Company]:
Common Name (eg, your name or your server's hostname) []:hostname

The CA for the server has been created and placed in the /etc/CA/private/cakey.pem file.

Step 3: Creating A Server Certificate Request

Now that we have the CA established, we need to make a request to create the certificate. Once again, using the shell scripts included with OpenSSL we want to run this command:

# misc/CA -newreq

Once the command has been entered, the program will begin generating the request. When asked for the PEM pass phrase, enter it and press enter. You will again be asked the same questions about the Distinguished Name (DN). Everything should be the same, except this time, when asked for the Common Name, enter the complete address of the site you wish to secure, not just the hostname: browsers compare the Common Name with the name in the URL and will warn about a mismatch. Once you have entered the Common Name you will be asked to create a Challenge Password; create one and write it down. This process should look like this:

Generating a 1024 bit RSA private key
writing new private key to 'newkey.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Berkshire Hills]:
Organization Name (eg, company) [My Secure Website Company]:
Organizational Unit Name (eg, section) [Your IT Department]:
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

The certificate request has now been created and placed in the file /etc/pki/tls/newreq.pem and the private key is in /etc/pki/tls/newkey.pem .

Step 4: Signing The Certificate

Before you move on to the next step you need to decide which of the two routes you are going to take: the self-signed certificate or a certificate signed by a trusted third party. The choice is entirely up to you. If your website is not for commercial use, you can probably get away with a self-signed certificate; however, most web browsers will not recognize it as a "trusted website" right away, since it does not carry the signature of a trusted CA. As an alternative to both the self-signed and the purchased route, I recommend looking into CACert.org, a completely public, community-driven and FREE CA that is growing.

If you want to create a self-signed certificate, go to Step 4A.

If you want a trusted certificate through a third party, go to Step 4B.

Step 4A - The Self Signed Certificate

This is a fairly simple process. Using the shell scripts we can sign our own certificate with ease by running the following command (the -sign action of the same misc/CA script used in Steps 2 and 3):

# misc/CA -sign

Once executed, the program loads the configuration from the openssl.cnf file. When it opens the CA key you will be prompted for the PEM pass phrase; enter it. The program then verifies the integrity and validity of the request data. Once it is done checking, it will ask whether you want to sign the certificate; enter "y" and continue. The whole result should look something like this:

Serial Number: 1 (0x1)
Netscape Comment:
    OpenSSL Generated Certificate
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Berkshire, O=My Secure Website Company, OU=Your IT Department,
Not Before: Dec 22 18:52:38 2006 GMT
Not After : Dec 22 18:52:38 2007 GMT
Subject: C=US, ST=Berkshire, L=Berkshire Hills, O=My Secure Website Company,
    OU=Your IT Department, CN=hostname.yourdomain.com/emailAddress=[email protected]
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
        Modulus (1024 bit):
            00:cc:91:db:ea:95:c6:d3:03:75:cd:74:b5:58:28:
            b7:df:e5:33:4b:82:53:90:b0:98:5f:14:0b:d1:1a:
            44:e4:41:0b:e8:59:f6:f9:d1:26:6a:d9:25:a5:ac:
Netscape Comment:
    OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
    CA:D9:9B:01:D2:9C:15:39:96:62:53:29:D6:6E:D8:B8:62:9D:A0:BD
X509v3 Authority Key Identifier:
    keyid:DB:B6:B7:15:40:C4:7B:14:AE:F6:CB:A9:DF:44:C3:1E:39:AE:E0:DD
-----BEGIN CERTIFICATE-----
MIIDIjCCAougAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCENvbG9yYWRvMQ0wCwYDVQQKEwRVQ0NTMRkwFwYDVQQLExBDb21w
dXRlciBTY2llbmNlMQ4wDAYDVQQDEwVDQWZjNjEkMCIGCSqGSIb3DQEJARYVY2FA
ZmM2LmNzbmV0LnVjY3MuZWR1MB4XDTA2MTIyMjE4NTIzOFoXDTA3MTIyMjE4NTIz
OFowga8xCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhDb2xvcmFkbzEZMBcGA1UEBxMQ
Q29sb3JhZG8gU3ByaW5nczENMAsGA1UEChMEVUNDUzEZMBcGA1UECxMQQ29tcHV0
ZXIgU2NpZW5jZTEbMBkGA1UEAxMSZmM2LmNzbmV0LnVjY3MuZWR1MSswKQYJKoZI
hvcNAQkBFhx3ZWJtYXN0ZXJAZmM2LmNzbmV0LnVjY3MuZWR1MIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDMkdvqlcbTA3XNdLVYKLff5TNLglOQsJhfFAvRGkTk

The certificate has now been self-signed and placed in the /etc/pki/tls directory. Both the private key and the certificate should be renamed so it is clear which server they belong to:

# mv newcert.pem hostnameCert.pem

# mv newkey.pem hostnameKey.pem

That is it! Continue on to step 5 to configure Apache to use the newly created information.
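Steps 2 to 4A as one non-interactive script, added here as an example; it is not part of the original howto and does not use the misc/CA wrapper. It calls the plain openssl subcommands with -subj so nothing is typed interactively, uses parameters that are acceptable today (2048-bit RSA and SHA-256 rather than the 1024-bit keys and sha1WithRSAEncryption shown in the 2006 output above), adds a subjectAltName, which current browsers require for name matching, and finishes with the checks worth running before the files go anywhere near Apache. WORK, SITE_FQDN, ORG and the file names inside it are made-up values for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original howto: Steps 2, 3 and 4A done
# non-interactively with plain openssl subcommands instead of misc/CA.
# Assumptions: openssl is on PATH; WORK, SITE_FQDN and ORG are made-up
# values for this demonstration, not paths or names from the howto.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SITE_FQDN="www.example.test"        # constructed: full site name, goes in CN and SAN
ORG="My Secure Website Company"

# Step 2 equivalent: the CA key and a self-signed CA certificate. The
# extension file marks it as a CA explicitly; without basicConstraints
# CA:TRUE, openssl verify rejects a v3 certificate as an issuer.
make_ca() {
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/cakey.pem" -out "$WORK/careq.pem" \
        -subj "/C=US/ST=Berkshire/O=$ORG/CN=Example Internal CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$WORK/careq.pem" \
        -signkey "$WORK/cakey.pem" -extfile "$WORK/ca.ext" \
        -out "$WORK/cacert.pem" 2>/dev/null
}

# Step 3 equivalent: server key and CSR. The CN is the full site name, as
# the howto stresses, not the bare hostname.
make_csr() {
    openssl genrsa -out "$WORK/newkey.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/newkey.pem" -out "$WORK/newreq.pem" \
        -subj "/C=US/ST=Berkshire/O=$ORG/CN=$SITE_FQDN" 2>/dev/null
}

# Step 4A equivalent: sign the CSR with the CA. The SAN is added here
# because current browsers match the URL against SAN entries, not the CN.
sign_cert() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$SITE_FQDN" \
        > "$WORK/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/newreq.pem" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/newcert.pem" 2>/dev/null
}

# Check 1: the chain must verify against the CA. The output is inspected
# rather than the exit status because old openssl versions always exit 0.
chain_verifies() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" 2>&1 | grep -q ': OK'
}

# Check 2: the signed certificate must carry the site name as a SAN entry.
cert_has_san() {
    openssl x509 -in "$WORK/newcert.pem" -noout -text 2>/dev/null | grep -q "DNS:$SITE_FQDN"
}

# Check 3: the signature algorithm actually used (the howto's 2006 output
# shows sha1WithRSAEncryption, which browsers no longer accept).
cert_sig_alg() {
    openssl x509 -in "$WORK/newcert.pem" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Runs the three steps and the checks; prints "ok" only if everything passed.
run_all() {
    make_ca && make_csr && sign_cert && chain_verifies && cert_has_san && echo ok
}

[ "${1:-}" = "demo" ] && run_all
```

Run it as sh script.sh demo. The CA certificate gets explicit basicConstraints and keyUsage extensions because openssl verify will not accept a v3 certificate as an issuer without them; the misc/CA wrapper gets the same result from the v3_ca section of openssl.cnf.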

Step 4B - The Trusted Certificate

To get a server certificate signed by a third party such as Thawte, VeriSign, GeoTrust or CACert.org, take the certificate request file created in Step 3 (/etc/pki/tls/newreq.pem). Since each CA operates differently, you will have to check how they want you to submit the data held in this file (many sites call it the CSR); most offer a simple on-line copy-and-paste form or a file upload. Once you have submitted the contents of newreq.pem you will be given back another block of text similar to what you submitted. That block is your new signed, trusted certificate.

Save it back to the /etc/pki/tls directory under a filename that makes it easy to identify, such as hostnameCert.pem.

Once you have completed this step you are ready to move on to Step 5.

Step 5: Configuring Apache To Use Your Certificates

We must now configure the Apache server to utilize SSL. The first thing we will want to do is copy our newly made certificates to the proper location. Do the following:

# cd /etc/httpd/conf

# ls -al

In the listing, look for directories called ssl.key and ssl.crt. If they do not exist go ahead and make them:

# mkdir ssl.key ssl.crt

Once you have found or created the directories, it is time to copy our certificates over:

# cp /etc/pki/tls/hostnameCert.pem ssl.crt/server.crt

# cp /etc/pki/tls/hostnameKey.pem ssl.key/server.key

Once you have copied over the files, it is time to configure the Apache server to use them. Do this:

# cd /etc/httpd/conf.d

# ls -al

You should see a file called ssl.conf. Open it with your favorite editor. There are two things that need to be changed in this file, around lines 112 and 119: the SSLCertificateFile and SSLCertificateKeyFile directives. Change the SSLCertificateFile path to /etc/httpd/conf/ssl.crt/server.crt and the SSLCertificateKeyFile path to /etc/httpd/conf/ssl.key/server.key, so that the two lines read:

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

Once these changes are made, save and quit the editor.

If we leave the configuration as it is now, SSL will work after a restart of the Apache server. However, there is a bit of a bump: each time we restart the httpd server it will ask us for the PEM pass phrase. This is fine if you are always able to attend the system, but to save you that headache let's remove the prompt. Do the following:

# cd /etc/httpd/conf/ssl.key

# cp server.key server.key.orig

# openssl rsa -in server.key.orig -out server.key

You will be asked for the PEM pass phrase; enter it and press enter. The program writes a copy of the key that no longer needs the pass phrase when Apache starts. That also means anyone who can read the file holds the server's private key, so restrict its permissions before restarting Apache:

# chmod 700 server.key

# service httpd restart

If everything was done correctly, Apache will start with no problems. Now it is time to try out your new secure website. Open your browser and navigate to https://hostname.yourdomain.com .
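The Step 5 key handling as a script, added as an example that is not part of the original howto. It builds a pass-phrase-protected key as a stand-in for hostnameKey.pem, performs the copy, strip and chmod sequence above into a scratch directory that stands in for /etc/httpd/conf, and then runs the checks worth doing before the point where the howto restarts Apache: the protected original still needs a pass phrase, the stripped copy does not, the stripped copy is unreadable by group and others, and the key pairs with the certificate in ssl.crt. CONF, PASS and the generated key and self-signed certificate are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original howto: the Step 5 key handling
# (strip the pass phrase, lock the file down) done non-interactively, plus
# the checks worth running before "service httpd restart".
# Assumptions: openssl is on PATH; CONF is a scratch directory standing in
# for /etc/httpd/conf; PASS and the key itself are constructed here rather
# than taken from Step 3.
set -eu

CONF="${CONF:-$(mktemp -d)}"
PASS="constructed-pass-phrase"

# Stand-in for the pass-phrase-protected hostnameKey.pem from Steps 3 and 4A.
make_protected_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$CONF/hostnameKey.pem" 2048 2>/dev/null
}

# An encrypted PEM key carries "ENCRYPTED" in its header. The copy Apache
# loads at boot must not, or every restart prompts for the pass phrase.
key_needs_passphrase() { grep -q ENCRYPTED "$1"; }

# Step 5: stage under ssl.key, keep the protected original beside it, write
# the unprotected copy, then restrict both. 600 is enough: nothing in a key
# file is ever executed, so the howto's 700 grants a bit that is not needed.
install_key() {
    mkdir -p "$CONF/ssl.key"
    cp "$CONF/hostnameKey.pem" "$CONF/ssl.key/server.key.orig"
    openssl rsa -in "$CONF/ssl.key/server.key.orig" -passin "pass:$PASS" \
        -out "$CONF/ssl.key/server.key" 2>/dev/null
    chmod 600 "$CONF/ssl.key/server.key" "$CONF/ssl.key/server.key.orig"
}

# Self-signed stand-in for the Step 4A certificate, so the pairing check
# below has something to compare against.
make_cert() {
    mkdir -p "$CONF/ssl.crt"
    openssl req -new -x509 -sha256 -days 365 -key "$CONF/ssl.key/server.key" \
        -subj "/CN=hostname.yourdomain.com" -out "$CONF/ssl.crt/server.crt" 2>/dev/null
}

# Once the pass phrase is gone, read access to the file is all that stands
# between a local user and the server's identity: group (040) and other
# (004) must have no read bit. find prints the path if either bit is set.
key_is_private() { [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]; }

# Apache refuses to start if SSLCertificateFile and SSLCertificateKeyFile do
# not belong together; comparing the RSA modulus catches a wrong copy early.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Runs the sequence and the checks; prints "ok" only if everything passed.
run_step5() {
    make_protected_key
    key_needs_passphrase "$CONF/hostnameKey.pem" || return 1    # start from a protected key
    install_key
    make_cert
    key_needs_passphrase "$CONF/ssl.key/server.key" && return 1 # stripped copy loads unattended
    key_is_private "$CONF/ssl.key/server.key" || return 1
    key_matches_cert "$CONF/ssl.key/server.key" "$CONF/ssl.crt/server.crt" || return 1
    echo ok
}

[ "${1:-}" = "demo" ] && run_step5
```

Run it as sh script.sh demo. On a real server the make_protected_key and make_cert stand-ins are replaced by the files from Steps 3 and 4, and the key_is_private and key_matches_cert checks are the ones to keep running against /etc/httpd/conf/ssl.key/server.key and ssl.crt/server.crt before each restart.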

If you chose a self-signed certificate, or one through CACert.org, you may get a message about the certificate not being trusted. This is normal; tell the browser to accept the certificate. Once you're on the website you should be able to view your certificate and its details.

Congratulations - you have just set up an SSL secured website!

Source: www.howtoforge.com