Monday, November 09, 2009

Apache SSL and Certificate Authority (CA) | Howto

Tech Blog - Here is a simple howto on creating your own CA (Certificate Authority) under CentOS 5. It should also work on other Linux distributions with changes to the paths where the commands are found. The howto covers creating a certificate authority with OpenSSL and setting up a secure website using Apache with the mod_ssl module.

For CentOS 5 you will need OpenSSL, Apache with the mod_ssl module, and the OpenSSL tools (openssl-perl). You can easily search for these packages with the yum tool (yum search). Make sure that mod_ssl is being loaded in httpd.conf.

Now let's begin with the howto.

If you have all the above packages installed on CentOS 5, the paths to the configuration files below will work for you.

Apache SSL configuration file - /etc/httpd/conf.d/ssl.conf
OpenSSL configuration file - /etc/pki/ssl.conf
CA.pl - OpenSSL Perl script tools - /etc/pki/tls/misc

Creating a new Certificate Authority

$ ./CA.pl -newca
Press Enter to create the new CA, then enter a difficult passphrase. Do not forget this passphrase.
Fill in your details and provide a sensible name for the CA.
Common Name (eg, YOUR name) []: review-ninja.com

This creates a new CA in the directory /etc/pki/CA. The CA's self-signed certificate is stored in /etc/pki/CA/cacert.pem and its private key in /etc/pki/CA/private/cakey.pem. Make sure to secure these files.

Certificate Request

Now you need a server certificate that is signed by your own CA. First, generate a certificate request. Fill in the details and make sure the "Common Name" is the hostname of the website.

$ ./CA.pl -newreq
Provide a passphrase for the server certificate.
Common Name (eg, name) []: www.hostname.com

The certificate request is in newreq.pem.

Now sign the request as the root CA:

$ ./CA.pl -sign
Enter the passphrase for the root CA.
Enter the passphrase for the server certificate.

The server certificate is placed in newcert.pem. The private key is saved in newkey.pem.

Make sure the private key is never world readable. Keep the PEM files, including newreq.pem, for later use and make sure they stay private.

$ chmod 0400 newkey.pem

Adding Certificate to your Apache ssl.conf

Look for the following lines under /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /pathto/newcert.pem
SSLCertificateKeyFile /pathto/newkey.pem
SSLCACertificateFile /pathto/cacert.pem


Make sure to uncomment the following lines as well:

SSLVerifyClient require
SSLVerifyDepth 10


Then restart Apache (/etc/init.d/httpd restart); it will ask you to enter the passphrase you used for the CA.
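The two sections above (creating the CA, request and signed server certificate, then wiring the files into ssl.conf) are illustrated by the following script. It is an added example, not code from the original post: it runs the CA.pl flow with plain openssl commands so it works unattended, using "openssl x509 -req" to sign instead of the "openssl ca" database CA.pl keeps, and then checks the three files an ssl.conf points at before httpd is restarted. It assumes openssl is on PATH; every name, path and passphrase in it is a constructed demo value, not one from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. It runs the CA.pl flow
# (new CA, server request, signed server certificate) with plain openssl
# commands so it works unattended, then checks the three files an ssl.conf
# points at before httpd is restarted. The signing step uses
# "openssl x509 -req" instead of the "openssl ca" database CA.pl keeps.
# Assumes openssl is on PATH. Every name, path and passphrase below is a
# constructed demo value, not one from the post.
set -e

CA_PASS="ca-demo-passphrase"        # constructed; pick a strong one for real use
SRV_PASS="server-demo-passphrase"   # constructed

# build_demo_pki DIR: writes DIR/cacert.pem, DIR/private/cakey.pem,
# DIR/newreq.pem, DIR/newkey.pem and DIR/newcert.pem
build_demo_pki() {
    dir="$1"
    mkdir -p "$dir/private"
    chmod 0700 "$dir/private"

    # CA.pl -newca: self-signed root whose key is encrypted with CA_PASS
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
        -subj "/CN=demo-ca.example" -passout "pass:$CA_PASS" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null

    # CA.pl -newreq: server key and request; the CN is the site hostname
    openssl req -new -newkey rsa:2048 -sha256 \
        -subj "/CN=www.example.test" -passout "pass:$SRV_PASS" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    chmod 0400 "$dir/newkey.pem"

    # CA.pl -sign: issue the server certificate from the request
    openssl x509 -req -sha256 -days 365 -in "$dir/newreq.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" \
        -passin "pass:$CA_PASS" -CAcreateserial \
        -out "$dir/newcert.pem" 2>/dev/null
}

# cert_cn CERT: print the subject CN of a certificate
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//; s/[,/].*//'
}

# file_mode FILE: octal permission bits (GNU stat, then BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_demo_conf DIR CONF: a constructed ssl.conf fragment (not the CentOS
# file) containing the directives the post says to edit, pointing at DIR
write_demo_conf() {
    cat > "$2" <<EOF
SSLCertificateFile $1/newcert.pem
SSLCertificateKeyFile $1/newkey.pem
SSLCACertificateFile $1/cacert.pem
# every client must present a certificate issued by this CA
SSLVerifyClient require
SSLVerifyDepth 10
EOF
}

# check_ssl_conf CONF: read the three certificate directives and verify
# (a) the server cert chains to the CA file, (b) the private key belongs to
# that cert, (c) the key is not group- or world-readable. Returns 0 when all
# pass and prints the first failing check otherwise.
check_ssl_conf() {
    conf="$1"
    cert=$(sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]]*//p' "$conf")
    key=$(sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]]*//p' "$conf")
    ca=$(sed -n 's/^[[:space:]]*SSLCACertificateFile[[:space:]]*//p' "$conf")

    # (a) look for the OK marker: old openssl versions exit 0 even on failure
    openssl verify -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$' \
        || { echo "$cert does not chain to $ca"; return 1; }

    # (b) compare the public key in the cert with the one derived from the key
    c=$(openssl x509 -noout -pubkey -in "$cert" | openssl sha256)
    k=$(openssl rsa -pubout -in "$key" -passin "pass:$SRV_PASS" 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ] || { echo "$key does not match $cert"; return 1; }

    # (c) permissions, as the post's chmod 0400 intends
    [ "$(file_mode "$key")" = "400" ] || { echo "$key is readable by others"; return 1; }
    return 0
}
```

Run it as `build_demo_pki /tmp/demo-ca && write_demo_conf /tmp/demo-ca /tmp/demo-ca/ssl.conf && check_ssl_conf /tmp/demo-ca/ssl.conf`. The check catches the three mistakes that most often keep httpd from starting or leave the server exposed: a certificate directive that points at a file the CA did not issue, a key that belongs to an older request than the certificate, and a key file readable by other accounts. Note that `SSLVerifyClient require` in the fragment is server-wide: once it is active, every request to the SSL host must carry a client certificate chaining to `SSLCACertificateFile`, which is what the client certificate section below provides.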

Creating Client Certificate

You can create a new newreq.pem and newkey.pem, or just use the ones you generated before. Now we will combine newcert.pem and newkey.pem and convert them into the PKCS#12 format that can be imported into our browser.

$ cat newcert.pem newkey.pem >> signing.pem
$ openssl pkcs12 -in signing.pem -out signing.p12 -clcerts -keysig -export

Enter the passphrase, then enter a password for the export. When importing the p12 file into your browser you will be asked for it again.

Now you should see a file named signing.p12. Download it to your desktop and import it into your browser, and that's it.

If you want to generate certificates for many individuals or script the process, you can use:

$ openssl pkcs12 -passin pass:yourpassphrase -in signing.pem -passout pass:yourexportpassword -out signing.p12 -clcerts -keysig -export
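The scripted PKCS#12 export above, as an added example that is not part of the original post: it bundles the certificate and its encrypted key non-interactively with -passin/-passout, then reads the bundle back to confirm it holds the expected certificate and a private key before it is handed to a user. It assumes openssl is on PATH; the names and passphrases are constructed demo values, and the client certificate is self-signed only to keep the example short (in the post's flow it would be the CA-signed newcert.pem).

```shell
#!/bin/sh
# Added example, not code from the original post. It produces the PKCS#12
# bundle the same way as the post's scripted command (-passin/-passout, so
# nothing is typed interactively) and then reads the bundle back to confirm
# it carries the expected certificate and a private key before it is handed
# to a user. Assumes openssl on PATH; names and passphrases are constructed
# demo values, not the post's.
set -e

KEY_PASS="client-demo-passphrase"   # constructed; protects newkey.pem
EXPORT_PASS="export-demo-password"  # constructed; the browser asks for this

# make_client_cert DIR NAME: client key and certificate for the demo.
# Self-signed to keep the example short; in the post's flow these are the
# CA-signed newcert.pem and its newkey.pem.
make_client_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
        -subj "/CN=$2" -passout "pass:$KEY_PASS" \
        -keyout "$1/newkey.pem" -out "$1/newcert.pem" 2>/dev/null
}

# export_p12 DIR: the post's two commands, with signing.pem written using
# '>' so a re-run replaces the file instead of appending a second copy
export_p12() {
    cat "$1/newcert.pem" "$1/newkey.pem" > "$1/signing.pem"
    openssl pkcs12 -export -clcerts -keysig -in "$1/signing.pem" \
        -passin "pass:$KEY_PASS" -passout "pass:$EXPORT_PASS" \
        -out "$1/signing.p12"
    chmod 0400 "$1/signing.pem" "$1/signing.p12"   # both hold the private key
}

# p12_cn P12: print the CN of the certificate in the bundle; prints nothing
# when the export password does not open it
p12_cn() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$EXPORT_PASS" 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null | sed 's/.*CN *= *//; s/[,/].*//'
}

# p12_has_key P12: exit 0 if the bundle contains a private key, 1 otherwise
p12_has_key() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$EXPORT_PASS" 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}
```

Run it as `make_client_cert /tmp/client alice.example.test && export_p12 /tmp/client && p12_cn /tmp/client/signing.p12`. Two points worth keeping from it when scripting the post's command: signing.pem and signing.p12 both contain the user's private key, so they should be locked down (or signing.pem removed) as soon as the bundle is built, and the read-back with `-nokeys`/`-nocerts` is a cheap way to confirm the right certificate went into each user's file before it is distributed.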

Below are some howtos on troubleshooting.

