Apache Secure Server (HTTPS)
Have a read of http://httpd.apache.org/docs-2.0/ssl/
The shorter HOWTO guide for a standard Red Hat (7.1) install of Apache is:
- cd /etc/httpd/conf
- mv ssl.cert/server.crt ssl.cert/server.crt.old
- mv ssl.key/server.key ssl.key/server.key.old
- make genkey
- make testcert
which takes a little less than 2 minutes!
Mandrake 10.0
server.crt and server.key are under /etc/ssl/apache and the script to generate the certificate is /usr/lib/ssl/apache2-mod_ssl/gentestcrt.sh
-- Frank Dean - 20 Oct 2004
Debian Woody
Execute:
- /usr/sbin/ssl-certificate
and follow the instructions.
-- Frank Dean - 31 Jan 2005
Generating with Openssl
If suitable scripts aren't available for your distribution, or you'd like to better understand the mechanisms used, this section gives some brief pointers.
The HOWTOs listed at http://www.openssl.org/docs/HOWTO/ are very brief and to-the-point and well worth reading. This is a very short summary of those guides.
See also: OpenSSL Certificate Authority — Jamie Nguyen.
Generating public and private keys
See http://www.openssl.org/docs/HOWTO/keys.txt
Generate the private RSA key, in this case without a password:
- openssl genrsa -out privkey.pem
To generate with a password:
- openssl genrsa -des3 -out privkey.pem
To create something more secure, seed the random number generator with some extra random data (the seed file is passed with -rand; genrsa takes no other positional argument besides an optional key size):
- cat /dev/random > seedfile # Interrupt after a while with CTRL-C
- openssl genrsa -rand seedfile -out privkey.pem
Remove Private Key Password
- openssl rsa -in oldprivkey.pem -out nopassprivkey.pem
Change Private Key Password
- openssl rsa -in oldprivkey.pem -des3 -out newprivkey.pem
Generating a certificate
- (Consider using http://tinyca.sm-zone.net/ - apt-get install tinyca as an alternative)
-- Frank Dean - 26 Jan 2007
Alternatively, just use the /usr/sbin/apache2-ssl-certificate script that is included in Debian 3.1 (Sarge) apache2-common package
-- Frank Dean - 17 Apr 2007
See http://www.openssl.org/docs/HOWTO/certificates.txt
Create a certificate request
This creates a PEM-formatted certificate signing request (CSR, not yet a certificate), which is sent to a Certificate Authority for signing before the signed certificate is returned to you.
- openssl req -new -key privkey.pem -out cert.csr
Creating a self-signed certificate
- openssl req -new -x509 -key privkey.pem -out cacert.pem -days 365
Create the Apache certificate
The Apache certificate contains both the private key and the certificate.
- cat privkey.pem cacert.pem > apache.pem
Installing the certificate will vary by distribution, but for Debian Woody, install it with perms 600, owned by root in /etc/apache-ssl/
Creating a mini Certificate Authority
Create a self-signed certificate to use as the root CA
- openssl req -new -x509 -key privkey.pem -out rootca.pem -days 365
Create a certificate request
- openssl req -new -key privkey.pem -out cert.csr
or with SHA1 instead of MD5
- openssl req -new -sha1 -key privkey.pem -out cert.csr
Sign the certificate request
- openssl x509 -req -in cert.csr -extensions v3_usr -CA rootca.pem -CAkey privkey.pem -CAcreateserial -out signedcert.pem -days 365
Viewing a certificate
- openssl x509 -in signedcert.pem -noout -text
Viewing a certificate request
- openssl req -in cert.csr -noout -text
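As an added example (not from the original page, and not Frank Dean's own commands), here is the mini CA above carried through with one key for the CA and a different key for the server, with the extensions a browser expects on each certificate, and checked with openssl verify; the file names, the 2048-bit key size and the hostname www.example.test are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): build a throwaway mini CA with
# a separate CA key and server key, sign a server CSR with proper extensions,
# assemble the Apache PEM, and verify the chain. File names and the 2048-bit
# key size are assumptions; www.example.test is a constructed hostname.
mini_ca_demo() (
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1
    # Extension sections: the root must be marked CA:TRUE, the server cert
    # CA:FALSE with a SAN, so browsers and "openssl verify" treat it correctly.
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Mini Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # Root CA: its own private key, self-signed with the CA extensions.
    openssl genrsa -out rootca.key 2048 2>/dev/null || exit 1
    openssl req -new -x509 -config ext.cnf -extensions ca_ext \
        -key rootca.key -out rootca.pem -days 365 -sha256 || exit 1
    # Server: a different key, a CSR, then sign the CSR with the CA key.
    openssl genrsa -out privkey.pem 2048 2>/dev/null || exit 1
    openssl req -new -config ext.cnf -subj "/CN=www.example.test" \
        -key privkey.pem -out cert.csr || exit 1
    openssl x509 -req -in cert.csr -CA rootca.pem -CAkey rootca.key \
        -CAcreateserial -extfile ext.cnf -extensions server_ext \
        -out signedcert.pem -days 365 -sha256 2>/dev/null || exit 1
    # Apache wants key + certificate in one file, readable by root only.
    cat privkey.pem signedcert.pem > apache.pem && chmod 600 apache.pem || exit 1
    # Checks: the chain verifies against the root, and the leaf is not a CA.
    openssl verify -CAfile rootca.pem signedcert.pem >/dev/null || exit 1
    openssl x509 -in signedcert.pem -noout -text | grep -q 'CA:FALSE' || exit 1
    cd / && rm -rf "$work"
    echo ok
)
```

Run `mini_ca_demo` in a shell with openssl on the PATH; it prints "ok" only when the signed certificate verifies against the root and carries CA:FALSE.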
The test certificate is basically a 'self-signed' certificate, which is considered to be insecure in an Internet environment, as it doesn't prove who you are. However, it does work.
Now, to get a trusted certificate you need to go to someone like Verisign - but this isn't cheap. Fortunately it can be done cheaper...
Check out http://easily.co.uk/ However, they want to validate all php scripts before they'll let them go live. Check in case they have changed the policy on this. I suspect they will.
Also http://www.comodogroup.com/products/certificate_services/index.html
Also some certificates are issued for a specified IP address, which would be no good for a server running dynamic DNS. The certificate must be issued by a Certificate Authority (CA) which is recognised by the browser. Internet Explorer and Mozilla are set up by default to recognise a number of CAs but not all. A CA can issue a certificate to someone else that allows them to act as a CA. That would be OK as long as the browser 'trusts' the root CA.
To see what CAs Internet Explorer accepts, go to Tools -> Internet Options, then the 'Content' tab and select 'Certificates' - there are two tabs, 'Intermediate Certificate Authorities' and 'Trusted Root Certificate Authorities'. Unsurprisingly, Microsoft have made themselves trusted CAs by default!! In the latest Mozilla (1.4.1) it's under Edit -> Preferences, then 'Privacy & Security -> Certificates', then 'Manage Certificates', then the 'Authorities' tab. If you accept my certificate as a permanently 'trusted' certificate - it ought to operate identically to the real thing. Only trouble is, I had problems in the past with Internet Explorer not treating such certificates quite the same as the real thing when I was trying to do things with ActiveX.
Searching Google, limiting the search to your country (there are some country-specific Googles, e.g. http://www.google.co.uk), for something like 'certificate authority ssl' should give you plenty.
Check with your ISP. Many are including HTTPS for free.
Apache2
apache2-ssl-certificate will create /etc/apache2/ssl/apache.pem
See also:
- https://wiki.debian.org/Self-Signed_Certificate
- man make-ssl-cert (Debian Sarge) (/usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem)
- http://www.ianmiller.net/article.php?id=13
In Debian 7.x (Wheezy) the ssl-cert package can be used to create self-signed certificates. See 'Creating self-signed certificates' in /usr/share/doc/apache2.2-common/README.Debian.gz.
-- Frank Dean - 30 Aug 2014
Resources
- Apache 2.0 mod_ssl reference
- Apache 2.0 SSL docs
- SSLPassPhraseDialog Directive
-- Frank Dean - 09 May 2007
-- Frank Dean - 06 Jan 2004
Related Topics: ApacheHints, LetsEncrypt