OpenSSL
OpenSSL configuration and installation
This walkthrough shows how to build and install a private copy of OpenSSL on a Linux system, build an SSL-enabled Apache against it, create a self-signed server certificate, and configure Apache to use it.
- Un-tar the downloaded OpenSSL tarball. Remember to do your work in a private directory under /tmp. Command line: tar xvzf open*gz
- Configure OpenSSL. Command line:
cd openssl*
Command line: ./config --prefix=$HOME/openssl --openssldir=$HOME/openssl
Notes: the system OpenSSL binary is usually /usr/bin/openssl, with its libraries under /usr/lib (or /usr/lib64). We install into a separate prefix so the private build never overwrites or shadows the system copy that other programs on the machine depend on.
- Compile and install the OpenSSL libraries. Command line:
make
Command line: make install
- Remove the OpenSSL tar file and source directory as they are no longer needed.
SSL Apache 2.0 configuration and installation
- Un-tar the Apache source code. Don't forget to use a private directory under /tmp. Command line: tar xvzf httpd-*gz
- Configure Apache. Command line:
cd httpd-*
Command line: ./configure --prefix=$HOME/shttpd --enable-ssl --with-ssl=PATH
Notes: PATH in --with-ssl=PATH is the absolute path to your OpenSSL installation, i.e. the --prefix you used in the previous part ($HOME/openssl). Without it, configure picks up whatever OpenSSL headers and libraries it finds on the system, and the private build you just made goes unused.
This option can be omitted if you are using the system OpenSSL libraries.
- Compile and install Apache. Command line: make
Command line: make install
Creating a certificate for your server
A secure server requires a server certificate before it can establish secure connections. In this step you will create a self-signed certificate. If you have installed your own OpenSSL libraries, make sure that you are actually using those and not the system ones: run ~/openssl/bin/openssl version and compare it with the output of a plain openssl version; if they differ, invoke the binary by its full path (as the commands below do with ./openssl).
- Change your present working directory to the directory where you have installed OpenSSL. Command line: cd ~/openssl/bin
- Create your private server key. Command line:
./openssl genrsa -out server.key 2048
Notes: the original walkthrough generated a 1024-bit key. 1024-bit RSA has been deprecated since 2013 and public CAs no longer accept it, so use at least 2048 bits. The old -rand somefile option only seeds the generator from a file and is unnecessary on any modern system with a working /dev/urandom.
- Have a look at the contents of your generated key. Notice the different output depending on how you look at it: cat shows the PEM encoding, while the second command decodes the key and prints its modulus, exponents and CRT parameters. Command line:
cat server.key
Command line: ./openssl rsa -noout -text -in server.key
- Protect your private key from outside access. The key is stored unencrypted, so anyone who can read the file can impersonate your server. Command line: chmod 400 server.key
- Create a certificate signing request. You will be prompted for several pieces of information. Enter them to the best of your knowledge; the Common Name must be the host name clients will use to reach the server. Command line: ./openssl req -new -key server.key -out server.csr
- Look at the contents of your certificate request. As before, each of the command lines below will produce different output (PEM encoding versus the decoded subject, public key and signature). Take note of that. Command line:
cat server.csr
Command line: ./openssl req -noout -text -in server.csr
Signing the Certificate
In a real deployment you would submit the certificate signing request (not a certificate) to a certificate authority, which verifies that you control the name in it and returns a signed certificate. Since this is a walkthrough, we act as our own CA and sign the request with the server's own key. The result is a self-signed certificate: browsers will warn about it because no trusted CA vouches for it, which is fine for testing but not for a public server.
- Create a self-signed X.509 certificate. Command line: ./openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- Have a look at the certificate details:Command line: ./openssl x509 -text -noout -in server.crt
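The key, CSR and self-signed certificate steps above, collected into one script that runs without the interactive prompts and then checks the result the way you would before handing the files to Apache. This is an added example, not part of the original walkthrough; it assumes an openssl binary on PATH (override OPENSSL to point at $HOME/openssl/bin/openssl), and the subject fields, host name and directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: non-interactive server key / CSR / self-signed cert,
# plus the sanity checks worth running before copying files into Apache.
# Assumes `openssl` on PATH; set OPENSSL=$HOME/openssl/bin/openssl to use a private build.
set -eu

OPENSSL="${OPENSSL:-openssl}"

# make_server_cert DIR CN [DAYS]
# Writes DIR/server.key (mode 0400), DIR/server.csr and DIR/server.crt.
make_server_cert() {
    dir="$1"; cn="$2"; days="${3:-365}"
    mkdir -p "$dir"
    # 2048-bit key (the walkthrough's original 1024 is below today's minimum).
    # umask 077 makes the key unreadable to others from the moment it is created,
    # rather than only after a later chmod.
    ( umask 077; "$OPENSSL" genrsa -out "$dir/server.key" 2048 2>/dev/null )
    chmod 400 "$dir/server.key"
    # -subj replaces the interactive prompts. The CN must be the name clients
    # will connect to (constructed subject; replace with your own values).
    "$OPENSSL" req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$cn"
    # Self-sign the request with the same key, as the walkthrough does.
    "$OPENSSL" x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_cn CRT: print the CN from the certificate subject
# (handles both the "CN = x" and the older "/CN=x" output formats).
cert_cn() {
    "$OPENSSL" x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_matches_cert KEY CRT: succeed only if CRT carries the public key of KEY.
# A mismatched pair is the usual reason an SSL virtual host refuses to start.
key_matches_cert() {
    k=$("$OPENSSL" pkey -in "$1" -pubout 2>/dev/null)
    c=$("$OPENSSL" x509 -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}

# cert_is_self_signed CRT: issuer and subject are the same name.
cert_is_self_signed() {
    [ "$("$OPENSSL" x509 -noout -issuer -in "$1" | sed 's/^issuer=//')" = \
      "$("$OPENSSL" x509 -noout -subject -in "$1" | sed 's/^subject=//')" ]
}

# cert_valid_now CRT: succeed if the certificate has not expired.
cert_valid_now() {
    "$OPENSSL" x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Stand-alone use: sh thisscript.sh DIR CN
if [ $# -ge 2 ]; then
    make_server_cert "$1" "$2"
    key_matches_cert "$1/server.key" "$1/server.crt" && echo "key and certificate match"
    cert_is_self_signed "$1/server.crt" && echo "certificate is self-signed, CN=$(cert_cn "$1/server.crt")"
fi
```

Run it once per host name; the directory it writes is what you copy into Apache's conf directory in the next step. The three check functions are cheap to keep in a deployment script, since a key/certificate mismatch or an expired certificate is only reported by Apache at startup, after the old configuration has already been taken down.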
Installing the certificate
By default Apache expects to find the private key and certificate in its conf directory. Place the appropriate files in your server's conf directory (SERVER_ROOT below is the Apache --prefix, $HOME/shttpd).
Command line: cp server.key SERVER_ROOT/conf/server.key
Command line: cp server.crt SERVER_ROOT/conf/server.crt
Configuring Apache for SSL
- If you have not done so already, configure your server to listen on one of your ports (Listen in httpd.conf), and make sure httpd.conf includes conf/extra/httpd-ssl.conf (uncomment the Include line; if mod_ssl was built as a shared module, also its LoadModule line).
- Configure your secure server. The secure configuration is stored in the conf/extra/httpd-ssl.conf file. At least the following must be set:
· Listen: set it to one of your ports, different from the one you used for the non-encrypted Listen in httpd.conf
· VirtualHost: set it to reside at the secure port
· ServerName: within the virtual host set it to your server name (including port); the host part must match the Common Name you entered in the certificate, or clients will report a name mismatch
· SSLCertificateFile and SSLCertificateKeyFile: point them at the server.crt and server.key you copied into conf (the stock file already references conf/server.crt and conf/server.key relative to the server root)
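A minimal conf/extra/httpd-ssl.conf matching the settings listed above, given as an added example rather than the file the original page describes. The port 8443, the host name www.example.test and the install path /home/you/shttpd are assumptions; substitute the port you chose, the CN from your certificate and your own --prefix.

```apache
# Added example (not the stock httpd-ssl.conf): the minimum for one SSL virtual host.
# Assumes --prefix=/home/you/shttpd and the certificate CN www.example.test.

# Secure port; must differ from the plain-HTTP Listen in httpd.conf.
Listen 8443

<VirtualHost _default_:8443>
    # Host name including the port, matching the certificate's Common Name.
    ServerName www.example.test:8443
    DocumentRoot "/home/you/shttpd/htdocs"

    SSLEngine on
    # Reject the protocol versions with known breaks; TLS only.
    SSLProtocol all -SSLv2 -SSLv3

    # The files copied into conf in the "Installing the certificate" step.
    SSLCertificateFile    "/home/you/shttpd/conf/server.crt"
    SSLCertificateKeyFile "/home/you/shttpd/conf/server.key"
</VirtualHost>
```

Before restarting, run /home/you/shttpd/bin/httpd -t to syntax-check the configuration; a wrong path in either SSLCertificate directive is reported there rather than at the first client connection.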
