Apache2/SSL Certificates
Introduction
SSL - Secure Sockets Layer
The HyperText Transfer Protocol transfers everything in the clear: anyone on the path between server and client can read the data going either way. That is not necessarily a bad thing, since most content sent back and forth is meant for public viewing anyway, but some things, such as credit card numbers and passwords, must remain secret. This is where SSL comes into play.
Before any user data is transmitted, the browser tells the server which cipher suites it supports, and the server answers with its certificate. The certificate carries the server's public key. The browser uses that key to check the server's identity and to agree on a session key with it (by encrypting a secret to the public key, or by verifying the server's signature on a key-exchange message); the data itself is then encrypted with symmetric session keys, not with the certificate. The matching private key stays on the server and is never sent to the client. Anyone who obtains it can impersonate the server or, with RSA key transport, decrypt recorded traffic, so the key file must be readable by root alone.
An SSL certificate binds a public key to an identity by means of a digital signature from the issuing Certificate Authority. SSL certificates enable encryption of sensitive information during online transactions, and in the case of organizationally validated certificates they also serve as an attestation of the certificate owner's identity.
Obtaining Your Own Certificate
There are several organizations that offer varying levels of validation and browser acceptance for your certificate, with a matching range of fees. When this page was written, only two root Certificate Authorities (CAs) offered certificates for free: CAcert.org and StartCom. Their roots were not accepted by every browser, most notably Internet Explorer, then the most widely used browser. This matters because a certificate chaining to a root the browser does not trust produces the same warning as a self-signed one.
For Testing
Different parameters can be used to generate your server key. Any of the following commands will give you the server key:
This command displays the details of your private key:
And this command will generate your server certificate using the server.key:
Once this has been done, you may skip down to Configuring Apache.
For Production
Generating a CSR
Generating a Certificate Signing Request (CSR) is the first step before you can obtain a certificate from a CA, and OpenSSL is required to perform it. The command below generates a fresh private key and the CSR in one go (that is what -keyout does); if you want to reuse the key generated in the Testing section above, replace "-keyout server.key" with "-key server.key". -nodes leaves the key unencrypted so that Apache can start without a passphrase prompt; protect the file with permissions instead. Note also that older OpenSSL releases default to a 1024-bit key, as in the transcript below, which is too small for production use: add "-newkey rsa:2048" (or larger) to the command.
Code: openssl req -nodes -new -keyout server.key -out server.csr
Generating a 1024 bit RSA private key
.......++++++
..++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Full state or province name
Locality Name (eg, city) []:Full name of the city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example, Inc.
Organizational Unit Name (eg, section) []:Administration
Common Name (eg, YOUR name) []:www.example.com
Email Address []:webmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
# Just hit Enter or Return for the next two queries. These should not be set.
A challenge password []:
An optional company name []:
The command starts an interactive dialogue that asks for several pieces of information. The following points require special attention:
- The part that trips up most people is the Common Name. It must be the fully qualified domain name for which you are generating the CSR: if the site is www.example.com, enter www.example.com; if it is mail.example.com, enter mail.example.com; and so on. Browsers today match the host name against the subjectAltName extension rather than the Common Name, so make sure the CA puts the name there as well (public CAs do this from the names you submit).
- If you have several host names under one domain that you want secured, you will want a wildcard certificate (check whether your CA issues them). Instead of one certificate for www.example.com and another for mail.example.com, a single certificate for *.example.com covers both. A wildcard matches exactly one label, so *.example.com covers neither example.com itself nor a.b.example.com.
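The key, self-signed certificate and CSR steps from the Testing and Generating a CSR sections, as an added example that is not code from the original page. It wraps the openssl commands in shell functions and adds the checks worth running before a CSR goes to a CA or a certificate goes into Apache: that the CSR's own signature verifies, and that the certificate or CSR really contains the public key belonging to server.key. It needs the openssl command line tool (1.1.1 or later for -addext); the host name www.example.com, the subject fields and the file names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original page. Requires openssl
# (1.1.1 or later for -addext). HOST, SUBJ and the file names are assumed.

HOST="www.example.com"          # assumed host name (becomes CN and SAN)
SUBJ="/C=US/ST=Some-State/O=Example Inc/CN=$HOST"

# make_key DIR: 2048-bit RSA key (1024 is too small today). No passphrase,
# because Apache must start unattended; the file itself is the secret, so
# it gets mode 600.
make_key() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    chmod 600 "$1/server.key"
}

# key_bits DIR: the size reported by "openssl rsa -text" for server.key.
key_bits() {
    openssl rsa -in "$1/server.key" -noout -text \
        | sed -n '1s/.*(\([0-9]*\) bit.*/\1/p'
}

# make_selfsigned DIR: self-signed certificate, for testing only (browsers
# warn because no trusted CA vouches for it). -subj replaces the interactive
# prompts; -addext adds a subjectAltName, which browsers check instead of
# the CN.
make_selfsigned() {
    openssl req -new -x509 -days 365 -key "$1/server.key" -subj "$SUBJ" \
        -addext "subjectAltName=DNS:$HOST" -out "$1/server.crt"
}

# make_csr DIR: CSR from the same key, to be submitted to the CA. The CA
# decides which requested extensions it honours.
make_csr() {
    openssl req -new -key "$1/server.key" -subj "$SUBJ" \
        -addext "subjectAltName=DNS:$HOST" -out "$1/server.csr"
}

# csr_ok DIR: the CSR's self-signature verifies, i.e. it was not mangled on
# its way through the clipboard or the CA's web form.
csr_ok() {
    openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1
}

# key_matches DIR FILE: the public key inside FILE (certificate or CSR) is
# the one belonging to DIR/server.key. A mismatch is what produces
# "certificate does not match private key" when Apache starts.
key_matches() {
    case "$2" in *.csr) cmd=req ;; *) cmd=x509 ;; esac
    want=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null | openssl sha256)
    have=$(openssl "$cmd" -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# cert_cn DIR: Common Name of server.crt, to compare with ServerName.
cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Run as "sh this.sh demo" to produce the three files in a temp directory.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_key "$d" && make_selfsigned "$d" && make_csr "$d"
    key_matches "$d" "$d/server.crt" && key_matches "$d" "$d/server.csr" \
        && csr_ok "$d" && echo "key, certificate and CSR agree in $d"
fi
```

key_matches compares SHA-256 digests of the SubjectPublicKeyInfo extracted from each file, which works for any key type openssl can read; comparing moduli, the older trick, only works for RSA.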
Requesting a Certificate
Once you have generated a CSR, submit the content of server.csr to a CA. The process varies a little from CA to CA, so the best source of information and direction for this step is the CA's own documentation.
If you are working with limited funds, or want something free to secure a not-so-critical Web site such as a family home page, take a look at these two:
- StartCom StartSSL
- CACert.org: limited browser acceptance.
The CA will give you the file, or the content for the file, server.crt. If the CA also supplies an intermediate certificate, keep it: clients that do not already have it cannot validate your certificate. It is configured with SSLCertificateChainFile (on Apache 2.4.8 and later it can simply be appended to server.crt). The files server.crt and server.key are then referenced from your Apache configuration file:
SSLCertificateFile /etc/ssl/apache2/server.crt
SSLCertificateKeyFile /etc/ssl/apache2/server.key
Configuring Apache
Now that you have your key and certificate, a few steps are needed before Apache will serve an SSL-enabled Web site.
First, Apache needs to be built with the ssl USE flag enabled (add it for www-servers/apache in /etc/portage/package.use and re-emerge the package if it was not set):
USE flag: ssl
Second, edit /etc/conf.d/apache2 so that -D SSL -D SSL_DEFAULT_VHOST appears in the APACHE2_OPTS line:
...
# Here are the options available in the default configuration:
#
#  AUTH_DIGEST  Enables mod_auth_digest
#  AUTHNZ_LDAP  Enables authentication through mod_ldap (available if USE=ldap)
#  CACHE        Enables mod_cache
#  DAV          Enables mod_dav
#  ERRORDOCS    Enables default error documents for many languages.
#  INFO         Enables mod_info, a useful module for debugging
#  LANGUAGE     Enables content-negotiation based on language and charset.
#  LDAP         Enables mod_ldap (available if USE=ldap)
#  MANUAL       Enables /manual/ to be the apache manual (available if USE=docs)
#  MEM_CACHE    Enables default configuration mod_mem_cache
#  PROXY        Enables mod_proxy
#  SSL          Enables SSL (available if USE=ssl)
#  SUEXEC       Enables running CGI scripts (in USERDIR) through suexec.
#  USERDIR      Enables /~username mapping to /home/username/public_html
#
#
# The following two options provide the default virtual host for the HTTP and
# HTTPS protocol. YOU NEED TO ENABLE AT LEAST ONE OF THEM, otherwise apache
# will not listen for incoming connections on the appropriate port.
#
#  DEFAULT_VHOST      Enables name-based virtual hosts, with the default
#                     virtual host being in /var/www/localhost/htdocs
#  SSL_DEFAULT_VHOST  Enables default vhost for SSL (you should enable this
#                     when you enable SSL)
#
APACHE2_OPTS="-D LANGUAGE -D ERRORDOCS -D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST -D PHP5"
...
Third, create an SSL virtual host. The following example will get you started with a basic configuration (on Gentoo the default one lives in /etc/apache2/vhosts.d/00_default_ssl_vhost.conf).
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
Listen 443
# NameVirtualHost is needed on Apache 2.2; Apache 2.4 ignores it with a warning.
NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    # Change the next two lines according to where you've actually
    # stored the certificate and key files. The key file must be owned
    # by root with mode 600: Apache reads it before dropping privileges.
    SSLCertificateFile /etc/ssl/apache2/server.crt
    SSLCertificateKeyFile /etc/ssl/apache2/server.key
    # If the CA supplied an intermediate certificate, serve it as well, or
    # clients that do not already have it will fail to validate the chain.
    #SSLCertificateChainFile /etc/ssl/apache2/chain.crt
    # Must be the name the certificate was issued for (CN / subjectAltName).
    ServerName domain.tld
    SSLOptions StrictRequire
    # SSLv2 and SSLv3 are both broken; disable both. Where Apache and
    # OpenSSL are recent enough, "TLSv1.2" (or later) is the better setting.
    SSLProtocol all -SSLv2 -SSLv3
    DocumentRoot /path/to/ssl/enabled/site
    <Directory /path/to/ssl/enabled/site/>
        SSLRequireSSL
        # Apache 2.2 access control; on Apache 2.4 use "Require all granted".
        Order Deny,Allow
        Allow from All
    </Directory>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
Check the configuration with apache2ctl configtest, then restart Apache, and you are ready to start hosting a secure Web site.
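A pre-flight check for the virtual host above, as an added example that is not part of the original page: it reads the SSL directives out of a vhost file and verifies the things that most often go wrong on the first restart, namely that the key belongs to the certificate, that the key is not readable by other users, that the certificate covers ServerName (with correct one-label wildcard matching) and is not about to expire, and that SSLProtocol does not leave SSLv3 enabled. It needs openssl (1.1.1 or later for the -addext used by the throw-away fixture). The config path, host names and temp directories are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page. Requires openssl; the
# fixture generator needs 1.1.1 or later. Paths and names are assumptions.

# directive FILE NAME: value of the first occurrence of an Apache directive.
directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# proto_allows_sslv3 VALUE: true if an SSLProtocol value (default "all",
# which includes SSLv3 on Apache 2.2) still lets SSLv3 be negotiated.
proto_allows_sslv3() {
    case " ${1:-all} " in
        *" -SSLv3 "*)          return 1 ;;
        *" all "*|*"SSLv3 "*)  return 0 ;;
    esac
    return 1
}

# name_matches PATTERN NAME: exact match, or a wildcard covering exactly one
# label (*.example.com matches www.example.com, not example.com).
name_matches() {
    case "$1" in
        "$2")  return 0 ;;
        \*.*)  [ "${2#*.}" = "${1#\*.}" ] && [ "${2#*.}" != "$2" ] && return 0 ;;
    esac
    return 1
}

# cert_names CRT: every DNS subjectAltName, then the CN, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_covers CRT NAME: some name in the certificate matches NAME.
cert_covers() {
    for n in $(cert_names "$1"); do
        name_matches "$n" "$2" && return 0
    done
    return 1
}

# check_vhost FILE: print one line per finding; return the number found.
check_vhost() {
    crt=$(directive "$1" SSLCertificateFile)
    key=$(directive "$1" SSLCertificateKeyFile)
    name=$(directive "$1" ServerName); name=${name%%:*}
    proto=$(directive "$1" SSLProtocol)
    findings=0
    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
        echo "certificate or key file missing or unreadable"; return 1
    fi
    want=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    have=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    [ "$want" = "$have" ] \
        || { echo "key does not match certificate"; findings=$((findings+1)); }
    case "$(ls -l "$key" | cut -c5-10)" in
        ------) ;;
        *) echo "key readable by group or others"; findings=$((findings+1)) ;;
    esac
    cert_covers "$crt" "$name" \
        || { echo "certificate does not cover ServerName $name"; findings=$((findings+1)); }
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
        || { echo "certificate expires within 30 days"; findings=$((findings+1)); }
    proto_allows_sslv3 "$proto" \
        && { echo "SSLProtocol '$proto' allows SSLv3"; findings=$((findings+1)); }
    return $findings
}

# make_fixture DIR NAME DAYS: throw-away key, self-signed certificate and
# vhost file (constructed test data) so the checks can be tried safely.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/server.key"
    cat > "$1/ssl_vhost.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile $1/server.crt
    SSLCertificateKeyFile $1/server.key
    ServerName $2:443
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
EOF
}
```

Run it against the real file with check_vhost /etc/apache2/vhosts.d/00_default_ssl_vhost.conf; a non-zero exit is the count of problems to fix before the restart. The name check deliberately looks at subjectAltName before the CN, because that is the order browsers use.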
Troubleshooting
- If you are using mod_security and you see messages like the following in your error log, set ServerTokens to Full in /etc/apache2/vhosts.d/00_default_ssl_vhost.conf. mod_security needs the full banner because SecServerSignature overwrites it in place, so the version details are replaced rather than exposed to clients.
[error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
See Also
- SSL and Name Based Virtual Hosts: Describes how to setup Apache to serve multiple SSL hosts with only one IP address.