#
# 04-Dec-99 amo  Installed secure httpd into boxes
# 06-Dec-99 amo  More httpsd stuff
#
#
# http://www.your_domain.com:443    default secure port
# https://www.your_domain.com       secure server
#
# /var/log/httpd/logs/error_log-ssl
#
# Virtual Hosts
# --------------
# http://www.apache.org/docs/vhosts
#
#
# SSL Configuration directives
# ------------------------------
# http:/redhat/manual/mod/mod_ssl.html
# http://www.modssl.org/docs/2.3/ssl_reference.html
#
# http://www2.psy.uq.edu.au/~ftp/Crypto/ ( good )
# http://www.consensus.com/security/ssl-talk-faq.txt ( good )
# www.egroups.com/list/ssl-talk
# home.netscape.com/eng/ssl3/index.html
# developer.netscape.com/docs/manuals/proxy/adminux/encrypt.htm
# www.ietf.org/internet-drafts/draft-ietf-tls-protocol-05.txt
# www.psy.uq.oz.au/~ftp/Crypto
# www.xcert.com/~marcnarc/PKI
# webcompare.internet.com
#
#
# www.isi.edu/in-notes/iana/assignments/port-numbers
# nsiiops     261/tcp    IIOP Name Service over TLS/SSL
# https       443/tcp    http protocol over TLS/SSL
# ddm-ssl     448/tcp    DDM-SSL
# smtps       465/tcp    smtp protocol over TLS/SSL
# nntps       563/tcp    nntp protocol over TLS/SSL
# sshell      614/tcp    SSLshell
# ldaps       636/tcp    ldap protocol over TLS/SSL
# ftps-data   989/tcp    ftp protocol, data, over TLS/SSL
# ftps        990/tcp    ftp, control, over TLS/SSL
# telnets     992/tcp    telnet protocol over TLS/SSL
# imaps       993/tcp    imap4 protocol over TLS/SSL
# ircs        994/tcp    irc protocol over TLS/SSL
# pop3s       995/tcp    pop3 protocol over TLS/SSL
#
#
# Secure http client testing
# https://in-103.infospace.com/ - works
#
# -- rest are bad --
# https://ssl3.netscape.com/
# https://ssl3.c2.org
# http://www.verisign.com/authentic
#
# Netscape + certificates
# http://home.netscape.com/security/index.html
#
# http://home.netscape.com/eng/security/certs.html
# http://home.netscape.com/newsref/std/ssl_2.0_certificate.html ( BAD )
# http://www.ietf.org/html.charters/pkix-charter.html
# http://digitalid.verisign.com/id_faqs.htm
# http://www.entrust.com/products/library/primer.htm ( BAD )
#
# http://developer.entrust.com/certutility/index.htm
# http://www.xcert.com/~marcnarc/PKI
# http://home.netscape.com/info/security-doc.html
# http://home.netscape.com/eng/security
# http://home.netscape.com/eng/security/comm4-cert-download.html
# http://home.netscape.com/eng/security/certs.html    X509
#
# Certificate Authorities
# http://www2.psy.uq.edu.au/~ftp/Crypto/#List of Certification Authorities
# http://www.qmw.ac.uk/~tl6345/ca.htm                   Worldwide list of CAs
# http://www.pca.dfn.de/eng/team/ske/pem-dok.html#CA    Worldwide list of CAs
#
# http://digitalid.verisign.com/id_faqs.htm     Verisign
# http://www.verisign.com - Verisign
# http://www.thawte.com/certs                   Thawte Consulting
# http://www.cost.se                            COST Computer Security Technologies
# http://www.compusource.co.za/id/personal      CompuSource
# http://www.xcert.com                          XCert Software Inc
# http://www.entrust.com - Entrust Technologies (was Nortel)
# http://www.surgeons.co.za/certificate.html - BiNARY SuRGEONS
# http://www.keywitness.ca - Keywitness
# http://www.softforum.co.kr/h-sf - SoftForum
# http://www.cybertrust.gte.com - GTE CyberTrust
# http://www.compusource.co.za
# http://www.certisign.com.br - Certisign Certificadora Digital Ltda
# http://eurosign.com                           EuroSign
# http://www.belsign.be                         Belsign
#
#
# http://www.webvision.com/developers_new/casetup.html    Setting up own CA
#
# Microsoft issues
# http://www.microsoft.com/workshop/security/default.asp
#
#
# SSLRef
# http://www.consensus.com
# http://home.netscape.com/newsref/std/sslref.html
# http://test-drive.netscape.com/tdrive-new/sslref.html
#
# SSLeay
# http://www.psy.uq.oz.au/~ftp/Crypto/
#
# ls -la /dev/urandom
#
# Install Redhat's silly rpm secure server package ( in the proper sequence )
# ================================================
# see Apache.Redhat-6.1.pl
#
# Creating a key
# --------------------
#
/etc/httpsd/conf# make genkey
===============================
#/usr/sbin/openssl genrsa -des3 -rand /var/log/messages:/boot/vmlinuz:/etc/hosts:/etc/resolv.conf 1024 > ssl.key/server.key
....
Enter PEM pass phrase: -enter-a-pass-phrase-and-memorize-it-NEVER-write-it-down
Verifying password - Enter PEM pass phrase:
# chmod go-rwx ssl.key/server.key

- created /etc/httpsd/conf/ssl.key/server.key
- to bypass entering the passphrase at every httpsd start, use the two commands at
  the end of these notes ( cp server.key ... / openssl rsa ... ) instead of make genkey
#
# Creating a key request
# ----------------------
#
# - change "Organizational Unit" to get a new test certificate
#
/etc/httpsd/conf# make certreq
===============================
/usr/sbin/openssl req -new -key ssl.key/server.key > ssl.csr/server.csr
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name []:California
City (Locality) Name []:San Jose
Company (Organization) Name []:Your Company
Department Name []:
Server Hostname []:www.Your_Domain.com
Server Admins Email Address []:alvin@linux-consulting.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: -your-secret-pass-phrase--remember-this-NEVER-write-it-down
An optional company name []:

- created /etc/httpsd/conf/server.csr ( send this to CA )
#
# Use verisign free CA
# --------------------
# Make sure your "email address" works first
#
https://digitalid.verisign.com/server/trial/trialStep1.htm
https://digitalid.verisign.com/server/trial/trialStep2.htm

/etc/httpsd/conf# make certreq
===============================
/etc/httpsd/conf/ssl.csr/server.csr
- cut-n-paste above csr into here -
====
==== wait for an email from the CA ====
#
# Installing the test certificate
# -------------------------------
#
http://www.verisign.com/server/trial/welcome/index.html
http://www.verisign.com/server/trial/welcome/caroot.html

/etc/httpsd/conf# vi ssl.crt/server.crt
- copy in the certificate verisign sent
-----BEGIN CERTIFICATE-----
MIICZTCCAg8CEHEQuqtrl2wPBfae8E/qMewwDQYJKoZIhvcNAQEEBQAwgakxFjAU
....
-----END CERTIFICATE-----
#
# Installed certificate
# ---------------------
#
/root# ls -la /etc/httpd/conf.secure/ssl.key/server.key
/root# ls -la /etc/httpd/conf.secure/ssl.crt/server.crt
#
# Stop and start httpsd
# ---------------------
#
/etc/httpsd/conf# /etc/rc.d/init.d/httpsd stop
/etc/httpsd/conf# /etc/rc.d/init.d/httpsd start
- pass phrase required
/etc/httpsd/conf# ps axuw | grep http
... /usr/sbin/httpsd -DSSL

netscape:
http://www.Your_Domain.com    - normal httpd
https://www.Your_Domain.com   - should show a secure connection ( lock closed )
================================================================================
#
# Send the certificate request or make our own test version
#
/etc/httpsd/conf# /usr/sbin/openssl
OpenSSL> ?
- supposed to create ssl.crt ( but it already existed )
OpenSSL> genrsa
1112 semi-random bytes loaded
Generating RSA private key, 512 bit long modulus
................................................................................
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAJ5THNQu8MqP4SdW+vUe34PMKmOMpwe3nzGYbWfvse4I8Cfx1Mcw
u94Fp7iiUc7jgUZg5Wib/4wEHg/CEBnJ03sCAwEAAQJBAI85NH0mMaGs4suJveB8
m0pJKZeAp6EtlQ9yipZZmaZwdxrX9sotIJ5a9VQB2xBtpF1H5CtyMACdTVGSMyIf
lmECIQDPKZKGg4ubyYa0ZJdqrFrZguYBYxbKJxWhkAS5RMvQowIhAMOmJCicN524
Zv7NL0pwsjV19hZLkPS/49jQreLbO6dJAiBBFPFoevkoJya/k36ST7V28g2qT+P/
/ElqaWFihv90+wIgfxRDGD2fwkosXARaWzeoCSF9ni2nEdIx5Hpm95r+vEECIEhk
gCpVz7A0iF78vlvbIG6xxy5XJhd73gQWWuxaf4rF
-----END RSA PRIVATE KEY-----
OpenSSL> quit
#
# Free CA
# http://digitalid.verisign.com/server/help/insSSLeayCSR.htm
#
# ssleay md5 * > rand.dat
# ssleay genrsa -rand rand.dat -des3 1024 > key.pem    ( des3 )
# ssleay req -new -key key.pem -out csr.pem            ( generate csr )
#
#
#
# Self signed CA
# ssleay req -new -x509 -key key.pem -out dummy.pem
#
#
openssl genrsa -des3 -out server.key 1024
openssl req -new -days 365 -key server.key -out server.csr
openssl ca -in server.csr -out server.crt -days 365
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
#
# end of file
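The key / CSR / certificate recipe above, as an added example that is not part of the original notes: it runs non-interactively (DN via -subj instead of the prompts, a self-signed test certificate via openssl x509 -req in place of openssl ca, which needs a CA directory set up, and a passphrase-less 2048-bit key in place of the 1024-bit des3 one), then performs the two checks worth doing before restarting httpsd: that the certificate really belongs to the key, and that the unencrypted key is readable only by its owner. The directory layout, DN and 30-day validity are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: the key / CSR / cert recipe
# done non-interactively, plus the checks worth running before restarting
# httpsd. Directory layout and DN are assumed; everything stays under $dir.
set -eu

# Generate key, CSR and a self-signed stand-in certificate under $1.
make_test_cert() {
    dir="$1"
    subj="/C=US/ST=California/L=San Jose/O=Your Company/CN=www.Your_Domain.com"
    mkdir -p "$dir/ssl.key" "$dir/ssl.csr" "$dir/ssl.crt"
    # No -des3: the key is unencrypted so httpsd can start unattended (the
    # notes' "bypass the passphrase" case), so file permissions must protect it.
    openssl genrsa -out "$dir/ssl.key/server.key" 2048 2>/dev/null
    chmod 600 "$dir/ssl.key/server.key"
    # DN given with -subj instead of answering the interactive prompts.
    openssl req -new -key "$dir/ssl.key/server.key" -subj "$subj" \
        -out "$dir/ssl.csr/server.csr" 2>/dev/null
    # Self-signed test cert in place of "openssl ca", which needs a CA set up.
    openssl x509 -req -days 30 -in "$dir/ssl.csr/server.csr" \
        -signkey "$dir/ssl.key/server.key" -out "$dir/ssl.crt/server.crt" 2>/dev/null
}

# Return 0 only if cert and key carry the same public key, the key is mode 600
# and the cert is not expired; otherwise print the problem and return 1.
check_test_cert() {
    key="$1/ssl.key/server.key"; crt="$1/ssl.crt/server.crt"
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    [ "$kpub" = "$cpub" ] || { echo "key/cert mismatch"; return 1; }
    case $(ls -l "$key") in
        -rw-------*) ;;
        *) echo "key readable by group/others"; return 1 ;;
    esac
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "cert expired"; return 1; }
    echo "ok: $(openssl x509 -in "$crt" -noout -subject)"
}

# Stand-alone run: work in a throwaway directory.
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d); make_test_cert "$d"; check_test_cert "$d"; rm -rf "$d"
fi
```

Run it as `sh script.sh run`; the same check_test_cert can be pointed at /etc/httpsd/conf once the CA-issued server.crt is installed.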