# # 04-Dec-99 amo Installed secure httpd into boxes # 06-Dec-99 amo More httpsd stuff # # # http://www.xxx.yyy.zzz:443/ ( default secure port ) # # /var/log/httpd/logs/error_log-ssl # # Virtual Hosts # -------------- # http://www.apache.org/docs/vhosts # # # SSL Configuration directives # ------------------------------ # http:/redhat/manual/mod/mod_ssl.html # http://www.modssl.org/docs/2.3/ssl_reference.html # # http://www2.psy.uq.edu.au/~ftp/Crypto/ ( good ) # http://www.consensus.com/security/ssl-talk-faq.txt ( good ) # www.egroups.com/list/ssl-talk # home.netscape.com/eng/ssl3/index.html # developer.netscape.com/docs/manuals/proxy/adminux/encrypt.htm # www.ietf.org/internet-drafts/draft-ietf-tls-protocol-05.txt # www.psy.uq.oz.au/~ftp/Crypto # www.xcert.com/~marcnarc/PKI # webcompare.internet.com # # # www.isi.edu/in-notes/iana/assignments/port-numbers # nsiiops 261/tcp IIOP Name Service over TLS/SSL # https 443/tcp http protocol over TLS/SSL # ddm-ssl 448/tcp DDM-SSL # smtps 465/tcp smtp protocol over TLS/SSL # nntps 563/tcp nntp protocol over TLS/SSL # sshell 614/tcp SSLshell # ldaps 636/tcp ldap protocol over TLS/SSL # ftps-data 989/tcp ftp protocol, data, over TLS/SSL # ftps 990/tcp ftp, control, over TLS/SSL # telnets 992/tcp telnet protocol over TLS/SSL # imaps 993/tcp imap4 protocol over TLS/SSL # ircs 994/tcp irc protocol over TLS/SSL # pop3s 995/tcp pop3 protocol over TLS/SSL # # # Secure http client testing # https://in-103.infospace.com/ - works # # -- the rest are bad -- # https://ssl3.netscape.com/ # https://ssl3.c2.org # http://www.verisign.com/authentic # # Netscape + certificates # http://home.netscape.com/security/index.html # # http://home.netscape.com/eng/security/certs.html # http://home.netscape.com/newsref/std/ssl_2.0_certificate.html ( BAD ) # http://www.ietf.org/html.charters/pkix-charter.html # http://digitalid.verisign.com/id_faqs.htm # http://www.entrust.com/products/library/primer.htm ( BAD ) # 
http://developer.entrust.com/certutility/index.htm # http://www.xcert.com/~marcnarc/PKI # http://home.netscape.com/info/security-doc.html # http://home.netscape.com/eng/security # http://home.netscape.com/eng/security/comm4-cert-download.html # http://home.netscape.com/eng/security/certs.html X509 # # Certificate Authorities # http://www2.psy.uq.edu.au/~ftp/Crypto/#List of Certification Authorities # http://www.qmw.ac.uk/~tl6345/ca.htm Worldwide list of CAs # http://www.pca.dfn.de/eng/team/ske/pem-dok.html#CA WorldWide list of CAs # # http://digitalid.verisign.com/id_faqs.htm Verisign # http://www.verisign.com - Verisign # http://www.thawte.com/certs Thawte Consulting # http://www.cost.se COST Computer Security Technologies # http://www.compusource.co.za/id/personal CompuSource # http://www.xcert.com XCert Software Inc # http://www.entrust.com - Entrust Technologies (was Nortel) # http://www.surgeons.co.za/certificate.html - BiNARY SuRGEONS # http://www.keywitness.ca - Keywitness # http://www.softforum.co.kr/h-sf - SoftForum # http://www.cybertrust.gte.com - GTE CyberTrust # http://www.compusource.co.za # http://www.certisign.com.br - Certisign Certificadora Digital Ltda # http://eurosign.com EuroSign # http://www.belsign.be Belsign # # # http://www.webvision.com/developers_new/casetup.html Setting up your own CA # # Microsoft issues # http://www.microsoft.com/workshop/security/default.asp # # # SSLREf # http://www.consensus.com # http://home.netscape.com/newsref/std/sslref.html # http://test-drive.netscape.com/tdrive-new/sslref.html # # SSLeay # http://www.psy.uq.oz.au/~ftp/Crypto/ # # ls -la /dev/urandom [root@m58 /root]# cd /etc/httpd/conf.secure # # Creating a key # -------------------- # [root@m58 conf.secure]# make genkey #/usr/sbin/openssl genrsa -des3 -rand /var/log/messages:/boot/vmlinuz:/etc/hosts:/etc/resolv.conf 1024 > ssl.key/server.key .... 
Enter PEM pass phrase: Verifying password - Enter PEM pass phrase: # chmod go-rwx ssl.key/server.key ( pass phrase ) - created /etc/httpd/conf.secure/ssl.key/server.key - to bypass entering the passphrase at httpsd startup, use the two commands at the end of these notes ( cp server.key server.key.org / openssl rsa -in server.key.org -out server.key ) instead of make genkey; the unencrypted key is then protected only by the chmod go-rwx file permissions above... # # Creating a key request # -------------------- # [root@m58 conf.secure]# make certreq /usr/sbin/openssl req -new -key ssl.key/server.key > ssl.csr/server.csr Using configuration from /usr/lib/ssl/openssl.cnf Enter PEM pass phrase: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]:US State or Province Name []:California City (Locality) Name []:San Jose Company (Organization) Name []: Corp name Department Name []: Server Hostname []:www.SomeServer.com Server Admins Email Address []:alvin@linux-consulting.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:............... 
An optional company name []: - created /etc/httpd/conf.secure/server.csr ( send this to the CA ) # # Use verisign free CA # -------------------- # Make sure your "email address" works first # https://digitalid.verisign.com/server/trial/trialStep1.htm https://digitalid.verisign.com/server/trial/trialStep2.htm [root@m58 /root]# cd /etc/httpd/conf.secure [root@m58 conf.secure]# make certreq /etc/httpd/conf.secure/ssl.csr/server.csr cut-and-paste the csr above into the form there # # Installing the test certificate # -------------------- # http://www.verisign.com/server/trial/welcome/index.html http://www.verisign.com/server/trial/welcome/caroot.html [root@m58 conf.secure]# vi ssl.crt/server.crt - paste in the certificate verisign sent -----BEGIN CERTIFICATE----- MIICZTCCAg8CEHEQuqtrl2wPBfae8E/qMewwDQYJKoZIhvcNAQEEBQAwgakxFjAU .... -----END CERTIFICATE----- # # Installed certificate # -------------------- # [root@m58 conf.secure]# ls -la /etc/httpd/conf.secure/ssl.key/server.key [root@m58 conf.secure]# ls -la /etc/httpd/conf.secure/ssl.crt/server.crt # # Stop and start httpsd # -------------------- # [root@m58 conf.secure]# /etc/rc.d/init.d/httpsd stop [root@m58 conf.secure]# /etc/rc.d/init.d/httpsd start - pass phrase required [root@m58 conf.secure]# ps axuw | grep http ... /usr/sbin/httpsd -DSSL netscape: http://www.Server.com - normal httpd https://www.Server.com - should show a secure connection ( closed lock icon ) ================================================================================ # # Send the certificate request or make our own test version # [root@m58 conf.secure]# /usr/sbin/openssl OpenSSL> ? 
- supposed to create ssl.crt (but already existed ) OpenSSL> genrsa 1112 semi-random bytes loaded Generating RSA private key, 512 bit long modulus ................................................................................e is 65537 (0x10001) -----BEGIN RSA PRIVATE KEY----- MIIBOgIBAAJBAJ5THNQu8MqP4SdW+vUe34PMKmOMpwe3nzGYbWfvse4I8Cfx1Mcw u94Fp7iiUc7jgUZg5Wib/4wEHg/CEBnJ03sCAwEAAQJBAI85NH0mMaGs4suJveB8 m0pJKZeAp6EtlQ9yipZZmaZwdxrX9sotIJ5a9VQB2xBtpF1H5CtyMACdTVGSMyIf lmECIQDPKZKGg4ubyYa0ZJdqrFrZguYBYxbKJxWhkAS5RMvQowIhAMOmJCicN524 Zv7NL0pwsjV19hZLkPS/49jQreLbO6dJAiBBFPFoevkoJya/k36ST7V28g2qT+P/ /ElqaWFihv90+wIgfxRDGD2fwkosXARaWzeoCSF9ni2nEdIx5Hpm95r+vEECIEhk gCpVz7A0iF78vlvbIG6xxy5XJhd73gQWWuxaf4rF -----END RSA PRIVATE KEY----- OpenSSL> quit # # Free CA # http://digitalid.verisign.com/server/help/insSSLeayCSR.htm # # ssleay md5 * > rand.dat # ssleay genrsa -rand rand.dat -des3 1024 > key.pem ( des3 ) # ssleay req -new -key key.pem -out csr.pem ( generate csr ) # # # # Self signed CA # ssleay req -new -x509 -key key.pem -out dummy.pem # # openssl genrsa -des3 -out server.key 1024 openssl req -new -days 365 -key server.key -out server.csr openssl ca -in server.csr -out server.crt -days 365 cp server.key server.key.org openssl rsa -in server.key.org -out server.key # # end of file