How to create an internal Certificate authority
And generate server certificates, and how to set up Apache2 on Ubuntu for SSL
Create a root private key for the CA (use makepasswd --chars 20 to make the passphrase harder to guess):
$ openssl genrsa -des3 -out ca.key 4096
Generate the CA certificate. Clients use this to verify the server's identity: if they trust this certificate, then any server key it has signed is trusted.
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Create a server key. The CA key above was armoured with -des3 (triple DES encryption under a passphrase). The server key, in this case, is one of a number protecting source code, not credit cards, so rather than having to type in a passphrase each time apache is restarted (to decrypt the 3DES-encrypted key) we omit the -des3 option and the key sits in clear on disk.
$ openssl genrsa -out server.key 4096
Generate a certificate signing request:
$ openssl req -new -key server.key -out server.csr
Then sign this request using the CA key (you will need the CA key as well as the CA certificate). If you intend to do a lot of this kind of thing, it is probably best to lock the CA key, with a long password, in a fireproof safe and never use it directly; use it once to create a master signing key which then signs the keys that are actually used, so that losing, stealing or breaking a signing key does not force a mass revocation.
$ openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Move these files to somewhere apache can get to them on restart. (In reality you would create your CA key on a more secure system, move the server key across under a password, then use openssl to render a passwordless version of the key only on the target system, in that directory.)
$ sudo cp server.key server.crt ca.crt /etc/apache2/ssl/
$ sudo chmod -R 600 /etc/apache2/ssl
$ sudo chown -R root:root /etc/apache2/ssl
Create and enable a new vhost in sites-available, and away you go.
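The openssl steps above as one non-interactive script, added here as an example rather than taken from the post. It assumes openssl is on the PATH and passes the CA passphrase with -passout/-passin purely so it can run unattended; it also goes beyond the post by replacing the fixed -set_serial 01 with -CAcreateserial (a CA must never issue two certificates with the same serial) and by adding a subjectAltName, which modern browsers match on. The hostname svn.example.internal and the passphrase are constructed values.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl on PATH;
# the CA passphrase goes through -passout/-passin only so the script can run
# unattended (the post types it at a prompt). Hostname and passphrase below
# are constructed placeholder values.
set -e
WORK="${TMPDIR:-/tmp}/internal-ca-example"

make_certs() {
    dir="$1"; host="$2"; capass="$3"
    mkdir -p "$dir"
    # Root CA key, 3DES-encrypted under a passphrase, as in the post.
    openssl genrsa -des3 -passout "pass:$capass" -out "$dir/ca.key" 4096 2>/dev/null
    # Self-signed CA certificate; this is what clients install.
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin "pass:$capass" \
        -subj "/CN=Internal Root CA" -out "$dir/ca.crt" 2>/dev/null
    # Server key left in clear so apache can restart unattended.
    openssl genrsa -out "$dir/server.key" 4096 2>/dev/null
    # CSR carrying the server hostname.
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr" 2>/dev/null
    # Sign with the CA. -CAcreateserial replaces the post's fixed -set_serial 01
    # (no two certs from one CA may share a serial); the SAN extension is what
    # modern browsers match the hostname against.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -passin "pass:$capass" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# Prints "ok" when server.crt chains to ca.crt, carries the SAN, and the
# CA key still refuses a wrong passphrase; prints "fail" otherwise.
verify_chain() {
    dir="$1"; host="$2"; capass="$3"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo fail; return 0; }
    openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null \
        | grep -q "DNS:$host" || { echo fail; return 0; }
    openssl rsa -in "$dir/ca.key" -passin pass:wrong -noout >/dev/null 2>&1 \
        && { echo fail; return 0; }
    openssl rsa -in "$dir/ca.key" -passin "pass:$capass" -noout >/dev/null 2>&1 \
        || { echo fail; return 0; }
    echo ok
}

make_certs "$WORK" svn.example.internal 'constructed-ca-passphrase'
verify_chain "$WORK" svn.example.internal 'constructed-ca-passphrase'
```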
<VirtualHost *:443>
ServerAdmin sysadmin@initsix.co.uk
ServerName initsix.co.uk
ErrorLog /var/log/apache2/error.svn.initsix.co.uk.log
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature Off
</VirtualHost>
I did have an error message 'SSL received a record that exceeded the maximum permissible length.' Apparently this is because apache is confused about which port to serve on. This is because I had mixed * and *:80 + *:443 declarations in the virtual hosts. Make sure they are all appended and all sorted.
To make things a bit more seamless, provide a link to the ca.crt file on the page so the client's browser can install the cert and then not have to bother with exceptions (useful if there are a lot of sites with unknown root keys).
If you're going to do a lot of these at any one time, it is probably best to learn your way around /etc/ssl/openssl.cnf, as that's where you can change the defaults.