build:security

SSL Certificate

We need an SSL certificate to run HTTPS on Apache, and we'll need one again when we add TLS support to SMTP (Postfix) and IMAP later. A certificate is tied to hostnames, not to a service, so the same certificate can be reused for those as long as every name that mail clients connect to (e.g. mail.boochtek.com) is among the names it lists.

For now, we're using a self-signed certificate, which browsers will warn about until it is imported into their trust store. Submitting the same CSR to an SSL provider (like StartSSL) works pretty much the same way: the CA signs it instead of us, after checking that we control each of the names requested.

We're generating the certificate with the Subject Alternative Name (SAN) extension, which lets us put multiple domain names in a single certificate. As long as we can get a single certificate (i.e. all the names have the same ownership details) this works fine, and we can host all the sites with a single IP address, because clients check the hostname they connected to against the SAN list. Two details matter: the name used as the CN should also appear in the SAN list, since the list is what clients actually check, and a wildcard such as *.boochtek.com matches exactly one label (www.boochtek.com, but not boochtek.com or a.b.boochtek.com), which is why each bare domain below is listed next to its wildcard. All modern browsers (and Internet Explorer 6) support Subject Alternative Name.

Generate CSR

CERT_DIR='/etc/ssl/certs'
CERT_KEY_DIR='/etc/ssl/private'
CERT_NAME='boochtek'            # Base name of the key, config, CSR and certificate files we will generate.
CERT_COUNTRY='US'
CERT_STATE='Missouri'
CERT_CITY='Ballwin'
CERT_ORGANIZATION='BoochTek, LLC'
CERT_SERVER='www.boochtek.com'  # The server's primary FQDN; goes in the CN. List it again below, since clients match on the SAN list.
# Alternative names, 1-based so DNS.1 .. DNS.N line up with the indices. A wildcard
# only matches one label, so each bare domain is listed next to its wildcard.
CERT_ALT_NAME[1]='boochtek.com'
CERT_ALT_NAME[2]='www.boochtek.com'
CERT_ALT_NAME[3]='admin.boochtek.com'
CERT_ALT_NAME[4]='*.boochtek.com'
CERT_ALT_NAME[5]='craigbuchek.com'
CERT_ALT_NAME[6]='*.craigbuchek.com'
CERT_ALT_NAME[7]='buchek.com'
CERT_ALT_NAME[8]='*.buchek.com'
CERT_ALT_NAME[9]='stlruby.org'
CERT_ALT_NAME[10]='*.stlruby.org'
# Challenge password attribute for the CSR. It is stored in cleartext inside the CSR, so
# anyone holding the CSR can read it with `openssl req -text`; don't reuse a real password.
CERT_PASSWORD="$(dd if=/dev/urandom bs=15 count=1 2>/dev/null | base64)"

# Generate the key that will sign the CSR. It is deliberately not passphrase-protected so
# Apache can start unattended; the umask keeps the file from ever being world-readable.
(umask 077 && openssl genrsa -out $CERT_NAME.key 2048)
chmod 400 $CERT_NAME.key

# Config for this CSR. With prompt = no every field is taken from [dn] and [attributes]:
cat >$CERT_NAME.config <<EOF
[req]
default_bits = 2048
prompt = no
distinguished_name = dn
attributes = attributes
req_extensions = v3_req
[attributes]
challengePassword = '$CERT_PASSWORD'
[dn]
C  = $CERT_COUNTRY
ST = $CERT_STATE
L  = $CERT_CITY
O  = $CERT_ORGANIZATION
CN = $CERT_SERVER
[v3_req]
subjectAltName = @alt_names
[alt_names]
EOF
# Append one DNS.n line per alternative name (indices 1..N):
for i in $(seq 1 ${#CERT_ALT_NAME[@]}); do
    echo "DNS.$i = ${CERT_ALT_NAME[$i]}"
done >>$CERT_NAME.config

# Generate the CSR:
openssl req -new -key $CERT_NAME.key -out $CERT_NAME.csr -config $CERT_NAME.config

# Verify the CSR's signature and print its contents. Check that the
# "X509v3 Subject Alternative Name" block lists every name; note that the
# challenge password is printed in the clear under "Attributes".
openssl req -verify -text -noout -in $CERT_NAME.csr

# Move the key, config and CSR to the SSL private directory and hand them to root.
sudo mv $CERT_NAME.key $CERT_KEY_DIR
sudo mv $CERT_NAME.config $CERT_KEY_DIR
sudo mv $CERT_NAME.csr $CERT_KEY_DIR
sudo chown root:root $CERT_KEY_DIR/$CERT_NAME.key $CERT_KEY_DIR/$CERT_NAME.config $CERT_KEY_DIR/$CERT_NAME.csr

Generate Self-signed Certificate

# Generate a self-signed certificate that lasts 10 years. The key and CSR now live in
# $CERT_KEY_DIR, which only root can read, hence sudo and the full paths. `x509 -req`
# does not copy extensions from the CSR, so the SAN list is supplied again via
# -extfile/-extensions; without that the certificate would carry no alternative names.
sudo openssl x509 -req -days 3650 -in $CERT_KEY_DIR/$CERT_NAME.csr \
    -signkey $CERT_KEY_DIR/$CERT_NAME.key -out $CERT_NAME.crt \
    -extfile $CERT_KEY_DIR/$CERT_NAME.config -extensions v3_req

# Print out the certificate details. Confirm that "X509v3 Subject Alternative Name"
# lists every DNS name before installing it:
openssl x509 -text -noout -in $CERT_NAME.crt

# Move the certificate to the SSL certificate directory. The certificate is public, so
# it can stay world-readable.
sudo mv $CERT_NAME.crt $CERT_DIR
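As an added, stand-alone check (example code written for this page, not part of the original build notes), the script below repeats the two procedures above against a throwaway key and certificate in a temporary directory, then asks OpenSSL which hostnames the certificate really covers (`openssl x509 -checkhost`, OpenSSL 1.0.2 or later), confirms the certificate's public key belongs to the generated private key, and shows that the challenge password can be read straight back out of the CSR. The domain names are the ones used above; the temp directory, the file names (test.key and friends), the helper function names and the challenge value are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original build notes): generate a throwaway key
# and self-signed SAN certificate in a temp directory, then check what the
# names in it actually match. The domain names are the page's; the temp
# directory, file names and helper names are assumptions made for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Subset of the page's SAN list. The bare domain and the wildcard are listed
# separately because a wildcard never matches the bare domain.
ALT_NAMES=('boochtek.com' 'www.boochtek.com' 'admin.boochtek.com' '*.boochtek.com')
CHALLENGE='not-a-secret-123'   # constructed value, only to show it is readable from the CSR

# Key + config + CSR + self-signed certificate, mirroring the page's steps.
gen_self_signed() {
    # umask 077 so the key file is never world-readable, not even before a chmod.
    (umask 077 && openssl genrsa -out test.key 2048 2>/dev/null)
    {
        cat <<EOF
[req]
default_bits = 2048
prompt = no
distinguished_name = dn
attributes = attributes
req_extensions = v3_req
[attributes]
challengePassword = '$CHALLENGE'
[dn]
C  = US
O  = BoochTek, LLC
CN = www.boochtek.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
EOF
        i=1
        for n in "${ALT_NAMES[@]}"; do
            echo "DNS.$i = $n"
            i=$((i + 1))
        done
    } >test.config
    openssl req -new -key test.key -out test.csr -config test.config 2>/dev/null
    # x509 -req does not copy extensions from the CSR, hence -extfile/-extensions.
    openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt \
        -extfile test.config -extensions v3_req 2>/dev/null
}

# Returns 0 if the certificate is valid for hostname $1, using the same
# SAN/wildcard rules a TLS client applies (X509_check_host behind -checkhost).
cert_matches() {
    openssl x509 -in test.crt -noout -checkhost "$1" | grep -q 'does match'
}

# Returns 0 if the public key inside the certificate is the one derived from test.key.
key_matches_cert() {
    [ "$(openssl pkey -in test.key -pubout 2>/dev/null)" = \
      "$(openssl x509 -in test.crt -noout -pubkey)" ]
}

# Returns 0 if the challenge password is readable from the CSR in cleartext.
csr_reveals_challenge() {
    openssl req -in test.csr -noout -text | grep -q -- "$CHALLENGE"
}

gen_self_signed
key_matches_cert && echo 'key matches certificate'
for h in boochtek.com www.boochtek.com mail.boochtek.com a.b.boochtek.com boochtek.org; do
    if cert_matches "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
csr_reveals_challenge && echo 'challenge password is visible in the CSR'
```

mail.boochtek.com is covered only by the wildcard entry, a.b.boochtek.com is not covered at all (a wildcard matches a single label), and boochtek.com is covered only because it is listed explicitly; if one of those results surprises you in the real certificate, fix the alt_names list before installing it.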

Testing

[This section should be moved to the Apache build page.]

To test connecting to Apache via HTTPS, open a TLS connection and type a minimal request by hand. The empty line after the Host header ends the request; without it the server keeps waiting for more headers:

# Test connecting to port 443 on the web server directly. -servername sends the hostname
# in the handshake (SNI), and -CAfile trusts our self-signed certificate so the session
# ends with "Verify return code: 0 (ok)" instead of a self-signed error. Add -debug to
# dump every TLS record as hex if the handshake itself is failing.
openssl s_client -connect localhost:443 -servername boochtek.com -CAfile /etc/ssl/certs/boochtek.crt -state
GET / HTTP/1.0
Host: boochtek.com

build/security.txt · Last modified: 2012/12/14 17:43 by Admin