SSL in brief
This section will serve as a very brief introduction to SSL, the
Secure Socket Layer. Cryptography is a very extensive topic which
literally fills volumes of texts. The following is an extremely
simplified view of how SSL is implemented and what part the
certificate plays in the entire process. There may be some small
inaccuracies in an effort to present the information in the easiest
possible format.
Normal web traffic is sent unencrypted over the Internet. That is,
anyone with access to the right tools can snoop all of that traffic.
Obviously, this can lead to problems, especially where security and
privacy is necessary, such as in credit card data and bank
transactions. The Secure Socket Layer is used to encrypt the data
stream between the web server and the web client (the browser).
SSL makes use of what is known as asymmetric cryptography,
commonly referred to as public key cryptography (PKI). With public
key cryptography, two keys are created, one public, one private.
Anything encrypted with either key can only be decrypted with its
corresponding key. Thus if a message or data stream were encrypted
with the server's private key, it can be decrypted only using its
corresponding public key, ensuring that the data only could have come
from the server.
If SSL utilizes public key cryptography to encrypt the data stream
traveling over the Internet, why is a certificate necessary? The
technical answer to that question is that a certificate is not really
necessary--the data is secure and cannot easily be decrypted by a
third party. However, certificates do serve a crucial role in the
communication process. The certificate, signed by a trusted
Certificate Authority (CA), ensures that the certificate holder is
really who he claims to be. Without a trusted signed certificate,
your data may be encrypted, however, the party you are communicating
with may not be whom you think. Without certificates, impersonation
attacks would be much more common.
Generating a Private Key and CSR
The openssl toolkit is used to generate an RSA Private Key and CSR
(Certificate Signing Request). It can also be used to generate
self-signed certificates which can be used for testing purposes or
internal usage. The utility used to do all of these tasks is known
simply as openssl. It should be installed in the /usr/local/ssl/bin
directory. You may want to add this directory to your PATH, or copy
or link the openssl utility to a directory that is already in your
PATH so that you do not have to type the full path to the executable.
The examples below will assume that openssl is in a location that is
accessible to you without using the full path to the command.
The first step is to create your RSA Private Key. This key is a
1024 bit RSA key which is encrypted using Triple-DES and stored in a
PEM format so that it is readable as ASCII text. We will use several
files as random seed enhancers which will help to make the key more
secure. Text files that have been compressed with a utility such as
gzip are good choices. The key is generated using the following
command, where file1:file2:etc represents the random compressed
files.
$ openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out
server.key 1024
The command will prompt you for a pass-phrase and then store the
key in the file server.key. It is critical that the pass-phrase be
secure and not forgotten. If either the key is lost, or the
pass-phrase is forgotten,
the certificate will be useless! It
cannot be stressed enough how important the private key is to the
certificate. If the private key and pass-phrase are compromised, the
certificate will have to be revoked, costing you the price of the
certificate all over again if you have paid an authority for the
certificate. It may be a wise idea to back this file up to secure
media, such as tape or diskette.
One unfortunate side-effect of the pass-phrased private key is
that Apache will ask for the pass-phrase each time the web server is
started. Obviously this is not necessarily convenient as someone will
not always be around to type in the pass-phrase, such as after a
reboot or crash. mod_ssl includes the ability to use an external
program in place of the built-in pass-phrase dialog, however, this is
not necessarily the most secure option either. It is possible to
remove the Triple-DES encryption from the key, thereby no longer
needing to type in a pass-phrase. If the private key is no longer
encrypted, it is critical that this file
only be readable by the
root user! If your system is ever compromised and a third party
obtains your unencrypted private key, the corresponding certificate
will need to be revoked. With that being said, use the following
command to remove the pass-phrase from the key:
$ openssl rsa -in server.key -out server.pem
Once the private key is generated a Certificate Signing Request
can be generated. The CSR is then used in one of two ways. Ideally,
the CSR will be sent to a Certificate Authority, such as
Thawte
or
Verisign who will verify
the identity of the requestor and issue a signed certificate. The
second option is to self-sign the CSR, which will be demonstrated in
the next section.
During the generation of the CSR, you will be prompted for several
pieces of information. These are the X.509 attributes of the
certificate. One of the prompts will be for "Common Name (e.g.,
YOUR name)". It is important that this field be filled in with
the fully qualified domain name of the server to be protected by SSL.
If the website to be protected will be https://www.server.com, then
enter www.server.com at this prompt. The command to generate the CSR
is as follows:
$ openssl req -new -key server.key -out server.csr
A sample CSR generation session is shown below, with sample
responses shown in bold:
$ openssl req -new -key server.key -out server.csr
Using
configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass
phrase:
Enter pass phrase here
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN. There are quite a few fields but you can leave some blank.
For some fields there will be a default value, If you enter '.',
the field will be left blank.
-----
Country Name (2 letter code) [AU]:
US
State or Province
Name (full name) [Some-State]:
New Hampshire
Locality Name
(eg, city) []:
Nashua
Organization Name (eg, company)
[Internet Widgits Pty Ltd]:
Domain.com, Inc.
Organizational
Unit Name (eg, section) []:
.
Common Name (eg, YOUR
name) []:
www.domain.com
Email Address
[]:
webmaster@domain.com
Please enter the following
'extra' attributes to be sent with your certificate request
A
challenge password []:
An optional company name []:
Generating a Self-Signed Certificate
At this point you will need to generate a self-signed certificate
because you either don't plan on having your certificate signed by a
CA, or you wish to test your new SSL implementation while the CA is
signing your certificate. In my experience dealing with Thawte, it
can take up to a week or more before receiving your signed
certificate. The time it takes to receive the certificate will vary
based on how quickly they receive your required documentation. This
temporary certificate will generate an error in the client browser to
the effect that the signing certificate authority is unknown and not
trusted.
To generate a temporary certificate which is good for 60 days,
issue the following command:
$ openssl x509 -req -days 60 -in server.csr -signkey server.key
-out server.crt
Configuring SSL Enabled Virtual Hosts
The mod_ssl module is available in apache2-common package. Execute
the following command from a terminal prompt to enable the mod_ssl
module:
$
sudo
a2enmod ssl
Create a virtual host entry in /etc/apache2/httpd.conf. A basic
SSL enabled virtualhost entry will appear like as follows:
# SSL Virtual Hosts
<VirtualHost _default_:443>
ServerAdmin
webmaster@domain.com
DocumentRoot
/usr/local/apache/share/htdocs
ServerName www.domain.com
SSLEngine
on
SSLCertificateFile
/usr/local/apache/etc/ssl.crt/server.crt
SSLCertificateKeyFile
/usr/local/apache/etc/ssl.key/server.pem
SetEnvIf User-Agent
".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
This will create an SSL virtualhost named www.domain.com, which is
accessed via port 443 (the standard port for https) on the default IP
address of the web server. It is possible to add as many additional
virtualhosts as there are IP addresses that the web server listens
to. Simply add additional virtualhost blocks
inside of the
<IfDefine SSL> and </IfDefine> tags. Due to the nature of
the SSL encryption of the HTTP traffic,
it is NOT possible to have
name-based (HTTP1.1) SSL virtual hosts. To create a new SSL
virtualhost on a different IP address, simply replace _default_ with
the IP address of the virtualhost.
After adding the virtualhost, Apache must be killed and restarted
in order for it to recognize the new virtualhost.
Now, point your favorite browser to the new virtualhost you just
created, remembering to use https:// instead of http://, and you
should be greeted with a warning dialog if you are using the
self-signed certificate. Acknowledge the dialog and the page will
continue to load, protected by SSL. The status bar of your browser
should be graced by the 'lock' icon, which signifies the page is
protected via SSL. This is all there is to it!
