Article
Setting up an Apache web server for secure communications isn't as difficult as it seems. OES 2 comes preconfigured with SSL/TLS for eDirectory operations in the web-based utilities, such as iManager.
If you plan on using your web server for Internet or public use, you may want to purchase a signed certificate from one of the commercial root CAs.
Procedure
We have to complete the following steps, in order.
- Create a new Certificate Authority (CA)
- Create a new Key and Certificate for the Apache Server
- Create a new Host Location for the Secure Site
- Configure Apache for SSL
Create a new Certificate Authority (CA)
Make a temporary directory in which to perform the CA operations.
mkdir -p /root/temp/ca
cd /root/temp/ca
Generate the CA private key with a 2048-bit modulus.
openssl genrsa -des3 -out newca.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
...................+++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Create the X.509 certificate and make it expire in 2 years.
openssl req -new -x509 -days 730 -key newca.key -out newca.crt
Enter pass phrase for newca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Dallas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company, Inc.
Organizational Unit Name (eg, section) []:Independent
Common Name (eg, YOUR name) []:*.mydomain.com
Email Address []:webmaster@mydomain.com
Let's view the certificate we just created:
openssl x509 -in newca.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8c:1c:d7:a8:44:d2:44:10
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Texas, L=Dallas, O=My Company, Inc., OU=Independent, CN=*.mydomain.com/emailAddress=webmaster@mydomain.com
Validity
Not Before: Feb 24 22:29:39 2008 GMT
Not After : Feb 21 22:29:39 2010 GMT
Subject: C=US, ST=Texas, L=Dallas, O=My Company, Inc., OU=Independent, CN=*.mydomain.com/emailAddress=webmaster@mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:b7:bd:2e:ec:38:b9:42:cf:b4:d4:97:fd:b7:4a:
0e:a3:25:34:81:e4:ee:d1:a3:63:35:14:26:5e:28:
83:67:e9:25:db:2b:48:e4:bf:95:cd:13:c6:34:be:
5d:c5:52:3b:f1:63:26:a4:bd:c8:04:77:d1:ad:d2:
2f:df:85:2a:25:c5:8d:94:85:ac:60:26:9c:38:75:
f9:2c:6b:8a:49:aa:36:c6:3a:a7:a6:44:b6:26:f8:
5b:cc:a3:4c:cc:c9:29:28:9a:f7:3c:b4:6a:54:f4:
9e:0d:cf:a1:f4:b7:bb:a3:44:a9:20:36:0a:6c:23:
6a:17:f6:f8:f1:00:a9:1a:02:3b:04:fa:b6:0a:78:
8f:c2:12:f8:98:12:16:2d:09:15:56:ee:42:8d:3f:
29:b6:d5:5e:40:51:77:5c:6f:3e:41:9c:f3:68:31:
ed:ba:55:41:7d:23:37:72:69:b3:40:9c:04:1e:00:
f5:f0:e1:49:2a:25:a2:b2:46:3f:4e:c4:61:8e:65:
8c:ca:87:64:bf:84:81:b9:ab:bd:aa:98:94:f1:0d:
ee:1a:ac:c0:38:23:b4:06:73:f0:ad:69:da:3c:be:
fe:e5:17:fa:6c:bc:55:56:9e:5e:70:0f:b3:67:ac:
2f:99:d5:19:c0:65:33:ed:4f:bd:21:22:24:70:e4:
04:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
A9:A0:AD:2B:A0:27:FD:DD:29:FF:43:1B:14:3D:80:17:62:34:B7:BC
X509v3 Authority Key Identifier:
keyid:A9:A0:AD:2B:A0:27:FD:DD:29:FF:43:1B:14:3D:80:17:62:34:B7:BC
DirName:/C=US/ST=Texas/L=Dallas/O=My Company, Inc./OU=Independent/CN=*.mydomain.com/emailAddress=webmaster@mydomain.com
serial:8C:1C:D7:A8:44:D2:44:10
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
1e:b2:f8:7e:6c:34:b1:6b:cb:91:ec:ed:97:eb:ca:c7:9a:75:
e4:59:80:06:9d:6b:00:74:17:e5:86:d5:a8:53:1d:85:03:90:
1c:a0:ca:77:45:65:e6:e8:50:9c:c4:85:10:13:d0:30:6f:1d:
fc:3f:c6:b4:41:be:69:a3:a0:b4:e1:67:b3:41:0c:97:1b:a9:
87:73:f2:9b:e4:c6:d8:b8:e5:a8:b0:0d:4c:c8:d9:a1:d2:17:
89:93:03:74:cb:b6:ad:ff:53:66:00:71:3b:92:b1:7d:28:ce:
3b:ec:8e:70:42:43:49:14:7c:9d:4a:cf:87:53:2b:84:5d:33:
79:70:ff:0e:34:26:ae:38:30:df:19:e8:b4:7c:52:33:bd:3c:
a4:fd:c0:ad:78:75:26:76:ac:fe:be:ef:9c:ec:09:d8:ab:6f:
25:fc:f2:35:f1:90:44:30:2f:0c:74:68:4b:1a:80:79:4f:f3:
e3:7b:64:4e:a4:57:7d:2c:48:0f:0e:35:54:78:ad:eb:2e:3f:
9d:e3:8b:21:07:75:93:86:dd:b2:c1:0a:e6:a4:42:93:9e:60:
81:99:a9:34:87:1d:47:cc:56:49:e2:b8:05:65:c0:02:45:04:
1a:bd:87:99:3e:c4:db:9f:37:0c:c7:61:83:f9:62:e2:18:45:
c0:4e:e6:74
Copy the CA key (newca.key) and certificate (newca.crt) to a safe location for backup and safekeeping. Remember the pass phrase you used, because you'll need it to sign additional certificates.
Create a new Key and Certificate for the Apache Server
When we create the certificate for the Apache server, we will create a signed certificate based on the CA we created earlier.
Create the server key with a 1024-bit modulus.
openssl genrsa -des3 -out ap2server.key 1024
Generating RSA private key, 1024 bit long modulus
.............................++++++
.........................++++++
e is 65537 (0x10001)
Enter pass phrase for ap2server.key:
Verifying - Enter pass phrase for ap2server.key:
Create the Certificate Signing Request (CSR).
openssl req -new -key ap2server.key -out ap2server.csr
Enter pass phrase for ap2server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Dallas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company, Inc.
Organizational Unit Name (eg, section) []:Independent
Common Name (eg, YOUR name) []:www.mydomain.com
Email Address []:webmaster@mydomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Create the signed server certificate from the CA and the CSR.
openssl x509 -req -in ap2server.csr -out ap2server.crt -sha1 -CA newca.crt -CAkey newca.key -CAcreateserial -days 730
Signature ok
subject=/C=US/ST=Texas/L=Dallas/O=My Company, Inc./OU=Independent/CN=www.mydomain.com/emailAddress=webmaster@mydomain.com
Getting CA Private Key
Enter pass phrase for newca.key:
Let's look at the certificate.
openssl x509 -in ap2server.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
b4:27:81:78:c5:9b:2a:46
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Texas, L=Dallas, O=My Company, Inc., OU=Independent, CN=*.mydomain.com/emailAddress=webmaster@mydomain.com
Validity
Not Before: Feb 24 23:37:47 2008 GMT
Not After : Feb 23 23:37:47 2010 GMT
Subject: C=US, ST=Texas, L=Dallas, O=My Company, Inc., OU=Independent, CN=www.mydomain.com/emailAddress=webmaster@mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c1:9c:72:73:c9:7b:ab:dc:39:3f:c2:83:e6:e2:
e3:49:db:a5:21:3b:7f:e4:72:ec:17:bb:bc:92:ce:
88:30:1a:57:81:11:a0:06:71:93:65:ea:59:5e:e9:
2a:09:83:83:12:15:ad:d4:d3:8e:bd:1f:d5:ee:31:
99:1c:85:c6:d7:c5:1a:5c:f2:e0:24:f8:a2:d4:b5:
2b:cb:b8:e8:52:60:18:59:94:e2:1b:cc:a0:b5:52:
1f:d2:0b:d2:88:77:ab:d0:76:c8:37:0c:01:87:c9:
06:31:fb:d6:6d:53:1e:b0:24:f9:5c:48:13:5b:1e:
11:c0:f3:74:96:35:b4:9e:8b
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
37:a7:50:93:61:26:67:ea:90:cd:2b:ac:91:ef:19:13:1f:e3:
f3:27:a9:46:c2:28:5e:3d:89:28:d9:de:03:6b:b4:d5:d0:dd:
15:3c:d6:d0:c1:1f:6f:25:ea:f7:f3:d5:df:18:a8:f3:22:c5:
8a:82:8f:be:a3:32:19:2e:d5:d7:28:ea:5f:56:b6:b4:68:1e:
9a:90:01:72:83:58:2c:d2:2f:d8:28:1b:1f:e4:e1:64:3e:e4:
1d:b8:67:6b:28:9e:57:23:5a:75:47:e9:f3:ad:f3:dd:6b:d7:
43:66:a8:a0:97:a8:3e:d0:57:25:cb:84:14:72:33:b3:7b:0e:
18:49:68:3a:a6:5b:10:fc:e4:fe:4c:25:72:05:1c:d0:fe:b9:
e9:48:1e:48:1e:ad:1d:b8:a0:ea:35:c8:06:30:bc:cd:51:37:
11:6b:f8:c6:45:47:26:89:ef:99:32:fb:d6:c3:1e:ee:5f:7a:
4e:5a:6e:e4:4b:ed:9b:cc:8b:ed:5c:0c:2e:e2:ad:65:cd:7f:
87:b2:c5:04:0b:aa:15:78:14:69:8e:2b:a5:ed:07:41:ab:f2:
3a:c3:6e:53:94:dc:fd:2c:bf:7e:65:18:c8:18:81:81:c2:c0:
7d:dc:94:4c:72:28:9a:ba:4f:ce:85:29:c0:bf:6f:ae:3b:8a:
79:41:ad:be
That's all for the server side. Copy the generated key and certificates into the Apache directory hierarchy.
cp ap2server.crt /etc/apache2/ssl.crt/
cp ap2server.key /etc/apache2/ssl.key/
cp newca.crt /etc/apache2/ssl.crt/
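The whole key-and-certificate procedure above, collapsed into one script together with the checks worth running before anything is copied into /etc/apache2. This is an added example, not code from the original article: it keeps the article's file names and DN values, but the pass phrases, the server.ext extension file and the make_pki/check_pki functions are this example's own. It departs from the article in two deliberate places: it signs with SHA-256 and a 2048-bit server key rather than SHA-1 and 1024 bits, because current OpenSSL releases reject SHA-1-signed certificates at their default security level and the chain check would fail on the article's settings, and it passes an extension file to x509 -req so the server certificate is a v3 certificate carrying a subjectAltName, which browsers now require (the article's x509 -req call produces the v1 certificate shown in its dump).

```shell
#!/bin/sh
# Added example, not part of the original article: the CA -> server key ->
# CSR -> signed certificate procedure as a non-interactive script, followed by
# the checks worth running before copying files into /etc/apache2.
# Pass phrases, server.ext and the check_pki function are this example's own.

DN_BASE="/C=US/ST=Texas/L=Dallas/O=My Company, Inc./OU=Independent"

# make_pki <dir> <ca-passphrase> <server-passphrase>
# Creates newca.key, newca.crt, ap2server.key, ap2server.csr and ap2server.crt in <dir>.
make_pki() {
  dir="$1"; capw="$2"; srvpw="$3"
  mkdir -p "$dir" || return 1

  # Step 1: CA private key (2048 bit, DES3-encrypted) and self-signed CA cert valid 2 years.
  openssl genrsa -des3 -passout "pass:$capw" -out "$dir/newca.key" 2048 2>/dev/null || return 1
  openssl req -new -x509 -days 730 -key "$dir/newca.key" -passin "pass:$capw" \
    -subj "$DN_BASE/CN=*.mydomain.com/emailAddress=webmaster@mydomain.com" \
    -out "$dir/newca.crt" 2>/dev/null || return 1

  # Step 2: server key and certificate signing request (CN = the site's host name).
  openssl genrsa -des3 -passout "pass:$srvpw" -out "$dir/ap2server.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$dir/ap2server.key" -passin "pass:$srvpw" \
    -subj "$DN_BASE/CN=www.mydomain.com/emailAddress=webmaster@mydomain.com" \
    -out "$dir/ap2server.csr" 2>/dev/null || return 1

  # Step 3: sign the CSR with the CA. Without -extfile, x509 -req emits a v1
  # certificate (as in the article's dump); this constructed extension file
  # marks the result as an end-entity cert and adds the SAN browsers look for.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.mydomain.com\n' > "$dir/server.ext"
  openssl x509 -req -in "$dir/ap2server.csr" -CA "$dir/newca.crt" -CAkey "$dir/newca.key" \
    -passin "pass:$capw" -CAcreateserial -days 730 -sha256 -extfile "$dir/server.ext" \
    -out "$dir/ap2server.crt" 2>/dev/null || return 1
}

# check_pki <dir> <server-passphrase>
# Prints one PASS/FAIL line per check and returns the number of failures.
check_pki() {
  dir="$1"; srvpw="$2"; fails=0
  crt_text=$(openssl x509 -in "$dir/ap2server.crt" -noout -text)

  # The server certificate must chain to our CA.
  if openssl verify -CAfile "$dir/newca.crt" "$dir/ap2server.crt" >/dev/null 2>&1
  then echo "PASS chain verifies against newca.crt"
  else echo "FAIL chain does not verify"; fails=$((fails + 1)); fi

  # The private key must belong to the certificate (compare the public keys).
  key_pub=$(openssl rsa -in "$dir/ap2server.key" -passin "pass:$srvpw" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$dir/ap2server.crt" -noout -pubkey)
  if [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
  then echo "PASS key matches certificate"
  else echo "FAIL key does not match certificate"; fails=$((fails + 1)); fi

  # Modulus size and signature hash: 1024-bit RSA and SHA-1 are no longer acceptable.
  bits=$(printf '%s\n' "$crt_text" | grep -oE '\([0-9]+ bit\)' | head -1 | tr -dc '0-9')
  if [ "${bits:-0}" -ge 2048 ]
  then echo "PASS key size $bits"
  else echo "FAIL key size ${bits:-unknown} < 2048"; fails=$((fails + 1)); fi
  sigalg=$(printf '%s\n' "$crt_text" | grep 'Signature Algorithm' | head -1 | awk '{print $3}')
  case "$sigalg" in
    *sha1*|*md5*) echo "FAIL weak signature $sigalg"; fails=$((fails + 1)) ;;
    *)            echo "PASS signature $sigalg" ;;
  esac

  # The CA cert must be marked CA:TRUE; the server cert must carry its SAN.
  if openssl x509 -in "$dir/newca.crt" -noout -text | grep -q 'CA:TRUE'
  then echo "PASS CA certificate has CA:TRUE"
  else echo "FAIL CA certificate lacks CA:TRUE"; fails=$((fails + 1)); fi
  if printf '%s\n' "$crt_text" | grep -q 'DNS:www.mydomain.com'
  then echo "PASS subjectAltName present"
  else echo "FAIL subjectAltName missing"; fails=$((fails + 1)); fi
  return "$fails"
}

# Stand-alone use: build into a temporary directory and audit it.
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  make_pki "$work" ca-secret server-secret && check_pki "$work" server-secret
  echo "files left in $work"
fi
```

Run it as `sh make-pki.sh run` (file name assumed) to build into a temporary directory and print the PASS/FAIL lines, then copy the files as in the article once everything passes. The server key stays pass-phrase protected exactly as in the article, so Apache will prompt for the pass phrase at start-up unless SSLPassPhraseDialog is configured otherwise.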
Create a new Host Location for the Secure Site
We want to separate this site from other sites on this server, if applicable. We'll place our files in a subdirectory of the default htdocs directory.
Create the subdirectory.
mkdir /srv/www/htdocs/ssite
cd /srv/www/htdocs/ssite
Using your favorite editor, create an index.html for this site and place it in this directory.
<html>
<head>
</head>
<body>
<h1>We're encrypted!</h1>
</body>
</html>
Configure the Apache web server
We need to create a virtual host for this site. There is a template we can use that has all the settings we'll need.
Copy the template to a new virtual host configuration file.
cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/ssl-ssite.conf
Open that file with a text editor and change the following directives.
NameVirtualHost www.mydomain.com:443
<VirtualHost www.mydomain.com:443>
    ServerName www.mydomain.com
    ServerAdmin webmaster@mydomain.com
    DocumentRoot "/srv/www/htdocs/ssite"

    # Only allow "high" and "medium" security key lengths; REMOVE the others.
    SSLCipherSuite HIGH:MEDIUM

    # Force SSLv3 and TLSv1 only!
    SSLProtocol all -SSLv2

    # Server Certificate:
    SSLCertificateFile /etc/apache2/ssl.crt/ap2server.crt

    # Server Private Key:
    SSLCertificateKeyFile /etc/apache2/ssl.key/ap2server.key

    # Server Certificate Chain:
    SSLCertificateChainFile /etc/apache2/ssl.crt/newca.crt

    # Certificate Authority (CA):
    SSLCACertificateFile /etc/apache2/ssl.crt/newca.crt

    <Directory "/srv/www/htdocs/ssite">
        Options Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
Save the file.
Restart Apache
rcapache2 restart
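An added example, not from the article, that reads an Apache 2.2 vhost file and reports the settings a reviewer would flag in the configuration above: SSLProtocol still allowing SSLv3, SSLCipherSuite admitting the MEDIUM (or weaker) cipher classes, and directory listings via Options Indexes. The two sample files it writes are constructed here; the weak one reproduces the article's directives (plus an SSLEngine on line, assumed to come from the template), and the hardened one shows the corrected values. The directive and audit_vhost functions are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: a small audit of the SSL-related
# directives in an Apache 2.2 vhost file. The sample files, directive() and
# audit_vhost() are this example's own.

# write_weak_vhost <file>: the article's vhost settings (constructed sample;
# the "SSLEngine on" line is assumed to come from the SUSE template).
write_weak_vhost() {
  cat > "$1" <<'EOF'
NameVirtualHost www.mydomain.com:443
<VirtualHost www.mydomain.com:443>
    ServerName www.mydomain.com
    DocumentRoot "/srv/www/htdocs/ssite"
    SSLEngine on
    # Only allow "high" and "medium" security key lengths; REMOVE the others.
    SSLCipherSuite HIGH:MEDIUM
    # Force SSLv3 and TLSv1 only!
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/apache2/ssl.crt/ap2server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/ap2server.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/newca.crt
    <Directory "/srv/www/htdocs/ssite">
        Options Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
EOF
}

# write_hardened_vhost <file>: the same vhost with the three findings corrected.
write_hardened_vhost() {
  cat > "$1" <<'EOF'
<VirtualHost www.mydomain.com:443>
    ServerName www.mydomain.com
    DocumentRoot "/srv/www/htdocs/ssite"
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/apache2/ssl.crt/ap2server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/ap2server.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/newca.crt
    <Directory "/srv/www/htdocs/ssite">
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
EOF
}

# directive <file> <name>: value of the first occurrence of <name>, comments stripped.
directive() {
  sed 's/#.*//' "$1" | awk -v n="$2" '$1 == n { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# audit_vhost <file>: prints one finding per line; prints nothing when clean.
audit_vhost() {
  f="$1"
  engine=$(directive "$f" SSLEngine)
  [ "$engine" = "on" ] || echo "SSLEngine is '${engine:-unset}', expected on"
  [ -n "$(directive "$f" SSLCertificateKeyFile)" ] || echo "SSLCertificateKeyFile is missing"

  # SSLv3 stays enabled when the value names 'all' or 'SSLv3' without a '-SSLv3'.
  proto=$(directive "$f" SSLProtocol)
  if printf '%s\n' "$proto" | grep -qiE '(^| )[+]?(all|SSLv3)( |$)' &&
     ! printf '%s\n' "$proto" | grep -qiE '(^| )-SSLv3( |$)'; then
    echo "SSLProtocol '$proto' still allows SSLv3"
  fi

  # MEDIUM, LOW, EXPORT and NULL cipher classes should be excluded, not included.
  ciphers=$(directive "$f" SSLCipherSuite)
  if printf '%s\n' "$ciphers" | grep -qE '(^|:)[+]?(MEDIUM|LOW|EXP|EXPORT|NULL|aNULL|eNULL)(:|$)'; then
    echo "SSLCipherSuite '$ciphers' admits weak cipher classes"
  fi

  # Directory listings expose the document tree; Indexes should be off.
  opts=$(directive "$f" Options)
  if printf '%s\n' "$opts" | grep -qE '(^| )[+]?Indexes( |$)'; then
    echo "Options '$opts' enables directory listings"
  fi
  return 0
}

# Stand-alone use: audit the vhost file given as the first argument.
if [ -n "${1:-}" ]; then audit_vhost "$1"; fi
```

Run as `sh audit-vhost.sh /etc/apache2/vhosts.d/ssl-ssite.conf` (script name assumed); no output means none of the checks fired. The checks are deliberately textual, so they work on a file before Apache is restarted with it.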
Testing
Open a browser and enter the site URL https://www.mydomain.com/
Accept the certificate for your new site when the browser warns that it was not issued by a trusted CA.
As you can see from the browser's address bar, the page is being served over https instead of http.
Conclusion
I don't claim to be any expert in SSL/TLS, nor am I an encryption junkie. This article shows you that encryption for Apache on SLES 10 is not something that needs a degree from MIT. If you are more interested in SSL/TLS, I found a site that really explains how it works, with pictures! http://www.securityfocus.com/infocus/1818
Enjoy!
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
User Comments
It does not work
Submitted by ozgarcia on 4 April 2011 - 3:10am.
I followed the instructions, but the final part "Configure the Apache web server" does not seem to work. There are some obvious mistakes, but even after correcting them it does not work:
1. Copying the template to create the virtual host: cp /etc/apache2/vhosts.d/vhost-template.ssl /etc/apache2/vhosts/ssl-ssite.conf. The source file does not exist; it should probably be vhost-ssl.template, and the target directories are wrong. It should be: cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/ssl-ssite.conf
2. It is not so clear what needs to be changed/added in the ssl-ssite.conf file; furthermore, in my template there is this comment:
# NameVirtualHost statements should be added to /etc/apache2/listen.conf
I have tried it in both places but still no joy... This is one of the main setbacks of SUSE and Linux in general: there is not a clear cookbook but tons of documentation... more like looking for a needle in a haystack.
Changes
Submitted by mfaris01 on 11 April 2011 - 12:28pm.
Thanks for pointing these out.
I have renamed the template file and reworked the HTML code for the virtual host file to reflect what needs to be changed, in bold. I don't always get an email when someone comments on an article; I just happened to check.
Thanks again.
Mike..