Thursday 22 March 2012

How to setup SSL on Apache

An SSL certificate lets a web server prove its identity to the end user and makes it possible to encrypt the communication between the two hosts.

The browser checks the web server's certificate to see whether it is valid. If it is, the browser and web server negotiate a cipher suite that both of them support.

Once they have agreed, the two sides use a key pair (a public key and a private key) to establish the keys that encrypt and decrypt the data in both directions, and from then on the browser and web server communicate so that nobody watching the network can read their conversation. Secure Sockets Layer (SSL, since superseded by TLS) is used in e-commerce and other applications where the information being transmitted must stay confidential on the wire.

SSL certificates are normally signed by a trusted third party known as a Certificate Authority (CA). The CA confirms your identity and then adds its signature to your certificate. On the browser side, browsers such as Firefox and Internet Explorer ship with a list of trusted CA root certificates and check that the certificate they are presented with chains back to one of them. If it does, the browser accepts the certificate without complaint; if it does not, the browser complains and typically throws up a window saying the certificate is bad or should not be trusted.

OpenSSL lets you create self-signed certificates for free. A self-signed certificate is built the same way as a CA-signed one, except that no CA stamps it with its approval; instead you sign it with your own key.

The encryption a self-signed certificate gives you is just as strong, but it comes at a cost: every browser will display the warning popup, and because nothing ties the certificate to you, anyone in the network path can present their own self-signed certificate in your name and the client has no way to tell the difference.

SSL is a layered protocol and consists of four sub-protocols:
  !  SSL Handshake Protocol
  !  SSL Change Cipher Spec Protocol
  !  SSL Alert Protocol
  !  SSL Record Layer

@ Get the apache package first (verify the tarball against the .asc signature and KEYS file Apache publishes alongside it before building)

# cd /ctechz/

# wget http://apache.mirrors.hoobly.com//httpd/httpd-2.2.22.tar.gz

# gunzip httpd-2.2.22.tar.gz

# tar -xvf httpd-2.2.22.tar

# cd httpd-2.2.22

# ./configure --prefix=/opt/apachessl/ --enable-ssl --enable-so

# make

# make install

# cd /opt/apachessl

# /opt/apachessl/bin/apachectl start

Open http://192.168.1.240 in a browser. It shows the default Apache page if everything went right. If you want a custom HTML page instead, follow the steps below.

# mkdir /opt/apachessl/htdocs/ctechz.com/   ## a subdirectory under the default document root /opt/apachessl/htdocs

Create an index.html page there.

# vim /opt/apachessl/conf/httpd.conf

<VirtualHost 192.168.1.240:80>
    DocumentRoot /opt/apachessl/htdocs/ctechz.com/
    ServerName ctechz.com
</VirtualHost>

Listen 192.168.1.240:80

@ Now generate a self-signed SSL certificate and key

# cd /opt/apachessl/conf/

# mkdir ssl

# cd ssl

Generate a private key file (server.key), a certificate signing request file (server.csr) and a web server certificate file (server.crt) that can be used on an Apache server with mod_ssl.

Generate Private Key on the Server Running Apache + mod_ssl

First, generate a private key on the Linux server that runs the Apache web server using the openssl command as shown below.

# openssl genrsa -des3 -out www.ctechz.com.key 1024

This prompts for a pass-phrase and prints "Generating RSA private key, 1024 bit long modulus". Note that 1024-bit RSA keys are no longer accepted by current browsers and CAs; use 2048 in place of 1024 for anything other than a throwaway test.

Generate a Certificate Signing Request (CSR)

Using the key generated above, generate a certificate request file (CSR) with openssl as shown below.

The CSR is then used in one of two ways. Ideally it is sent to a Certificate Authority, such as Thawte or VeriSign, which verifies the identity of the requester and issues a signed certificate. The second option is to self-sign the CSR, which is demonstrated in the next section.

# openssl req -new -key www.ctechz.com.key -out www.ctechz.com.csr

@ Remove Passphrase from Key

One unfortunate side-effect of a pass-phrased private key is that Apache asks for the pass-phrase each time the web server is started. This is not always convenient, since someone will not always be around to type it in, such as after a reboot or crash. mod_ssl can call an external program in place of the built-in pass-phrase dialog, but that is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key so that no pass-phrase is needed. If the private key is no longer encrypted, it is critical that this file be readable by the root user only! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will have to be revoked. With that said, use the following commands to remove the pass-phrase from the key:

Do this only if you entered a pass-phrase when creating the key file.

# cp www.ctechz.com.key www.ctechz.com.key.org

# openssl rsa -in www.ctechz.com.key.org -out www.ctechz.com.key

Generate a Self-Signed SSL Certificate

For testing purposes, you can generate a self-signed SSL certificate that is valid for 1 year (365 days) using the openssl command as shown below.

# openssl x509 -req -days 365 -in www.ctechz.com.csr -signkey www.ctechz.com.key -out www.ctechz.com.crt
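The key, CSR and self-signed certificate steps above as one script, followed by the checks a practitioner runs before pointing Apache at the files. This is an added example, not code from the original post; it assumes openssl is on the PATH, and the host name www.ctechz.com, the pass-phrase and the output directory are illustrative. It generates a 2048-bit key, strips the pass-phrase non-interactively the same way the post does, and then confirms that the key and certificate belong together, that the certificate is self-signed (so a browser with a real CA list will reject it) and that the unencrypted key is readable by its owner only.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl on PATH;
# host name, pass-phrase and output directory are illustrative.
set -eu

# Generate an encrypted key (as the post does), strip the pass-phrase,
# create the CSR and self-sign it for one year.
gen_self_signed() {
    dir=$1; host=$2; pass=${3:-changeit}
    mkdir -p "$dir"
    # 2048 bits: 1024-bit RSA is below what browsers and CAs accept today.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/$host.key.org" 2048 2>/dev/null
    # Unencrypted copy that Apache can load without a pass-phrase prompt.
    openssl rsa -in "$dir/$host.key.org" -passin "pass:$pass" -out "$dir/$host.key" 2>/dev/null
    # The unencrypted key must be readable by its owner (root) only.
    chmod 600 "$dir/$host.key" "$dir/$host.key.org"
    # CSR carrying the CN the browser will compare against the host name.
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr" 2>/dev/null
    # Self-sign the CSR with our own key (the post's x509 -req step).
    openssl x509 -req -days 365 -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -out "$dir/$host.crt" 2>/dev/null
}

# Check 1: key and certificate share the same RSA modulus. A mismatch here
# is what Apache reports as a key/certificate mismatch at start-up.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ]
}

# Check 2: the CN in the certificate subject (the name the browser checks).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -e 's/^subject= *//' -e 's/^CN=//'
}

# Check 3: the certificate is self-signed: issuer equals subject, and it
# verifies only when it is itself used as the trust anchor, which is why a
# browser that trusts only real CAs will warn about it.
is_self_signed() {
    s=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//')
    i=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//')
    [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Check 4: the key file mode is 600 (GNU stat on Linux, BSD stat elsewhere).
key_is_private() {
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = "600" ]
}
```

Run `gen_self_signed /opt/apachessl/ssl www.ctechz.com` as root and then the four checks against the .key and .crt it produced; any check that fails is a configuration problem to fix before Apache is restarted.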

After generating the certificate, copy the files to wherever your Apache build expects them. Here I created a directory /opt/apachessl/ssl and copied all three files there; that is the directory the configuration below points at.

Then edit httpd.conf and point it at the certificate and key. For Apache on Red Hat using the stock package, the config file is /etc/httpd/conf/httpd.conf, and the SSL settings normally live in a separate /etc/httpd/conf.d/ssl.conf that it includes. Check for that file first before placing the following in httpd.conf. Whichever file you use, also restrict the protocol versions with the SSLProtocol directive so that SSLv2 and SSLv3 are not offered.

# cd /opt/apachessl/conf

# vim httpd.conf

Listen *:80
Listen *:443

<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /opt/apachessl/htdocs/ctechz.com/
    ServerName ctechz.com
#  ErrorLog logs/dummy-host.example.com-error_log
#  CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>

<VirtualHost *:443>
#    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /opt/apachessl/htdocs/ctechz.com/
    ServerName ctechz.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
    SSLEngine on

    SSLCertificateFile /opt/apachessl/ssl/www.ctechz.com.crt
    SSLCertificateKeyFile /opt/apachessl/ssl/www.ctechz.com.key
</VirtualHost>

Restart Apache, then open the link in the browser:
https://192.168.1.240

Because the certificate is self-signed, expect the trust warning described above. Because its CN is www.ctechz.com while the page was requested by IP address, the browser will also report a name mismatch; accessing the server as www.ctechz.com avoids the second warning.
