In this exercise you will set up a secure (HTTPS) virtual server within an Apache web server and connect to it. The connection will be secured by a self-signed certificate you will create and sign yourself.
- Generate a new private key file (in PEM format):

  (within the Vagrant setup you might want to do the following steps directly in `/home/vagrant`)

  ```
  ~# openssl genrsa -out example.com.key 2048
  Generating RSA private key, 2048 bit long modulus
  ....................................................................+++++
  ..............................................................................+++++
  e is 65537 (0x010001)
  ```
- Create a new certificate signing request (CSR) from the private key you just generated:

  ```
  ~# openssl req -new -key example.com.key -out example.com.csr
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:DE
  State or Province Name (full name) [Some-State]:Franconia
  Locality Name (eg, city) []:Nuernberg
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Raffzahn GmbH
  Organizational Unit Name (eg, section) []:
  Common Name (e.g. server FQDN or YOUR name) []:example.com
  Email Address []:certifcates@example.com

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
  ```
- Create a self-signed certificate from the CSR above:

  ```
  ~# openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt
  Signature ok
  subject=C = DE, ST = Franconia, L = Nuernberg, O = Raffzahn GmbH, CN = example.com, emailAddress = certifcates@example.com
  Getting Private key
  ```

  You have 3 new files now:

  ```
  ~# ls -l
  total 12
  -rw-r--r-- 1 vagrant vagrant 1302 Sep 13 15:16 example.com.crt
  -rw-r--r-- 1 vagrant vagrant 1054 Sep 13 15:15 example.com.csr
  -rw------- 1 vagrant vagrant 1675 Sep 13 15:12 example.com.key
  ```
- Now let's set up a secure (HTTPS) virtual server within Apache:

  Copy `exercises/A1/apache_conf.d/exercise-A1.conf` to a directory where Apache looks for configurations and edit all paths in there (to match the paths you chose on your system).

  - in our Vagrant setup this is

    ```
    ~# sudo cp /vagrant/exercises/A1/apache_conf.d/exercise-A1.conf /etc/httpd/conf.d/
    ~# sudo vim /etc/httpd/conf.d/exercise-A1.conf
    ```

  - in other CentOS / RedHat Enterprise setups do something like

    ```
    ~# sudo cp exercises/A1/apache_conf.d/exercise-A1.conf /etc/httpd/conf.d/
    ~# sudo vim /etc/httpd/conf.d/exercise-A1.conf
    ```

  - and in Debian / Ubuntu / Mint you do something like

    ```
    ~# sudo cp exercises/A1/apache_conf.d/exercise-A1.conf /etc/apache2/sites-available
    ~# sudo vim /etc/apache2/sites-available/exercise-A1.conf
    ```

  At `DocumentRoot` you give the full path of your `exercises/A1/htdocs` directory (make sure the runtime user of your Apache is allowed to read this directory).

  `SSLCertificateFile` and `SSLCertificateKeyFile` reference the full path of the files you created above.

  - in our Vagrant setup this is
- Enable the config now and reload your Apache.

  - in our Vagrant setup as well as in other CentOS / RedHat Enterprise setups this is

    ```
    ~# sudo systemctl restart httpd
    ```

  - and in Debian / Ubuntu / Mint you do something like

    ```
    ~# sudo a2ensite exercise-A1
    ~# sudo systemctl reload apache2
    ```
- Make sure it has a TCP listener on port 11443 now:

  ```
  ~# sudo netstat -pltn
  # or alternatively
  ~# sudo lsof | grep LISTEN
  ```
- Now it's time to test it:

  ```
  ~# curl https://localhost:11443/index.html
  curl: (60) Peer certificate cannot be authenticated with known CA certificates
  ```

  Or - depending on the versions in use - the message for curl error code 60 might be phrased differently.

  That's what we expected. We have not yet put our self-signed certificate into the truststore of our client (curl), so it is not trusted. Let's tell curl explicitly which certificate we trust:

  ```
  ~# curl --cacert example.com.crt https://localhost:11443/index.html
  curl: (51) SSL: certificate subject name 'example.com' does not match target host name 'localhost'
  ```

  Or maybe again the wording of the message 51 might be slightly different.

  Ah! Oh! Still doesn't work. The name (CN) in the certificate doesn't match the name in the URL (localhost). That's the point where users tend to click buttons like "Continue anyway!" or "I accept the insecure way!" (or add parameters to the curl command telling the same). We - of course - NEVER DO SUCH THINGS!! We want trust! We fix problems instead of working around them.
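As an added example (not part of the exercise repository), here are the three openssl steps from above scripted non-interactively, followed by the checks that explain the two curl errors before Apache is even involved: the CN that curl compares against the URL host name (error 51), whether the private key really belongs to the certificate, and whether the certificate verifies against itself as a trust anchor, which is what `--cacert` hands to curl to get past error 60. The `-subj` string (the same DN values typed interactively above), the scratch directory and the helper names are assumptions of this example; it needs only the `openssl` binary.

```shell
#!/bin/sh
# Added example: non-interactive version of the key / CSR / self-signed
# certificate steps plus sanity checks. Helper names and paths are assumptions.

# Generate key, CSR and self-signed certificate for $1 (used as CN) in directory $2.
# -subj replaces the interactive DN prompts; the values mirror the session above.
make_selfsigned() {
    domain="$1"; dir="$2"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    chmod 600 "$dir/$domain.key"             # private key: owner read/write only
    openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/C=DE/ST=Franconia/L=Nuernberg/O=Raffzahn GmbH/CN=$domain/emailAddress=certificates@$domain" \
        2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$domain.csr" -signkey "$dir/$domain.key" \
        -out "$dir/$domain.crt" 2>/dev/null
}

# Print the CN of certificate $1. RFC2253 formatting gives a stable
# "key=value,key=value" subject line across openssl versions.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 if the CN of certificate $1 equals host name $2 (what curl checks
# after the chain is trusted; a mismatch is curl error 51).
cert_matches_host() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Exit 0 if private key $2 belongs to certificate $1: both must carry the
# same RSA modulus. Apache refuses to start if they do not match.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa  -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Exit 0 if self-signed certificate $1 verifies when it is itself the trust
# anchor, i.e. what "curl --cacert example.com.crt" relies on to clear error 60.
cert_selfverifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: run the exercise end to end in a scratch directory and report the checks.
demo_dir=$(mktemp -d)
make_selfsigned example.com "$demo_dir"
echo "CN in certificate: $(cert_cn "$demo_dir/example.com.crt")"
cert_matches_host "$demo_dir/example.com.crt" example.com && echo "CN matches example.com: yes"
cert_matches_host "$demo_dir/example.com.crt" localhost   || echo "CN matches localhost: no (curl error 51)"
key_matches_cert  "$demo_dir/example.com.crt" "$demo_dir/example.com.key" && echo "key belongs to certificate: yes"
cert_selfverifies "$demo_dir/example.com.crt" && echo "verifies as its own trust anchor: yes"
rm -rf "$demo_dir"
```

Run it with `sh`; the last two checks are the ones worth repeating after you edit `SSLCertificateFile` and `SSLCertificateKeyFile`, because a key that does not belong to the certificate fails at Apache start, while a CN that does not match the URL only shows up at the client.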
Please continue with Exercise A.2 to see how we manage to do this.