SSL Certificates
SSL Certificates:
Normally data is sent unencrypted over the Internet, which means anybody with the right tools can intercept and read all of it. To prevent this, SSL (Secure Sockets Layer) is used to encrypt the data stream between the web server and the web client.
Types:
* Self Signed Certificate
* Certificate issued by a trusted Certificate Authority(CA)
Why is a certificate issued by a CA necessary?
Simple - it is not really necessary: the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. A certificate signed by a trusted Certificate Authority ensures that the certificate holder really is who he claims to be. Without a trusted signed certificate your data may be encrypted, but the party you are communicating with may not be who you think. Without certificates, impersonation attacks would be much more common.
Steps in generating Certificates:
* Generate a Private Key
* Generate a CSR (Certificate Signing Request)
* Generate a Self-Signed Certificate / Get the Certificate from a CA
* Install the Private Key and Certificate
* Configure SSL Enabled Virtual Hosts
* Restart Apache and Test
Generate a Private Key:
* The OpenSSL tool is used for this purpose; make sure openssl is installed
* It is always a good idea to include the domain name in the file names
* Note that 1024-bit RSA keys, as in the command below, are no longer accepted by current browsers or public CAs; 2048 bits is the minimum today
openssl genrsa -out /etc/httpd/conf/ssl.key/domain.key 1024
Generate a CSR:
* Once the Private Key is created, use it to generate a CSR
* Avoid entering data for the extra attributes such as "A challenge password", since this may cause Apache to ask you for the passphrase each time it restarts
openssl req -new -key /etc/httpd/conf/ssl.key/domain.key -out /etc/httpd/conf/ssl.crt/domain.csr
Generate a Self-Signed Certificate / Get the Certificate from a CA:
* A self-signed certificate is one that we create ourselves
* However, using a self-signed certificate will produce an error in the client's browser saying that the "signing certificate authority is unknown and not trusted"
openssl x509 -req -in /usr/local/apache/ssl.crt/domain.csr -signkey /usr/local/apache/ssl.key/domain.key -out /usr/local/apache/ssl.crt/domain.crt
* And to get a certificate from a CA, all you have to do is send them a copy of the private key and the CSR you have just generated on the server
* Copy all the certificates generated to the appropriate folders
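The three generation steps above as a non-interactive script, with the check a practitioner wants before installing anything: that the key, the CSR and the certificate all carry the same public key and that the self-signed certificate verifies. This is an added example, not code from the original page; the directory, the domain, the 365-day validity and the 2048-bit key size are assumptions rather than the page's values.

```shell
#!/bin/sh
# Added example: generate key, CSR and self-signed cert, then check they agree.
# Assumes openssl is on PATH. DIR and DOMAIN are caller-supplied (constructed
# values in the usage line below, not the page's /etc/httpd or /usr/local paths).
set -e

# gen_ssl_files DIR DOMAIN: writes DIR/DOMAIN.key, DIR/DOMAIN.csr, DIR/DOMAIN.crt
gen_ssl_files() {
    dir="$1"; domain="$2"
    mkdir -p "$dir"
    # 2048 bits (assumption, page uses 1024); umask keeps the key root-readable only
    (umask 077; openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null)
    # -subj answers the prompts up front, so no challenge password is entered
    openssl req -new -key "$dir/$domain.key" \
        -subj "/CN=$domain" -out "$dir/$domain.csr" 2>/dev/null
    # Self-signed: the CSR (which carries only the public key) is signed with
    # its own private key; a CA would sign the same CSR with the CA's key
    openssl x509 -req -days 365 -in "$dir/$domain.csr" \
        -signkey "$dir/$domain.key" -out "$dir/$domain.crt" 2>/dev/null
}

# pubkey_fingerprint FILE: sha256 of the DER public key in a key, CSR or cert
pubkey_fingerprint() {
    case "$1" in
        *.key) openssl rsa  -in "$1" -pubout -outform DER 2>/dev/null ;;
        *.csr) openssl req  -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        *.crt) openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# check_ssl_files DIR DOMAIN: prints "match" when key, CSR and cert share one
# public key and the self-signed cert verifies against itself, else "mismatch"
check_ssl_files() {
    dir="$1"; domain="$2"
    k=$(pubkey_fingerprint "$dir/$domain.key")
    r=$(pubkey_fingerprint "$dir/$domain.csr")
    c=$(pubkey_fingerprint "$dir/$domain.crt")
    if [ "$k" = "$r" ] && [ "$k" = "$c" ] &&
       openssl verify -CAfile "$dir/$domain.crt" "$dir/$domain.crt" >/dev/null 2>&1
    then echo match; else echo mismatch; fi
}

# Usage: sh ssl_gen_check.sh /tmp/ssl-demo www.example.com   (constructed values)
if [ "$#" -eq 2 ]; then gen_ssl_files "$1" "$2"; check_ssl_files "$1" "$2"; fi
```

A "mismatch" result usually means a certificate was installed next to a key it was not issued for, which is exactly the condition that makes Apache refuse to start with a key/certificate mismatch error.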
Configure SSL Enabled Virtual Hosts:
Configure your httpd.conf to incorporate the SSL certificates with the Apache server:
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/domain.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domain.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"