In this section we will cover the basics of key generation with SSL. The Red Hat Secure Web Server was used in the examples given.
To generate a key you use OpenSSL, with the system device /dev/urandom as the source of randomness. Here's how:
cd /etc/httpd/conf/
make genkey
You will see the following output:
/usr/sbin/openssl genrsa -des3 -rand /dev/urandom 1024 > ssl.key/server.key
unable to load 'random state'
Note: the error shown above only occurred once (the first time), and I ran this command several times. Every time after the first it ran just fine. As the key was generated in all cases, I think this error may be ignored.
1048664 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...........................................e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase: ########
chmod go-rwx ssl.key/server.key
If, for some reason, you don't have "make" installed on your system you may use the following less "user-friendly" command instead of make genkey:
/usr/sbin/openssl genrsa -rand /dev/urandom 1024 > ssl.key/server.key
-and-
chmod go-rwx ssl.key/server.key
The server.key file should be owned by the root user on your system and should not be accessible to any other user. You should make a backup copy of this file and keep it under lock and key. A good idea is to copy it to a floppy and then store this in a very, very safe place. You need the backup copy because if you ever lose the server.key file after using it to create your certificate request (CSR), your certificate will no longer work and the Certificate Authority will not be able to help you. Your only option would be to request a new certificate and pay for it all over again.
To generate a Certificate Request (CSR) type in the following command:
make certreq
If, for some reason, you don't have "make" installed on your system you may use the following less "user-friendly" command (the same one make certreq runs) instead of make certreq:
/usr/sbin/openssl req -new -key ssl.key/server.key > ssl.csr/server.csr
You will see the following output:
[root@ntbox conf]# make certreq
/usr/sbin/openssl req -new -key ssl.key/server.key > ssl.csr/server.csr
Using configuration from /usr/lib/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name []:NC
City (Locality) Name []:Cary
Company (Organization) Name []:My New Outfit, Inc.
Department Name []:Sales
Server Host Name []:ntbox.somewhere.com
Server Administrators Email Address []:me@somewhere.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:xxxxxxxx
An optional company name []:
After executing this task check in /etc/httpd/conf/ssl.csr/ to ensure that the CSR was created:
[root@ntbox ssl.csr]# pwd
/etc/httpd/conf/ssl.csr
[root@ntbox ssl.csr]# ls
server.csr
Here's what it looks like:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
This is what gets sent to your Certificate Authority (CA).
Once again we will execute this operation in /etc/httpd/conf/. The command to use is:
make testcert
You will see the following output:
[root@ntbox conf]# make testcert
/usr/sbin/openssl x509 -days 365 -signkey ssl.key/server.key -in ssl.csr/server.csr -req -out ssl.crt/server.crt
Signature ok
subject=/C=US/ST=NC/L=Cary/O=My New Outfit, Inc./OU=Sales/CN=ntbox.somewhere.com/Email=me@somewhere.com
Getting Private key
Enter PEM pass phrase:xxxxxxxx
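The three make targets above, as an added example that is not part of the original page: the same genkey, certreq and testcert steps run non-interactively, followed by the two checks worth doing before the restart (the key is readable by its owner only, and key, CSR and test certificate all carry the same RSA modulus). It assumes openssl is installed, uses a scratch directory in place of /etc/httpd/conf, takes the pass phrase as an argument (passed via -passout/-passin), and uses 2048-bit keys where the page used 1024-bit ones.

```shell
#!/bin/sh
# Added example, not from the original page: genkey / certreq / testcert run
# non-interactively, then two checks before the server restart.
# Assumptions: openssl is installed; $dir stands in for /etc/httpd/conf;
# the pass phrase is an argument; 2048-bit keys replace the page's 1024-bit
# ones, which are too short for current use.
set -eu

ssl_keychain_check() {
    dir=$1; pass=$2
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; nothing checked" >&2
        return 0
    fi
    mkdir -p "$dir/ssl.key" "$dir/ssl.csr" "$dir/ssl.crt"
    key=$dir/ssl.key/server.key; csr=$dir/ssl.csr/server.csr; crt=$dir/ssl.crt/server.crt

    # make genkey: pass-phrase-protected RSA key, then chmod go-rwx as the Makefile does
    openssl genrsa -des3 -rand /dev/urandom -passout "pass:$pass" 2048 > "$key" 2>/dev/null
    chmod go-rwx "$key"

    # make certreq: the CSR, with the page's DN values given via -subj instead of prompts
    openssl req -new -key "$key" -passin "pass:$pass" \
        -subj "/C=US/ST=NC/L=Cary/O=My New Outfit, Inc./OU=Sales/CN=ntbox.somewhere.com/emailAddress=me@somewhere.com" \
        > "$csr"

    # make testcert: self-signed, 365-day certificate over that CSR
    openssl x509 -days 365 -signkey "$key" -passin "pass:$pass" -in "$csr" -req -out "$crt"

    # check 1: group and others have no access to the private key
    perms=$(ls -l "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "bad permissions on $key: $perms" >&2; return 1; }

    # check 2: key, CSR and certificate share one modulus, i.e. they belong together
    m_key=$(openssl rsa -noout -modulus -in "$key" -passin "pass:$pass")
    m_csr=$(openssl req -noout -modulus -in "$csr")
    m_crt=$(openssl x509 -noout -modulus -in "$crt")
    [ "$m_key" = "$m_csr" ] && [ "$m_csr" = "$m_crt" ] || { echo "modulus mismatch" >&2; return 1; }

    # report the CN the browser will compare against the host name (old and new subject formats)
    cn=$(openssl x509 -noout -subject -in "$crt" | sed 's/.*CN *= *//; s|[,/].*||')
    echo "key, CSR and certificate match; CN=$cn"
}

# usage: ssl_keychain_check /tmp/ssl-scratch 'a long pass phrase'
```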
At this point you are ready to restart your server. Issue the following command:
[root@ntbox conf]# /etc/rc.d/init.d/httpsd restart
You will see the following output:
Shutting down httpsd: [ OK ]
Starting httpsd: Red Hat Secure/3.0 mod_ssl/2.2.8 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons. In order to read them you have to provide us with the pass phrases.
Server ntbox.moongroup.org:443
Enter pass phrase:xxxxxxxx
Ok: Pass Phrase Dialog successful.
[ OK ]
Now you are ready to test your server with a browser.
When you reach your web site with your browser you will have to tell the browser to accept the certificate you just created, because it is self-signed rather than a "real" certificate issued by an authority the browser trusts. Only after you install the genuine certificate from your Certificate Authority will the browser stop asking you to accept or deny the cert.
What you should use for a URL is not:
http://ntbox.somewhere.com:443/
-but-
https://ntbox.somewhere.com/
Note the "s" in the protocol field!
What you will see looks like this:
ntbox.somewhere.com is a site that uses encryption to protect transmitted information. However, Netscape does not recognize the authority who signed its Certificate. Although Netscape does not recognize the signer of this Certificate, you may decide to accept it anyway so that you can connect to and exchange information with this site. This assistant will help you decide whether or not you wish to accept this Certificate and to what extent.
Just accept the defaults all the way through the series of dialogues which follow and you'll be fine... it's just a test, after all.