[ On Fedora Core 4, digital certificates are now centralized in
directories under /etc/pki/.
Users performing an upgrade must relocate their digital certificates.
For example, the /usr/share/ssl contents have moved to /etc/pki/tls
and /etc/pki/CA.
See the /etc/httpd/conf.d/ssl.conf file for default locations and names. ]
======================= Set Up a CA ======================================
/root# cd /etc/pki/tls/misc
/etc/pki/tls/misc# ./CA.pl -newca # or: ./CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
....++++++
.....................................................++++++
writing new private key to '../../CA/private/cakey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Florida
Locality Name (eg, city) [Newbury]:Tampa
Organization Name (eg, company) [My Company Ltd]:HCC GCAW
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:whoopie.gcaw.org
Email Address []:security@gcaw.org
/etc/pki/tls/misc# ls -l ../../CA
total 32
-rw-r--r-- 1 root root 1220 Apr 27 00:45 cacert.pem
drwxr-xr-x 2 root root 4096 Apr 27 00:45 certs/
drwxr-xr-x 2 root root 4096 Apr 27 00:45 crl/
-rw-r--r-- 1 root root 116 Apr 27 00:46 index.txt
-rw-r--r-- 1 root root 0 Apr 27 00:45 index.txt.old
drwxr-xr-x 2 root root 4096 Apr 27 00:46 newcerts/
drwxr-xr-x 2 root root 4096 Apr 27 00:45 private/
-rw-r--r-- 1 root root 3 Apr 27 00:46 serial
-rw-r--r-- 1 root root 3 Apr 27 00:45 serial.old
/etc/pki/tls/misc# cat ../../CA/cacert.pem >> ../certs/ca-bundle.crt
======================= Create certificate for email =====================
/etc/pki/tls/misc# ./CA -newreq-nodes
Generating a 1024 bit RSA private key
............++++++
...................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Florida
Locality Name (eg, city) [Newbury]:Tampa
Organization Name (eg, company) [My Company Ltd]:Evil R Us
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:whoopie.gcaw.org
Email Address []:postmaster@gcaw.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
Request (and private key) is in newreq.pem
/etc/pki/tls/misc# ./CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 27 04:46:48 2005 GMT
Not After : Apr 27 04:46:48 2006 GMT
Subject:
countryName = US
stateOrProvinceName = Florida
localityName = Tampa
organizationName = Evil R Us
commonName = whoopie.gcaw.org
emailAddress = postmaster@gcaw.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7A:28:F0:ED:9A:54:F2:0B:90:A4:46:6C:05:38:89:E0:E4:49:8C:A2
X509v3 Authority Key Identifier:
keyid:F6:8D:0D:3A:5B:DE:42:06:A2:AB:BB:EA:78:FC:63:9C:96:38:24:9A
DirName:/C=US/ST=Florida/L=Tampa/O=HCC GCAW/CN=wphome.gcaw.org/emailAddress=postmaster@gcaw.org
serial:00
Certificate is to be certified until Apr 27 04:46:48 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Florida, L=Tampa, O=HCC GCAW, CN=whoopie.gcaw.org/emailAddress=security@gcaw.org
Validity
Not Before: Apr 27 04:46:48 2005 GMT
Not After : Apr 27 04:46:48 2006 GMT
Subject: C=US, ST=Florida, L=Tampa, O=Evil R Us, CN=whoopie.gcaw.org/emailAddress=postmaster@gcaw.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bf:a7:0c:0a:f9:e0:44:79:1b:11:9a:22:75:5b:
2a:50:d4:91:12:d4:5b:6e:10:ac:13:7b:57:28:8e:
75:b9:63:df:aa:98:ea:12:93:df:01:ff:50:a6:66:
92:d0:9d:d3:bc:5e:2f:90:8e:4c:71:e9:99:21:86:
ef:5f:06:e9:19:26:ef:a8:26:5f:f0:04:31:2e:13:
6c:6e:86:79:29:2d:af:76:99:db:43:15:95:52:7c:
a1:47:b7:d8:09:85:f4:f3:5e:6b:6c:7b:1d:4f:6c:
35:4c:be:43:2c:fa:f4:0f:29:a3:be:38:16:38:42:
47:46:03:65:c3:57:af:ca:c9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7A:28:F0:ED:9A:54:F2:0B:90:A4:46:6C:05:38:89:E0:E4:49:8C:A2
X509v3 Authority Key Identifier:
keyid:F6:8D:0D:3A:5B:DE:42:06:A2:AB:BB:EA:78:FC:63:9C:96:38:24:9A
DirName:/C=US/ST=Florida/L=Tampa/O=Evil R Us/CN=whoopie.gcaw.org/emailAddress=postmaster@gcaw.org
serial:00
Signature Algorithm: md5WithRSAEncryption
92:e5:b6:9c:0a:25:23:7e:da:4c:b8:4d:8c:51:6c:6e:74:ca:
70:d6:d4:f2:b2:91:16:d1:3f:08:73:fa:68:df:dd:df:25:41:
5c:3e:da:f4:8b:5d:85:d6:1e:be:46:e8:d0:29:bd:a1:aa:74:
c0:05:74:96:de:a9:92:4f:29:9c:75:7c:44:b8:9e:dc:48:96:
0b:1a:1e:9e:bc:01:a5:6b:ea:be:08:ae:4d:83:74:7b:89:79:
77:8d:f0:1a:42:bc:85:a7:11:f1:a5:d9:b7:75:e8:a9:21:b0:
00:5c:41:9b:5a:67:52:15:f2:b4:40:53:26:9d:ef:3d:d5:bf:
d5:09
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
/etc/pki/tls/misc# ls -l newcert.pem newreq.pem
-rw-r--r-- 1 root root 3545 Apr 27 00:46 newcert.pem
-rw-r--r-- 1 root root 1575 Apr 27 00:46 newreq.pem
/etc/pki/tls/misc# mkdir /etc/postfix/certs
/etc/pki/tls/misc# mv newreq.pem ../private/gcaw.org-email-key.pem
/etc/pki/tls/misc# mv newcert.pem ../certs/gcaw.org-email-cert.pem
/etc/pki/tls/misc# chmod 400 ../private/*
/etc/pki/tls/misc# cd /etc/postfix/
/etc/postfix# vi main.cf
/etc/postfix# tail /etc/postfix/main.cf
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/tls/private/gcaw.org-email-key.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/gcaw.org-email-cert.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_timeout = 3600s
tls_random_source = dev:/dev/urandom
/etc/postfix# postfix -v check
/etc/postfix# postfix reload
/etc/postfix# cd ..
/etc# vi imapd.conf
/etc# cat imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus root
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
#tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
#tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
#tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
tls_key_file: /etc/pki/tls/private/gcaw.org-email-key.pem
tls_cert_file: /etc/pki/tls/certs/gcaw.org-email-cert.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
/etc# init.d/cyrus-imapd reload
Reloading cyrus.conf file: [ OK ]
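Before reloading postfix or cyrus against the files just installed (and again for the https key pair in the next section), it is worth confirming that the key and certificate actually belong together, that the certificate chains to ca-bundle.crt, and that the server certificate rather than cacert.pem ended up in certs/. The script below is an added example, not part of the original notes; it assumes only the openssl command-line tool and builds a throwaway CA, leaf certificate and unrelated key inline (constructed demo data) so the checks can be run offline.

```shell
#!/bin/sh
# check_tls_pair CERT KEY CAFILE: 0 = ok, 1 = key does not match cert,
# 2 = cert does not chain to CAFILE, 3 = cert is a CA, 4 = cert expired
check_tls_pair() {
    cert=$1 key=$2 cafile=$3
    [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key" >&2; return 1; }
    # The public key inside the cert must equal the public half of the key file;
    # a wrong path in main.cf or ssl.conf shows up here before the daemon is reloaded.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "$cert: public key does not match $key" >&2; return 1; }
    # The CA bundle must contain the signer (cacert.pem was appended to it above).
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
        || { echo "$cert: does not verify against $cafile" >&2; return 2; }
    # A server cert must be CA:FALSE; CA:TRUE means cacert.pem was installed by mistake.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        && { echo "$cert: is a CA certificate, not a server certificate" >&2; return 3; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "$cert: has expired" >&2; return 4; }
    echo "$cert and $key are a pair and verify against $cafile"
}

# make_demo_pki DIR: constructed throwaway CA, leaf cert and an unrelated key
# (stands in for the real /etc/pki/tls files so the checks can run offline).
make_demo_pki() {
    d=$1
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\n[leaf]\nbasicConstraints=CA:FALSE\n' >"$d/ext.cnf"
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -key "$d/ca.key" -subj '/O=Demo/CN=demo-ca' -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
        -extfile "$d/ext.cnf" -extensions ca -out "$d/ca.crt" 2>/dev/null
    openssl genrsa -out "$d/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$d/leaf.key" -subj '/CN=mail.example.test' -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -set_serial 1 \
        -days 1 -extfile "$d/ext.cnf" -extensions leaf -out "$d/leaf.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null   # wrong key, like a bad path in main.cf
}

demo=$(mktemp -d) && make_demo_pki "$demo"
check_tls_pair "$demo/leaf.crt" "$demo/leaf.key"  "$demo/ca.crt"                  # rc 0
check_tls_pair "$demo/leaf.crt" "$demo/other.key" "$demo/ca.crt" || echo "rc=$?"  # rc 1
check_tls_pair "$demo/ca.crt"   "$demo/ca.key"    "$demo/ca.crt" || echo "rc=$?"  # rc 3
```

Run it with the real paths from main.cf, imapd.conf or ssl.conf as the three arguments; a non-zero return names the file and the reason on stderr.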
================ Setup Apache for HTTPS (TLS/SSL) ====================
/etc/pki/tls/misc# ./CA.pl -newreq-nodes
/etc/pki/tls/misc# ./CA.pl -signreq
/etc/pki/tls/misc# mv newreq.pem ../private/gcaw.org-https-key.pem
/etc/pki/tls/misc# mv newcert.pem ../certs/gcaw.org-https-cert.pem
/etc/pki/tls/misc# vi /etc/hosts.{allow,deny}
/etc/pki/tls/misc# cd /etc/sysconfig
/etc/sysconfig# #Make firewall hole for port 443 (edit /etc/sysconfig/iptables
/etc/sysconfig# #by adding the following line after the line for port 80):
/etc/sysconfig# # -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
/etc/sysconfig# vi /etc/sysconfig/iptables
/etc/sysconfig# /etc/init.d/iptables restart
/etc/sysconfig# cp httpd httpd.orig
/etc/sysconfig# vi /etc/sysconfig/httpd
/etc/sysconfig# diff httpd.orig httpd
15c15
< #OPTIONS=
---
> OPTIONS="-DSSL"
/etc/sysconfig# cd /etc/httpd/conf
/etc/httpd/conf# vi httpd.conf
/etc/httpd/conf# cd ../conf.d
/etc/httpd/conf.d# vi ssl.conf
/etc/httpd/conf.d# cp ssl.conf ~/ssl.conf.orig
/etc/httpd/conf.d# diff ~/ssl.conf.orig ssl.conf
89,90c89,90
< #DocumentRoot "/var/www/html"
< #ServerName www.example.com:443
---
> DocumentRoot "/var/www/gcaw.org-secure"
> ServerName whoopie.gcaw.org:443
112c112
< SSLCertificateFile /etc/pki/tls/certs/localhost.crt
---
> SSLCertificateFile /etc/pki/tls/certs/gcaw.org-https-cert.pem
119c119
< SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
---
> SSLCertificateKeyFile /etc/pki/tls/private/gcaw.org-https-key.pem
134c134
< #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
---
> SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
/etc/httpd/conf# cd /var/www
/var/www# mkdir gcaw.org-secure
/var/www# chmod 775 gcaw.org-secure
/var/www# cd gcaw.org-secure/
/var/www/gcaw.org-secure# vi index.htm
/var/www/gcaw.org-secure# chmod 644 index.htm
/var/www/gcaw.org-secure# cd
/root# /etc/init.d/httpd start
/root# chkconfig httpd on
/root# links https://whoopie.gcaw.org/
/root# # Success!
-------------------------------------------------------------
To add Basic authentication to this site, create a password
file "/var/www/passwords/gcaw.org-htpasswd" with the "htpasswd"
command, and then change:
Options Includes SymLinksIfOwnerMatch
To:
Options SymLinksIfOwnerMatch
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /var/www/passwords/gcaw.org-htpasswd
Require valid-user
Order allow,deny
Allow from all
Order deny,allow
Deny from all
========================================================================
How I added SSL support for https://wpollock.com/ to apache (old):
cd
# Generate a private key for the wpollock.com website:
openssl genrsa -des3 -out wpollock-com.key 1024
# Remove password from key (so apache can start unattended);
# keep the encrypted original aside and write the unencrypted copy:
mv wpollock-com.key wpollock-com.key.orig
openssl rsa -in wpollock-com.key.orig -out wpollock-com.key
# Generate a CSR (certificate signing request), to be submitted
# to your CA of choice (I used CAcert.org):
openssl req -new -key wpollock-com.key -out wpollock-com.csr
# Upload the CSR to cacert.org website,
# Wait for CA to return certificate via email, saved
# as ~/wpollock-com.crt. (This took a little over a day.)
# While waiting, get the CA's root certificate:
wget https://www.cacert.org/cacert.crt
# Install everything: (The locations have changed for Fedora 4)
# cd /etc/httpd/conf/
cd /etc/pki/tls
cp ~/wpollock-com.key private
cp ~/cacert.crt certs
cp ~/wpollock-com.crt certs
# cp ~/wpollock-com.csr ssl.csr
# Update permissions:
chmod 400 certs/{cacert,wpollock-com}.crt private/wpollock-com.key
# Build indexes to certificates:
cd certs
make -f Makefile
# Edit /etc/sysconfig/httpd to start apache with SSL option:
cd /etc/sysconfig/
cp httpd httpd.orig
vi httpd
diff httpd.orig httpd
15c15
< #OPTIONS=
---
> OPTIONS="-DSSL"
# Make firewall hole for port 443 (edit /etc/sysconfig/iptables
# by adding the following line after the line for port 80):
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Modify /etc/httpd/conf/httpd.conf to include new virtual host:
# Change:
# to:
# Added new section to httpd.conf (comments and blank lines
# stripped out to reduce listing size here):
ServerAdmin webmaster@wpollock.com
DocumentRoot /home/wpollock.com/html-secure
ServerName wpollock.com:443
CheckSpelling on
Options SymLinksIfOwnerMatch
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /home/wpollock.com/passwords/htpasswd
Require valid-user
Order allow,deny
Allow from all
Order deny,allow
Deny from all
Scriptalias /cgi-bin/ "/home/wpollock.com/cgi-bin/"
ErrorLog /home/wpollock.com/ssl_error_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/pki/tls/certs/wpollock-com.crt
SSLCertificateKeyFile /etc/pki/tls/private/wpollock-com.key
SSLCACertificatePath /etc/pki/tls/certs
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog /home/wpollock.com/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# Now reload iptables (firewall) and apache (httpd):
/etc/init.d/iptables restart
/etc/init.d/httpd restart
# Check all logs (some errors in fact appear):
cd /var/log
tail messages
cd httpd
tail error_log
cat ssl*