[ On Fedora Core 4 digital certificates are now centralized in directories
  under /etc/pki/.  Users performing an upgrade must relocate their digital
  certificates.  For example the /usr/share/ssl contents have moved to
  /etc/pki/tls and /etc/pki/CA.  See the /etc/httpd/conf.d/ssl.conf file
  for default locations and names. ]

======================= Set Up a CA ======================================

/root# cd /etc/pki/tls/misc
/etc/pki/tls/misc# ./CA.pl -newca        # or: ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
....++++++
.....................................................++++++
writing new private key to '../../CA/private/cakey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Florida
Locality Name (eg, city) [Newbury]:Tampa
Organization Name (eg, company) [My Company Ltd]:HCC GCAW
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:whoopie.gcaw.org
Email Address []:security@gcaw.org

/etc/pki/tls/misc# ls -l ../../CA
total 32
-rw-r--r--  1 root root 1220 Apr 27 00:45 cacert.pem
drwxr-xr-x  2 root root 4096 Apr 27 00:45 certs/
drwxr-xr-x  2 root root 4096 Apr 27 00:45 crl/
-rw-r--r--  1 root root  116 Apr 27 00:46 index.txt
-rw-r--r--  1 root root    0 Apr 27 00:45 index.txt.old
drwxr-xr-x  2 root root 4096 Apr 27 00:46 newcerts/
drwxr-xr-x  2 root root 4096 Apr 27 00:45 private/
-rw-r--r--  1 root root    3 Apr 27 00:46 serial
-rw-r--r--  1 root root    3 Apr 27 00:45 serial.old

/etc/pki/tls/misc# cat ../../CA/cacert.pem >> ../certs/ca-bundle.crt

======================= Create certificate for email =====================

/etc/pki/tls/misc# ./CA -newreq-nodes
Generating a 1024 bit RSA private key
............++++++
...................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Florida
Locality Name (eg, city) [Newbury]:Tampa
Organization Name (eg, company) [My Company Ltd]:Evil R Us
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:whoopie.gcaw.org
Email Address []:postmaster@gcaw.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
Request (and private key) is in newreq.pem

/etc/pki/tls/misc# ./CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 27 04:46:48 2005 GMT
            Not After : Apr 27 04:46:48 2006 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Florida
            localityName              = Tampa
            organizationName          = Evil R Us
            commonName                = whoopie.gcaw.org
            emailAddress              = postmaster@gcaw.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7A:28:F0:ED:9A:54:F2:0B:90:A4:46:6C:05:38:89:E0:E4:49:8C:A2
            X509v3 Authority Key Identifier:
                keyid:F6:8D:0D:3A:5B:DE:42:06:A2:AB:BB:EA:78:FC:63:9C:96:38:24:9A
                DirName:/C=US/ST=Florida/L=Tampa/O=HCC GCAW/CN=wphome.gcaw.org/emailAddress=postmaster@gcaw.org
                serial:00

Certificate is to be certified until Apr 27 04:46:48 2006 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit?
[y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Florida, L=Tampa, O=HCC GCAW, CN=whoopie.gcaw.org/emailAddress=security@gcaw.org
        Validity
            Not Before: Apr 27 04:46:48 2005 GMT
            Not After : Apr 27 04:46:48 2006 GMT
        Subject: C=US, ST=Florida, L=Tampa, O=Evil R Us, CN=whoopie.gcaw.org/emailAddress=postmaster@gcaw.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    [hex dump omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7A:28:F0:ED:9A:54:F2:0B:90:A4:46:6C:05:38:89:E0:E4:49:8C:A2
            X509v3 Authority Key Identifier:
                keyid:F6:8D:0D:3A:5B:DE:42:06:A2:AB:BB:EA:78:FC:63:9C:96:38:24:9A
                DirName:/C=US/ST=Florida/L=Tampa/O=Evil R Us/CN=whoopie.gcaw.org/emailAddress=postmaster@gcaw.org
                serial:00

    Signature Algorithm: md5WithRSAEncryption
        [hex dump omitted]
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

/etc/pki/tls/misc# ls -l newcert.pem newreq.pem
-rw-r--r--  1 root root 3545 Apr 27 00:46 newcert.pem
-rw-r--r--  1 root root 1575 Apr 27 00:46 newreq.pem
/etc/pki/tls/misc# mkdir /etc/postfix/certs
/etc/pki/tls/misc# mv newreq.pem ../private/gcaw.org-email-key.pem
/etc/pki/tls/misc# mv newcert.pem ../certs/gcaw.org-email-cert.pem
/etc/pki/tls/misc# chmod 400 ../private/*
/etc/pki/tls/misc# cd /etc/postfix/
/etc/postfix# vi main.cf
/etc/postfix# tail /etc/postfix/main.cf
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/tls/private/gcaw.org-email-key.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/gcaw.org-email-cert.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_timeout = 3600s
tls_random_source = dev:/dev/urandom
/etc/postfix# postfix -v check
/etc/postfix# postfix reload
/etc/postfix# cd ..
/etc# vi imapd.conf
/etc# cat imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus root
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
#tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
#tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
#tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
tls_key_file: /etc/pki/tls/private/gcaw.org-email-key.pem
tls_cert_file: /etc/pki/tls/certs/gcaw.org-email-cert.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
/etc# init.d/cyrus-imapd reload
Reloading cyrus.conf file:                                 [  OK  ]

================ Setup Apache for HTTPS (TLS/SSL) ====================

/etc/pki/tls/misc# ./CA.pl -newreq-nodes
/etc/pki/tls/misc# ./CA.pl -signreq
/etc/pki/tls/misc# mv newreq.pem ../private/gcaw.org-https-key.pem
/etc/pki/tls/misc# mv newcert.pem ../certs/gcaw.org-https-cert.pem
/etc/pki/tls/misc# vi /etc/hosts.{allow,deny}
/etc/pki/tls/misc# cd /etc/sysconfig
/etc/sysconfig# # Make firewall hole for port 443 (edit /etc/sysconfig/iptables
/etc/sysconfig# # by adding the following line after the line for port 80):
/etc/sysconfig# #   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
/etc/sysconfig# vi /etc/sysconfig/iptables
/etc/sysconfig# /etc/init.d/iptables restart
/etc/sysconfig# cp httpd httpd.orig
/etc/sysconfig# vi /etc/sysconfig/httpd
/etc/sysconfig# diff httpd.orig httpd
15c15
< #OPTIONS=
---
> OPTIONS="-DSSL"
/etc/sysconfig# cd /etc/httpd/conf
/etc/httpd/conf# vi httpd.conf
/etc/httpd/conf# cd ../conf.d
/etc/httpd/conf.d# vi ssl.conf
/etc/httpd/conf.d# cp ssl.conf ~/ssl.conf.orig
/etc/httpd/conf.d# diff ~/ssl.conf.orig ssl.conf
89,90c89,90
< #DocumentRoot "/var/www/html"
< #ServerName www.example.com:443
---
> DocumentRoot "/var/www/gcaw.org-secure"
> ServerName whoopie.gcaw.org:443
112c112
< SSLCertificateFile /etc/pki/tls/certs/localhost.crt
---
> SSLCertificateFile /etc/pki/tls/certs/gcaw.org-https-cert.pem
119c119
< SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
---
> SSLCertificateKeyFile /etc/pki/tls/private/gcaw.org-https-key.pem
134c134
< #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
---
> SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
/etc/httpd/conf# cd /var/www
/var/www# mkdir gcaw.org-secure
/var/www# chmod 775 gcaw.org-secure
/var/www# cd gcaw.org-secure/
/var/www/gcaw.org-secure# vi index.htm
/var/www/gcaw.org-secure# chmod 644 index.htm
/var/www/gcaw.org-secure# cd
/root# /etc/init.d/httpd start
/root# chkconfig httpd on
/root# links https://whoopie.gcaw.org/
/root# # Success!

-------------------------------------------------------------
To add Basic authentication to this site, create a password file
"/var/www/passwords/gcaw.org-htpasswd" via the "htpasswd" command, and
then change:

    Options Includes SymLinksIfOwnerMatch

To:

    Options SymLinksIfOwnerMatch
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /var/www/passwords/gcaw.org-htpasswd
    Require valid-user

    Order allow,deny
    Allow from all

    Order deny,allow
    Deny from all

========================================================================
How I added SSL support for https://wpollock.com/ to apache (old):

cd
# Generate a private key for the wpollock.com website:
openssl genrsa -des3 -out wpollock-com.key.orig 1024

# Remove password from key (so apache can start unattended):
openssl rsa -in wpollock-com.key.orig -out wpollock-com.key

# Generate a CSR (certificate signing request), to be submitted
# to your CA of choice (I used CAcert.org):
openssl req -new -key wpollock-com.key -out wpollock-com.csr

# Upload the CSR to cacert.org website,
# Wait for CA to return certificate via email, saved
# as ~/wpollock-com.crt.  (This took a little over a day.)
# While waiting, get the CA's root certificate:
wget https://www.cacert.org/cacert.crt

# Install everything:  (The locations have changed for Fedora 4)
# cd /etc/httpd/conf/
cd /etc/pki/tls
cp ~/wpollock-com.key private
cp ~/cacert.crt certs
cp ~/wpollock-com.crt certs
# cp ~/wpollock-com.csr ssl.csr

# Update permissions:
chmod 400 certs/{cacert,wpollock-com}.crt private/wpollock-com.key

# Build indexes to certificates:
cd certs
make -f Makefile

# Edit /etc/sysconfig/httpd to start apache with SSL option:
cd /etc/sysconfig/
cp httpd httpd.orig
vi httpd
diff httpd.orig httpd
15c15
< #OPTIONS=
---
> OPTIONS="-DSSL"

# Make firewall hole for port 443 (edit /etc/sysconfig/iptables
# by adding the following line after the line for port 80):
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# Modify /etc/httpd/conf/httpd.conf to include new virtual host:
# Change:
# to:

# Added new section to httpd.conf (comments and blank lines
# stripped out to reduce listing size here):

    ServerAdmin webmaster@wpollock.com
    DocumentRoot /home/wpollock.com/html-secure
    ServerName wpollock.com:443
    CheckSpelling on
        Options SymLinksIfOwnerMatch
        AuthType Basic
        AuthName "Restricted Files"
        AuthUserFile /home/wpollock.com/passwords/htpasswd
        Require valid-user
        Order allow,deny
        Allow from all
        Order deny,allow
        Deny from all
    Scriptalias /cgi-bin/ "/home/wpollock.com/cgi-bin/"
    ErrorLog /home/wpollock.com/ssl_error_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/pki/tls/certs/wpollock-com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wpollock-com.key
    SSLCACertificatePath /etc/pki/tls/certs
    SSLOptions +StdEnvVars
    SSLOptions +StdEnvVars
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /home/wpollock.com/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# Now reload iptables (firewall) and apache (httpd):
/etc/init.d/iptables restart
/etc/init.d/httpd restart

# Check all logs (some errors in fact appear):
cd /var/log
tail messages
cd httpd
tail error_log
cat ssl*
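The CA -> leaf-certificate flow from the notes above, redone with plain openssl commands in a scratch directory, followed by the three checks the notes never run before handing the files to postfix, cyrus-imapd and httpd: does the leaf verify against the CA bundle, does the key in the configured key file actually belong to the configured cert, and is the private key really mode 400. This is an added example, not part of the original notes; the CA name, host name, directory layout and the use of 2048-bit RSA with SHA-256 (instead of the 1024-bit MD5 certificates shown above) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: the CA.pl flow above done
# with plain openssl in a scratch directory, followed by the three checks the
# notes never run: chain verification against the CA bundle, key/cert match,
# and private-key permissions. Names and paths here are constructed.
set -eu

# Build a throwaway CA and one leaf cert it signs. The leaf key has no
# passphrase (as with -newreq-nodes) so a daemon can start unattended.
make_test_pki() {
    dir=$1
    mkdir -p "$dir/private" "$dir/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=US/ST=Florida/L=Tampa/O=Example CA/CN=ca.example.test" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=Florida/L=Tampa/O=Example/CN=mail.example.test" \
        -keyout "$dir/private/email-key.pem" -out "$dir/email-req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/email-req.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/private/cakey.pem" -CAcreateserial -sha256 -days 365 \
        -out "$dir/certs/email-cert.pem" 2>/dev/null
    cat "$dir/cacert.pem" >> "$dir/certs/ca-bundle.crt"
    chmod 400 "$dir"/private/*
}

# Check 1: the leaf must verify against the bundle handed to smtpd/imapd/httpd.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2: key and cert must carry the same RSA modulus; a main.cf whose
# smtpd_tls_key_file points at the wrong file fails here, not at first connect.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ]
}

# Check 3: a private key must be 400 or 600, never group- or world-readable.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
verify_chain "$WORK/certs/ca-bundle.crt" "$WORK/certs/email-cert.pem" && echo "chain: ok"
key_matches_cert "$WORK/private/email-key.pem" "$WORK/certs/email-cert.pem" && echo "key/cert: match"
key_is_private "$WORK/private/email-key.pem" && echo "key mode: ok"
rm -rf "$WORK"
```

Point the three check functions at the real /etc/pki/tls paths from main.cf, imapd.conf or ssl.conf to validate an installed setup instead of the scratch one.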