TLS Setup for Email, Web

On Fedora, digital certificates are now centralized in directories under /etc/pki/. Users performing an upgrade must relocate their digital certificates. For example, the contents of /usr/share/ssl have moved to /etc/pki/tls and /etc/pki/CA. See /etc/httpd/conf.d/ssl.conf for the default locations and file names.

Note: Newer openssl packages no longer include the CA.pl script, only the CA script. Both scripts work identically, except that the CA script doesn't support the "-newreq-nodes" option to create unencrypted (no DES) private keys. While not secure (any attacker that can read the file has your private key), such unencrypted keys are needed for unattended reboots. Otherwise, the server can't be brought up until a human enters a password to decrypt the key.

To add this option to the CA script, modify that script (download a patch file) as follows:

root# diff CA.orig CA
51c51
<     echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2
---
>     echo "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
65a66,71
> -newreq-nodes)
>     # create an unencrypted certificate request
>     $REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS
>     RET=$?
>     echo "Request is in newreq.pem, private key is in newkey.pem"
>     ;;
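Review bot: this branch writes the key to newkey.pem and announces it there, but every later step on this page expects the key inside newreq.pem ("Request (and private key) is in newreq.pem", then `mv newreq.pem ../private/gcaw.org-email-key.pem`); either keep the stock -newreq layout (`-keyout newreq.pem -out newreq.pem`) or change the mv commands, otherwise the file installed as the key holds only the request. Since the key is written unencrypted, also put `umask 077` at the start of the branch: depending on the OpenSSL release the key file is created under the default umask (0644) and stays world-readable until the later `chmod 400 ../private/*`.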

Set Up a CA

/root# cd /etc/pki/tls/misc
/etc/pki/tls/misc# ./CA -newca  # or: ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
....++++++
.....................................................++++++
writing new private key to '../../CA/private/cakey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Florida
Locality Name (eg, city) [Newbury]:Tampa
Organization Name (eg, company) [My Company Ltd]:GCAW Ltd
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:whoopie.gcaw.org
Email Address []:security@gcaw.org


/etc/pki/tls/misc# ls -l ../../CA
total 32
-rw-r--r--  1 root root 1220 Apr 27 00:45 cacert.pem
drwxr-xr-x  2 root root 4096 Apr 27 00:45 certs/
drwxr-xr-x  2 root root 4096 Apr 27 00:45 crl/
-rw-r--r--  1 root root  116 Apr 27 00:46 index.txt
-rw-r--r--  1 root root    0 Apr 27 00:45 index.txt.old
drwxr-xr-x  2 root root 4096 Apr 27 00:46 newcerts/
drwxr-xr-x  2 root root 4096 Apr 27 00:45 private/
-rw-r--r--  1 root root    3 Apr 27 00:46 serial
-rw-r--r--  1 root root    3 Apr 27 00:45 serial.old

/etc/pki/tls/misc# cat ../../CA/cacert.pem >> ../certs/ca-bundle.crt

Create certificate for email

/etc/pki/tls/misc# ./CA -newreq-nodes # Requires modification of CA script!
Generating a 1024 bit RSA private key
............++++++
...................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Florida
Locality Name (eg, city) [Newbury]:Tampa
Organization Name (eg, company) [My Company Ltd]:Evil R Us
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:whoopie.gcaw.org
Email Address []:postmaster@gcaw.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
Request (and private key) is in newreq.pem

/etc/pki/tls/misc# ./CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 27 04:46:48 2005 GMT
            Not After : Apr 27 04:46:48 2006 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Florida
            localityName              = Tampa
            organizationName          = Evil R Us
            commonName                = whoopie.gcaw.org
            emailAddress              = postmaster@gcaw.org
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            7A:28:F0:ED:9A:54:F2:0B:90:A4:46:6C:05:38:89:E0:E4:49:8C:A2
            X509v3 Authority Key Identifier:
            keyid:F6:8D:0D:3A:5B:DE:42:06:A2:AB:BB:EA:78:FC:63:9C:96:38:24:9A
            DirName:/C=US/ST=Florida/L=Tampa/O=GCAW Ltd/CN=wphome.gcaw.org/emailAddress=postmaster@gcaw.org
            serial:00

Certificate is to be certified until Apr 27 04:46:48 2006 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Florida, L=Tampa, O=GCW Ltd, CN=whoopie.gcaw.org/emailAddress=security@gcaw.org
        Validity
            Not Before: Apr 27 04:46:48 2005 GMT
            Not After : Apr 27 04:46:48 2006 GMT
        Subject: C=US, ST=Florida, L=Tampa, O=Evil R Us, CN=whoopie.gcaw.org/emailAddress=postmaster@gcaw.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:a7:0c:0a:f9:e0:44:79:1b:11:9a:22:75:5b:
                    2a:50:d4:91:12:d4:5b:6e:10:ac:13:7b:57:28:8e:
                    75:b9:63:df:aa:98:ea:12:93:df:01:ff:50:a6:66:
                    92:d0:9d:d3:bc:5e:2f:90:8e:4c:71:e9:99:21:86:
                    ef:5f:06:e9:19:26:ef:a8:26:5f:f0:04:31:2e:13:
                    6c:6e:86:79:29:2d:af:76:99:db:43:15:95:52:7c:
                    a1:47:b7:d8:09:85:f4:f3:5e:6b:6c:7b:1d:4f:6c:
                    35:4c:be:43:2c:fa:f4:0f:29:a3:be:38:16:38:42:
                    47:46:03:65:c3:57:af:ca:c9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            7A:28:F0:ED:9A:54:F2:0B:90:A4:46:6C:05:38:89:E0:E4:49:8C:A2
            X509v3 Authority Key Identifier:
            keyid:F6:8D:0D:3A:5B:DE:42:06:A2:AB:BB:EA:78:FC:63:9C:96:38:24:9A
            DirName:/C=US/ST=Florida/L=Tampa/O=Evil R Us/CN=whoopie.gcaw.org/emailAddress=postmaster@gcaw.org
            serial:00

    Signature Algorithm: md5WithRSAEncryption
        92:e5:b6:9c:0a:25:23:7e:da:4c:b8:4d:8c:51:6c:6e:74:ca:
        70:d6:d4:f2:b2:91:16:d1:3f:08:73:fa:68:df:dd:df:25:41:
        5c:3e:da:f4:8b:5d:85:d6:1e:be:46:e8:d0:29:bd:a1:aa:74:
        c0:05:74:96:de:a9:92:4f:29:9c:75:7c:44:b8:9e:dc:48:96:
        0b:1a:1e:9e:bc:01:a5:6b:ea:be:08:ae:4d:83:74:7b:89:79:
        77:8d:f0:1a:42:bc:85:a7:11:f1:a5:d9:b7:75:e8:a9:21:b0:
        00:5c:41:9b:5a:67:52:15:f2:b4:40:53:26:9d:ef:3d:d5:bf:
        d5:09
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

/etc/pki/tls/misc# ls -l newcert.pem newreq.pem
-rw-r--r--  1 root root 3545 Apr 27 00:46 newcert.pem
-rw-r--r--  1 root root 1575 Apr 27 00:46 newreq.pem

Configure Postfix to use the new certificates

/etc/pki/tls/misc# mkdir /etc/postfix/certs
/etc/pki/tls/misc# mv newreq.pem ../private/gcaw.org-email-key.pem
/etc/pki/tls/misc# mv newcert.pem ../certs/gcaw.org-email-cert.pem
/etc/pki/tls/misc# chmod 400 ../private/*

/etc/pki/tls/misc# cd /etc/postfix/
/etc/postfix# vi main.cf
/etc/postfix# tail /etc/postfix/main.cf

smtpd_use_tls = yes
smtpd_tls_key_file  = /etc/pki/tls/private/gcaw.org-email-key.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/gcaw.org-email-cert.pem
smtpd_tls_CAfile    = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/postfix# postfix -v check
/etc/postfix# postfix reload

/etc/postfix# cd ..
/etc# vi imapd.conf
/etc# cat imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus root
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
#tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
#tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
#tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
tls_key_file: /etc/pki/tls/private/gcaw.org-email-key.pem
tls_cert_file: /etc/pki/tls/certs/gcaw.org-email-cert.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt

/etc# init.d/cyrus-imapd reload
Reloading cyrus.conf file:                                 [  OK  ]
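An added audit helper, not part of the original page, that checks a deployed key/certificate pair the way the "chmod 400 ../private/*" step above intends: the unencrypted private key must not be group/world readable, the key must match the certificate, and the certificate must verify against the ca-bundle.crt handed to Postfix and Cyrus (the same check applies to the https pair created in the next section). It assumes a POSIX shell with ls and cut; the openssl checks are skipped when openssl is not on PATH.

```shell
# Added audit helper, not from the original page: checks a deployed TLS key/cert pair
# the way the "chmod 400 ../private/*" step intends. Needs POSIX sh, ls, cut; openssl optional.

# Return 0 if the file has no group/other permission bits; uses POSIX `ls -l` columns 5-10.
key_is_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Audit a key / certificate / CA-bundle triple. Prints one line per check and
# returns 0 = all good, 1 = at least one check failed, 2 = a file is missing.
audit_tls_pair() {
    key=$1; cert=$2; cafile=$3; status=0
    for f in "$key" "$cert" "$cafile"; do
        [ -f "$f" ] || { echo "MISSING: $f"; return 2; }
    done
    if key_is_private "$key"; then
        echo "ok:   $key is readable only by its owner"
    else
        echo "FAIL: $key is group/world readable; it is unencrypted, chmod 400 it"; status=1
    fi
    if command -v openssl >/dev/null 2>&1; then
        # Key and certificate must share one RSA modulus; openssl accepts newreq.pem
        # (key + CSR in one file) and newcert.pem (text dump + PEM block) as they are.
        kmod=$(openssl rsa  -noout -modulus -in "$key"  2>/dev/null)
        cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
        if [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]; then
            echo "ok:   key and certificate match"
        else
            echo "FAIL: key and certificate do not match"; status=1
        fi
        # The certificate must chain to the bundle handed to Postfix/Cyrus/Apache.
        if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
            echo "ok:   certificate verifies against $cafile"
        else
            echo "FAIL: certificate does not verify against $cafile"; status=1
        fi
        # The CA above signs for 365 days; flag certificates that expire within 30.
        if openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null 2>&1; then
            echo "ok:   certificate valid for more than 30 days"
        else
            echo "FAIL: certificate expires within 30 days or has expired"; status=1
        fi
    else
        echo "note: openssl not found, skipped key/cert/chain checks"
    fi
    return $status
}
```

Source the file and call `audit_tls_pair /etc/pki/tls/private/gcaw.org-email-key.pem /etc/pki/tls/certs/gcaw.org-email-cert.pem /etc/pki/tls/certs/ca-bundle.crt` (the three paths from main.cf above); the same call with the gcaw.org-https-*.pem pair checks the Apache certificate.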

Set Up Apache for HTTPS (TLS/SSL)

/root# yum -y install mod_ssl # No longer installed with Apache
/etc/pki/tls/misc# ./CA -newreq-nodes  # Must patch CA first!
/etc/pki/tls/misc# ./CA -signreq
/etc/pki/tls/misc# mv newreq.pem ../private/gcaw.org-https-key.pem
/etc/pki/tls/misc# mv newcert.pem ../certs/gcaw.org-https-cert.pem

/etc/pki/tls/misc# cd /etc/sysconfig
/etc/sysconfig# cp iptables iptables.orig
/etc/sysconfig# vi iptables  # Make firewall hole for port 443 (and 80 of course)
/etc/sysconfig# diff iptables.orig iptables
80a81
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
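Review bot: confirm that the new line 81 sits above the chain's final `-A RH-Firewall-1-INPUT -j REJECT ...` rule; iptables evaluates rules in file order, so a rule appended after the REJECT never matches and port 443 stays closed after the restart. The comment mentions port 80 as well, but the diff adds only 443, so the port 80 rule must already be present at line 80 or earlier.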
/etc/sysconfig# /etc/init.d/iptables restart
/etc/sysconfig# rm iptables.orig

/etc/sysconfig# cp httpd httpd.orig
/etc/sysconfig# vi httpd  # On non-RH systems you enable SSL differently
/etc/sysconfig# diff httpd.orig httpd
15c15
< #OPTIONS=
---
> OPTIONS="-DSSL"

/etc/sysconfig# cd /etc/httpd/conf
/etc/httpd/conf# vi httpd.conf  # No changes may be needed here

/etc/httpd/conf# cd ../conf.d
/etc/httpd/conf.d# cp ssl.conf ~/ssl.conf.orig
/etc/httpd/conf.d# vi ssl.conf
/etc/httpd/conf.d# httpd -S  # Check syntax of Apache
...
Syntax OK
/etc/httpd/conf.d# diff ~/ssl.conf.orig ssl.conf
89,90c89,90
< #DocumentRoot "/var/www/html"
< #ServerName www.example.com:443
---
> DocumentRoot "/var/www/gcaw.org-secure"
> ServerName whoopie.gcaw.org:443
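Review bot: the ServerName whoopie.gcaw.org:443 must match the Common Name entered in the request (whoopie.gcaw.org) or clients report a hostname mismatch on every connection; if the site is later served under another name, reissue the certificate with that name rather than only editing this line.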
112c112
< SSLCertificateFile /etc/pki/tls/certs/localhost.crt
---
> SSLCertificateFile /etc/pki/tls/certs/gcaw.org-https-cert.pem
119c119
< SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
---
> SSLCertificateKeyFile /etc/pki/tls/private/gcaw.org-https-key.pem
134c134
< #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
---
> SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
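Review bot: SSLCACertificateFile only affects client-certificate verification (SSLVerifyClient), which this site does not enable; it is not what makes browsers trust the server certificate, and visitors still have to import cacert.pem because the certificate is signed by the private CA. Enabling it is harmless, and with a CA that signs end-entity certificates directly no SSLCertificateChainFile is needed either.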

/etc/httpd/conf.d# cd /var/www
/var/www# mkdir gcaw.org-secure
/var/www# chmod 775 gcaw.org-secure
/var/www# cd gcaw.org-secure/
/var/www/gcaw.org-secure# vi index.htm
/var/www/gcaw.org-secure# chmod 644 index.htm

/var/www/gcaw.org-secure# cd
/root# /etc/init.d/httpd start  # Or use reload
/root# chkconfig httpd on

/root# links https://whoopie.gcaw.org/
/root# exit  # Success!

Add Basic Authentication To This Site

Create a password file /var/www/passwords/gcaw.org-htpasswd via the htpasswd command, and then change the following:

<Location />
    Options Includes SymLinksIfOwnerMatch
</Location>

To:

<Location />
    Options SymLinksIfOwnerMatch
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /var/www/passwords/gcaw.org-htpasswd
    Require valid-user
    <Limit GET>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>