On Fedora, digital certificates are now centralized in directories under /etc/pki/. Users performing an upgrade must relocate their digital certificates. For example, the /usr/share/ssl contents have moved to /etc/pki/tls and /etc/pki/CA. See the /etc/httpd/conf.d/ssl.conf file for the default locations and names.
The openssl packages no longer include the CA.pl script, only the CA script. Both scripts work identically, except that the CA script doesn't support the "-newreq-nodes" option to create a certificate request whose private key is unencrypted (no DES). While not secure (any attacker who can read the file has your private key), such unencrypted keys are needed for unattended reboots. Otherwise, the server can't be brought up until a human enters a password to decrypt the key.
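Because an unencrypted key is protected by nothing but its file permissions, the state of the key directory is worth checking after every change. The script below is an added example, not code from the original page or from the openssl package: for each PEM file in a directory it reports whether the key is passphrase-protected and whether group or other can read it, and exits non-zero if any key is readable beyond its owner. The directory, the file-name patterns and the headers it looks for are assumptions of this example; "Proc-Type: 4,ENCRYPTED" is the marker OpenSSL's traditional PEM format writes for an encrypted key, and "BEGIN ENCRYPTED PRIVATE KEY" is the PKCS#8 equivalent.

```shell
#!/bin/sh
# Added example (not from the original page): audit a private-key directory for
# the risk described above. An unencrypted key is only as safe as its file mode,
# so every key is checked for both an encryption header and group/other access.
# Usage: sh keyaudit.sh DIR     (e.g. /etc/pki/tls/private)

# key_is_encrypted FILE -> 0 if the PEM carries an encryption header, else 1
key_is_encrypted() {
    # Traditional PEM marks an encrypted key with "Proc-Type: 4,ENCRYPTED";
    # PKCS#8 uses a distinct BEGIN line instead.
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# key_mode_ok FILE -> 0 if no group/other permission bits are set, else 1
key_mode_ok() {
    # Columns 5-10 of "ls -l" are the group and other permission characters;
    # a key that only root may touch shows "------" there (mode 400 or 600).
    others=$(ls -ld "$1" | cut -c5-10)
    [ "$others" = "------" ]
}

# audit_key FILE -> prints one report line; returns 0 if the mode is tight,
# 1 if the key is readable by group or other (worst when it is unencrypted).
audit_key() {
    f=$1
    if key_is_encrypted "$f"; then enc=encrypted; else enc=UNENCRYPTED; fi
    if key_mode_ok "$f"; then
        printf '%-50s %-12s mode ok\n' "$f" "$enc"
        return 0
    fi
    printf '%-50s %-12s readable by group/other -> chmod 400\n' "$f" "$enc"
    return 1
}

# audit_dir DIR -> 0 if every *.pem / *.key file in DIR passes, else 1
audit_dir() {
    rc=0
    for f in "$1"/*.pem "$1"/*.key; do
        [ -f "$f" ] || continue        # unmatched glob stays literal; skip it
        audit_key "$f" || rc=1
    done
    return $rc
}

if [ $# -ge 1 ]; then
    audit_dir "$1"
fi
```

Run it as `sh keyaudit.sh /etc/pki/tls/private` after the `chmod 400 ../private/*` step; a non-zero exit means at least one key is still readable by group or other. The mode check deliberately ignores the owner field, so it works unprivileged for testing, but on the real system the files should of course be root-owned as well.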
To add this option to the CA script, modify that script (download a patch file) as follows:
root# diff CA.orig CA 51c51 < echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2 --- > echo "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2 65a66,71 > -newreq-nodes) > # create an unencrypted certificate request > $REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS > RET=$? > echo "Request is in newreq.pem, private key is in newkey.pem" > ;;
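Review bot: the new -newreq-nodes case writes the key to a separate file ("-keyout newkey.pem", echoed as "private key is in newkey.pem"), but the session later on this page expects key and request together in newreq.pem ("writing new private key to 'newreq.pem'", then "mv newreq.pem ../private/gcaw.org-email-key.pem"); with the hunk as written that mv moves only the request and leaves the unencrypted key behind in the misc directory. Either use "-keyout newreq.pem -out newreq.pem" so the later steps hold, or change them to move newkey.pem. Separately, nothing in the hunk restricts the mode of the freshly written unencrypted key before the later "chmod 400"; a "umask 077" ahead of the $REQ call (or a "chmod 600 newkey.pem" right after it) would close that window.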
/root# cd /etc/pki/tls/misc
/etc/pki/tls/misc# ./CA -newca    # or: ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
....++++++
.....................................................++++++
writing new private key to '../../CA/private/cakey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Florida
Locality Name (eg, city) [Newbury]:Tampa
Organization Name (eg, company) [My Company Ltd]:GCAW Ltd
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:whoopie.gcaw.org
Email Address []:security@gcaw.org
/etc/pki/tls/misc# ls -l ../../CA
total 32
-rw-r--r--  1 root root 1220 Apr 27 00:45 cacert.pem
drwxr-xr-x  2 root root 4096 Apr 27 00:45 certs/
drwxr-xr-x  2 root root 4096 Apr 27 00:45 crl/
-rw-r--r--  1 root root  116 Apr 27 00:46 index.txt
-rw-r--r--  1 root root    0 Apr 27 00:45 index.txt.old
drwxr-xr-x  2 root root 4096 Apr 27 00:46 newcerts/
drwxr-xr-x  2 root root 4096 Apr 27 00:45 private/
-rw-r--r--  1 root root    3 Apr 27 00:46 serial
-rw-r--r--  1 root root    3 Apr 27 00:45 serial.old
/etc/pki/tls/misc# cat ../../CA/cacert.pem >> ../certs/ca-bundle.crt
/etc/pki/tls/misc# ./CA -newreq-nodes    # Requires modification of CA script!
Generating a 1024 bit RSA private key
............++++++
...................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Florida
Locality Name (eg, city) [Newbury]:Tampa
Organization Name (eg, company) [My Company Ltd]:Evil R Us
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:whoopie.gcaw.org
Email Address []:postmaster@gcaw.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
Request (and private key) is in newreq.pem
/etc/pki/tls/misc# ./CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 27 04:46:48 2005 GMT
            Not After : Apr 27 04:46:48 2006 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Florida
            localityName              = Tampa
            organizationName          = Evil R Us
            commonName                = whoopie.gcaw.org
            emailAddress              = postmaster@gcaw.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7A:28:F0:ED:9A:54:F2:0B:90:A4:46:6C:05:38:89:E0:E4:49:8C:A2
            X509v3 Authority Key Identifier:
                keyid:F6:8D:0D:3A:5B:DE:42:06:A2:AB:BB:EA:78:FC:63:9C:96:38:24:9A
                DirName:/C=US/ST=Florida/L=Tampa/O=GCAW Ltd/CN=wphome.gcaw.org/emailAddress=postmaster@gcaw.org
                serial:00

Certificate is to be certified until Apr 27 04:46:48 2006 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Florida, L=Tampa, O=GCW Ltd, CN=whoopie.gcaw.org/emailAddress=security@gcaw.org
        Validity
            Not Before: Apr 27 04:46:48 2005 GMT
            Not After : Apr 27 04:46:48 2006 GMT
        Subject: C=US, ST=Florida, L=Tampa, O=Evil R Us, CN=whoopie.gcaw.org/emailAddress=postmaster@gcaw.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:a7:0c:0a:f9:e0:44:79:1b:11:9a:22:75:5b:
                    2a:50:d4:91:12:d4:5b:6e:10:ac:13:7b:57:28:8e:
                    75:b9:63:df:aa:98:ea:12:93:df:01:ff:50:a6:66:
                    92:d0:9d:d3:bc:5e:2f:90:8e:4c:71:e9:99:21:86:
                    ef:5f:06:e9:19:26:ef:a8:26:5f:f0:04:31:2e:13:
                    6c:6e:86:79:29:2d:af:76:99:db:43:15:95:52:7c:
                    a1:47:b7:d8:09:85:f4:f3:5e:6b:6c:7b:1d:4f:6c:
                    35:4c:be:43:2c:fa:f4:0f:29:a3:be:38:16:38:42:
                    47:46:03:65:c3:57:af:ca:c9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7A:28:F0:ED:9A:54:F2:0B:90:A4:46:6C:05:38:89:E0:E4:49:8C:A2
            X509v3 Authority Key Identifier:
                keyid:F6:8D:0D:3A:5B:DE:42:06:A2:AB:BB:EA:78:FC:63:9C:96:38:24:9A
                DirName:/C=US/ST=Florida/L=Tampa/O=Evil R Us/CN=whoopie.gcaw.org/emailAddress=postmaster@gcaw.org
                serial:00

    Signature Algorithm: md5WithRSAEncryption
        92:e5:b6:9c:0a:25:23:7e:da:4c:b8:4d:8c:51:6c:6e:74:ca:
        70:d6:d4:f2:b2:91:16:d1:3f:08:73:fa:68:df:dd:df:25:41:
        5c:3e:da:f4:8b:5d:85:d6:1e:be:46:e8:d0:29:bd:a1:aa:74:
        c0:05:74:96:de:a9:92:4f:29:9c:75:7c:44:b8:9e:dc:48:96:
        0b:1a:1e:9e:bc:01:a5:6b:ea:be:08:ae:4d:83:74:7b:89:79:
        77:8d:f0:1a:42:bc:85:a7:11:f1:a5:d9:b7:75:e8:a9:21:b0:
        00:5c:41:9b:5a:67:52:15:f2:b4:40:53:26:9d:ef:3d:d5:bf:
        d5:09
-----BEGIN CERTIFICATE-----
MIIDhjCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0Zsb3JpZGExDjAMBgNVBAcTBVRhbXBhMREwDwYDVQQKEwhIQ0Mg
S2FvczEYMBYGA1UEAxMPd3Bob21lLmthb3Mub3JnMSIwIAYJKoZIhvcNAQkBFhNw
b3N0bWFzdGVyQGthb3Mub3JnMB4XDTA1MDQyNzA0NDY0OFoXDTA2MDQyNzA0NDY0
OFowgYAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdGbG9yaWRhMQ4wDAYDVQQHEwVU
YW1wYTERMA8GA1UEChMISENDIEthb3MxGDAWBgNVBAMTD3dwaG9tZS5rYW9zLm9y
ZzEiMCAGCSqGSIb3DQEJARYTcG9zdG1hc3RlckBrYW9zLm9yZzCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAv6cMCvngRHkbEZoidVsqUNSREtRbbhCsE3tXKI51
uWPfqpjqEpPfAf9QpmaS0J3TvF4vkI5McemZIYbvXwbpGSbvqCZf8AQxLhNsboZ5
KS2vdpnbQxWVUnyhR7fYCYX0815rbHsdT2w1TL5DLPr0DymjvjgWOEJHRgNlw1ev
yskCAwEAAaOCAQwwggEIMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5T
U0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBR6KPDtmlTyC5CkRmwF
OIng5EmMojCBrQYDVR0jBIGlMIGigBT2jQ06W95CBqKru+p4/GOcljgkmqGBhqSB
gzCBgDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExDjAMBgNVBAcTBVRh
bXBhMREwDwYDVQQKEwhIQ0MgS2FvczEYMBYGA1UEAxMPd3Bob21lLmthb3Mub3Jn
MSIwIAYJKoZIhvcNAQkBFhNwb3N0bWFzdGVyQGthb3Mub3JnggEAMA0GCSqGSIb3
DQEBBAUAA4GBAJLltpwKJSN+2ky4TYxRbG50ynDW1PKykRbRPwhz+mjf3d8lQVw+
2vSLXYXWHr5G6NApvaGqdMAFdJbeqZJPKZx1fES4ntxIlgsaHp68AaVr6r4Irk2D
dHuJeXeN8BpCvIWnEfGl2bd16KkhsABcQZtaZ1IV8rRAUyad7z3Vv9UJ
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
/etc/pki/tls/misc# ls -l newcert.pem newreq.pem
-rw-r--r--  1 root root 3545 Apr 27 00:46 newcert.pem
-rw-r--r--  1 root root 1575 Apr 27 00:46 newreq.pem
/etc/pki/tls/misc# mkdir /etc/postfix/certs
/etc/pki/tls/misc# mv newreq.pem ../private/gcaw.org-email-key.pem
/etc/pki/tls/misc# mv newcert.pem ../certs/gcaw.org-email-cert.pem
/etc/pki/tls/misc# chmod 400 ../private/*
/etc/pki/tls/misc# cd /etc/postfix/
/etc/postfix# vi main.cf
/etc/postfix# tail /etc/postfix/main.cf
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/tls/private/gcaw.org-email-key.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/gcaw.org-email-cert.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
/etc/postfix# postfix -v check
/etc/postfix# postfix reload
/etc/postfix# cd ..
/etc# vi imapd.conf
/etc# cat imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus root
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
#tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
#tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
#tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
tls_key_file: /etc/pki/tls/private/gcaw.org-email-key.pem
tls_cert_file: /etc/pki/tls/certs/gcaw.org-email-cert.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
/etc# init.d/cyrus-imapd reload
Reloading cyrus.conf file:                                 [  OK  ]
/root# yum -y install mod_ssl    # No longer installed with Apache
/etc/pki/tls/misc# ./CA -newreq-nodes    # Must patch CA first!
/etc/pki/tls/misc# ./CA -signreq
/etc/pki/tls/misc# mv newreq.pem ../private/gcaw.org-https-key.pem
/etc/pki/tls/misc# mv newcert.pem ../certs/gcaw.org-https-cert.pem
/etc/pki/tls/misc# cd /etc/sysconfig
/etc/sysconfig# cp iptables iptables.orig
/etc/sysconfig# vi iptables    # Make firewall hole for port 443 (and 80 of course)
/etc/sysconfig# diff iptables.orig iptables
80a81
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
/etc/sysconfig# /etc/init.d/iptables restart
/etc/sysconfig# rm iptables.orig
/etc/sysconfig# cp httpd httpd.orig
/etc/sysconfig# vi httpd    # On non-RH systems you enable SSL differently
/etc/sysconfig# diff httpd.orig httpd
15c15
< #OPTIONS=
---
> OPTIONS="-DSSL"
/etc/sysconfig# cd /etc/httpd/conf
/etc/httpd/conf# vi httpd.conf    # No changes may be needed here
/etc/httpd/conf# cd ../conf.d
/etc/httpd/conf.d# cp ssl.conf ~/ssl.conf.orig
/etc/httpd/conf.d# vi ssl.conf
/etc/httpd/conf.d# httpd -S    # Check syntax of Apache ...
Syntax OK
/etc/httpd/conf.d# diff ~/ssl.conf.orig ssl.conf
89,90c89,90
< #DocumentRoot "/var/www/html"
< #ServerName www.example.com:443
---
> DocumentRoot "/var/www/gcaw.org-secure"
> ServerName whoopie.gcaw.org:443
112c112
< SSLCertificateFile /etc/pki/tls/certs/localhost.crt
---
> SSLCertificateFile /etc/pki/tls/certs/gcaw.org-https-cert.pem
119c119
< SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
---
> SSLCertificateKeyFile /etc/pki/tls/private/gcaw.org-https-key.pem
134c134
< #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
---
> SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
/etc/httpd/conf# cd /var/www
/var/www# mkdir gcaw.org-secure
/var/www# chmod 775 gcaw.org-secure
/var/www# cd gcaw.org-secure/
/var/www/gcaw.org-secure# vi index.htm
/var/www/gcaw.org-secure# chmod 644 index.htm
/var/www/gcaw.org-secure# cd
/root# /etc/init.d/httpd start    # Or use reload
/root# chkconfig httpd on
/root# links https://whoopie.gcaw.org/
/root# exit    # Success!
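Both the mail session and the Apache session above end by pointing a daemon at a moved key, a moved certificate and ca-bundle.crt, and then reloading. Before that reload it is worth confirming that the three files actually fit together: the key belongs to the certificate, the certificate chains to the bundle the daemon (and its clients) will trust, and the Common Name is the host clients connect to. The script below is an added example, not code from the page, from OpenSSL's CA script or from Postfix, Cyrus or Apache; it assumes only an openssl binary on PATH, and the file paths and optional hostname are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original page): pre-reload check for a TLS
# cert/key pair and its CA bundle, so a mismatch is caught by this script
# rather than by the first client that tries to connect.
# Usage: sh tlscheck.sh CERT KEY CAFILE [HOSTNAME]
#   e.g. sh tlscheck.sh /etc/pki/tls/certs/gcaw.org-https-cert.pem \
#            /etc/pki/tls/private/gcaw.org-https-key.pem \
#            /etc/pki/tls/certs/ca-bundle.crt whoopie.gcaw.org

# check_pair CERT KEY CAFILE [HOSTNAME]
#   returns 0 if key and cert match, cert chains to CAFILE (and CN is HOSTNAME),
#           1 if any of those checks fails (reason printed),
#           2 if all checks pass but the cert expires within 30 days.
check_pair() {
    cert=$1 key=$2 ca=$3 host=$4

    # The RSA modulus is identical in a certificate and its private key, so
    # comparing the two catches the "moved the wrong file" mistake directly.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) ||
        { echo "cannot read certificate $cert"; return 1; }
    key_mod=$(openssl rsa -in "$key" -noout -modulus </dev/null 2>/dev/null) ||
        { echo "cannot read private key $key (encrypted, or not RSA?)"; return 1; }
    [ "$cert_mod" = "$key_mod" ] ||
        { echo "private key $key does not match certificate $cert"; return 1; }

    # The certificate must validate against the bundle handed to the daemon;
    # a client trusting that bundle will otherwise reject the server.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "certificate $cert does not chain to $ca"; return 1; }

    # Optional: the subject CN must be the name clients use (RFC2253 output
    # is "subject=CN=host,O=...", with no spaces around the '=').
    if [ -n "$host" ]; then
        openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
            grep -qE "(^|[=,])CN=$host(,|\$)" ||
            { echo "subject CN of $cert is not $host"; return 1; }
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        { echo "certificate $cert expires within 30 days"; return 2; }

    echo "$cert / $key / $ca: OK"
    return 0
}

if [ $# -ge 3 ]; then
    check_pair "$@"
fi
```

Run it once for the mail pair and once for the HTTPS pair before `postfix reload`, `init.d/cyrus-imapd reload` and `/etc/init.d/httpd start`; exit status 1 means do not reload yet, and 2 is the reminder to re-issue the certificate before its one-year validity runs out.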
Create a password file, /var/www/passwords/gcaw.org-htpasswd, with the htpasswd command, and then change the following:

<Location />
    Options Includes SymLinksIfOwnerMatch
</Location>

To:

<Location />
    Options SymLinksIfOwnerMatch
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /var/www/passwords/gcaw.org-htpasswd
    Require valid-user
    <Limit GET>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>