SUNScholar/Secure Internet Connections
Revision as of 17:51, 19 August 2011
Introduction
Secure internet connections are created using the secure port (443) of the Apache2 web server. Below are instructions for setting up the Apache2 web server for secure internet connections by DEFAULT.
Defaults
The default location for certificates is: /etc/ssl/certs. This is where we will put the certificates. Other services should point to this folder for the certificates.
Step 1. Create the SSL certificates
Become root as follows:
sudo -i
Make the scripts folder:
mkdir /root/scripts
Open the script file:
nano /root/scripts/make-new-certs
Then copy and paste the following into the nano editor:
#! /bin/bash

# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install openssl

# Setup certificate variables
HOST="bib.sun.ac.za"
EMAIL="wklap@sun.ac.za"

# Set certs path
CERTS="/etc/ssl/certs/"

# Build path for certificate creation
CPATH="$CERTS$HOST"

# Remove partial output and stop if any openssl step fails
# (the original script called cleanup without defining it)
cleanup() {
    echo "Certificate creation failed, removing partial files" >&2
    rm -f "$CPATH.rand" "$CPATH.crt" "$CPATH.key" "$CPATH.gendh" "$CPATH.csr"
    exit 1
}

# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
# (1024-bit keys were the 2011 default; public CAs now require at least 2048)
cat > "$HOST.cnf" <<EOF
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=ZA
ST=WP
L=Stellenbosch
O=Universiteit Stellenbosch
OU=JS Gericke Library
CN=$HOST
emailAddress=$EMAIL

[ cert_type ]
nsCertType = server
EOF

# Create a large random seed for the new key
dd if=/dev/urandom of="$CPATH.rand" count=1 2>/dev/null || cleanup

# Generate the new key and self-signed certificate (valid one year).
# -nodes overrides encrypt_key and leaves the key unencrypted so that
# Apache2 can start without a passphrase prompt.
openssl req -new -x509 -days 365 -nodes -config "$HOST.cnf" \
    -out "$CPATH.crt" -keyout "$CPATH.key" || cleanup

# Create DH parameters from the random seed
# (older OpenSSL releases called this "openssl gendh")
openssl dhparam -rand "$CPATH.rand" -out "$CPATH.gendh" 1024 || cleanup

# Create a new certificate request (sent to a CA in Step 3)
openssl req -new -key "$CPATH.key" -config "$HOST.cnf" -out "$CPATH.csr" || cleanup

# Create a "pem" file suitable for Apache2
cat "$CPATH.key" "$CPATH.crt" > "$CPATH.pem" || cleanup

# The key file and the pem bundle contain the private key: root-only
chmod 0600 "$CPATH.key" "$CPATH.pem"

# Clean up (the original removed $HOST.rand, which was never created)
rm -f "$CPATH.rand"
Change the following to suit your organisation:
- $HOST
- C=
- ST=
- L=
- O=
- OU=
Save the file and exit.
Now we make the script executable as follows:
chmod 0755 /root/scripts/make-new-certs
Then we execute the script as follows:
/root/scripts/make-new-certs
After the script is complete we create the VeriSign CA certificate file as follows:
nano /etc/ssl/certs/verisign-ca.crt
Copy and paste the following to the nano editor:
-----BEGIN CERTIFICATE-----
MIIGLDCCBZWgAwIBAgIQbk/6s8XmacTRZ8mSq+hYxDANBgkqhkiG9w0BAQUFADCB
wTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTwwOgYDVQQL
EzNDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5
IC0gRzIxOjA4BgNVBAsTMShjKSAxOTk4IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1
dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdv
cmswHhcNMDkwMzI1MDAwMDAwWhcNMTkwMzI0MjM1OTU5WjCBtTELMAkGA1UEBhMC
VVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBU
cnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93
d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMmVmVyaVNpZ24gQ2xh
c3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDUVo9XOzcopkBj0pXVBXTatRlqltZxVy/iwDSMoJWzjOE3JPMu
7UNFBY6J1/raSrX4Po1Ox/lJUEU3QJ90qqBRVWHxYISJpZ6AjS+wIapFgsTPtBR/
RxUgKIKwaBLArlwH1/ZZzMtiVlxNSf8miKtUUTovStoOmOKJcrn892g8xB85essX
gfMMrQ/cYWIbEAsEHikYcV5iy0PevjG6cQIZTiapUdqMZGkD3pz9ff17Ybz8hHyI
XLTDe+1fK0YS8f0AAZqLW+mjBS6PLlve8xt4+GaRCMBeztWwNsrUqHugffkwer/4
3RlRKyC6/qfPoU6wZ/WAqiuDLtKOVImOHikLAgMBAAGjggKpMIICpTA0BggrBgEF
BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTAS
BgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4RQEHFwMwVjAo
BggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAqBggrBgEF
BQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQGA1UdHwQtMCsw
KaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzIuY3JsMA4GA1Ud
DwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYw
ITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9n
by52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjApBgNVHREEIjAgpB4wHDEaMBgGA1UE
AxMRQ2xhc3MzQ0EyMDQ4LTEtNTIwHQYDVR0OBBYEFKXvCxHOwEEDo0plkEiyHOBX
LX1HMIHnBgNVHSMEgd8wgdyhgcekgcQwgcExCzAJBgNVBAYTAlVTMRcwFQYDVQQK
Ew5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMgUHJpbWFy
eSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEoYykgMTk5
OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR8wHQYD
VQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrghB92f4Hz6getxB5Z/uniTTGMA0G
CSqGSIb3DQEBBQUAA4GBAGN0Lz1Tqi+X7CYRZhr+8d5BJxnSf9jBHPniOFY6H5Cu
OcUgdav4bC1nHynCIdcUiGNLsJsnY5H48KMBJLb7j+M9AgtvVP7UzNvWhb98lR5e
YhHB2QmcQrmy1KotmDojYMyimvFu6M+O0Ro8XhnF15s1sAIjJOUFuNWI4+D6ufRf
-----END CERTIFICATE-----
Save the file and exit.
Step 2. Setup Tomcat to use the SSL certs
You must complete step 1 above for this to work.
Change to cert folder as follows:
cd /etc/ssl/certs
Type the following to bundle the key and certificate into a PKCS12 keystore that Java (and therefore Tomcat) can read:
/usr/bin/openssl pkcs12 -export -out %hostname%.pkcs12 -in %hostname%.crt -inkey %hostname%.key
Replace %hostname% with the hostname of the server. You will be asked for a keystore password. Enter it and keep a careful record of it somewhere.
Now Tomcat6 has to be told where to find this keystore file. Edit the /etc/tomcat6/server.xml file as follows:
nano /etc/tomcat6/server.xml
Find the port 443 connector section and add the following keystore settings:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/ssl/certs/%hostname%.pkcs12"
keystoreType="PKCS12"
keystorePass="%SecretPassword%" />
Replace %SecretPassword% with the password you used when creating the keystore above, and replace %hostname% with the hostname used when creating the keystore above.
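Before restarting Apache2 or Tomcat it is worth confirming that Step 1 produced a matching key and certificate and that Step 2 produced a keystore Tomcat can actually open. The script below is an added example, not part of this wiki page or its original script: it assumes the openssl command line tool, GNU stat, the /etc/ssl/certs/<hostname>.key, .crt and .pkcs12 naming used above, and that the Tomcat service account belongs to a group called tomcat6. Because keystorePass sits in clear text in server.xml, it also restricts who can read the keystore file.

```shell
#!/bin/bash
# Added example, not part of the wiki page: sanity checks for the key and
# certificate made in Step 1 and the PKCS12 keystore made in Step 2.
# Assumptions: the openssl CLI, GNU stat, the page's naming scheme
# /etc/ssl/certs/<hostname>.key, .crt and .pkcs12, and "tomcat6" as the
# service account group that must read the keystore.
set -u

# 0 if the RSA private key and the certificate carry the same modulus,
# 1 if they differ, 2 if either file cannot be parsed as PEM.
# A mismatch here is the usual reason Apache2 rejects the .pem bundle.
check_cert_pair() {
    local key="$1" crt="$2" kmod cmod
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || return 2
    cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null) || return 2
    [ "$kmod" = "$cmod" ]
}

# 0 if the certificate is still valid $2 seconds from now (default 30 days).
# The Step 1 script issues one-year certificates, so run this from cron.
check_cert_not_expiring() {
    local crt="$1" secs="${2:-2592000}"
    openssl x509 -in "$crt" -noout -checkend "$secs" >/dev/null 2>&1
}

# 0 if the PKCS12 bundle opens with the given password and contains a
# private key; Tomcat needs both or it fails at startup with a keystore error.
check_pkcs12() {
    local p12="$1" pass="$2"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -noout >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# keystorePass is stored in clear text in server.xml, so the keystore itself
# must be readable only by root and the Tomcat service account.
# Prints the resulting octal mode.
lock_down_keystore() {
    local f="$1" group="${2:-tomcat6}"
    chmod 0640 "$f" || return 1
    if getent group "$group" >/dev/null 2>&1; then
        chown "root:$group" "$f" 2>/dev/null || true   # needs root; skipped otherwise
    fi
    stat -c '%a' "$f"
}

# Run every check for one host, e.g.:  ./check-certs bib.sun.ac.za 'SecretPassword'
main() {
    local host="$1" pass="$2" dir="${CERTS:-/etc/ssl/certs}" rc=0
    check_cert_pair "$dir/$host.key" "$dir/$host.crt" && echo "key/cert pair: ok" \
        || { echo "key/cert pair: MISMATCH"; rc=1; }
    check_cert_not_expiring "$dir/$host.crt" && echo "expiry: ok" \
        || { echo "expiry: certificate lapses within 30 days"; rc=1; }
    check_pkcs12 "$dir/$host.pkcs12" "$pass" && echo "pkcs12: ok" \
        || { echo "pkcs12: cannot open with that password"; rc=1; }
    echo "keystore mode: $(lock_down_keystore "$dir/$host.pkcs12")"
    return $rc
}
if [ $# -ge 2 ]; then main "$1" "$2"; fi
```

The checks compare the RSA modulus rather than file names, so they also catch the case where a key was regenerated after the certificate was issued. Set CERTS in the environment to point the script at a different certificate folder.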
Step 3. Apply for a signed certificate
Send the file ending with .csr created above in the /etc/ssl/certs folder to a recognised certificate authority for signing.
The following can supply signed certificates for an annual fee.
Try to shop around for the best prices.
After payment they will send you the signed certificate which you copy to the /etc/ssl/certs folder.
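A certificate that comes back from a CA should be checked before it replaces the self-signed one: that it really chains to the CA, that it is valid for the hostname users will type, and that it was issued against the private key from Step 1 rather than some other request. The script below is an added example, not part of this wiki page: it assumes the openssl command line tool and the /etc/ssl/certs/<hostname>.key naming from Step 1; the CA file must contain the CA's root certificate (an intermediate on its own, such as verisign-ca.crt, needs the root appended to it).

```shell
#!/bin/bash
# Added example, not part of the wiki page: checks to run on the certificate
# a CA returns in Step 3 before it replaces the self-signed one under
# /etc/ssl/certs. Assumes the openssl CLI; paths are the caller's.
set -u

# 0 if the signed certificate chains to the CA file and, when a hostname is
# given, is valid for that name. The CA file must contain the CA's root
# certificate; an intermediate alone (like verisign-ca.crt) is not enough.
cert_chains_to() {
    local crt="$1" cafile="$2" host="${3:-}"
    if [ -n "$host" ]; then
        openssl verify -CAfile "$cafile" -verify_hostname "$host" "$crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$cafile" "$crt" >/dev/null 2>&1
    fi
}

# 0 if the certificate was issued for the private key from Step 1; a CA that
# issued against a different CSR would leave Apache2 with a key/cert mismatch.
# Compares the SubjectPublicKeyInfo, so it works for any key type, not only RSA.
cert_matches_key() {
    local crt="$1" key="$2" a b
    a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Prints the issuer name so you can see who actually signed the certificate.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Rebuild the Apache2 "pem" bundle from Step 1 with the signed certificate in
# place of the self-signed one. Prints the bundle path; it contains the
# private key, so it is made readable by root only.
build_pem_bundle() {
    local key="$1" crt="$2" out="$3"
    cat "$key" "$crt" > "$out" && chmod 0600 "$out" && echo "$out"
}

# Usage:  ./check-signed-cert bib.sun.ac.za signed.crt root-ca.crt
main() {
    local host="$1" signed="$2" cafile="$3" dir="${CERTS:-/etc/ssl/certs}"
    cert_chains_to "$signed" "$cafile" "$host" \
        || { echo "chain or hostname check FAILED for $signed"; return 1; }
    cert_matches_key "$signed" "$dir/$host.key" \
        || { echo "$signed does not match $dir/$host.key"; return 1; }
    echo "signed by: $(cert_issuer "$signed")"
    build_pem_bundle "$dir/$host.key" "$signed" "$dir/$host.pem"
}
if [ $# -ge 3 ]; then main "$1" "$2" "$3"; fi
```

Only after all three checks pass should the signed certificate be copied over the .crt from Step 1 and the pem bundle rebuilt; doing it in that order means a wrong or mismatched certificate never reaches the running server.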
Command Line Help
Go to: http://www.ubuntu.sun.ac.za/wiki/index.php/SelfHelp for more help about the command line programs used in this procedure.
References
- http://www.linode.com/wiki/index.php/Apache2_SSL_in_Ubuntu
- http://linuxgravity.com/configuring-apache-for-ssl
- http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert
- http://www.tc.umn.edu/~brams006/selfsign.html