Security is always a big concern and there's no reason your website should go unsecured. You can secure your Apache website with a self-signed SSL certificate. This post describes the process using Apache 2.2 and OpenSSL on an Ubuntu Linux server.
Begin by generating a private key:
> openssl genrsa -out mycert.key 1024
Next, generate a certificate request and enter the information:
> openssl req -new -key mycert.key -out mycert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Next, generate the self-signed certificate. You can specify the number of days the cert is valid for.
> openssl x509 -req -days 365 -in mycert.csr -signkey mycert.key -out mycert.cert
Signature ok
subject=/C=/ST=/L=/O=/CN=
Getting Private key
You no longer need the .csr request file. Create a folder and move the .key and .cert files into it:
> sudo mkdir /etc/apache2/ssl
> sudo mv *.cert /etc/apache2/ssl
> sudo mv *.key /etc/apache2/ssl
> sudo chmod 400 /etc/apache2/ssl/*.key
If the private key is protected with a password, Apache will by default prompt for the password when it starts. This can be a problem since you will need to enter the password each time Apache is restarted. We can fix this by having Apache call a program that returns the password.
Create the shell script /etc/apache2/ssl/password.sh and enter the following:
#!/bin/bash
echo "password"
Next we need to tell Apache to run the script. Apache's SSL settings are stored in:
/etc/apache2/mods-enabled/ssl.conf
Edit the file and change the SSLPassPhraseDialog to:
SSLPassPhraseDialog exec:/etc/apache2/ssl/password.sh
The last step is to assign the certificate to your Apache site by editing the sites file:
/etc/apache2/sites-enabled/000-default
You'll need to configure the SSL settings for the site:
<VirtualHost 192.168.1.100:443>
...
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/mycert.cert
SSLCertificateKeyFile /etc/apache2/ssl/mycert.key
...
</VirtualHost>
Don't forget to tell Apache to listen on port 443 in the /etc/apache2/ports.conf file. Restart Apache with sudo apache2ctl restart and you should be a little closer to being secure.
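A quick check for the Apache setup above, as an added example that is not part of the original post: it reads the SSLCertificateKeyFile and SSLPassPhraseDialog exec: directives from the config files you pass it and flags any referenced key or passphrase script that group or other users can access, since password.sh holds the passphrase in clear text. The function names are hypothetical, and the demo runs on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes unquoted paths and the
# directive spelling used on this page (sed matching is case-sensitive).

# Print the paths named by SSLCertificateKeyFile and by
# "SSLPassPhraseDialog exec:<path>" in the given Apache config files.
ssl_secret_paths() {
    sed -n \
        -e 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' \
        -e 's/^[[:space:]]*SSLPassPhraseDialog[[:space:]][[:space:]]*exec:\([^[:space:]]*\).*/\1/p' \
        "$@"
}

# Succeed only if the file exists and grants nothing to group or other.
is_owner_only() {
    [ -f "$1" ] || return 1
    # In the ls mode string (e.g. "-r--------") characters 5-10 are group+other.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report each referenced secret file; return non-zero if any is weak or missing.
audit_ssl_files() {
    rc=0
    for f in $(ssl_secret_paths "$@"); do
        if is_owner_only "$f"; then
            echo "OK    $f"
        elif [ -f "$f" ]; then
            echo "WEAK  $f ($(ls -ld "$f" | cut -c1-10))"
            rc=1
        else
            echo "MISS  $f"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed demo: throwaway files in a temp directory, not real key material.
demo() {
    d=$(mktemp -d) || return 1
    printf 'placeholder\n' > "$d/mycert.key"; chmod 400 "$d/mycert.key"
    printf '#!/bin/bash\necho "password"\n' > "$d/password.sh"; chmod 755 "$d/password.sh"
    printf 'SSLPassPhraseDialog exec:%s\nSSLCertificateKeyFile %s\n' \
        "$d/password.sh" "$d/mycert.key" > "$d/ssl.conf"
    audit_ssl_files "$d/ssl.conf" || echo "password.sh is readable by others: chmod 700 it"
    rm -rf "$d"
}
demo
```

To audit the real setup, call audit_ssl_files as root with /etc/apache2/mods-enabled/ssl.conf and /etc/apache2/sites-enabled/000-default as arguments.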
Recently I needed to generate a self-signed SSL cert for Apache Tomcat 5.5 on my Ubuntu Linux server. The basic process is to create a Java keystore with the self-signed cert, change Tomcat's configuration file, and restart the server. Here's how I did it:
> keytool -genkey -alias tomcat -keyalg RSA -keystore mycert.jks
Enter keystore password: changeit
What is your first and last name?
  [Unknown]: Chris Barber
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]: CB1, INC.
What is the name of your City or Locality?
  [Unknown]: Minneapolis
What is the name of your State or Province?
  [Unknown]: MN
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=Chris Barber, OU=Unknown, O="CB1, INC.", L=Minneapolis, ST=MN, C=US correct?
  [no]: yes

Enter key password for <tomcat>
        (RETURN if same as keystore password):
By default, Tomcat assumes the keystore password is "changeit". You can change the password, but then you need to set the keystorePass in Tomcat's configuration file. Regardless, the password for both the keystore and the cert MUST be the same. Store the keystore in a safe place such as Tomcat's configuration folder:
/etc/tomcat5.5
Next edit Tomcat's server configuration file:
/etc/tomcat5.5/server.xml
Locate the SSL connector declaration, uncomment it, and add the keystoreFile path:
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
keystoreFile="/etc/tomcat5.5/mycert.jks"
clientAuth="false" sslProtocol="TLS" />
Save the changes and restart Tomcat:
sudo /etc/init.d/tomcat5.5 restart
You should be good to go at this point. Launch your favorite web browser and go to https://localhost:8443.

Now you are secure and ready to rock.