Apache + Mod_SSL + OpenSSL

SSL Certificate CSR Generation Instructions

Follow these instructions to generate a CSR for your web site. When you have completed this process, you will have a CSR ready to submit to your provider, who will issue an SSL certificate from it.

1. Create an RSA key for your Apache server:

cd /apacheserverroot/conf/ssl.key (ssl.key is the default key directory.)

If you have a different path, cd to your server's private key directory. Alternatively, you can generate the key and CSR anywhere on your system; to make them work, copy them to the correct path according to your web server configuration.


2. Enter the following command to generate a private key that is encrypted on disk. You will be prompted for the passphrase whenever the file is read, including every time you start your web server:

openssl genrsa -des3 -out domainname.key 1024

Warning: If you lose or forget the passphrase, you will not be able to use the certificate, so we suggest creating the key without a passphrase.

Create a private key without file encryption if you do not want to enter the passphrase when starting your webserver:

openssl genrsa -out domainname.key 1024

Note: We recommend that you name the private key after the domain name you are purchasing the certificate for, for example domainname.key.

3. Type the following command to create a CSR with the RSA private key (output will be PEM format):

openssl req -new -key domainname.key -out domainname.csr

Note: You will be prompted for your PEM passphrase if you included the "-des3" switch in step 2. When creating a CSR you must follow these conventions:

• Enter the information to be displayed in the certificate. The following characters cannot be used: < > ~ ! @ # $ % ^ / \ ( ) ?.,&
• If you are applying for a wildcard certificate, you must use * in place of the subdomain, for example *.yourdomain.com instead of www.yourdomain.com

You will now be prompted for information to include within the CSR:

Country Name (2 letter code) [AU]:

US (must be a two-letter ISO country code; note that for the United Kingdom the country code is GB, NOT UK)

State or Province Name (full name) [Some-State]:

The state or province where your organization is legally located. This cannot be abbreviated and must be entered in full.

Locality Name (eg, city) []:

The city where your organization is legally located.

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

The exact legal name of your organization. Do not abbreviate your organization name.

Organizational Unit Name (eg, section) []:

Section of the organization, such as Marketing or Web Development.

Common Name (eg, YOUR name) []:

The fully qualified domain name of your web server. This must be an exact match. If you intend to secure the URL https://www.yourdomain.com, then your CSR's common name must be www.yourdomain.com. If you are applying for a wildcard certificate to secure all subdomains of your domain, the common name must be *.yourdomain.com.

Email Address []:

Leave this field blank by just pressing return.

A challenge password []:

Leave this field blank by just pressing return.

An optional company name []:

Leave this field blank by just pressing return.

4. If you would like to verify the contents of the CSR, use the following command:

openssl req -noout -text -in domainname.csr

5. Create a backup of your private key. If the private key is lost, your CSR and certificate will be useless. Make a copy of the private key file (domainname.key) generated earlier and store it in a safe place! When opened in a text editor, the private key file should begin with:

-----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----

6. Your CSR has now been created. Open domainname.csr in a text editor and copy and paste its contents into the online enrollment form when requested.
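Steps 1 to 4 as a non-interactive script, added here as an example and not taken from the original page: the -subj option answers every prompt of step 3, and the result is checked before it is pasted into the enrollment form. The domain, subject fields and output directory are placeholders; the key is 2048 bits because public CAs no longer accept 1024-bit keys.

```shell
#!/bin/sh
# Added example (not from the original page): steps 1-4 run without
# prompts so the key and CSR can be produced by a script. The subject
# fields, the domain and the output directory are placeholders; the key
# is 2048 bits because public CAs no longer accept 1024-bit keys.
set -eu

# make_key_and_csr DIR DOMAIN: writes DIR/DOMAIN.key (unencrypted, as in
# step 2 without -des3) and DIR/DOMAIN.csr; a wildcard "*.domain" is
# stored as "wildcard.domain" so the file names stay shell-friendly.
make_key_and_csr() {
    dir=$1; domain=$2
    name=$(printf '%s' "$domain" | sed 's/^\*/wildcard/')
    umask 077                      # key must not be group/world readable
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    # Same fields, same order as the interactive prompts in step 3; -subj
    # answers them all, so Email/challenge password/company stay empty.
    openssl req -new -batch -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=GB/ST=London/L=London/O=Example Ltd/OU=Web/CN=$domain"
}

# csr_ok CSR: returns 0 when the request's self-signature verifies, i.e.
# the file was not truncated or altered before submission.
csr_ok() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# csr_cn CSR: prints the Common Name, so it can be compared with the exact
# host name (www.yourdomain.com) or wildcard (*.yourdomain.com) being bought.
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# wildcard_csr CSR: returns 0 when the CN is a wildcard entry.
wildcard_csr() {
    case "$(csr_cn "$1")" in
        \*.*) return 0 ;;
        *)    return 1 ;;
    esac
}
```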

7. Verifying a Digital Certificate

To verify an X.509 certificate, use the following command:

# openssl verify server.crt
server.crt: OK

Where server.crt is the name of the file that contains the digital certificate.

7.1. Viewing the contents of a Digital Certificate

The contents of a digital certificate can be viewed with the openssl x509 command as follows:

# openssl x509 -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 312312312 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=UK, O=Some Corporation, CN=Some CompanyTrust Root
Validity
Not Before: May 8 03:25:50 2005 BST
Not After : May 8 03:25:50 2010 BST
Subject: C=GB, ST=London, L=London, O=Open-source, OU=webtechnologies, CN=www.xml-dev.com/Email=admin@linux4beginners.info
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
............
............
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
............
............

7.2. Modifying the httpd.conf to Install the Certificates.

You will need to place this certificate on the server, and tell Apache where to find it.

For this example, the private key is placed in the /usr/local/apache2/conf/ssl.key/ directory, and the server certificate is placed in /usr/local/apache2/conf/ssl.crt/.

Copy the certificate file received from the certification authority to a file called server.crt in /usr/local/apache2/conf/ssl.crt/.

Place the private key (private.key) generated in the previous step in /usr/local/apache2/conf/ssl.key/.

Then modify /usr/local/apache2/conf/ssl.conf to point to the correct private key and server certificate files:

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
#SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server-dsa.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/private.key
#SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server-dsa.key
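Two checks worth running before pointing SSLCertificateFile and SSLCertificateKeyFile at the new files: that the certificate chains to the CA that issued it, and that it belongs to the private key you are about to reference. Added example, not from the original page; the file names and the CA bundle path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): pre-install checks for the
# files named in ssl.conf. File names and the CA bundle are placeholders.
set -eu

# cert_chain_ok CERT CAFILE: "openssl verify server.crt" on its own only
# succeeds when the issuer is already in the system trust store; for a
# CA-issued certificate pass the CA's bundle so the full chain is checked.
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# pubkey_fp FILE KIND: prints a SHA-256 fingerprint of the RSA modulus in
# a certificate (KIND=x509) or private key (KIND=rsa), so the two halves
# of a key pair can be compared without printing the private key.
pubkey_fp() {
    openssl "$2" -noout -modulus -in "$1" | openssl sha256 | sed 's/.*= *//'
}

# cert_matches_key CERT KEY: returns 0 when the certificate was issued for
# this private key; Apache refuses to start when the two do not match.
cert_matches_key() {
    [ "$(pubkey_fp "$1" x509)" = "$(pubkey_fp "$2" rsa)" ]
}

# cert_expires_within CERT SECONDS: returns 0 if "Not After" falls inside
# the window (openssl -checkend exits non-zero in that case), so the check
# can double as a renewal reminder in cron.
cert_expires_within() {
    ! openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}
```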

7.3. Removing passphrase from the RSA Private Key.

The RSA private key stored on the web server is usually encrypted, and a passphrase is needed to read the file. That is why you are prompted for a passphrase when starting Apache with mod_ssl:

# apachectl startssl
Apache/1.3.23 mod_ssl/2.8.6 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server your.server.dom:443 (RSA)
Enter pass phrase:

Encrypting the RSA private key is very important. If a cracker gets hold of your unencrypted RSA private key, he or she can easily impersonate your web server. If the key is encrypted, the cracker cannot do anything without brute-forcing the passphrase. Use of a strong (i.e., long) passphrase is encouraged.

However, encrypting the key can sometimes be a nuisance, since you will be prompted for the passphrase every time you start the web server, especially if you use rc scripts to start it at boot time: the passphrase prompt will stop the boot process while it waits for your input.

You can get rid of the passphrase prompt easily by decrypting the key. However, make sure that no one else can get hold of this key. I would recommend that hardening and securing guidelines be followed before decrypting the key on the web server.

To decrypt the Key:

First make a copy of the encrypted key

# cp server.key server.key.cryp

Then rewrite the key without encryption. You will be prompted for the passphrase of the original encrypted key:

# /usr/local/ssl/bin/openssl rsa -in server.key.cryp -out server.key
read RSA key
Enter PEM pass phrase:
writing RSA key

One way to secure the decrypted private key is to make it readable only by root:

# chmod 400 server.key
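The same steps as a script that never leaves the decrypted key readable by anyone but its owner, not even between the openssl and chmod commands; added here as an example, not part of the original page. It assumes the passphrase is supplied in a file (placeholder path) and that the key was encrypted with -des3 or -aes256.

```shell
#!/bin/sh
# Added example (not from the original page): 7.3 as a script. The key
# path and the passphrase file are placeholders; the passphrase is read
# from a file so it never appears on a command line or in shell history.
set -eu

# key_is_encrypted KEY: returns 0 when the PEM carries an encryption
# marker (a -des3 key shows "Proc-Type: 4,ENCRYPTED"; a PKCS#8 key
# written by newer OpenSSL shows "BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# decrypt_key KEY PASSFILE: keeps KEY.cryp as the encrypted backup, writes
# the plaintext key to KEY with mode 0400 and confirms it loads without a
# passphrase. umask 077 makes every file created here owner-only from the
# start, so there is no window in which the plaintext key is 0644.
decrypt_key() {
    key=$1; passfile=$2
    umask 077
    cp "$key" "$key.cryp"                    # step 1: backup of encrypted key
    openssl rsa -in "$key.cryp" -passin "file:$passfile" \
        -out "$key.tmp" 2>/dev/null          # step 2: rewrite without encryption
    chmod 400 "$key.tmp"                     # step 3: root/owner read-only
    mv "$key.tmp" "$key"                     # atomic replace of the original
    openssl rsa -in "$key" -noout -check >/dev/null 2>&1   # loads with no prompt
}

# key_mode_ok KEY: returns 0 when the file is readable by its owner only,
# which is what "chmod 400" intends (mode string taken from ls -l).
key_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}
```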

7.4. SSL Performance Tuning

7.4.1. Inter Process SSL Session Cache

Apache uses a multi-process model, in which successive requests from the same client are NOT necessarily handled by the same process. This causes the SSL session information to be lost when a client makes multiple requests, and repeated SSL handshakes cause a lot of overhead on both the web server and the client. To avoid this, SSL session information must be stored in an inter-process session cache, so that all processes have access to the handshake information. The SSLSessionCache directive in the /usr/local/apache2/conf/ssl.conf file specifies the location of the SSL session cache:

SSLSessionCache shmht:logs/ssl_scache(512000)
#SSLSessionCache shmcb:logs/ssl_scache(512000)
#SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300

Using dbm:logs/ssl_scache creates the cache as a DBM hash file on the local disk.
Using shmht:logs/ssl_scache(512000) creates the cache in a shared memory segment.

Note on shmht vs shmcb:
shmht: uses a hash table to cache the SSL handshake information in shared memory.
shmcb: uses a cyclic buffer to cache the SSL handshake information in shared memory.

Note:

Not all platforms/OSes support creation of a hash table in shared memory. On those, dbm:logs/ssl_scache must be used instead.

7.4.2. Verifying the SSL Session Cache

To verify that the SSLSessionCache is working properly, you can use the openssl utility with the -reconnect option as follows:

# openssl s_client -connect your.server.dom:443 -state -reconnect

CONNECTED(00000003)
.......
.......
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
.....

The -reconnect option makes s_client connect to the server 5 times using the same SSL session ID. You should see the same session ID reused on all 5 reconnections, as shown above; a "New," line on a reconnection means the server performed a full handshake instead.
