Apache, imap, and exim all support ssl connections. Because I want webmail connections to be encrypted, so that passwords are not sent over the internet in plain text, I needed to create a key and a certificate for apache. For testing purposes I am going to be my own certificate authority. This will most likely be changed for the production server. You don't have to use any certificate authority - see http://www.tldp.org/HOWTO/SSL-RedHat-HOWTO.html
Note: The author of this page, and owner of this web site, is not to be held liable for any damage or trouble arising from following these directions. You are responsible for your own security, use, and creation of certificates.
See http://www.eclectica.ca/ssl-cert-howto.php for much more information. (Much of what I cover here was learned from this page.)
Quick steps:
- Setup and create root certificate.
- Create a key and signing request.
- Sign the request.
- Copy to the correct location.
- Edit the apache config file.
- Restart apache.
- Tips.
The following covers the command-line way of doing it. If you are using a GUI, it should be fairly simple to follow along.
Note: I am running Red Hat Linux 8.0, apache 2.x with mod_ssl, and openssl 0.9.x. Steps vary slightly when you are using a certificate authority.
1) Setup and create root certificate
See Setting up OpenSSL to Create Certificates
2) Create a key and signing request
To do this type:
openssl req -new -nodes -out name-req.pem -keyout private/name-key.pem -config ./openssl.cnf
You will be prompted for information. The critical part is the "Common Name". This must be the server's hostname, such as mail.your.domain, or the IP address. If you want to cover all subdomains you can enter *.your.domain. Use the "Organizational Unit" to remind you what the certificate is for, such as "Web Server".
Name Field | Explanation | Example
---|---|---
Country Name | The two-letter ISO abbreviation for your country | US = United States
State or Province Name | The state or province where your organization is located. Cannot be abbreviated. | Georgia
City or Locality | The city where your organization is located. | Atlanta
Organization Name | The exact legal name of your organization. Do not abbreviate. | SSL Secure Inc.
Organizational Unit | Optional; additional organization information. | Marketing
Common Name | The fully qualified domain name for your web server. You will get a certificate name check warning if this is not an exact match. | www.domain.tld
Email address | The server admin's email address | someone@your.domain
This will generate two files:
name-req.pem - the request
name-key.pem - the private key in the private directory
3) Sign the request
Signing the request with the root certificate generates the server certificate.
Type:
openssl ca -out name-cert.pem -config ./openssl.cnf -infiles name-req.pem
You will be prompted for the password used when creating the root certificate.
Two files are created:
name-cert.pem - which is the certificate
<number>.pem - a copy of it in the certs directory.
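Before copying the files into place it is worth confirming that they fit together. The following shell script is an added example, not from the original post: check_apache_cert verifies the signed certificate against the root certificate and the hostname, confirms the private key belongs to it, and flags a certificate that is close to expiry; make_test_pki builds a throwaway root and server certificate so the checks can be tried offline. It assumes an OpenSSL with -verify_hostname and the pkey subcommand (1.0.2 or newer, not the 0.9.x of the post) and uses openssl x509 -req -CA as a shortcut for the post's openssl ca step.

```shell
#!/bin/sh
# Added example (not from the original post): checks on the files produced
# in steps 2 and 3. Assumes OpenSSL 1.0.2+ (-verify_hostname, 'openssl pkey').

# check_apache_cert CA_CERT SERVER_CERT SERVER_KEY HOSTNAME
# Returns 0 when every check passes, 1 otherwise (reason on stderr).
check_apache_cert() {
    ca="$1"; cert="$2"; key="$3"; host="$4"
    # Chain: the cert must be signed by our root certificate, and its
    # Common Name (or SAN) must match the name clients will connect to.
    if ! openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca for $host" >&2
        return 1
    fi
    # Key: Apache refuses to start if the key and certificate disagree,
    # so compare the public key embedded in each.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        return 1
    fi
    # Lifetime: the certificate is only good for 365 days; flag it when
    # fewer than 30 days (2592000 s) remain so it is renewed in time.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: $cert expires within 30 days" >&2
        return 1
    fi
    return 0
}

# make_test_pki DIR HOSTNAME
# Builds a throwaway root certificate plus a server key, request and signed
# certificate for HOSTNAME in DIR (constructed test data only). Uses
# 'openssl x509 -req -CA' as a shortcut for the post's 'openssl ca' step.
make_test_pki() {
    dir="$1"; host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/name-key.pem" -out "$dir/name-req.pem" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$dir/name-req.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/name-cert.pem" 2>/dev/null
}
```

Source the file and call check_apache_cert with the root certificate, name-cert.pem, private/name-key.pem and the hostname you entered as the Common Name; a wildcard Common Name such as *.your.domain is matched against the hostname too.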
4) Copy to the correct location
For apache 2.x on Red Hat using the default locations, copy the files as follows.
For the name-key.pem:
cp name-key.pem /etc/httpd/conf/ssl.key/
For the certificate:
cp name-cert.pem /etc/httpd/conf/ssl.crt/
5) Edit the apache config file
For apache on Red Hat using the default location, the config file is /etc/httpd/conf/apache.conf. Note that your apache.conf file may include separate config files, and you may already have an /etc/httpd/conf.d/ssl.conf file. Check for this first before you place the following in your apache.conf file. Create a VirtualHost section for your web server. Basic example:
<VirtualHost 192.168.1.1:443>
    DocumentRoot /var/www/html
    ServerName 192.168.1.98
    ServerAdmin someone@your.domain
    ErrorLog /etc/httpd/logs/ssl_error_log
    TransferLog /etc/httpd/logs/ssl_access_log
    SSLEngine On
    SSLCertificateFile /etc/httpd/conf/ssl.crt/name-cert.pem
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/name-key.pem
    <Files ~ "\.(cgi|shtml|php)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog /etc/httpd/logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Also see http://httpd.apache.org/docs-2.0/mod/mod_ssl.html
6) Restart apache
Example:
service httpd restart
7) Tips
The certificate we created is only good for 365 days. When it expires, visitors to your site will receive a warning message. Don't forget to reissue the certificate each year, or however long you set its lifetime to.
For Squirrelmail, get the secure_login plugin. This will force https for login and switch back to http after.