Configure TLS and SSL in Ubuntu 10.04 LTS
Configuring TLS/SSL in Ubuntu 10.04 LTS (Lucid Lynx) is a breeze. This post outlines the series of steps required to get SSL up and running. Additionally, it appears that the long-standing limitation of requiring different IPs or different ports when configuring SSL with Name-Based Virtual Hosts is no longer a limitation. This is certainly great news.
To set up a secure server using SSL, public key cryptography is used to create a public and private key pair. The certificate request (including the public key), proof of identity, and payment are sent to a Certificate Authority (CA). The CA verifies the certificate request and the identity of the requester. Then, a certificate is sent back to the requester.
One common (and expensive) Certificate Authority is Verisign. When a browser visits a website that is using SSL, the browser checks that the Certificate Authority that signed the request is in its list of pre-approved CAs. If it is, and if the Common Name on the certificate matches the domain name, then no warning is displayed to the user. However, if the certificate is not signed by one of the browser’s built-in CAs, or if the domain on the certificate does not match, then a large warning is displayed to the user. In this case, most internet users will immediately leave the site. Typically, this is sub-optimal.
Alternatively, if displaying a warning to users is not an issue (e.g. for testing), then a self-signed certificate can be created. Once a self-signed certificate or a signed certificate from the CA is obtained, it will need to be installed on the server.
Installing the Required Packages
First, the package required for SSL to work needs to be installed. It is assumed that the web server is already installed, configured, and running. If not, there are many great guides on the internet for this already.
Perform the following command to install openssl:
aptitude install openssl
Generating a Certificate Signing Request
Whether the certificate is being obtained from a CA or a self-signed certificate is being created, the first step is to generate a private key (e.g. server.key). The Certificate Signing Request (CSR) is then generated from that key.
Run the following command from a terminal prompt to create the key:
# To create a key protected by a pass phrase:
openssl genrsa -des3 -out server.key 4096

# To create a key without a pass phrase (use this one):
openssl genrsa -out server.key 4096
Ensure the server.key file is only readable by root:
chmod 400 server.key
After the key is created, the Certificate Signing Request (CSR) is created using the key. This will require the following information:
- Country Name
- State or Province Name
- Locality Name
- Organization Name
- Organizational Unit Name
- Common Name (must match domain name e.g. www.mysecureserver.com)
- Email Address
- Challenge Password
- Company Name
If the Common Name does not match the DNS name or the IP address of the web server, then the client will get a “domain mismatch” error. Additionally, the default values for the prompts are stored in /etc/ssl/openssl.cnf. Therefore, if a large number of certificate signing requests need to be created, appropriate defaults can be set there.
To create the CSR, run the following command:
openssl req -new -key server.key -out server.csr
Creating/Obtaining a Certificate
The CSR file is now submitted to the Certificate Authority (CA) for processing. The CA will use the CSR file and issue the certificate. Alternatively, a self-signed certificate using this CSR can be created using the following command:
# Create a self-signed certificate that expires in 365 days.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The previous command will prompt for a pass-phrase if the key was created with one; otherwise it will not. Once the correct pass-phrase is entered, the certificate is created and stored in the server.crt file.
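The key, CSR and self-signed certificate steps above, carried out non-interactively and followed by the checks worth running before the files are copied into /etc/apache2/ssl/. This is an added example, not code from the original post; it assumes the openssl CLI is installed and uses www.mysecurehost.com as the sample host name.

```shell
#!/bin/sh
# Added example, not from the original post: create the key, CSR and
# self-signed certificate without interactive prompts, then run the checks
# worth doing before copying the files into /etc/apache2/ssl/.
# Assumes the openssl CLI is installed; www.mysecurehost.com is the sample host.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
HOST=www.mysecurehost.com

# -subj answers the CSR questions on the command line; the CN must be the DNS
# name clients connect to (modern clients also expect it in a SAN extension).
# 2048 bits here to keep the run short; the post uses 4096.
make_cert() {
    host=$1; dir=$2
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 400 "$dir/server.key"
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$host" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Check 1: the Common Name in the issued certificate (a CN that differs from
# the host name produces the "domain mismatch" warning described above).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Check 2: the certificate really belongs to this private key (same RSA
# modulus); Apache refuses to start with a mismatched key/certificate pair.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ "$k" = "$c" ]
}

# Check 3: the key file is mode 0400 (readable by its owner only).
key_is_owner_read_only() {
    [ -n "$(find "$1" -perm 0400)" ]
}

make_cert "$HOST" "$WORKDIR"
echo "CN in certificate: $(cert_cn "$WORKDIR/server.crt")"
key_matches_cert "$WORKDIR/server.key" "$WORKDIR/server.crt" && echo "key matches certificate"
key_is_owner_read_only "$WORKDIR/server.key" && echo "key is mode 0400"
```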
Installing the Certificate and Key Files
To install the certificate and key files, perform the following:
mkdir /etc/apache2/ssl/
cp server.crt /etc/apache2/ssl/
cp server.key /etc/apache2/ssl/
Activating SSL within Apache
To enable the SSL module within Apache, perform the following:
a2enmod ssl
Enable SSL virtual hosts within the /etc/apache2/ports.conf file:
vim /etc/apache2/ports.conf

# Alter the section:
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
NameVirtualHost *:443
Listen 443
Creating an SSL Name-Based Virtual Host
Create an SSL Name-Based Virtual Host by creating a virtual host file in /etc/apache2/sites-available/:
vim /etc/apache2/sites-available/www.mysecurehost.com

<VirtualHost *:443>
    ServerAdmin email@example.com
    ServerName www.mysecurehost.com
    DocumentRoot /var/www/www.mysecurehost.com

    <Directory /var/www/www.mysecurehost.com>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog /var/log/apache2/www.mysecurehost.com-error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/www.mysecurehost.com-access.log combined

    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
Enable the site within Apache and restart it:
a2ensite www.mysecurehost.com
/etc/init.d/apache2 restart
If the key is protected by a pass-phrase, it will be requested every time the web server (Apache) starts; otherwise it will not.