SSL is especially suited to HTTP because it provides some protection even when only one side of the communication is authenticated; for HTTP transactions over the Internet, typically only the server side is authenticated. This workshop explains how to set up an SSL virtual host using OpenSSL and TinyCA on an OpenSuse 10.2 server.
Step 1: Creating the index page
We do the same as in the last workshop. Just create the following directory:
mkdir /srv/www/htdocs/ssl
You can later store your content in this directory. For now, just create a single file called index.html containing a message about the type of server. An example file could look like this:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
  <title></title>
</head>
<body>
<div style="text-align: center;"><span style="font-weight: bold;">This is my secure webserver working on Port 443.<br>
<a href="http://www.linux-tip.net">Linux-Tip.net</a></span></div>
</body>
</html>
Step 2: Setup an IP based virtual host running on port 443
OpenSuse stores the vhost configuration files in the following directory:
/etc/apache2/vhosts.d
During the start-up process, Apache will automatically use all .conf files located in this directory for the final configuration.
You can easily create a new vhost ssl configuration file by using the ssl template like this:
cd /etc/apache2/vhosts.d/
cp vhost-ssl.template ssl.conf
Here are the lines you should take care of:
VirtualHost 192.168.33.234:443 - use your IP here, leave the port at 443
DocumentRoot - use the directory you have created in step 1
SSLCertificateFile - use the server certificate you will create in step 3
SSLCertificateKeyFile - use the server key file you will create in step 3
SSLCACertificateFile - use the CA certificate you will create in step 3
The configuration file could look like this:
<IfDefine SSL>
<IfDefine !NOSSL>

##
## SSL Virtual Host Context
##

<VirtualHost 192.168.33.234:443>

    DocumentRoot "/srv/www/htdocs/ssl/"
    # placeholder address: the one on the original page was removed by its e-mail obfuscation
    ServerAdmin webmaster@example.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /srv/www/etc/server.crt
    SSLCertificateKeyFile /srv/www/etc/server.key
    SSLCACertificateFile /srv/www/etc/ca-cert.crt
    #SSLVerifyClient require
    #SSLVerifyDepth 1

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/srv/www/htdocs/ssl/">
        Options All
        Order Allow,Deny
        Allow from all
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    CustomLog /var/log/apache2/ssl_request_log ssl_combined

</VirtualHost>

</IfDefine>
</IfDefine>

A caveat on the SSLCipherSuite line the template ships with: it ends in +LOW:+SSLv2:+EXP:+eNULL, so it admits SSLv2, export-grade and even unencrypted (eNULL) ciphers. On any server that real clients talk to, restrict it, for example to SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW together with SSLProtocol all -SSLv2. Options All is also more than a static test page needs; Options None is enough here.
Important remark: To enable SSL support on the Apache server the following file needs to be configured:
/etc/sysconfig/apache2
Please change the following line (around line 132) to this:
APACHE_SERVER_FLAGS="SSL"
Step 3: Creating the certificates and keys
TinyCA is a simple graphical user interface written in Perl/Gtk to manage a small CA (Certification Authority). It works as a frontend for openssl.
If you update your Suse server regularly, you should find the tool on your update server. Please use YAST to install it.
Alternatively you can download the tool from the following webpage.
http://tinyca.sm-zone.net/
Please keep in mind that TinyCA needs perl-Gtk2 to run properly.
Start TinyCA from your Linux console like this:
tinyca &
If you are working as root, TinyCA will store all created certificates in the following directory:
/root/.TinyCA
We have to create a Certification Authority first. Just create it as the picture below shows; the passphrase you give the CA key here is the one you will be asked for every time you sign a request:

Next we have to create a server certificate. Click on “Request”, then right-click and choose “New Request”. Fill in the information in the next window. The Common Name must be the host name (or, as in our vhost, the IP address) that clients will type into the URL, otherwise browsers will complain that the certificate does not match the site:

It’s now time to sign the request. Mark the request you would like to sign, right-click and choose “Sign Request” – “Sign Request (Server)”. Enter the CA password you created in the beginning.

You should now find a new entry in both “Certificates” and “Keys”. Please double check; it should look like this:

We will later use client certificates and keys as well, so let’s create one right away. Create a request for a client certificate in the same way: click on “Request”, then right-click and choose “New Request”, and fill in the information in the next window:

Sign the request accordingly: mark the request you would like to sign, right-click and choose “Sign Request” – “Sign Request (Client)”. Enter the CA password you created in the beginning.

Step 4: Running Apache with SSL support
We now need to copy the server certificates and key to the right place. Please create the following directory:
/srv/www/etc
We will also use TinyCA to export the keys and certificates. Mark the certificate you would like to export and click on the export button (floppy disk). If you are working as root, TinyCA will store it in the /root directory:

Mark the key you would like to export and click on the export button. Important! Answer the “Without Passphrase” question with “Yes” (an encrypted key would make Apache prompt for the passphrase at every start) and “Include Certificate (PEM)” with “Yes”, and enter the key's passphrase when asked; TinyCA needs it to decrypt the key for the export.

Copy the files to /srv/www/etc/ and rename them like this. TinyCA's default export file names contain the certificate's e-mail address, which is why the two server file names on the original page were lost to its e-mail obfuscation; they are shown as placeholders here. Since the key is stored unencrypted, make it readable by root only:

cp <exported-server-cert>.pem /srv/www/etc/server.crt
cp <exported-server-key>.pem /srv/www/etc/server.key
cp ca_cert-cacert.pem /srv/www/etc/ca-cert.crt
chmod 600 /srv/www/etc/server.key
Restart Apache like this and watch for errors:
/etc/init.d/apache2 restart
or
service apache2 restart
If everything is working fine, you can now start your favourite browser and open the test page at https://192.168.33.234/ (the IP you used in the VirtualHost line). The browser will warn that the certificate was issued by an unknown authority, because our own CA is not in its trust store; accept the certificate temporarily for now. We will deal with it later.

Step 5: Client Authentication and Access Control
When you know your user community (a closed user group, as is the case in an Intranet for instance), you can use plain certificate authentication. We have already created a client certificate signed by our own CA certificate. Now the server has to verify clients against that CA certificate. You may have noticed these two entries in our configuration file /etc/apache2/vhosts.d/ssl.conf:
#SSLVerifyClient require
#SSLVerifyDepth 1
The template ships them commented out; remove the leading # from both lines so that Apache demands a client certificate and accepts only certificates issued directly by the CA in SSLCACertificateFile (depth 1). Please do not forget to save the file and to restart Apache with the command you used in step 4. If you now try to access your server without a client certificate, you will get the following error:
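For reference, here is the vhost file as it should look after this step. This is an added example, not the template from the original page: it keeps the page's IP, paths and log names, turns client verification on, replaces the template's permissive cipher string with a restrictive one, and adds one access-control rule. The organisation name Example in the SSLRequire line is an assumption; put whatever you entered as Organization when you created the client request in TinyCA.

```apache
# Added example of /etc/apache2/vhosts.d/ssl.conf after step 5 (not the page's template).
# IP, paths and log names are the page's; "Example" in SSLRequire is an assumed value.
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost 192.168.33.234:443>
    DocumentRoot "/srv/www/htdocs/ssl/"
    ErrorLog     /var/log/apache2/error_log
    TransferLog  /var/log/apache2/access_log
    CustomLog    /var/log/apache2/ssl_request_log ssl_combined

    SSLEngine on
    # The template's string ends in +LOW:+SSLv2:+EXP:+eNULL and so admits SSLv2,
    # export-grade and unencrypted ciphers. Allow strong suites only.
    SSLProtocol    all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5

    SSLCertificateFile    /srv/www/etc/server.crt
    SSLCertificateKeyFile /srv/www/etc/server.key
    SSLCACertificateFile  /srv/www/etc/ca-cert.crt

    # Step 5: demand a client certificate and accept only those issued
    # directly by the CA above (depth 1 = leaf plus one CA; no intermediates).
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Directory "/srv/www/htdocs/ssl/">
        # A static test page needs none of the extras that "Options All" enables.
        Options None
        Order Allow,Deny
        Allow from all
        # Expose SSL_CLIENT_S_DN_* to CGI/PHP and additionally require that the
        # presented certificate's subject carries O=Example (assumed value).
        SSLOptions +StdEnvVars
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example"
    </Directory>
</VirtualHost>
</IfDefine>
</IfDefine>
```

To check it without a browser, run curl with the CA certificate and a client certificate and key in PEM form: curl --cacert /srv/www/etc/ca-cert.crt --cert client.crt --key client.key https://192.168.33.234/ should return the index page (add -k only if the certificate's Common Name does not match the address you use), while the same request without --cert and --key must fail during the handshake. On Apache 2.4 SSLRequire is deprecated; write the rule as Require expr %{SSL_CLIENT_S_DN_O} == "Example" instead.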

Next you need a way to hand the client certificate to the person who wants to access your web page. Use TinyCA to export it to the root directory: click on “Certificates”, mark the client certificate you would like to export, right-click and choose “Export Certificate”. Use the options “PKCS#12”, “Include Key (PEM)” and “Include Fingerprint (PEM)” like this:

Please remember the password you have used in this step. You will later need it to import the certificate into your browser (see step 6).

In this case you will find the certificate in a .p12 file in /root; its name, which again contains the e-mail address, was stripped from the original page.
Copy it to the user’s home directory or put it on a USB stick to hand it over to the user. Remember that the .p12 file contains the user's private key: pass it on over a path you trust, and tell the user the password from the previous step separately rather than alongside the file.
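The same certificate work done on the command line, as an added example for readers who would rather script it than click through TinyCA. This is not the page's own procedure, and the names Example Test CA, www.example.com, Alice/alice@example.com and the PKCS#12 password changeit are placeholders. It builds the CA and the server and client certificates from step 3, writes the server key unencrypted as the step 4 export does, produces the .p12 bundle from step 5, and finally verifies each certificate for its purpose the way Apache will when SSLVerifyClient is on.

```shell
#!/bin/sh
# Added example, not from the original page: the TinyCA workflow with plain openssl.
# All names and the password "changeit" are placeholders.

# make_pki DIR: create ca.crt/ca.key, server.crt/server.key, client.crt/client.key
# and client.p12 in DIR; returns 0 only if both leaf certificates verify.
make_pki() {
    mkdir -p "$1" && (
        cd "$1" || exit 1
        set -e

        # 1. The CA: self-signed, explicitly marked CA:TRUE so that openssl,
        #    Apache and Firefox accept it as an issuer.
        openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
            -subj "/O=Example/CN=Example Test CA" 2>/dev/null
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        openssl x509 -req -in ca.csr -signkey ca.key -days 3650 \
            -extfile ca.ext -out ca.crt 2>/dev/null
        chmod 600 ca.key

        # 2. Server request, signed as a server certificate ("Sign Request (Server)").
        #    -nodes leaves the key unencrypted, like TinyCA's "Without Passphrase = Yes".
        openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
            -subj "/O=Example/CN=www.example.com" 2>/dev/null
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.com\n' > server.ext
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -extfile server.ext -out server.crt 2>/dev/null
        chmod 600 server.key   # unencrypted key: root-readable only

        # 3. Client request, signed as a client certificate ("Sign Request (Client)").
        openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
            -subj "/O=Example/CN=Alice/emailAddress=alice@example.com" 2>/dev/null
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -extfile client.ext -out client.crt 2>/dev/null
        chmod 600 client.key

        # 4. Certificate + key + CA in one PKCS#12 file, which the browser imports (step 6).
        openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt \
            -name "Alice" -out client.p12 -passout pass:changeit

        # 5. The checks Apache performs: chain to the CA and the right extendedKeyUsage.
        openssl verify -CAfile ca.crt -purpose sslserver server.crt >/dev/null
        openssl verify -CAfile ca.crt -purpose sslclient client.crt >/dev/null
    )
}

# cert_purpose_ok CA CERT PURPOSE: 0 if CERT chains to CA and is valid for PURPOSE
# (sslserver or sslclient); a client certificate must fail the sslserver check.
cert_purpose_ok() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}
```

Run make_pki /root/mypki (or any directory), then copy server.crt, server.key and ca.crt to /srv/www/etc/ as in step 4 and give client.p12 to the user. With OpenSSL 3 the .p12 is encrypted with AES and PBKDF2 by default; add -legacy to the pkcs12 command if a browser from this page's era refuses to import it.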
Step 6: Import the certificate to your favourite browser
If you are using Mozilla Firefox, please use “Firefox Preferences” – “Encryption” – “Your Certificates” and click on the Import button:

Open the certificate file name.p12
Use the password you chose in step 5.

If everything worked fine, you will find the client name listed in your certificate manager.

You are now able to access the web page without problems.
