
Generate Certificates - Apache

This chapter provides Apache downloading steps and cautionary tips. Mobily recommends compiling most of the modules dynamically, and leaving the main server stripped to the bones. He covers the free tool Nikto and how to use it. Also see why he says to disable the TRACE method. (From the book Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)

TABLE OF CONTENTS:
  1. Secure Installation and Configuration
  2. Asymmetric Encryption and GnuPG
  3. GnuPG and Apache Signatures
  4. Checking and Installing Apache
  5. Running Apache and Testing it with Nikto
  6. Secure Configuration
  7. File Permissions
  8. Don't Give Extra Information Away
  9. Apache and SSL
  10. Generate Certificates
  11. Configuration
By: Apress Publishing
August 17, 2004


Generating the Certificates

Before you start Apache, you need to generate the server's private key. You can use the following command:

[root@merc root]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
******
Verifying - Enter pass phrase for server.key:
******
[root@merc root]#

You then need to create a Certificate Signing Request (CSR), using your server's private key:

[root@merc root]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
[...]
-------
Country Name (2 letter code) [GB]:
AU
State or Province Name (full name) [Berkshire]:
WA
Locality Name (eg, city) [Newbury]:
Fremantle
Organization Name (eg, company) [My Company Ltd]:
Mobily.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: www.mobily.com

Email Address []: my_address@mobily.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@merc root]#

You should send the generated file, server.csr, to a Certificate Authority (CA). After verifying your details, the CA will reply with a signed certificate (typically named server.crt). The CSR carries only your public key and the Distinguished Name you entered; server.key itself stays on the server and is never sent to anyone.

If you want to test your server, you will need to create your own CA first:

[root@merc root]# openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
........++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
******
Verifying - Enter pass phrase for ca.key:
******

You now need to create a self-signed CA certificate:

[root@merc root]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
******
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
------
Country Name (2 letter code) [GB]:
AU
State or Province Name (full name) [Berkshire]:
Test
Locality Name (eg, city) [Newbury]:
Test
Organization Name (eg, company) [My Company Ltd]:
Test
Organizational Unit Name (eg, section) []:
Test
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@merc root]#

You should now use the sign.sh script shipped in the mod_ssl source tree (pkg.contrib/sign.sh) to sign your server.csr file with your newly created certificate authority:

[root@merc root]# apache_source/mod_ssl-2.8.14-1.3.29/pkg.contrib/sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName         :PRINTABLE:'AU'
stateOrProvinceName :PRINTABLE:'WA'
localityName        :PRINTABLE:'Fremantle'
organizationName    :PRINTABLE:'Mobily.com'
commonName          :PRINTABLE:'www.mobily.com'
emailAddress        :IA5STRING:'merc@mobily.com'
Certificate is to be certified until Aug 17 04:42:23 2004 GMT (365 days)
Sign the certificate? [y/n]:
y
1 out of 1 certificate requests certified, commit? [y/n]
y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK

You now have the files server.crt (your certificate) and server.key (your server's private key).
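The whole procedure above, as an added example that is not the book's commands or mod_ssl's sign.sh script: a POSIX shell script that builds a test CA, a server key and CSR, signs the CSR with the CA and then runs the checks worth doing before the files go into Apache. It departs from the book in three ways: it uses 2048-bit RSA keys, since CAs and browsers no longer accept 1024-bit keys; it leaves server.key unencrypted under mode 0600 rather than wrapping it with -des3 (an encrypted key has to be unlocked every time Apache starts); and it puts the hostname into a subjectAltName extension at signing time, because browsers now match the name there and not in the Common Name. The signing step uses openssl x509 -req instead of the openssl ca call inside sign.sh. The hostname www.example.test, the DN values and all file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from "Hardening Apache" or from mod_ssl's sign.sh.
# Runs the chapter's procedure in a scratch directory, then checks the result.
# The hostname, DN values and file names below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-www.example.test}"

# Answers for the openssl prompts live in a config file, so the run is
# reproducible and does not depend on the system openssl.cnf.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = ca_dn
x509_extensions = ca_ext

[ca_dn]
C = AU
O = Test CA
CN = Test Root CA

[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign

[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
}

# CA key plus self-signed CA certificate (the book's ca.key / ca.crt).
make_test_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    chmod 600 "$WORK/ca.key"
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" \
        -config "$WORK/openssl.cnf" -out "$WORK/ca.crt" 2>/dev/null
}

# Server key and CSR. No -des3: the key stays in the clear, protected by
# file mode 0600, so Apache can start unattended. -subj replaces the prompts.
make_server_key_and_csr() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    chmod 600 "$WORK/server.key"
    openssl req -new -key "$WORK/server.key" -config "$WORK/openssl.cnf" \
        -subj "/C=AU/ST=WA/L=Fremantle/O=Example Ltd/CN=$HOST" \
        -out "$WORK/server.csr" 2>/dev/null
}

# Sign the CSR with the CA. The CA decides the extensions: a server
# certificate, not a CA, carrying the hostname as a subjectAltName.
sign_server_csr() {
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions server_ext \
        -out "$WORK/server.crt" 2>/dev/null
}

# Check 1: chain validates and the name matches (sign.sh's "CA verifying").
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$HOST" "$WORK/server.crt"
}

# Check 2: server.key really is the key behind server.crt.
key_matches_cert() {
    [ "$(openssl pkey -in "$WORK/server.key" -pubout)" = \
      "$(openssl x509 -in "$WORK/server.crt" -pubkey -noout)" ]
}

# Check 3: the extensions requested at signing time actually landed.
cert_has_san_and_is_not_ca() {
    openssl x509 -in "$WORK/server.crt" -noout -text > "$WORK/server.txt"
    grep -q "DNS:$HOST" "$WORK/server.txt" && grep -q 'CA:FALSE' "$WORK/server.txt"
}

# Check 4 (failure mode): a certificate from an unrelated CA must be rejected.
rejects_wrong_ca() {
    openssl req -new -x509 -days 1 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
        -config "$WORK/openssl.cnf" -subj "/CN=Other CA" -out "$WORK/other.crt" 2>/dev/null
    ! openssl verify -CAfile "$WORK/other.crt" "$WORK/server.crt" >/dev/null 2>&1
}

generate_all() {
    write_config
    make_test_ca
    make_server_key_and_csr
    sign_server_csr
}

generate_all
verify_chain
key_matches_cert
cert_has_san_and_is_not_ca
rejects_wrong_ca
openssl x509 -in "$WORK/server.crt" -noout -subject -issuer -dates -fingerprint -sha256
echo "ready for Apache: $WORK/server.crt $WORK/server.key (CA: $WORK/ca.crt)"
```

Run it with sh, setting WORK and HOST as needed; any failed check aborts the script under set -e. The final openssl x509 call prints the subject, issuer, validity period and SHA-256 fingerprint of the new certificate, and that fingerprint is what you compare in the browser after importing ca.crt as a trusted root for testing.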
