Whole document tree


www.fifi.org
    Documentation
        Manpages
        GNU Info
        Debian document tree
        Whole document tree
    Trigance web page
    Public services
    User info
    Mailing lists
    Secure server
    Multilingual usage
 

Copyright (C) 2000-2012
Philippe Troin
<webmaster@fifi.org>.

Validate HTML
Validate CSS

    

Whole document tree

Securing Internet Protocols.
SSL Certificates HOWTO
PrevChapter 2. Certificate ManagementNext

2.6. Securing Internet Protocols.

2.6.1. Use a certificate with mod_ssl in apache

First never use your self-signed root CA Certificate with any application and especially with apache as it requires you to remove the passphrase on your private key.

First generate and sign a certificate request with the Common Name (CN) as www.mysite.com.

The key needs to be made insecure, so no password is required when reading the private key. Take the newreq.pem files that contains your private key and remove the passphrase from it. 

openssl rsa -in newreq.pem -out wwwkeyunsecure.pem

Because the key (PRIVATE Key) is insecure, you must know what you are doing: check file permissions, etc... If someone gets its hand on it, your site is compromised (you have been warned) Now you can use the newcert and cakeyunsecure.pem for apache.

Copy wwwkeyunsecure.pem and newcert.pem in the directory /etc/httpd/conf/ssl/ as wwwkeyunsecure.pem and wwwcert.crt respectively.

Edit /etc/httpd/conf/ssl/ssl.default-vhost.conf. 

---- 
# Server Certificate: 
# Point SSLCertificateFile at a PEM encoded certificate. If 
# the certificate is encrypted, then you will be prompted for a 
# pass phrase. Note that a kill -HUP will prompt again. A test 
# certificate can be generated with `make certificate' under 
# built time. 
#SSLCertificateFile conf/ssl/ca.crt 
SSLCertificateFile wwwcert.crt
# Server Private Key: 
# If the key is not combined with the certificate, use this 
# directive to point at the key file. 
#SSLCertificateKeyFile conf/ssl/ca.key.unsecure SSLCertificateKeyFile wwwkeyunsecure.pem 
----

Stop and start httpd (/etc/rc.d/init.d/httpd stop) ensure that all processes are dead (killall httpd) and start httpd (/etc/rc.d/init.d/httpd start)

2.6.2. Using a certificate with IMAPS

FIXME

2.6.3. Using a certificate with POPS

FIXME

2.6.4. Using a certificate with Postfix

FIXME

2.6.5. Generate and Sign a key with Microsoft Key Manager

In Microsoft Key Manager, Select the service you want to create a key, for instance IMAP (or WWW). Use the wizard to generate a new key. Ensure that the distinguished name won't be identical to previous generated key, for Instance for the Common Name (CN) use imap.mycompany.com. The wizard will place the request in the file C:\NewKeyRq.txt. Key Manager shows a Key with a strike to indicate the key is not signed.

Import this file in the OpenSSL /var/ssl directory rename it to newreq.pem and sign the request as usual. 

CA.pl -sign

The file newcert.pem is not yet suitable for key manager as it contains some text and the -CERTIFICATE- section. We have to remove the text, the easy way is to do: 

openssl x509 -in newcert.pem -out newcertx509.pem

Using a text editor is also suitable to delete everything outside the -CERTIFICATE- section.

The newcertx509.pem file contains now only the -CERTIFICATE- section.

Export the file newcertx509.pem to the Computer running key Manager and while selecting the key, right click and click on Install the Key Certificate, select this file, enter the passphrase. The key is now fully functional.

PrevHomeNext
Certificate managementUpSecuring E-mails.