Configuring OpenSSL

Create OpenSSL configuration file

This sample has been done with Ubuntu and Debian server, for Red Hat and CentOS the path of Apache files is not the same.

On Ubuntu and Debian the Apache path /etc/apache2 is /etc/httpd on Red Hat and CentOS.

Edit file /etc/ssl/openssl.cnf

$ vim /etc/ssl/openssl.cnf

    RANDFILE         = $ENV::SSLDIR/.rnd
    [ ca ]
    default_ca       = CA_default
    [ CA_default ]
    dir              = /opt/ca
    certs            = $dir/certs
    new_certs_dir    = $dir/newcerts
    crl_dir          = $dir/crl
    database         = $dir/index.txt
    private_key      = $dir/private/ca.key
    certificate      = $dir/ca.crt
    serial           = $dir/serial
    crl              = $dir/crl.pem
    RANDFILE         = $dir/private/.rand
    default_days     = 365
    default_crl_days = 30
    default_md       = sha1
    preserve         = no
    policy           = policy_anything
    name_opt         = ca_default
    cert_opt         = ca_default
    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    [ req ]
    default_bits            = 2048
    default_md              = sha1
    default_keyfile         = privkey.pem
    distinguished_name      = req_distinguished_name
    x509_extensions         = v3_ca
    string_mask             = nombstr
    [ req_distinguished_name ]
    countryName             = Country Name (2 letter code)
    countryName_min         = 2
    countryName_max         = 2
    stateOrProvinceName     = State or Province Name (full name)
    localityName            = Locality Name (eg, city)
    0.organizationName      = Organization Name (eg, company)
    organizationalUnitName  = Organizational Unit Name (eg, section)
    commonName              = Common Name (eg, YOUR name)
    commonName_max          = 64
    emailAddress            = Email Address
    emailAddress_max        = 64
    [ usr_cert ]
    basicConstraints        = CA:FALSE
    # nsCaRevocationUrl       = https://url-to-exposed-clr-list/crl.pem
    [ ssl_server ]
    basicConstraints        = CA:FALSE
    nsCertType              = server
    keyUsage                = digitalSignature, keyEncipherment
    extendedKeyUsage        = serverAuth, nsSGC, msSGC
    nsComment               = "OpenSSL Certificate for SSL Web Server"
    [ ssl_client ]
    basicConstraints        = CA:FALSE
    nsCertType              = client
    keyUsage                = digitalSignature, keyEncipherment
    extendedKeyUsage        = clientAuth
    nsComment               = "OpenSSL Certificate for SSL Client"
    [ v3_req ]
    basicConstraints       = CA:FALSE
    keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
    [ v3_ca ]
    basicConstraints        = critical, CA:true, pathlen:0
    nsCertType              = sslCA
    keyUsage                = cRLSign, keyCertSign
    extendedKeyUsage        = serverAuth, clientAuth
    nsComment               = "OpenSSL CA Certificate"
    [ crl_ext ]
    basicConstraints        = CA:FALSE
    keyUsage                = digitalSignature, keyEncipherment
    nsComment               = "OpenSSL generated CRL"

Create Certification Authority (CA)

Create folder structure to hold certificates:

$ mkdir /opt/met-ca
$ mkdir /opt/met-ca/certs
$ mkdir /opt/met-ca/crl
$ mkdir /opt/met-ca/newcerts
$ mkdir /opt/met-ca/private
$ mkdir /opt/met-ca/requests
$ touch /opt/met-ca/index.txt
$ echo “01” > /opt/ca/serial
$ echo “01” > /opt/ca/crlnumber
$ chmod 700 /opt/ca

Create public and private auto signed keys of our own Certification Authority ( in the example is valid for 10 years ). We will need to specify certificate data, password to crypt and the process will generate two files:

$ openssl req -config /etc/ssl/openssl.cnf -new -x509 -days 3650 -sha1 -newkey rsa:2048 -keyout /opt/ca/private/ca.key -out /opt/ca/ca.crt

Change key grants:

$ chmod 600 /opt/met-ca/private/ca.key

Create Apache Certification 

Create a pair of keys. We will need to specify password and certification data. Will be created the file key ( server.key ) and certification request (server.pem).

$ openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout server.key -out server.pem

CA should sign the certification request. Copy server.pem to certification request and sign.

$ openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions ssl_server -out requests/server-signed.pem -infiles requests/server.pem

Apache will be waiting a PEM format, is mandatory convert to this format:

$ openssl x509 -in requests/server-signed.pem -out requests/server.crt

Apache configuration

Copy server.crt and server.key into /etc/apache2/ssl ( if SSL folder not exists, create it ). Change files grants ( server.key should only be read by root user, server.crt should have read grant to everybody ):

$ chmod 400 server.key
$ chmod 444 server.crt

If Apache is not listening SSL port, enable it configuring /etc/apache2/ports.conf:

Listen 80
Listen 443 

Enable Apache SSL support:

$ apt-get install libapache-mod-ssl

Indicate Apache to load SSL modules:

$ a2enmod ssl

Configure website:

Link default-ssl file to enable SSL:

$ ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/default-ssl

Edit /etc/apache2/sites-availables/default-ssl ( enable SSL engine and set SSLCertificateFile and SSLCertificateKeyFile )

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

Create user certificate:

To create certificates and sign with CA, first create the pair of keys. We will need to specify password and certification data. Will be created a eky ( user.key) and certification request ( user.pem ):

$ openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout user.key -out user.pem

With CA is needed sign certificates:

$ cp /tmp/usuario.pem /opt/ca/requests
$ openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions [b]ssl_client[/b] -out requests/user-signed.pem -infiles requests/user.pem

Convert certificate to PKCS12 to be recognized by browser  

$ openssl pkcs12 -export -clcerts -in user-signed.pem -inkey usuario.key -out user.p12

The files user-signed.pem, user.pem and user.key can be deleted  

$ wipe user-signed.pem user.key user.pem

The user.p12 should be installed to allow user browser.

Certification revocation

If the server has been compromised the CA should be revocated. To revocate a certificate should see serial number at /opt/ca/index.txt.  

$ openssl ca -config /etc/ssl/openssl.cnf -revoke newcerts/<serial-number>.pem

Creat a list of revocated certificates ( CRL )

$ openssl ca -config /etc/ssl/openssl.cnf -gencrl -crlexts crl_ext -md sha1 -out crl.pem

To send to the browser list should be converted to DER format:  

$ openssl crl -in crl.pem -out ca.crl -outform DER

Now can be sent to browser.

Add CRL to Apache

Copy CRL file to Apache SSL folder:  

$ cp /tmp/crl.pem /etc/apache2/ssl/ca.crl

Modify /etc/apache2/sites-available/default-ssl file, add SSLCARevocationFile:

SSLCARevocationFile /etc/apache2/ssl/ca.crl

Restart Apache service.