Configuring OpenSSL

Create the OpenSSL Configuration File

This sample was created for Ubuntu and Debian servers, Red Hat and CentOS have a different path for Apache files.

The Apache path for Ubuntu and Debian is /etc/apache2, on Red Hat and CentOS it is /etc/httpd.

Edit file /etc/ssl/openssl.cnf

$ vim /etc/ssl/openssl.cnf

    RANDFILE         = $ENV::SSLDIR/.rnd
    [ ca ]
    default_ca       = CA_default
    [ CA_default ]
    dir              = /opt/ca
    certs            = $dir/certs
    new_certs_dir    = $dir/newcerts
    crl_dir          = $dir/crl
    database         = $dir/index.txt
    private_key      = $dir/private/ca.key
    certificate      = $dir/ca.crt
    serial           = $dir/serial
    crl              = $dir/crl.pem
    RANDFILE         = $dir/private/.rand
    default_days     = 365
    default_crl_days = 30
    default_md       = sha1
    preserve         = no
    policy           = policy_anything
    name_opt         = ca_default
    cert_opt         = ca_default
    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    [ req ]
    default_bits            = 2048
    default_md              = sha1
    default_keyfile         = privkey.pem
    distinguished_name      = req_distinguished_name
    x509_extensions         = v3_ca
    string_mask             = nombstr
    [ req_distinguished_name ]
    countryName             = Country Name (2 letter code)
    countryName_min         = 2
    countryName_max         = 2
    stateOrProvinceName     = State or Province Name (full name)
    localityName            = Locality Name (eg, city)
    0.organizationName      = Organization Name (eg, company)
    organizationalUnitName  = Organizational Unit Name (eg, section)
    commonName              = Common Name (eg, YOUR name)
    commonName_max          = 64
    emailAddress            = Email Address
    emailAddress_max        = 64
    [ usr_cert ]
    basicConstraints        = CA:FALSE
    # nsCaRevocationUrl       = https://url-to-exposed-clr-list/crl.pem
    [ ssl_server ]
    basicConstraints        = CA:FALSE
    nsCertType              = server
    keyUsage                = digitalSignature, keyEncipherment
    extendedKeyUsage        = serverAuth, nsSGC, msSGC
    nsComment               = "OpenSSL Certificate for SSL Web Server"
    [ ssl_client ]
    basicConstraints        = CA:FALSE
    nsCertType              = client
    keyUsage                = digitalSignature, keyEncipherment
    extendedKeyUsage        = clientAuth
    nsComment               = "OpenSSL Certificate for SSL Client"
    [ v3_req ]
    basicConstraints       = CA:FALSE
    keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
    [ v3_ca ]
    basicConstraints        = critical, CA:true, pathlen:0
    nsCertType              = sslCA
    keyUsage                = cRLSign, keyCertSign
    extendedKeyUsage        = serverAuth, clientAuth
    nsComment               = "OpenSSL CA Certificate"
    [ crl_ext ]
    basicConstraints        = CA:FALSE
    keyUsage                = digitalSignature, keyEncipherment
    nsComment               = "OpenSSL generated CRL"

Create the Certification Authority (CA)

Create the folder structure to hold certificates:

$ mkdir /opt/met-ca
$ mkdir /opt/met-ca/certs
$ mkdir /opt/met-ca/crl
$ mkdir /opt/met-ca/newcerts
$ mkdir /opt/met-ca/private
$ mkdir /opt/met-ca/requests
$ touch /opt/met-ca/index.txt
$ echo “01” > /opt/ca/serial
$ echo “01” > /opt/ca/crlnumber
$ chmod 700 /opt/ca

Create public and private auto signed keys of our own Certification Authority (in the example it is valid for 10 years). We will need to specify certificate data, the password for encryption and the process will generate two files:

$ openssl req -config /etc/ssl/openssl.cnf -new -x509 -days 3650 -sha1 -newkey rsa:2048 -keyout /opt/ca/private/ca.key -out /opt/ca/ca.crt

Change key grants:

$ chmod 600 /opt/met-ca/private/ca.key

Create Apache Certification

Create a pair of keys. We will need to specify the password and certification data. A file key (server.key) and certification request (server.pem) will be created.

$ openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout server.key -out server.pem

CA should sign the certification request. Copy server.pem to certification request and sign.

$ openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions ssl_server -out requests/server-signed.pem -infiles requests/server.pem

Apache will need a PEM format, is mandatory to convert to this format:

$ openssl x509 -in requests/server-signed.pem -out requests/server.crt

Apache Configuration

Copy server.crt and the server.key into /etc/apache2/ssl (if no SSL folder exists, create it). Change files grants (server.key should only be read by the root user, server.crt should have read permission granted to everyone):

$ chmod 400 server.key
$ chmod 444 server.crt

If Apache is not listening to the SSL port, enable it configuring /etc/apache2/ports.conf:

Listen 80
Listen 443 

Enable Apache SSL support:

$ apt-get install libapache-mod-ssl

Set Apache to load SSL modules:

$ a2enmod ssl

Configure the website:

Link the default-ssl file to enable SSL:

$ ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/default-ssl

Edit /etc/apache2/sites-availables/default-ssl (enable SSL engine and set SSLCertificateFile and SSLCertificateKeyFile)

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

Create user certificates:

To create certificates and sign with CA, first create the pair of keys. We will need to specify the password and certification data. A key (user.key) and certification request (user.pem) will be created:

$ openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout user.key -out user.pem

Sign certificates with CA:

$ cp /tmp/usuario.pem /opt/ca/requests
$ openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions [b]ssl_client[/b] -out requests/user-signed.pem -infiles requests/user.pem

Convert certificate to PKCS12 to be recognized by the browser:

$ openssl pkcs12 -export -clcerts -in user-signed.pem -inkey usuario.key -out user.p12

The files user-signed.pem, user.pem and user.key can be deleted  

$ wipe user-signed.pem user.key user.pem

The user.p12 should be installed to allow browser use.

Certification Revocation

If the server has been compromised the CA should be revocated. To revocate a certificate find the serial number at /opt/ca/index.txt.  

$ openssl ca -config /etc/ssl/openssl.cnf -revoke newcerts/<serial-number>.pem

Creat a list of certificates (CRL) to be revocated.

$ openssl ca -config /etc/ssl/openssl.cnf -gencrl -crlexts crl_ext -md sha1 -out crl.pem

To send it to the browser the list should be converted to DER format:  

$ openssl crl -in crl.pem -out ca.crl -outform DER

Now send the list to the browser.

Add CRL to Apache

Copy the CRL file to the Apache SSL folder:  

$ cp /tmp/crl.pem /etc/apache2/ssl/ca.crl

Modify /etc/apache2/sites-available/default-ssl file, add SSLCARevocationFile:

SSLCARevocationFile /etc/apache2/ssl/ca.crl

Restart Apache service.