Configuring OpenSSL

Create OpenSSL configuration file

This sample was created on Ubuntu and Debian servers; for Red Hat and CentOS the path to Apache files is not the same.

On Ubuntu and Debian the Apache path is /etc/apache2; on Red Hat and CentOS it is /etc/httpd.

Edit file /etc/ssl/openssl.cnf

$ vim /etc/ssl/openssl.cnf

    RANDFILE         = $ENV::SSLDIR/.rnd
 
    [ ca ]
    default_ca       = CA_default
 
    [ CA_default ]
    dir              = /opt/ca
    certs            = $dir/certs
    new_certs_dir    = $dir/newcerts
    crl_dir          = $dir/crl
    database         = $dir/index.txt
    private_key      = $dir/private/ca.key
    certificate      = $dir/ca.crt
    serial           = $dir/serial
    crl              = $dir/crl.pem
    RANDFILE         = $dir/private/.rand
    default_days     = 365
    default_crl_days = 30
    default_md       = sha1
    preserve         = no
    policy           = policy_anything
    name_opt         = ca_default
    cert_opt         = ca_default
 
    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
 
    [ req ]
    default_bits            = 2048
    default_md              = sha1
    default_keyfile         = privkey.pem
    distinguished_name      = req_distinguished_name
    x509_extensions         = v3_ca
    string_mask             = nombstr
 
    [ req_distinguished_name ]
    countryName             = Country Name (2 letter code)
    countryName_min         = 2
    countryName_max         = 2
    stateOrProvinceName     = State or Province Name (full name)
    localityName            = Locality Name (eg, city)
    0.organizationName      = Organization Name (eg, company)
    organizationalUnitName  = Organizational Unit Name (eg, section)
    commonName              = Common Name (eg, YOUR name)
    commonName_max          = 64
    emailAddress            = Email Address
    emailAddress_max        = 64
 
    [ usr_cert ]
    basicConstraints        = CA:FALSE
    # nsCaRevocationUrl       = https://url-to-exposed-clr-list/crl.pem
 
    [ ssl_server ]
    basicConstraints        = CA:FALSE
    nsCertType              = server
    keyUsage                = digitalSignature, keyEncipherment
    extendedKeyUsage        = serverAuth, nsSGC, msSGC
    nsComment               = "OpenSSL Certificate for SSL Web Server"
 
    [ ssl_client ]
    basicConstraints        = CA:FALSE
    nsCertType              = client
    keyUsage                = digitalSignature, keyEncipherment
    extendedKeyUsage        = clientAuth
    nsComment               = "OpenSSL Certificate for SSL Client"
 
    [ v3_req ]
    basicConstraints       = CA:FALSE
    keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
 
    [ v3_ca ]
    basicConstraints        = critical, CA:true, pathlen:0
    nsCertType              = sslCA
    keyUsage                = cRLSign, keyCertSign
    extendedKeyUsage        = serverAuth, clientAuth
    nsComment               = "OpenSSL CA Certificate"
 
    [ crl_ext ]
    basicConstraints        = CA:FALSE
    keyUsage                = digitalSignature, keyEncipherment
    nsComment               = "OpenSSL generated CRL"

Create Certification Authority (CA)

Create folder structure to hold certificates:

$ mkdir /opt/met-ca
$ mkdir /opt/met-ca/certs
$ mkdir /opt/met-ca/crl
$ mkdir /opt/met-ca/newcerts
$ mkdir /opt/met-ca/private
$ mkdir /opt/met-ca/requests
$ touch /opt/met-ca/index.txt
$ echo “01” > /opt/ca/serial
$ echo “01” > /opt/ca/crlnumber
$ chmod 700 /opt/ca

Create public and private self-signed keys for our own Certification Authority (in the example they are valid for 10 years). You will need to specify certificate data and a password to encrypt, and the process will generate two files:

$ openssl req -config /etc/ssl/openssl.cnf -new -x509 -days 3650 -sha1 -newkey rsa:2048 -keyout /opt/ca/private/ca.key -out /opt/ca/ca.crt

Change key permissions:

$ chmod 600 /opt/met-ca/private/ca.key

Create Apache Certificate

Create a pair of keys. You will need to specify a password and certificate data. This will create the key file (server.key) and the certificate request (server.pem).

$ openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout server.key -out server.pem

The CA should sign the certificate request. Copy server.pem to the requests directory and sign it.

$ openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions ssl_server -out requests/server-signed.pem -infiles requests/server.pem

Apache expects PEM format; it is mandatory to convert to this format:

$ openssl x509 -in requests/server-signed.pem -out requests/server.crt

Apache configuration

Copy server.crt and server.key into /etc/apache2/ssl (if the SSL folder does not exist, create it). Change file permissions (server.key should only be readable by the root user; server.crt should be readable by everybody):

$ chmod 400 server.key
$ chmod 444 server.crt

If Apache is not listening on the SSL port, enable it by configuring /etc/apache2/ports.conf:

Listen 80
Listen 443 

Enable Apache SSL support:

$ apt-get install libapache-mod-ssl

Tell Apache to load SSL modules:

$ a2enmod ssl

Configure website:

Link the default-ssl file to enable SSL:

$ ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/default-ssl

Edit /etc/apache2/sites-available/default-ssl (enable the SSL engine and set SSLCertificateFile and SSLCertificateKeyFile)

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

Create user certificate:

To create certificates and sign them with the CA, first create the pair of keys. You will need to specify a password and certificate data. This will create a key (user.key) and a certificate request (user.pem):

$ openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout user.key -out user.pem

With the CA, you need to sign the certificates:

$ cp /tmp/usuario.pem /opt/ca/requests
$ openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions [b]ssl_client[/b] -out requests/user-signed.pem -infiles requests/user.pem

Convert the certificate to PKCS#12 to be recognized by the browser.

$ openssl pkcs12 -export -clcerts -in user-signed.pem -inkey usuario.key -out user.p12

The files user-signed.pem, user.pem, and user.key can be deleted.

$ wipe user-signed.pem user.key user.pem

The user.p12 should be installed to allow the user's browser to use it.

Certification revocation

If the server has been compromised, the CA should revoke certificates. To revoke a certificate, check the serial number in /opt/ca/index.txt.

$ openssl ca -config /etc/ssl/openssl.cnf -revoke newcerts/<serial-number>.pem

Create a list of revoked certificates (CRL).

$ openssl ca -config /etc/ssl/openssl.cnf -gencrl -crlexts crl_ext -md sha1 -out crl.pem

To send the list to the browser, it should be converted to DER format:

$ openssl crl -in crl.pem -out ca.crl -outform DER

Now it can be sent to the browser.

Add CRL to Apache

Copy the CRL file to the Apache SSL folder:

$ cp /tmp/crl.pem /etc/apache2/ssl/ca.crl

Modify /etc/apache2/sites-available/default-ssl and add SSLCARevocationFile:

SSLCARevocationFile /etc/apache2/ssl/ca.crl

Restart Apache service.