| |
Online consumer sites, company intranets, Passport, and MSDN: all these types of sites have one thing in common: encrypted communications with SSL. The Secure Sockets Layer, or SSL, is a means of encrypting files and network streams to protect you, your credit card, and your transactions.
This tutorial will cover how to setup encryption capabilities for your web server and email server, and will discuss a little how to configure your web server be it IIS or Apache. I will not go into great depth with advanced topics for either web server, but will cover the basics which will hopefully lead you to research additional means of encrypting your servers and setting up user authentication with SSL personal certificates.
Tools Needed
Before we begin, please download my hacked (the good kind) copy of OpenSSL, a free SSL tool, that has been compiled for Windows and includes a customized configuration file that will be used here. If you download the OpenSSL sources and want to compile them yourself, the base configuration file that is included with the source will not be compatible with this tutorial.
Download my OpenSSL
A Little about SSL
SSL uses a symmetric-key infrastructure. This means that there is a split key: one is your private key that you must keep secure; the other is the public key that you distribute.
When a client (such as a browser) makes an SSL connection to your web server, the server sends the public key to the client, which then negotiates an encrypted session with the server, using the public key to encrypt data while the server uses its public key to decrypt it. See why the private key must be protected?
In the case of email, encryption is done similarily, although the sender must send the public key either in a vCard or via email to the recipient first. The send encrypts the email with the recipient's public key the recipient decrypts the email with his or her private key. When you sign an email, this process is reversed. A signature - which is a has appended to the email - is generate using the sender's private key while the recipient uses the sender's public key to make sure that hash is valid. The hash is like a checksum for the email, so that if the email is changed, the signature is invalid.
Be careful, though! Many web mail clients and mail list servers append advertisements or information to the bottom of email messages, which will, of course, invalidate your email's signature.
Creating your Root Certificate Authority
Certificate Authorities, or CAs, are entities (i.e., companies, organizations, etc.) that sign your certificate, making the certificate valid. This setup ensures that no one can just create a certificate and use it for malicious purposes. By creating our own CA, however, you get around having to pay hundreds of dollars, which is supposed to be a deterrent for would-be crackers. Keep in mind, however, because you are setting up a non-trusted CA (such as the ones that come installed with all the popular browsers), you will be responsible for distributing your CA certificate before users can easily make a connection to your server or validate the signature of your email.
Currently, my test server I have running Apache/Tomcat has a directory where I have placed my public CA certificate. If users need to make an encrypted connection (via HTTPS), I instruct them to download and install the certificate.
For fun - and for benefits of large companies that want to let departments manage their own CAs - I made a certificate chain that uses a root CA that signs child CAs, which can then sign server certificates, email certificates (commonly referred to as personal or S/MIME certificates), and object-signing certificates that are compatible with Microsoft Authenticode and Netscape Object Signing. This is the setup you will be using with my customized configuration file.
To begin, extract the files from the OpenSSL tool ZIP file linked above. Open a command window (command.com in Windows 95/98/ME and cmd.exe in Windows NT/2000/XP) and change to the directory where you extracted the files. The following commands will generate a passphrase-protected private key (recommended for CAs but not server certificates, which I'll explain later):
openssl genrsa –des3 –out private\root.key
openssl req -config openssl.cnf –new –key private\root.key –out newcerts\root.csr
openssl x509 –req –days 1826 –extfile openssl.cnf –extensions root_ext –in newcerts\root.csr –signkey private\root.key –out certs\root.crt
- The first command generates a passphrase protected private key. Remember this passphrase as you'll need it to sign the child CAs.
- The second command generates a certificate request. Use the same organization name as you did when you created your Root CA. You will be prompted for information. For the Common Name, use a name that will be displayed in the certificate manager, such as "DevHood Root CA".
- The third command self-signs the certificate so that it can be used to sign other certificates.
Now you have your Root CA and you can now sign child CAs, which can then be used to sign server, personal, and object-signing certificates. For large entities, this works great as it allows departments to manage their own certificates but only the Root CA needs to be installed on client computers!
Creating your Certificate Authority
Now we are going to create the "child" certificate authorities. Please note that only the Root CA needs to be installed using this model. The following commands will create the CA request file, which you will then sign with the Root CA:
openssl req -config openssl.cnf –new –out newcerts\ca.csr –keyout private\ca.key
openssl ca -config openssl.cnf –name cacert –in newcerts\ca.csr –out certs\ca.crt
- The first command creates the certificate request and generates a passphrase-protected private key. Remember this passphrase as you'll need it to sign the server, email, and object-signing certificates. Use the same organization name as you did when you created your CA. Also choose a Common Name that identifies your CA, such as "DevHood CA".
- The second command signs the certificate request using the Root CA (use the passphrase you gave to your Root CA here).
Now you want to PEM encode your file (plain-text hash with headers) so that IIS and Apache can undersand it. Run the following commands to re-encode both the Root CA and CA you just now created, putting the public keys in a directory for distribution. Since this is primarily a Microsoft site, we will use the document publishing root for IIS:
openssl x509 –in certs\root.crt –out C:\Inetpub\wwwroot -outform PEM
openssl x509 –in certs\ca.crt –out C:\Inetpub\wwwroot -outform PEM
Clients can download and install these files, but really only need to download the Root CA (root.crt). Using Internet Explorer or Netscape Navigator, they need to just access the file like a regular URL, select "Open", and choose "Install Certificate" (Command is different for various browsers and versions).
Creating your Server Certificate
Now the good stuff begins where you can generate a certificate to install on your web server, which will be covered after this topic. Up until now, you've created certificates to sign other certificates and public keys to distribute, which really only the Root CA certificate needs to be signed.
Additionally, you will not want to use a passphrase on your private keys because IIS will not be able to start (or will start after erroring-out on the private key passphrase without SSL encryption enabled) and Apache will prompt you for a passphrase, which could be a problem if you're not sitting in front of your machine when it starts. The following commands create your private key, creates a certificate request, and signs the certificate using the CA. Use the server name (such as www.devhood.com) for the Common Name.
Because IIS would rather handle certificate requests itself, skip to the next section on installing the certificate into your web server and make sure to specify the same Common Name as you did when you created your Root CA.
openssl req -config openssl.cnf –new –nodes –out newcerts\server.csr –keyout private\server.key
openssl ca -config openssl.cnf –name server –in newcerts\server.csr –out certs\server.crt
- The first command generates a certificate request and private key without a passphrase so that the web server can startup without problems. Remember to use your server name for the Common Name, such as www.devhood.com.
- The second command uses your CA (not the Root CA) to sign your certificate request, so you'll have to use your CA passphrase here.
Now we again PEM-encode these files to make them usable in a web server:
openssl x509 –in certs\server.crt –out certs\server.pem –outform PEM
- This command PEM-encodes your file and places it in the "certs" subdirectory of your current directory. Remember this location as you'll need it when you setup SSL on your web server.
Installing the Server Certificate
This next section will focus on installing the certificate into IIS and Apache. First we'll take a look at IIS:
- Open the Internet Information Services console.
- Find your web site and right-click on it, selecting "Properties".
- Click on the "Directory Security" tab.
- Click the "Server Ceritificate..." button.
- Click the "Next" button.
- Select "Create a new certificate" and click "Next".
- Go through the wizard and choose the output file to be in the subdirectory "newcerts" of the directory where you extracted OpenSSL, and call the certificate server.csr. Make sure to run the command to PEM-encode the certificate, too, or else IIS won't understand the format.
- See the section above about how to sign the certificate, using the second command under the section "Creating your Server Certificate".
- Come back to the Internet Information Services properties for your web site.
- Click on the "Server Certificate..." button again.
- Follow the wizard to finish your pending request, using the server.pem file in the "certs" subdirectory of the directory where you extract OpenSSL.
You now have your server setup and ready to receive communications via SSL on the default port 443 for HTTPS. Just access https://localhost to give it a try. Remember to install the Root CA first (double-click on the "root.crt" file to install it), otherwise you'll receive a warning about the CA not being trusted.
With Apache, it's not quite so hard because you can generate the request as we did in the above section and use that key file. There is quite a bit to type, though, so it's recommend that you understand your Apache config file, which is typically /etc/httpd/conf/httpd.conf in linux. If you don't know where this file is, type "find / -name httpd.conf" to find it.
- Generate your key pairs first using the section above on creating your server certificate.
- Open your httpd.conf file and find the "Listen" directive. Add "Listen 443" (HTTPS default port) after the "Listen 80" directive. If you do not find this directive, add it.
- Go to the end of the file and add the "NameVirtualHost <your ip address>:443" directive.
- Type in the following lines and restart Apache using "service httpd restart" or "httpdctrl restart" for BSD (I believe). You should be good to go.
Add this to your httpd.conf file:
<VirtualHost <your ip address>:443>
ServerName mail.esotericrealm.com
DocumentRoot /var/www/mail
SSLEngine on
SSLCertificateFile /usr/share/ssl/certs/server.crt
SSLCertificateKeyFile /usr/share/ssl/private/server.key
SSLCACertificateFile /usr/share/ssl/certs/ca.crt
SSLCACertificatePAth /usr/share/ssl/certs
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Of course, your directories will vary. This is the location I have OpenSSL setup on my linux box. Apache can also be installed on Windows, in which case I don't remember the default location, although you can also change that as with anything. You'll also want to make sure in *nix machines that the directory is only read/write by "root", so run the following commands from your openssl directory, or else many daemons (like sendmail) will refuse to start with SSL support or will not start at all!
find . -type d -print | xargs chmod 700
find . -type f -print | xargs chmod 600
Keep in mind that Apache must be built with SSL support, or build the mod_ssl DSO to include in Apache. Consult the documents online at http://www.modssl.org/docs/, which is the mod_ssl web site. Keep in mind that the certificate generation docs are different and use PERL script files to do certain tasks, as well as use the default OpenSSL configuration file, which isn't compatible with this tutorial.
Hopefully this gives you some idea of how to create and install web server certificates. You can also use SSL in your email server in this way, too. Currently, my SMTP and IMAP communications use SSL authentication so that I can get email from anywhere using Passowrd authentication and STARTTLS. If you're interested in doing this, please contact me directly as the directions for this project are lengthy and difficult. Don't even bother to ask me about setting SSL up in Exchange because my experience with Exchange is not that in-depth. Only ask me about http://www.sendmail.org and WU-IMAPv4 (or their implementation of POP3, which is similar, but I don't like that kind of POP.).
Creating your Personal Certificate
Now we are going to create a certificate you can use to sign email, enabling S/MIME. First we will create the certificate, then package it using the PKCS#12 standards, then we will install it into the Windows Certificate Manager. After that, we'll export the public key (so that you can include it in your vCard) and setup Outlook Express to use your SSL certificate. If you use a different email reader (which seems very likely), the steps to install the certificate are usually similar, but you're on your own for exactly how to do this. I can tell you that Outlook installs very similarily to Outlook Express, however.
First, we'll create the email certificate using the following commands. Use your name (eg, Heath Stewart) for the Common Name and your email address you want to secure for the Email Address.
openssl req -config openssl.cnf –new –out newcerts\mail.csr –keyout private\mail.key
openssl ca -config openssl.cnf –name emailcli –in newcerts\mail.csr –out certs\mail.crt
- The first command creates your certificate request and passphrase-protected private key. You will want to use a passphrase here as this key uniquely identifies you.
- The second command signs your email certificate with the CA, so use your "child" CA's passphrase when prompted during signing.
Packaging and Installing your Personal Certificate
After generating the S/MIME certificate above, we'll package it using PKCS#12 and install it into Windows, then Outlook Express. To package, run the following commands:
openssl pkcs12 -export -in certs\mail.crt -inkey private\mail.key -out mail.pfx -name “<Your Name>” –des3
You'll be prompted for a new passphrase to encrypt the package. You can use the same passphrase as your private key passphrase, but I don't recommend that. The more levels of encryption you have, the better.
To install the file in Windows, simply double-click it and follow the wizard. During the first few steps, there'll be an option to mark the private key as exportable. Do this, or you won't be able to export your personal certificate pair later - only your public key.
Once that package is installed, follow the directions below to export the public key for inclusion into your vCard file, or Address Book for this example:
- Open your "Internet Properties" control panel, which you can also get to by right-clicking on Internet Explorer and selecting "Properties".
- Click on the "Content" tab.
- Click on the "Certificates" button in the middle.
- Select your newly import key and click the "Export..." button.
- Follow the directions in the wizard but do not export your private key. You only want to give people your public key!
Now open your Windows Address Book, find your address, and open it. Click the "Digital IDs" tab and import the file you just exported. This will associate the public key with your email address you specified while creating your personal (or S/MIME) key. You can now distribute your vCard file, although the recipient will still have to install the Root CA to use the certificate without warnings.
Follow the steps below to install the certificate in Outlook Express so that you can send encrypted and / or signed email:
- Open Outlook Express.
- Click on Tools->Options from the menu.
- Click on the security tab.
- Click on the "Digital IDs..." button in the middle.
- Select your certificate and click "Close".
- Click "OK" and your set!
Summation
I hope this has given you some idea of how to create SSL certificates for use in your situation. Ultimately, if you work for a company you should look at buy chained certificates, which are valid. If you run an eCommerce site, you'll definitely want to buy a certificate from Thawte (much cheaper than VeriSign, although VeriSign now owns them) or VeriSign. You might turn away customers who are confused by your directions to install a simple certificate.
There is much more you can do with SSL, and I hope you research these opportunities. For example, I have several SSL-protected virtual hosts and directories in Apache that are only accessible to people who have personal certificates signed by my CA and who are a member of a particular department. You can do the same in IIS, though it's a little more difficult to setup.
Always remember to distribute your Root CA to anyone who might use your web server, encrypt email messages to you, or verify signatures on your email. You can also use this to sign ActiveX controls, assemblies, or Java archives (JAR files). The steps are similar to creating a server certificate, but I leave it to you to figure it out by looking at the configuratoin file, "openssl.cnf".
One one last note, while I was testing these command to make sure I wasn't putting bogus command in this tutorial (unless I missed some typos), there may be a chance that I named the "openssl.cnf" file "openssl.cnd" in the zip file. If this is true, I apologize and urge you to rename the file for the command to work above.
I hope you've found this tutorial helpful and that you have a new found love for SSL now that you don't have to pay hundreds of dollar to use it!
|
|