[CentOS] https

R P Herrold herrold at owlriver.com
Thu Sep 16 13:19:22 EDT 2010

On Thu, 16 Sep 2010, Matthew Miller wrote:

> Or get one from: http://cert.startcom.org/

I had seen this cross as well from another poster:

> Sorry, but you need to buy a certificate.


I am firmly with Matthew on this one.  When I saw the initial 
post hit my email inbound queue (not sure what time -- 
something after 11:45), I started the process of 
deploying a test box, and setting up a new certificate with 
them (I have previously gone through their Class I and II 
authentication processes and have an account with them).  I 
post this around 13:15 [the spell checker is very unhappy 
with that key ... ]

This rough outline will get some markup, and turn into a blog 
post later this week, and I'll mark it so: 
http://planet.centos.org picks it up.  The timestamps of this 
email and of the certificate on that page show how quickly 
this may be done (and with startcom, with no additional 
per-certificate issuance fees other than as related to the 
authentication process)


1. Deploy, secure and name a box

2. Set the A record in DNS

3. Set the PTR

4. Install the mod_ssl package
    (which pulls in httpd and its dependencies)
also useful is: crypto-utils as it will 'watch' for upcoming 

5. Position a placeholder page to look for in a test
    ... I installed php as well, and here use a php scriptlet 
that does a redirect into https on the fly when a connection 
comes in on http

[root at vm178231140 html]# cat index.php
<?php
// $SITE is not defined in the snippet as archived; assumed here to be the
// request's host name (an assumption, not from the original post)
$SITE = $_SERVER['SERVER_NAME'];
// redirect plain-http requests to the https: side before any output is sent
if ($_SERVER['SERVER_PORT'] != "443") {
   header("Location: https://$SITE");
   exit;
}
print "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\" >";
// the <title> line is cut off in the archive; completed to match the heading below
print "<html><head><title>CentOS and SSL are easy</title></head>";
print "<body><h4>CentOS and SSL are easy</h4>";
print "<p>This example lives at: <a href=\"";
print "https://" . $SITE ;
print "\">https://" . $SITE . "</a> on a box provided by: ";
print "<a href=\"http://www.pmman.com\" target=\"_blank\">";
print "pmman.com</a></p></body></html>";

6. Open up port 80/tcp and 443/tcp in iptables

7. Read: /etc/httpd/conf.d/ssl.conf

[root at victim-centos conf.d]# grep -v ^# ssl.conf | grep -v ^$
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
     SSLOptions +StdEnvVars
<Directory "/var/www/cgi-bin">
     SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
[root at victim-centos conf.d]# grep -v ^# ssl.conf | grep -v ^$ | wc
      32      77    1089


... the lines starting: ^SSL and containing the fragment File 
are what need to be configured (and in the case with one from 
startcom, a chained key file)

8. Set up a place to make the keys, signing request, and 
pemfile, along with key chains

mkdir attic
cd attic

# we intentionally make one without a passphrase here
# to simplify the discussion
openssl genrsa -out victim-centos.pmman.net-2010.key 2048

openssl req -new -key victim-centos.pmman.net-2010.key -out 

9. Get the CSR onto the clipboard so it may be pasted into the 
web GUI at startcom

[root at victim-centos attic]# cat 
  ... snippage ...
[root at victim-centos attic]#

... startcom will indicate the CSR has been countersigned, and 
a CRT may be retrieved

10. While you are waiting, retrieve the certificate chaining
    back to the CA roots in any modern browser

wget -O sub.class1.server.ca.pem  \
wget -O sub.class2.server.ca.pem  \
wget -O ca.pem  http://www.startssl.com/certs/ca.pem

... and copy them into place

cp sub.class2.server.ca.pem /etc/pki/tls/certs/
cp ca.pem /etc/pki/tls/certs/

11. Edit /etc/httpd/conf.d/ssl.conf and adjust the values for:

SSLCertificateFile \
SSLCertificateKeyFile \
SSLCertificateChainFile \
SSLCACertificateFile /etc/pki/tls/certs/ca.pem

# we also need to add:
SSLCertificateChainFile \

... and look at the config file edits:

[root at victim-centos conf.d]# grep ^SSL   ssl.conf  | grep File
SSLCertificateFile /etc/pki/tls/certs/victim-centos.pmman.net.crt
SSLCertificateKeyFile /etc/pki/tls/private/victim-centos.pmman.net-2010.key
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
SSLCACertificateFile /etc/pki/tls/certs/ca.pem
[root at victim-centos conf.d]#

12.  Retrieve that countersigned CRT from Startcom, and
place into a file: victim-centos.pmman.net.crt

13.  Position and set perms on the key, and the certificate:

cp victim-centos.pmman.net-2010.key /etc/pki/tls/private/
cp victim-centos.pmman.net.crt /etc/pki/tls/certs/
chmod 600 /etc/pki/tls/certs/*.crt

14.  Restart the webserver, and tail the logs in 

15.  View the web page (here: https://victim-centos.pmman.net/ 
), and make sure no errors appear; check the certificate chain 
in your local browser.  This chain is present in Windows 7 
Internet Explorer, Firefox, and Safari

16.  All done

  .-- -... ---.. ... -.- -.--
Copyright (C) 2010 R P Herrold
       herrold at owlriver.com
    My words are not deathless prose,
       but they are mine.
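As an added example (not part of the post above, and not CentOS, Apache or StartCom code): a POSIX shell check that does offline what steps 7, 11, 13 and 15 do by hand. It pulls the four SSL*File directives out of an ssl.conf with the same grep the post uses, confirms each named file exists, and treats the private key as the one secret that must not be group- or world-readable (the .crt and .pem files are public and may stay 0644). The function names, the scratch directory tree and the stand-in ssl.conf are all constructed for this example; the directive names are the real mod_ssl ones. The optional chain check calls `openssl verify` with the intermediate as -untrusted and the root as -CAfile, and simply returns 2 when openssl is not installed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the mod_ssl file
# directives before restarting httpd, so a typo in ssl.conf or a key left
# world-readable is caught here rather than in ssl_error_log.

# Print the SSL*File directives from an ssl.conf (the post's own grep).
ssl_file_directives() {
    grep '^SSL' "$1" | grep 'File'
}

# Return 0 when every SSL*File directive names an existing file and the
# private key is readable by its owner only; 1 otherwise, naming each problem.
check_ssl_conf() {
    conf=$1
    rc=0
    for directive in SSLCertificateFile SSLCertificateKeyFile \
                     SSLCertificateChainFile SSLCACertificateFile; do
        # first value given for this directive (empty when it is absent)
        path=$(sed -n "s/^$directive[[:space:]]*//p" "$conf" | head -n 1)
        if [ -z "$path" ]; then
            echo "MISSING directive: $directive"; rc=1; continue
        fi
        if [ ! -f "$path" ]; then
            echo "MISSING file: $directive -> $path"; rc=1; continue
        fi
        if [ "$directive" = SSLCertificateKeyFile ]; then
            # columns 5-10 of ls -l are the group and other permission bits;
            # any r/w/x there means the key is exposed beyond its owner
            case $(ls -ld "$path" | cut -c5-10) in
                *[rwx]*) echo "EXPOSED key: $path is group/world readable"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Offline equivalent of the step 15 browser check: does the server cert chain
# through the intermediate to the root?  Returns 2 when openssl is not present.
# Arguments: server.crt intermediate.pem root.pem
verify_chain() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
}

# Constructed sample: a scratch tree standing in for /etc/pki/tls and
# /etc/httpd/conf.d, so the check runs without touching the real system.
# The files are empty placeholders; only paths and permissions matter here.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/certs" "$root/private"
    : > "$root/certs/victim-centos.pmman.net.crt"
    : > "$root/certs/sub.class2.server.ca.pem"
    : > "$root/certs/ca.pem"
    : > "$root/private/victim-centos.pmman.net-2010.key"
    chmod 600 "$root/private/victim-centos.pmman.net-2010.key"
    cat > "$root/ssl.conf" <<EOF
# trimmed stand-in for /etc/httpd/conf.d/ssl.conf (constructed)
SSLEngine on
SSLCertificateFile $root/certs/victim-centos.pmman.net.crt
SSLCertificateKeyFile $root/private/victim-centos.pmman.net-2010.key
SSLCertificateChainFile $root/certs/sub.class2.server.ca.pem
SSLCACertificateFile $root/certs/ca.pem
EOF
    echo "$root"
}

# Usage: sh check_ssl.sh /etc/httpd/conf.d/ssl.conf
# With no argument the check runs against the constructed sample tree.
if [ $# -gt 0 ]; then
    check_ssl_conf "$1"
else
    sample=$(make_sample_tree)
    check_ssl_conf "$sample/ssl.conf" && echo "sample config OK"
    rm -rf "$sample"
fi
```

Run it against the real ssl.conf after step 11 and again after step 13; a clean exit means httpd will at least find all four files and that the key is not leaking through the filesystem. The chain check needs the real .crt and .pem files, so it only becomes meaningful once step 12 has delivered the countersigned certificate.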
