On 09/16/2010 05:53 PM, Kevin Thorpe wrote:

On 16/09/2010 16:45, Jerry Geis wrote:

...

hi all,

I wish to just have secure browsing for my application. no credit cards or anything like that just secure browser usage is the goal.

I can self sign a certificate (I already have) on my servers but for "anyone" accessing the server you see this "nasty" message about "untrusted sight " and all that. This will all be intranet type usage for the server.

What is the best method to not see that "untrusted sight" and have the certificate load without and exception?

Sorry, but you need to buy a certificate. It needs to be signed by an authority which already has a master certificate in the end user's browser. We use Thawte but there are cheaper options such as<cough> GoDaddy who offer them for less than GBP 10.

Or you make sure that all browsers of the users on your Intranet have imported the CA certificate that signed the webservers certificate. I'm afraid I don't know how to do that automagically.

Regards, Patrick

On Thu, Sep 16, 2010 at 04:53:17PM +0100, Kevin Thorpe wrote:

Sorry, but you need to buy a certificate. It needs to be signed by an authority which already has a master certificate in the end user's browser. We use Thawte but there are cheaper options such as <cough> GoDaddy who offer them for less than GBP 10.

Or get one from: http://cert.startcom.org/

On Thu, 16 Sep 2010, Matthew Miller wrote:

Or get one from: http://cert.startcom.org/

I had seen this cross as well from another poster:

Sorry, but you need to buy a certificate.

Bzzzrttt

I am firmly with Matthew on this one. When I saw the initial post hit my email inbound queue (not sure what time -- something after 11:45), I started the process of deploying a test box, and setting up a new certificate with them (I have previously gone through their Class I and II authentication processes and have an account with them). I post this around 13:15 [the spell checker is very unhappy with that key ... ]

This rough outline will get some parkup, and turn into a blog post later this week, and I'll mark it so: http://planet.centos.org picks it up. The timestamps of this email and of the certificate on that page show how quickly this may be done (and with startcom, with no additional per-certificate issuance fees other than as related to the authentication process)

==============================================

1. Deploy, secure and name a box victim-centos.pmman.net

2. Set the A record in DNS 198.178.231.140

3. Set the PTR

4. Install the mod_ssl package (which pulls in httpd and its dependencies) also useful is: crypto-utils as it will 'watch' for upcoming expirations

5. Position a placeholder page to look for in a test ... I installed php as well, and here use a php scriptlet that does a redirect into https on the fly when a connection comes in on http

[root@vm178231140 html]# cat index.php <?php $SITE="victim-centos.pmman.net"; $SERVER_PORT = $_SERVER[SERVER_PORT]; if ("$SERVER_PORT" != "443") header("Location: https://$SITE"); print "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\" >"; print "<html><head><title>CentOS and SSL are easy</title></head>"; print "<body><h4>CentOS and SSL are easy</h4>"; print "<p>This example lives at: <a href=\""; print "https://" . $SITE ; print "\">https://" . $SITE . "</a> on a box provided by: "; print "<a href=\"http://www.pmman.com\" target=\"_blank\">"; print "pmman.com</a></p></body></html>"; ?>

6. Open up port 80/tcp and 443/tcp in iptables

7. Read: /etc/httpd/conf.d/ssl.conf

[root@victim-centos conf.d]# grep -v ^# ssl.conf | grep -v ^$ LoadModule ssl_module modules/mod_ssl.so Listen 443 AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 SSLMutex default SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin <VirtualHost _default_:443> ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/pki/tls/certs/localhost.crt SSLCertificateKeyFile /etc/pki/tls/private/localhost.key <Files ~ ".(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/var/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b" </VirtualHost> [root@victim-centos conf.d]# grep -v ^# ssl.conf | grep -v ^$ | wc 32 77 1089

-----------

... the lines starting: ^SSL and containing the fragment File are what need to be configured (and in the case with one from startcom, a chained key file)

8. Set up a place to make the keys. signing request, and pemfile, along with key chains

mkdir attic cd attic

# we intentionally make one without a passphrase here # to simplify the discussion openssl genrsa -out victim-centos.pmman.net-2010.key 2048

openssl req -new -key victim-centos.pmman.net-2010.key -out victim-centos.pmman.net-2010.csr

9. Get the CSR onto the clipboard so it may be pasted into the web GUI at startcom

[root@victim-centos attic]# cat victim-centos.pmman.net-2010.csr -----BEGIN CERTIFICATE REQUEST----- MIIC7TCCAdUCAQAwgacxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJPSDERMA8GA1UE BxMIQ29sdW1idXMxHDAaBgNVBAoTEzc4MSBSZXNvbHV0aW9uLCBMTEMxDjAMBgNV ... snippage ... eKGhP2r4C8kVBrK13lgmlOt1OYLn+rvV8y/hkrlPbDSRoW4cNmoX3F4hFWUKxWZc hvtc52ImrMe4vikYYIZGPk6Lhw3xSnVwZzoU0QxgR1XN -----END CERTIFICATE REQUEST----- [root@victim-centos attic]#

... startcom will indicate the CSR has been countersigned, and a CRT may be retrieved

10. While you are waiting, retrieve the certificate chaining back to the CA roots in any modern browser

wget -O sub.class1.server.ca.pem \ http://www.startssl.com/certs/sub.class1.server.ca.pem wget -O sub.class2.server.ca.pem \ http://www.startssl.com/certs/sub.class2.server.ca.pem wget -O ca.pem http://www.startssl.com/certs/ca.pem

... and copy them into place

cp sub.class2.server.ca.pem /etc/pki/tls/certs/ cp ca.pem /etc/pki/tls/certs/

11. Edit /etc/httpd/conf.d/ssl.conf and adjust the values for:

SSLCertificateFile \ /etc/pki/tls/certs/victim-centos.pmman.net.crt SSLCertificateKeyFile \ /etc/pki/tls/private/victim-centos.pmman.net-2010.key SSLCertificateChainFile \ /etc/pki/tls/certs/sub.class2.server.ca.pem SSLCACertificateFile /etc/pki/tls/certs/ca.pem

# we also need to add: SSLCertificateChainFile \ /etc/pki/tls/certs/sub.class2.server.ca.pem

... and look at the config file edits:

[root@victim-centos conf.d]# grep ^SSL ssl.conf | grep File SSLCertificateFile /etc/pki/tls/certs/victim-centos.pmman.net.crt SSLCertificateKeyFile /etc/pki/tls/private/victim-centos.pmman.net-2010.key SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem SSLCACertificateFile /etc/pki/tls/certs/ca.pem [root@victim-centos conf.d]#

12. Retrieve that countersigned CRT from Startcom, and place into a file: victim-centos.pmman.net.crt

13. Position and set perms on the key, and the certificate:

cp victim-centos.pmman.net-2010.key /etc/pki/tls/private/ cp victim-centos.pmman.net.crt /etc/pki/tls/certs/ chmod 600 /etc/pki/tls/certs/*.crt

14. Restart the webserver, and tail the logs in /var/log/httpd

15. View the web page (here: https://victim-centos.pmman.net/ ), and make sure no errors appear; check the certificate chain in your local browser. This chain is present in Windows 7 Internet Explorer, Firefox, and Safari

16. All done

-- end ================================== .-- -... ---.. ... -.- -.-- Copyright (C) 2010 R P Herrold herrold@owlriver.com My words are not deathless prose, but they are mine.