On Thu, 16 Sep 2010, Matthew Miller wrote:

> Or get one from: http://cert.startcom.org/

I had seen this cross as well from another poster:

> Sorry, but you need to buy a certificate.

Bzzzrttt

I am firmly with Matthew on this one.

When I saw the initial post hit my email inbound queue (not sure what time -- something after 11:45), I started the process of deploying a test box, and setting up a new certificate with them (I have previously gone through their Class I and II authentication processes and have an account with them). I post this around 13:15 [the spell checker is very unhappy with that key ... ]

This rough outline will get some markup, and turn into a blog post later this week, and I'll mark it so http://planet.centos.org picks it up. The timestamps of this email and of the certificate on that page show how quickly this may be done (and with startcom, with no additional per-certificate issuance fees other than as related to the authentication process)

==============================================

1. Deploy, secure and name a box

   victim-centos.pmman.net

2. Set the A record in DNS

   198.178.231.140

3. Set the PTR

4. Install the mod_ssl package (which pulls in httpd and its dependencies)

   also useful is: crypto-utils as it will 'watch' for upcoming expirations

5. Position a placeholder page to look for in a test ... I installed php as well, and here use a php scriptlet that does a redirect into https on the fly when a connection comes in on http

   [root@vm178231140 html]# cat index.php
   <?php
   // Send plain-http visitors to the https site; exit after the redirect
   // header so the page body is not also sent along with it.
   $SITE = "victim-centos.pmman.net";
   $SERVER_PORT = $_SERVER['SERVER_PORT'];
   if ("$SERVER_PORT" != "443") {
       header("Location: https://$SITE");
       exit;
   }
   print "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\" >";
   print "<html><head><title>CentOS and SSL are easy</title></head>";
   print "<body><h4>CentOS and SSL are easy</h4>";
   print "<p>This example lives at: <a href=\"";
   print "https://" . $SITE;
   print "\">https://" . $SITE . "</a> on a box provided by: ";
   print "<a href=\"http://www.pmman.com\" target=\"_blank\">";
   print "pmman.com</a></p></body></html>";
   ?>

6. Open up port 80/tcp and 443/tcp in iptables

7. Read: /etc/httpd/conf.d/ssl.conf

   [root@victim-centos conf.d]# grep -v ^# ssl.conf | grep -v ^$
   LoadModule ssl_module modules/mod_ssl.so
   Listen 443
   AddType application/x-x509-ca-cert .crt
   AddType application/x-pkcs7-crl .crl
   SSLPassPhraseDialog builtin
   SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
   SSLSessionCacheTimeout 300
   SSLMutex default
   SSLRandomSeed startup file:/dev/urandom 256
   SSLRandomSeed connect builtin
   SSLCryptoDevice builtin
   <VirtualHost _default_:443>
   ErrorLog logs/ssl_error_log
   TransferLog logs/ssl_access_log
   LogLevel warn
   SSLEngine on
   SSLProtocol all -SSLv2
   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
   SSLCertificateFile /etc/pki/tls/certs/localhost.crt
   SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
   <Files ~ "\.(cgi|shtml|phtml|php3?)$">
       SSLOptions +StdEnvVars
   </Files>
   <Directory "/var/www/cgi-bin">
       SSLOptions +StdEnvVars
   </Directory>
   SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
   CustomLog logs/ssl_request_log \
             "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
   </VirtualHost>
   [root@victim-centos conf.d]# grep -v ^# ssl.conf | grep -v ^$ | wc
        32      77    1089

   -----------

   ... the lines starting: ^SSL and containing the fragment File are what need to be configured (and in the case with one from startcom, a chained key file)

8. Set up a place to make the keys, signing request, and pemfile, along with key chains

   mkdir attic
   cd attic
   # we intentionally make one without a passphrase here
   # to simplify the discussion
   openssl genrsa -out victim-centos.pmman.net-2010.key 2048
   openssl req -new -key victim-centos.pmman.net-2010.key -out victim-centos.pmman.net-2010.csr

9. Get the CSR onto the clipboard so it may be pasted into the web GUI at startcom

   [root@victim-centos attic]# cat victim-centos.pmman.net-2010.csr
   -----BEGIN CERTIFICATE REQUEST-----
   MIIC7TCCAdUCAQAwgacxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJPSDERMA8GA1UE
   BxMIQ29sdW1idXMxHDAaBgNVBAoTEzc4MSBSZXNvbHV0aW9uLCBMTEMxDjAMBgNV
   ... snippage ...
   eKGhP2r4C8kVBrK13lgmlOt1OYLn+rvV8y/hkrlPbDSRoW4cNmoX3F4hFWUKxWZc
   hvtc52ImrMe4vikYYIZGPk6Lhw3xSnVwZzoU0QxgR1XN
   -----END CERTIFICATE REQUEST-----
   [root@victim-centos attic]#

   ... startcom will indicate the CSR has been countersigned, and a CRT may be retrieved

10. While you are waiting, retrieve the certificate chaining back to the CA roots in any modern browser

   wget -O sub.class1.server.ca.pem \
       http://www.startssl.com/certs/sub.class1.server.ca.pem
   wget -O sub.class2.server.ca.pem \
       http://www.startssl.com/certs/sub.class2.server.ca.pem
   wget -O ca.pem http://www.startssl.com/certs/ca.pem

   ... and copy them into place

   cp sub.class2.server.ca.pem /etc/pki/tls/certs/
   cp ca.pem /etc/pki/tls/certs/

11. Edit /etc/httpd/conf.d/ssl.conf and adjust the values for:

   SSLCertificateFile \
       /etc/pki/tls/certs/victim-centos.pmman.net.crt
   SSLCertificateKeyFile \
       /etc/pki/tls/private/victim-centos.pmman.net-2010.key
   SSLCertificateChainFile \
       /etc/pki/tls/certs/sub.class2.server.ca.pem
   SSLCACertificateFile /etc/pki/tls/certs/ca.pem

   # we also need to add:
   SSLCertificateChainFile \
       /etc/pki/tls/certs/sub.class2.server.ca.pem

   ... and look at the config file edits:

   [root@victim-centos conf.d]# grep ^SSL ssl.conf | grep File
   SSLCertificateFile /etc/pki/tls/certs/victim-centos.pmman.net.crt
   SSLCertificateKeyFile /etc/pki/tls/private/victim-centos.pmman.net-2010.key
   SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
   SSLCACertificateFile /etc/pki/tls/certs/ca.pem
   [root@victim-centos conf.d]#

12. Retrieve that countersigned CRT from Startcom, and place into a file: victim-centos.pmman.net.crt

13. Position and set perms on the key, and the certificate:

   cp victim-centos.pmman.net-2010.key /etc/pki/tls/private/
   cp victim-centos.pmman.net.crt /etc/pki/tls/certs/
   chmod 600 /etc/pki/tls/certs/*.crt

14. Restart the webserver, and tail the logs in /var/log/httpd

15. View the web page (here: https://victim-centos.pmman.net/ ), and make sure no errors appear; check the certificate chain in your local browser. This chain is present in Windows 7 Internet Explorer, Firefox, and Safari

16. All done -- end

==================================

.-- -... ---.. ... -.- -.--
Copyright (C) 2010 R P Herrold
herrold at owlriver.com
My words are not deathless prose, but they are mine.
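Added here as an example, not part of the original post: a small POSIX sh helper (hypothetical, named check_ssl_conf) that checks the SSL*File directives the post singles out in steps 7 and 11 before the restart in step 14: the three directives a chained certificate needs are present, each referenced file exists and is readable, and the private key is exactly mode 0600. It assumes one directive per line, optionally split with backslash continuations as in the step 11 edit, and does not validate the certificate contents themselves.

```shell
#!/bin/sh
# check_ssl_conf.sh: hypothetical helper, not from the original post.
# Sanity-check the SSL*File directives in an Apache ssl.conf before the
# restart in step 14, so a mistyped path or an over-permissive key is
# caught by a script rather than by tailing /var/log/httpd.
# Print the path configured for directive $2 in conf $1. Comment lines
# never match, and backslash continuations (as in the step 11 edit) are
# joined first. Apache honours the last occurrence, so that one is printed.
directive_path() {
    awk -v d="$2" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = ""
          n = split(line, f)
          if (n >= 2 && f[1] == d) print f[2] }' "$1" | tail -n 1
}

# Return 0 when the three directives a chained (startcom-style) certificate
# needs are present, every referenced file is readable, and the private
# key is exactly mode 0600. One line is printed per finding.
check_ssl_conf() {
    conf=$1
    rc=0
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        p=$(directive_path "$conf" "$d")
        if [ -z "$p" ]; then
            echo "MISSING directive: $d"; rc=1
        elif [ ! -r "$p" ]; then
            echo "MISSING file for $d: $p"; rc=1
        else
            echo "ok      $d -> $p"
        fi
    done
    # SSLCACertificateFile is optional for a plain server cert; only check
    # the file if the directive is configured.
    ca=$(directive_path "$conf" SSLCACertificateFile)
    if [ -n "$ca" ] && [ ! -r "$ca" ]; then
        echo "MISSING file for SSLCACertificateFile: $ca"; rc=1
    fi
    # The private key must not be group- or world-readable: exactly 0600.
    key=$(directive_path "$conf" SSLCertificateKeyFile)
    if [ -n "$key" ] && [ -f "$key" ] && [ -z "$(find "$key" -perm 600)" ]; then
        echo "BAD PERMS on key (want 0600): $key"; rc=1
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then
    check_ssl_conf "$1"
fi
```

Run it as `sh check_ssl_conf.sh /etc/httpd/conf.d/ssl.conf`; a non-zero exit means at least one finding was printed.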