Configuring SSL on a web server with OpenSSL

1. Generating the SSL certificates on the server

Note: if we are not root, we run the commands with "sudo".
We install openssl if it is not already installed on the server:
# apt-get install openssl

We can generate everything (key and CSR) with a single command:
# openssl req -new -newkey rsa:2048 -nodes -keyout nombrecertificado_clave.key -out nombrecertificado_request.csr

Country Name (2 letter code) AU: ES for Spain
State or Province Name (full name) Some-State: State or province
Locality Name (eg, city) []: City
Organization Name (eg, company) Internet Widgits Pty Ltd: <Your organization>
Organizational Unit Name (eg, section) []: <Your department>
Common Name (eg, YOUR name) []: <Server name or domain in DNS, or IP address>
Email Address []: <email>
# Leave the following fields empty
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

Old method:


Generate the 1024-bit RSA private key, protected with triple DES:
# openssl genrsa -des3 -out servidor.key 1024

We remove the passphrase so that Apache does not ask for it on every restart. The command asks for the passphrase entered before:
# mv servidor.key servidor.key.old
# openssl rsa -in servidor.key.old -out servidor.key

Enter pass phrase for servidor.key.old: <passphrase>
writing RSA key

We create the certificate signing request (CSR):
# openssl req -new -key servidor.key -out servidor.csr

Enter pass phrase for servidor.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) AU:ES
State or Province Name (full name) Some-State:Madrid
Locality Name (eg, city) []:Madrid
Organization Name (eg, company) Internet Widgits Pty Ltd: <Your organization>
Organizational Unit Name (eg, section) []: <Your department>
Common Name (eg, YOUR name) []: <Server name in DNS, or IP address>
Email Address []: <email>
# Leave the following fields empty
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

The next step should be done by a certificate authority (CA) to obtain the CRT, but we are going to generate a self-signed certificate instead. Browsers will not recognize the certificate: they show a warning to the user and allow adding an exception:
# openssl x509 -req -days 365 -in servidor.csr -signkey servidor.key -out servidor.crt

We create the folder /etc/apache2/ssl and copy the files there:
# mkdir /etc/apache2/ssl
# mv servidor.key servidor.crt /etc/apache2/ssl

2. Apache server configuration

Now we enable the SSL module in Apache:
# a2enmod ssl

We check that the entry referring to port 443 in the file "/etc/apache2/ports.conf" is uncommented:

NameVirtualHost *:80
NameVirtualHost *:8080
Listen 80
Listen 8080
<IfModule mod_ssl.c>
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>

Now we edit the file "/etc/apache2/sites-available/default-ssl" and configure it by adding or editing the "SSL configuration" section:
* * * * REMEMBER * * * *
FOR .htaccess FILES TO WORK
# AllowOverride None
AllowOverride All
* * * * REMEMBER * * * *

<VirtualHost *:443>
ServerAdmin <<webmaster@tudominio>>
ServerName  <<www.tudominio.com>>
ServerAlias <<tudominio.com>>

# Index files
DirectoryIndex index.html index.php
DocumentRoot /rutadominio

#########################################
# THIS IS WHAT WE ADD OR EDIT
# SSL configuration (paths point to the /etc/apache2/ssl folder created above)
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/servidor.crt
SSLCertificateKeyFile /etc/apache2/ssl/servidor.key
# Not needed for the self-signed certificate generated above. For a certificate
# issued by a CA, the intermediate chain goes in SSLCertificateChainFile;
# SSLCACertificateFile is for verifying client certificates.
# SSLCACertificateFile /etc/apache2/ssl/certificadoDelIntermediario.pem
# End SSL configuration
#########################################

<Directory />
# FOR .htaccess FILES TO WORK
# AllowOverride None
AllowOverride All
Order allow,deny
allow from all
</Directory>

# Log files
LogLevel warn
ErrorLog  /turuta/log/error.log
CustomLog /turuta/log/access.log combined
</VirtualHost>

Finally, we enable the SSL site configuration and restart the Apache server:
# a2ensite default-ssl
# service apache2 restart


 

English version

1. Getting the required software
For an SSL encrypted web server you will need a few things. Depending on your install you may or may not have OpenSSL and mod_ssl, Apache's interface to OpenSSL. Use yum to get them if you need them.

yum install mod_ssl openssl

Yum will either tell you they are installed or will install them for you.

2. Generate a self-signed certificate
Using OpenSSL we will generate a self-signed certificate. If you are using this on a production server you will probably want a certificate from a trusted Certificate Authority, but if you are just using this on a personal site or for testing purposes a self-signed certificate is fine. To create the key you will need to be root, so you can either su to root or use sudo in front of the commands.

# Generate private key
openssl genrsa -out ca.key 1024

# Generate CSR
openssl req -new -key ca.key -out ca.csr

# Generate self-signed certificate
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

# Copy the files to the correct locations
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr

WARNING: Make sure that you copy the files and do not move them if you use SELinux. Apache will complain about missing certificate files otherwise, as it cannot read them because the certificate files do not have the right SELinux context.

If you have moved the files and not copied them, you can use the following command to correct the SELinux contexts on those files, as the correct context definitions for /etc/pki/* come with the bundled SELinux policy.

restorecon -RvF /etc/pki

Then we need to update the Apache SSL configuration file:

vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

Change the paths to match where the key file is stored. If you've used the method above it will be:

SSLCertificateFile /etc/pki/tls/certs/ca.crt

Then set the correct path for the Certificate Key File a few lines below. If you've followed the instructions above it is:

SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Quit and save the file and then restart Apache:

/etc/init.d/httpd restart

All being well you should now be able to connect over https to your server and see a default CentOS page. As the certificate is self-signed, browsers will generally ask you whether you want to accept the certificate. Firefox 3 won't let you connect at all, but you can override this.
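The certificate steps in both halves of this page (Spanish section 1 and the section above) come down to the same openssl commands. The script below is an added example, not part of the original post: it runs them non-interactively, adds the subjectAltName that current browsers require, and then checks the certificate, key and vhost file before Apache is restarted. It assumes the openssl CLI is on the path; the file base names, host names and DN values are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates key, CSR and
# self-signed certificate non-interactively, then runs the checks worth
# doing before restarting Apache. Assumes the openssl CLI is installed;
# file names and the DN values are placeholders.
set -eu

# Same as the post's single-command method, but the DN comes from -subj so no
# prompts appear, and a subjectAltName is added: browsers match the host name
# against SAN, a bare CN is no longer enough.
gen_selfsigned() {
  base="$1"; host="$2"; days="${3:-365}"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$base.key" -out "$base.csr" \
    -subj "/C=ES/ST=Madrid/L=Madrid/O=Example Org/CN=$host" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$base.ext"
  openssl x509 -req -days "$days" -in "$base.csr" -signkey "$base.key" \
    -extfile "$base.ext" -out "$base.crt" 2>/dev/null
}

# 0 when certificate ($1) and private key ($2) share the same RSA modulus.
key_matches_cert() {
  cm=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
  km=$(openssl rsa -noout -modulus -in "$2" | openssl sha256)
  [ "$cm" = "$km" ]
}

# Print the DNS names listed in the certificate's subjectAltName.
cert_dns_names() {
  openssl x509 -noout -text -in "$1" | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Pre-flight check of a vhost file such as default-ssl or ssl.conf: the
# SSLCertificateFile and SSLCertificateKeyFile it names must exist, belong
# together, not expire within a day, and the key must not be world-readable.
check_vhost() {
  crt=$(sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]][[:space:]]*//p' "$1" | head -n1)
  key=$(sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]][[:space:]]*//p' "$1" | head -n1)
  [ -r "$crt" ] && [ -r "$key" ] || { echo "cert or key file missing"; return 1; }
  key_matches_cert "$crt" "$key" || { echo "key does not match certificate"; return 1; }
  openssl x509 -checkend 86400 -noout -in "$crt" >/dev/null || { echo "certificate expiring"; return 1; }
  [ -z "$(find "$key" -perm -004)" ] || { echo "key is world-readable"; return 1; }
  echo "ok: $crt / $key"
}
```

Run check_vhost against /etc/apache2/sites-available/default-ssl or /etc/httpd/conf.d/ssl.conf after editing it; a non-zero exit tells you what Apache would have complained about at restart.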

3. Setting up the virtual hosts
Just as you set VirtualHosts for http on port 80, so you do for https on port 443. A typical VirtualHost for a site on port 80 looks like this:

<VirtualHost *:80>
<Directory /var/www/vhosts/yoursite.com/httpdocs>
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/yoursite.com/httpdocs
ServerName yoursite.com
</VirtualHost>

To add a sister site on port 443 you need to add the following at the top of your file:

NameVirtualHost *:443

and then a VirtualHost record something like this:

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory /var/www/vhosts/yoursite.com/httpsdocs>
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/yoursite.com/httpsdocs
ServerName yoursite.com
</VirtualHost>

Restart Apache again using:

/etc/init.d/httpd restart

4. Configuring the firewall
You should now have a site working over https using a self-signed certificate. If you can't connect you may need to open the port on your firewall. To do this amend your iptables rules:

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

/sbin/service iptables save

iptables -L -v

 
