NSLU2-Linux

HowTo.EnableHTTPSforApache History


October 14, 2008, at 11:39 PM by RalphFinch -- spelling
Changed lines 359-360 from:

This script has broadly been incorporated in the script above, although the script above does not attempt to varify the signing since it is problematic on the NSLU2.

to:

This script has broadly been incorporated in the script above, although the script above does not attempt to verify the signing since it is problematic on the NSLU2.

October 15, 2005, at 08:21 PM by MattMcNeill -- Added an automated script which now works.
Changed lines 9-10 from:
to:

At the bottom of this HowTo is a detailed script which automates the creation and signing of all the keys and certificates. All that remains is editing the Apache configuration files.

Changed lines 114-115 from:

sign.sh

to:

Automated CA and key setup script

I couldn't get the self-signing script above to work, so I wrote a more comprehensive alternative which creates the CA and server key and signs it.

Copy this script to your NSLU2, ensure that it is executable (chmod +x apache2-ssl-setup.sh), edit it to add your specific details and then execute it. It will build all the directories, keys and certificates for you. On the first run it creates the parameter files it needs and asks you to edit them; just follow the on-screen instructions.

By default it does not strip the passphrase from the server key (that step is left commented out at the end of the script).

I actually got a set of working ssl keys out of this.

Changed lines 129-138 from:
#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sign <whatever>.csr"; exit 1
to:
#!/bin/sh -e
#
# detailed comments extracted from http://www.tc.umn.edu/~brams006/selfsign.html
# inspired by the debian apache2-ssl-certificate script
# inspired by openssl sign.sh script

KEY_SIZE=4096

TARGET_ROOT=/opt/etc/apache2
TARGET_CA_KEY=$TARGET_ROOT/ssl.key/ca.key
TARGET_CA_CRT=$TARGET_ROOT/ssl.crt/ca.crt
TARGET_SRV_KEY=$TARGET_ROOT/ssl.key/server.key
TARGET_SRV_CSR=$TARGET_ROOT/ssl.key/server.csr
TARGET_SRV_CRT=$TARGET_ROOT/ssl.crt/server.crt

# Challenge passwords used in the script (edit these before running;
# the script itself holds them in plaintext, so keep it readable by root only)
CA_CHPWD=<password>
SRV_CHPWD=<password>

if [ "$1" != "--force" -a -f $TARGET_CA_CRT ]; then
  echo "$TARGET_CA_CRT exists!  Use \"$0 --force.\""
  exit 0
Changed lines 152-153 from:

if [ ! -f $CSR ]; then
    echo "CSR not found: $CSR"; exit 1
to:

if [ "$1" = "--force" ]; then
  shift
fi

echo
echo creating selfsigned certificate
echo "replace it with one signed by a certification authority (CA)"
echo
echo If you want your certificate to expire after x days call this program
echo with "-days x"
echo

# create the folders
if [ -d $TARGET_ROOT/ssl.key ]; then
    echo "$TARGET_ROOT/ssl.key folder already exists"
else
    echo "creating $TARGET_ROOT/ssl.key folder"
    mkdir $TARGET_ROOT/ssl.key
Changed lines 172-179 from:

case $CSR in
   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
       * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
to:

if [ -d $TARGET_ROOT/ssl.crt ]; then
    echo "$TARGET_ROOT/ssl.crt folder already exists"
else
    echo "creating $TARGET_ROOT/ssl.crt folder"
    mkdir $TARGET_ROOT/ssl.crt
Changed lines 179-180 from:

if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
to:
# --- CREATE CERTIFICATE AUTHORITY ---
# use special .cnf, because with normal one no valid selfsigned
# server certificate is created
# It's been noted that the organizational name, unit name and common
# name should not match what you supply when you create your server key
# (OpenSSL decides whether a certificate is self-signed by comparing its
# subject and issuer names, so a server certificate whose subject equals
# the CA's subject is mistaken for a self-signed one and fails to verify).
# These fields for the CA are not quite as crucial as your server key
# fields. For instance, if your common name is "www.somesite.edu" you
# might want to provide something like "Somesite Cert Authority" for the
# common name of the CA in this step, and "www.somesite.edu" -- the fully
# qualified domain name (or IP) for the common name in the server key
# generating step. Do something similar with the unit and organizational
# names also. Just make sure the entries for these three fields don't
# match what you provide while generating a CA (this step) and the
# server key (next step).

if [ ! -f ~/ca.config ]; then

# create a config file for req
cat >~/ca.config <<EOT
[ req ]
distinguished_name     = req_distinguished_name
attributes             = req_attributes
prompt                 = no

[ req_distinguished_name ]
C                      = <Country Name (2 letter code)>
ST                     = <State or Province Name (full name)>
L                      = <Locality Name (eg, city)>
O                      = <Organization Name (eg, company; recommended) -- MUST BE DIFFERENT FROM SERVER KEY VALUE>
OU                     = <Organizational Unit Name (eg, section) -- MUST BE DIFFERENT FROM SERVER KEY VALUE>
CN                     = <common name (eg. Somesite Certificate Authority; required!!!) -- MUST BE DIFFERENT FROM SERVER KEY VALUE>
emailAddress           = <email address>

[ req_attributes ]
unstructuredName       = <unstructured name>
EOT

echo
echo "Please edit and configure the file '~/ca.config' with your server details and then try again"
exit 1

Changed lines 225-226 from:

if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
to:
# leftovers from the debian script, kept for reference
#export RANDFILE=/dev/random
#openssl req $@ -config ~/ca.config \
#    -new -x509 -nodes -out $TARGET_CA_CRT -keyout $TARGET_CA_CRT
#chmod 600 $TARGET_CA_CRT
#ln -sf /etc/apache2/ssl/apache.pem \
#    /etc/apache2/ssl/`/usr/bin/openssl x509 -noout -hash < /etc/apache2/ssl/apache.pem`.0

echo
echo "Creating CA Key: $TARGET_CA_KEY"
echo
openssl genrsa -des3 -passout pass:$CA_CHPWD -out $TARGET_CA_KEY $KEY_SIZE
echo
echo "Creating CA Certificate: $TARGET_CA_CRT"
echo
openssl req $@ -new -x509 -config ~/ca.config -passin pass:$CA_CHPWD -key $TARGET_CA_KEY -out $TARGET_CA_CRT

# --- CREATE SERVER KEY ---
# Think carefully when inputting a Common Name (CN) as you generate the
# .csr file below. This should match the DNS name, or the IP address you
# specify in the httpd.conf or ssl.conf (if this portion is separated
# outside of httpd.conf) for your server. If they don't match, client
# browsers will get a "domain mismatch" message when going to your https
# web server. If you're doing this for home use, and you don't have a
# static IP or DNS name, you might not even want to worry about the
# message (but you sure will need to worry if this is a production/public
# server). For example, you could match it to an internal and static IP
# you use behind your router, so that you'll never get the "domain
# mismatch" message if you're accessing the computer on your home LAN,
# but will always get that message when accessing it elsewhere. Your
# call -- is your IP stable, do you want to repeat these steps every time
# your IP changes, do you have a DNS name, do you mainly use it inside
# your home or LAN, or outside?

if [ ! -f ~/server.config ]; then

# create a config file for req
cat >~/server.config <<EOT
[ req ]
distinguished_name     = req_distinguished_name
attributes             = req_attributes
prompt                 = no

[ req_distinguished_name ]
C                      = <Country Name (2 letter code)>
ST                     = <State or Province Name (full name)>
L                      = <Locality Name (eg, city)>
O                      = <Organization Name (eg, company; recommended)>
OU                     = <Organizational Unit Name (eg, section)>
CN                     = <server name (eg. ssl.domain.tld; required!!!)>
emailAddress           = <email address>

[ req_attributes ]
unstructuredName       = <unstructured name>
EOT

echo
echo "Please edit and configure the file '~/server.config' with your server details and then try again"
exit 1

Changed lines 298-359 from:
#   create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = \$dir
new_certs_dir           = \$dir/ca.db.certs
database                = \$dir/ca.db.index
serial                  = \$dir/ca.db.serial
RANDFILE                = \$dir/ca.db.rand
certificate             = \$dir/ca.crt
private_key             = \$dir/ca.key
unique_subject          = no
default_days            = 365
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

#  sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT

#  cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#  die gracefully
exit 0

=] (:tableend:)

An alternative script

I couldn't get the self signing script above to work, so I wrote a more comprehensive alternative.

Drop this script in /opt/etc/apache, ensure that it is executable (chmod +x setupSSL.sh), edit it to add your specific details and then execute it, passing a challenge password as a parameter. This script will build all your directories, keys and certificates for you automatically.

*** WORK IN PROGRESS ***

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 [=
#!/bin/sh
##
##  setupSSL.sh -- Create the keys
##  Matt McNeill
#
to:

echo
echo "Creating Server Key: $TARGET_SRV_KEY"
echo
openssl genrsa -des3 -passout pass:$SRV_CHPWD -out $TARGET_SRV_KEY $KEY_SIZE
echo
echo "Creating Server Key Signing Request: $TARGET_SRV_CSR"
echo
openssl req -new -config ~/server.config -passin pass:$SRV_CHPWD -key $TARGET_SRV_KEY -out $TARGET_SRV_CSR

# --- SIGN SERVER KEY USING CA ---
Changed lines 309-312 from:
# parameters

CHPWD=$1

to:
# Note also that I set the serial number of the signed server
# certificate to "01". Each time you do this, especially if you do this
# before a previously-signed certificate expires, you'll need to change
# the serial number to something else -- otherwise everyone who's visited
# your site with a cached version of your certificate will get a warning
# message to the effect that your certificate signing authority has
# screwed up -- they've signed a new key/request, but kept the old serial
# number.
# The command below does a number of things. It takes your signing
# request (csr) and makes a signed server certificate (crt) out of it,
# valid for the number of days passed to this script as "-days x"
# (openssl's own default for "x509 -req" is 30 days). In doing so, we
# need to tell it which certificate authority (ca) to use, which ca key
# to use, and which server key to sign. We set the serial number to 01,
# and output the signed key in the file named server.crt. If you do this
# again after people have visited your site and trusted your CA (storing
# it in their browser), you might want to use 02 for the next serial
# number, and so on.

echo
echo "Creating Signed Server Certificate: $TARGET_SRV_CRT"
echo
# -passin unlocks the key named by -CAkey, so it must be the CA password,
# not the server one (the two only coincide if you set both to the same value)
openssl x509 -req $@ -passin pass:$CA_CHPWD -in $TARGET_SRV_CSR -CA $TARGET_CA_CRT -CAkey $TARGET_CA_KEY -set_serial 01 -out $TARGET_SRV_CRT

# --- UNSECURE KEY ---
# Make a server.key which doesn't cause apache to prompt for a password.
# Here we create an insecure version of the server.key. The insecure one
# will be used for when Apache starts, and will not require a password
# with every restart of the web server. But keep in mind that while this
# means you don't have to type in a password when restarting Apache (or
# worse -- coding it somewhere in plaintext), it does mean that anyone
# obtaining this insecure key will be able to decrypt your
# transmissions. Guard it for permissions VERY carefully.
# uncomment if you want this option (it operates on the server KEY,
# not the certificate, and needs the key's passphrase to unlock it)
#openssl rsa -passin pass:$SRV_CHPWD -in $TARGET_SRV_KEY -out $TARGET_SRV_KEY.insecure
#mv $TARGET_SRV_KEY $TARGET_SRV_KEY.secure
#mv $TARGET_SRV_KEY.insecure $TARGET_SRV_KEY

exit 0

=] (:tableend:)

sign.sh

This script has broadly been incorporated in the script above, although the script above does not attempt to verify the signing since it is problematic on the NSLU2.

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 [=
#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling
CSR=$1

Changed line 374 from:
    echo "Usage: setupSSL.sh <challenge password>"; exit 1
to:
    echo "Usage: sign.sign <whatever>.csr"; exit 1
Changed lines 376-382 from:
# create the folders
if [ -d ssl.key ]; then
    echo "ssl.key folder already exists"
else
    echo "creating ssl.key folder"
    mkdir ssl.key
to:

if [ ! -f $CSR ]; then
    echo "CSR not found: $CSR"; exit 1
Changed lines 379-384 from:

if [ -d ssl.crt ]; then
    echo "ssl.crt folder already exists"
else
    echo "creating ssl.crt folder"
    mkdir ssl.crt
to:

case $CSR in
   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
       * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
Changed lines 388-394 from:
#  create the keys
if [ -f ssl.key/server.key ]; then
    echo "server key already exists"
else
    echo "creating the server key"
    openssl genrsa -des3 -passout pass:$CHPWD -out ssl.key/server.key 1024
to:

if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
Changed lines 391-396 from:

if [ -f ssl.key/ca.key ]; then
    echo "CA key already exists"
else
    echo "creating the CA key"
    openssl genrsa -des3 -passout pass:$CHPWD -out ssl.key/ca.key 1024
to:

if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
Changed lines 395-412 from:
#   create a config file for req
cat >ssl.key/csr.config <<EOT
[ req ]
distinguished_name     = req_distinguished_name
attributes             = req_attributes
prompt                 = no

[ req_distinguished_name ]
C                      = <2 char country code>
ST                     = <state or region>
L                      = <town, city>
O                      = <owner name>
OU                     = <unit name>
CN                     = <contact name - usually web server address www.myaddress.com>
emailAddress           = none@nospam.com

[ req_attributes ]
unstructuredName       = <alternative unstructured name>

to:
#   create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = \$dir
new_certs_dir           = \$dir/ca.db.certs
database                = \$dir/ca.db.index
serial                  = \$dir/ca.db.serial
RANDFILE                = \$dir/ca.db.rand
certificate             = \$dir/ca.crt
private_key             = \$dir/ca.key
unique_subject          = no
default_days            = 365
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

Changed lines 425-435 from:

echo "creating server CSR"
openssl req -new -config ssl.key/csr.config -passin pass:$CHPWD -passout pass:$CHPWD -key ssl.key/server.key -out ssl.key/server.csr

#echo "creating the CA CRT"
#openssl req -new -config csr.config -x509 -days 365 -key ca.key -out ca.crt
openssl x509 -req -days 365 -passin pass:$CHPWD -in ssl.key/server.csr -signkey ssl.key/server.key -out ssl.crt/ca.crt

#  cleanup
echo "Cleaning up"
rm -f ssl.key/csr.config

to:

echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT

#  cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

Changed lines 439-440 from:

(:tableend:)

to:

(:tableend:)

October 14, 2005, at 04:07 PM by MattMcNeill --
Added lines 201-202:
*** WORK IN PROGRESS ***
October 14, 2005, at 03:55 PM by MattMcNeill -- Added an automated script to do the whole lot
Added lines 194-284:

An alternative script

I couldn't get the self signing script above to work, so I wrote a more comprehensive alternative.

Drop this script in /opt/etc/apache, ensure that it is executable (chmod +x setupSSL.sh), edit it to add your specific details and then execute it, passing a challenge password as a parameter. This script will build all your directories, keys and certificates for you automatically.

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 

#!/bin/sh
##
##  setupSSL.sh -- Create the keys
##  Matt McNeill
#

# parameters

CHPWD=$1
if [ $# -ne 1 ]; then
    echo "Usage: setupSSL.sh <challenge password>"; exit 1
fi

# create the folders
if [ -d ssl.key ]; then
    echo "ssl.key folder already exists"
else
    echo "creating ssl.key folder"
    mkdir ssl.key
fi

if [ -d ssl.crt ]; then
    echo "ssl.crt folder already exists"
else
    echo "creating ssl.crt folder"
    mkdir ssl.crt
fi

#  create the keys
if [ -f ssl.key/server.key ]; then
    echo "server key already exists"
else
    echo "creating the server key"
    openssl genrsa -des3 -passout pass:$CHPWD -out ssl.key/server.key 1024 
fi

if [ -f ssl.key/ca.key ]; then
    echo "CA key already exists"
else
    echo "creating the CA key"
    openssl genrsa -des3 -passout pass:$CHPWD -out ssl.key/ca.key 1024 
fi

#   create a config file for req
cat >ssl.key/csr.config <<EOT
[ req ]
distinguished_name     = req_distinguished_name
attributes             = req_attributes
prompt                 = no

[ req_distinguished_name ]
C                      = <2 char country code>
ST                     = <state or region>
L                      = <town, city>
O                      = <owner name>
OU                     = <unit name>
CN                     = <contact name - usually web server address www.myaddress.com>
emailAddress           = none@nospam.com

[ req_attributes ]
unstructuredName       = <alternative unstructured name>
EOT

#  sign the certificate
echo "creating server CSR"
openssl req -new -config ssl.key/csr.config -passin pass:$CHPWD -passout pass:$CHPWD -key ssl.key/server.key -out ssl.key/server.csr

#echo "creating the CA CRT"
#openssl req -new -config csr.config -x509 -days 365 -key ca.key -out ca.crt
openssl x509 -req -days 365 -passin pass:$CHPWD -in ssl.key/server.csr -signkey ssl.key/server.key -out ssl.crt/ca.crt

#  cleanup
echo "Cleaning up"
rm -f ssl.key/csr.config

#  die gracefully
exit 0


(:tableend:)

August 22, 2005, at 08:17 PM by tman --
Deleted lines 0-1:

If Apache isn't installed already, follow the "How To Install Apache" instructions from FAQ#31

Deleted lines 112-116:
May 19, 2005, at 10:27 PM by RobHam -- unique_subject added to sign.sh script
Added line 169:

unique_subject = no

May 19, 2005, at 09:02 AM by pTweety -- changed the link to FAQ
Changed lines 1-2 from:

If Apache isn't installed already, follow the "How To Install Apache" instructions from FAQ#30

to:

If Apache isn't installed already, follow the "How To Install Apache" instructions from FAQ#31

May 18, 2005, at 07:46 PM by RobHam --
Changed lines 55-56 from:

Now, you can sign your server key. Therefore you should use a script that is shipped with mod_ssl. For your convenience the script can be found at the end of this page. Note that if you use the script at the bottom of the page, you must remove the first two spaces at the beginning of each line that the Wiki puts in.

to:

Now, you can sign your server key. Therefore you should use a script that is shipped with mod_ssl. For your convenience the script can be found at the end of this page.

Changed lines 122-126 from:
 #!/bin/sh
 ##
 ##  sign.sh -- Sign a SSL Certificate Request (CSR)
 ##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
 ##
to:

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 [=
#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
Changed lines 132-196 from:
 #   argument line handling
 CSR=$1
 if [ $# -ne 1 ]; then
     echo "Usage: sign.sign <whatever>.csr"; exit 1
 fi
 if [ ! -f $CSR ]; then
     echo "CSR not found: $CSR"; exit 1
 fi
 case $CSR in
    *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
        * ) CERT="$CSR.crt" ;;
 esac

 #   make sure environment exists
 if [ ! -d ca.db.certs ]; then
     mkdir ca.db.certs
 fi
 if [ ! -f ca.db.serial ]; then
     echo '01' >ca.db.serial
 fi
 if [ ! -f ca.db.index ]; then
     cp /dev/null ca.db.index
 fi

 #   create an own SSLeay config
 cat >ca.config <<EOT
 [ ca ]
 default_ca              = CA_own
 [ CA_own ]
 dir                     = .
 certs                   = \$dir
 new_certs_dir           = \$dir/ca.db.certs
 database                = \$dir/ca.db.index
 serial                  = \$dir/ca.db.serial
 RANDFILE                = \$dir/ca.db.rand
 certificate             = \$dir/ca.crt
 private_key             = \$dir/ca.key
 default_days            = 365
 default_crl_days        = 30
 default_md              = md5
 preserve                = no
 policy                  = policy_anything
 [ policy_anything ]
 countryName             = optional
 stateOrProvinceName     = optional
 localityName            = optional
 organizationName        = optional
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional
 EOT

 #  sign the certificate
 echo "CA signing: $CSR -> $CERT:"
 openssl ca -config ca.config -out $CERT -infiles $CSR
 echo "CA verifying: $CERT <-> CA cert"
 openssl verify -CAfile ca.crt $CERT

 #  cleanup after SSLeay
 rm -f ca.config
 rm -f ca.db.serial.old
 rm -f ca.db.index.old

 #  die gracefully
 exit 0
to:
#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sign <whatever>.csr"; exit 1
fi
if [ ! -f $CSR ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
       * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

#   create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = \$dir
new_certs_dir           = \$dir/ca.db.certs
database                = \$dir/ca.db.index
serial                  = \$dir/ca.db.serial
RANDFILE                = \$dir/ca.db.rand
certificate             = \$dir/ca.crt
private_key             = \$dir/ca.key
default_days            = 365
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

#  sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT

#  cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#  die gracefully
exit 0

=] (:tableend:)

April 19, 2005, at 09:52 PM by barrym --
Changed lines 100-101 from:

and restart the server:

to:

... change any required settings for SSL page serving...

 $ vi /opt/etc/apache2/ssl.conf

... and restart the server:

April 19, 2005, at 09:43 PM by barrym --
Added lines 45-50:

Just like above, if you want to remove the passphrase from the key, you can do it like this:

 $ mv ca.key ca.key.orig
 $ openssl rsa -in ca.key.orig -out ca.key
 $ chmod 400 ca.key
Changed lines 55-56 from:

Now, you can sign your server key. Therefore you should use a script that is shipped with mod_ssl. For your convenience the script can be found at the end of this page.

to:

Now, you can sign your server key. Therefore you should use a script that is shipped with mod_ssl. For your convenience the script can be found at the end of this page. Note that if you use the script at the bottom of the page, you must remove the first two spaces at the beginning of each line that the Wiki puts in.

April 19, 2005, at 09:36 PM by barrym --
Changed lines 36-38 from:
to:

If you want to make it work, use localhost for your CommonName.

Added lines 53-79:

You should see something like this:

CA signing: server.csr -> server.crt:
Using configuration from ca.config
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'ZZ'
stateOrProvinceName :PRINTABLE:'Blah'
localityName :PRINTABLE:'Blah Blah'
organizationName :PRINTABLE:'Bogotron Ltd'
organizationalUnitName:PRINTABLE:'NSLU2 Division'
commonName :PRINTABLE:'localhost'
Certificate is to be certified until Apr 19 21:11:57 2006 GMT (365 days)
Sign the certificate? [y/n]:

Double-check that your commonName is actually a hostname the NSLU2 can resolve and press Y...

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK

If you see anything else, chances are that it won't work properly and you may have to regenerate your keys with a proper commonName.

April 19, 2005, at 08:26 PM by barrym --
Deleted lines 2-3:

When you install PHP it will install both itself and Apache.

April 19, 2005, at 08:25 PM by barrym --
Added lines 72-82:

Testing

To see that SSL is working correctly, issue the following command:

 $ openssl s_client -connect localhost:443 -state -debug
April 19, 2005, at 07:59 PM by barrym --
Changed lines 53-54 from:

Copy the reslut to the right place:

to:

Copy the result to the right place:

Changed line 136 from:
 openssl verify -CAfile? ca.crt $CERT
to:
 openssl verify -CAfile ca.crt $CERT
April 04, 2005, at 12:36 PM by barrym --
Changed line 1 from:

After installing the apache http server with

to:

If Apache isn't installed already, follow the "How To Install Apache" instructions from http://www.nslu2-linux.org/wiki/Main/FAQ FAQ#30

Changed line 3 from:
 $ ipkg install apache
to:

When you install PHP it will install both itself and Apache.

Changed line 5 from:

you have to do three things to enable the https server:

to:

Once Apache is running correctly, you have to do three things to enable the https server:

February 26, 2005, at 11:12 PM by pTweety --
Changed line 24 from:
 $ openssl genrsa -des3 -out server.key.orig 1024
to:
 $ openssl genrsa -des3 -out server.key 1024
February 26, 2005, at 11:05 PM by pTweety --
Changed lines 1-144 from:

Describe EnableHTTPSforApache here.

to:

After installing the apache http server with

 $ ipkg install apache

you have to do three things to enable the https server:

  • create your server key
  • create your certificate authority (CA)
  • enable SSL in the init script and reload apache

Remark: this small HowTo is an aggregation of the Apache http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html SSL-FAQ.

server key

Navigate to /opt/etc/apache2, create two new directories:

 $ mkdir ssl.key
 $ mkdir ssl.crt

and your server key:

 $ cd ssl.key
 $ openssl genrsa -des3 -out server.key.orig 1024

If you want to remove the passphrase from the key, you can do it like this:

 $ mv server.key server.key.orig
 $ openssl rsa -in server.key.orig -out server.key
 $ chmod 400 server.key

Now, prepare a certificate signing request (CSR):

 $ openssl req -new -key server.key -out server.csr

Important: you will be asked for the CommonName. Enter your web server's name, e.g. www.example.com.

certificate authority

You have to create a new key for your CA:

 $ openssl genrsa -des3 -out ca.key 1024

and generate a self-signed certificate from it:

 $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Now you can sign your server key. To do so, use a script that is shipped with http://www.modssl.org/ mod_ssl. For your convenience the script can be found at the end of this page.

 $ ./sign.sh server.csr

Copy the result to the right place:

 $ cp server.crt ../ssl.crt/

enable SSL in the init script

Last but not least you have to add a directive to the S80apache script

 $ vi /opt/etc/init.d/S80apache

 -/opt/sbin/httpd -k restart
 +/opt/sbin/httpd -DSSL -k restart
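Review bot: only the `-k restart` invocation gains `-DSSL` here; if S80apache launches httpd through any other line as well (for instance a `-k start` branch used at boot), that line needs the same define, otherwise the `<IfDefine SSL>` sections of the Apache configuration are skipped on a fresh boot and HTTPS only comes up after a manual restart. Worth checking the rest of the init script for every `httpd` call and adding `-DSSL` to each.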

and restart the server:

 $ /opt/etc/init.d/S80apache
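The three steps above (CA key and certificate, server key and CSR, signing the CSR) condensed into one script, added here as an example; it is not part of the original HowTo and not mod_ssl's sign.sh. It assumes only the openssl command line (1.0.2 or newer): the target directory and hostname are whatever you pass in, and "Example Home" is a placeholder organisation. It departs from the page in three places a practitioner would want today: SHA-256 instead of the md5 default in sign.sh's ca.config, a subjectAltName beside the CN (browsers no longer match on the CN alone), and -CAcreateserial in place of a fixed serial, which avoids the re-issue pitfall described in the comments of the automated script (a new certificate signed under an already-seen serial number). Keys are written without a passphrase, as in the "remove the passphrase" step, so ssl.key is made mode 700 and the keys mode 400. It finishes with the checks the page does by hand: chain and hostname verification with openssl verify, and a test that server.crt really belongs to server.key.

```shell
#!/bin/sh
# Added example (not from the HowTo): private CA, server certificate for one
# hostname, and the checks worth running before pointing Apache at the files.
# Needs only the openssl CLI (1.0.2+). Directory and hostname are caller-supplied;
# "Example Home" is a placeholder DN. The CA subject deliberately differs from
# every server subject it will sign, as the HowTo requires.
set -eu

# Build ssl.key/ca.key and ssl.crt/ca.crt under $1.
make_ca() {
    dir=$1
    mkdir -p "$dir/ssl.key" "$dir/ssl.crt"
    chmod 700 "$dir/ssl.key"
    cat >"$dir/ca.cnf" <<EOT
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
O  = Example Home
CN = Example Home CA
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOT
    openssl genrsa -out "$dir/ssl.key/ca.key" 2048 2>/dev/null
    chmod 400 "$dir/ssl.key/ca.key"
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/ca.cnf" \
        -key "$dir/ssl.key/ca.key" -out "$dir/ssl.crt/ca.crt"
}

# Issue (or re-issue) ssl.crt/server.crt for hostname $2 under $1. CN and
# subjectAltName both carry the hostname. -CAcreateserial keeps ssl.crt/ca.srl
# and bumps it on every run, so a re-issued certificate never repeats a serial.
issue_server_cert() {
    dir=$1; host=$2
    cat >"$dir/server.cnf" <<EOT
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
O  = Example Home
CN = $host
EOT
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        "$host" >"$dir/server.ext"
    rm -f "$dir/ssl.key/server.key"          # a fresh key on every re-issue
    openssl genrsa -out "$dir/ssl.key/server.key" 2048 2>/dev/null
    chmod 400 "$dir/ssl.key/server.key"
    openssl req -new -sha256 -config "$dir/server.cnf" \
        -key "$dir/ssl.key/server.key" -out "$dir/ssl.key/server.csr"
    openssl x509 -req -sha256 -days 365 -in "$dir/ssl.key/server.csr" \
        -CA "$dir/ssl.crt/ca.crt" -CAkey "$dir/ssl.key/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/ssl.crt/server.crt" 2>/dev/null
}

# Exit 0 only if server.crt chains to ca.crt and is valid for hostname $2.
verify_chain() {
    openssl verify -CAfile "$1/ssl.crt/ca.crt" -verify_hostname "$2" \
        "$1/ssl.crt/server.crt" >/dev/null 2>&1
}

# Exit 0 only if server.crt was issued for the key in server.key; this catches
# a certificate copied next to the wrong key, which Apache reports only at start.
keys_match() {
    [ "$(openssl x509 -noout -pubkey -in "$1/ssl.crt/server.crt")" = \
      "$(openssl pkey -pubout -in "$1/ssl.key/server.key")" ]
}

# Print the serial of the current server.crt, as "serial=...".
cert_serial() {
    openssl x509 -noout -serial -in "$1/ssl.crt/server.crt"
}

# Usage: sh this_script.sh /opt/etc/apache2 nslu2.home.lan
if [ $# -eq 2 ]; then
    make_ca "$1"
    issue_server_cert "$1" "$2"
    verify_chain "$1" "$2" && keys_match "$1" && echo "OK: $(cert_serial "$1")"
fi
```

Run it against a scratch directory first; the files land in ssl.key and ssl.crt exactly where the HowTo's SSLCertificateFile and SSLCertificateKeyFile settings expect them, and ca.crt is what you import into the browser. Running issue_server_cert a second time is how you renew: the serial changes, the CA does not, so clients that already trust ca.crt accept the new certificate without a warning.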

sign.sh

 #!/bin/sh
 ##
 ##  sign.sh -- Sign a SSL Certificate Request (CSR)
 ##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
 ##

 #   argument line handling
 CSR=$1
 if [ $# -ne 1 ]; then
     echo "Usage: sign.sign <whatever>.csr"; exit 1
 fi
 if [ ! -f $CSR ]; then
     echo "CSR not found: $CSR"; exit 1
 fi
 case $CSR in
    *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
        * ) CERT="$CSR.crt" ;;
 esac

 #   make sure environment exists
 if [ ! -d ca.db.certs ]; then
     mkdir ca.db.certs
 fi
 if [ ! -f ca.db.serial ]; then
     echo '01' >ca.db.serial
 fi
 if [ ! -f ca.db.index ]; then
     cp /dev/null ca.db.index
 fi

 #   create an own SSLeay config
 cat >ca.config <<EOT
 [ ca ]
 default_ca              = CA_own
 [ CA_own ]
 dir                     = .
 certs                   = \$dir
 new_certs_dir           = \$dir/ca.db.certs
 database                = \$dir/ca.db.index
 serial                  = \$dir/ca.db.serial
 RANDFILE                = \$dir/ca.db.rand
 certificate             = \$dir/ca.crt
 private_key             = \$dir/ca.key
 default_days            = 365
 default_crl_days        = 30
 default_md              = md5
 preserve                = no
 policy                  = policy_anything
 [ policy_anything ]
 countryName             = optional
 stateOrProvinceName     = optional
 localityName            = optional
 organizationName        = optional
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional
 EOT

 #  sign the certificate
 echo "CA signing: $CSR -> $CERT:"
 openssl ca -config ca.config -out $CERT -infiles $CSR
 echo "CA verifying: $CERT <-> CA cert"
 openssl verify -CAfile ca.crt $CERT

 #  cleanup after SSLeay
 rm -f ca.config
 rm -f ca.db.serial.old
 rm -f ca.db.index.old

 #  die gracefully
 exit 0
Last edited by RalphFinch.
Based on work by MattMcNeill, tman, RobHam, pTweety, and barrym.
Originally by pTweety.
Page last modified on October 14, 2008, at 11:39 PM