3.1. Securing Internet Protocols.
3.1.1. Using a certificate with mod_ssl in apache
First never use your self-signed root CA Certificate with any application and especially with apache as it requires you to remove the passphrase on your private key.
First generate and sign a certificate request with the Common Name (CN) as www.mysite.com. Remove any extra information to keep only the ---CERTIFCATE --- part.
The key needs to be made insecure, so no password is required when reading the private key. Take the newreq.pem files that contains your private key and remove the passphrase from it.
openssl rsa -in newreq.pem -out wwwkeyunsecure.pem |
Because the key (PRIVATE Key) is insecure, you must know what you are doing: check file permissions, etc... If someone gets its hand on it, your site is compromised (you have been warned). Now you can use the newcert and cakeyunsecure.pem for apache.
Copy wwwkeyunsecure.pem and newcert.pem in the directory /etc/httpd/conf/ssl/ as wwwkeyunsecure.pem and wwwcert.crt respectively.
Edit /etc/httpd/conf/ssl/ssl.default-vhost.conf.
---- # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. A test # certificate can be generated with `make certificate' under # built time. #SSLCertificateFile conf/ssl/ca.crt SSLCertificateFile wwwcert.crt # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. #SSLCertificateKeyFile conf/ssl/ca.key.unsecure SSLCertificateKeyFile wwwkeyunsecure.pem ---- |
Stop and start httpd (/etc/rc.d/init.d/httpd stop) ensure that all processes are dead (killall httpd) and start httpd (/etc/rc.d/init.d/httpd start)
3.1.2. Using a certificate with IMAPS
Read the paragraph on “Using a certificate with POPS”, for more information.
3.1.3. Using a certificate with POPS
A pem file for ipop3sd can be created by generating a certificate, unsecuring the private key and combining the two into /etc/ssl/imap/ipop3sd.pem. This is the location where the imap rpm on Mandrake 9.0 expects to find the file. A similar procedure can be used for imap and putting the file in /etc/ssl/imap/imapsd.pem.
The CN should be the name that the mail client connects to (e.g mail.xyz.org). In MS-Outlook, on the server tab, enter for the incoming mail server mail.xyz.org and on the Advanced tab check the “This server requires a secure connection (SSL)”, this will change the connection port to 995 (imaps). The trusted root CA must be installed in MS Internet Explorer to validate the certificate from mail.xyz.org.
3.1.6. Generate and Sign a key with Microsoft Key Manager
In Microsoft Key Manager, select the service you want to create a key for, for instance IMAP (or WWW). Use the wizard to generate a new key. Ensure that the distinguished name won't be identical to previous generated keys, for Instance for the Common Name (CN) use imap.mycompany.com. The wizard will place the request in the file C:\NewKeyRq.txt. Key Manager shows a Key with a strike to indicate the key is not signed.
Import this file in the OpenSSL /var/ssl directory, rename it to newreq.pem and sign the request as usual.
CA.pl -sign |
The file newcert.pem is not yet suitable for key manager as it contains some text and the -CERTIFICATE- section. We have to remove the text, the easy way is to do:
openssl x509 -in newcert.pem -out newcertx509.pem |
Using a text editor is also suitable to delete everything outside the -CERTIFICATE- section.
The newcertx509.pem file now contains only the -CERTIFICATE- section.
Export the file newcertx509.pem to the Computer running key Manager and while selecting the key icon in the Key Manager application, right click and click on Install the Key Certificate, select this file, enter the passphrase. The key is now fully functional.