Laboratory Exercises VI: SSL/TLS - Configuring Apache Server



University of Split, FESB, Croatia

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

Keywords: digital signatures, public-key certificates, managing certificates

M. Čagalj, T. Perković
{mcagalj, toperkov}@fesb.hr

June, 2014

FESB Computer and Data Security Course

1 Introduction

Whenever you visit an SSL-protected page, your browser usually checks the identity of the remote site by checking its certificate. In this exercise we will show how to integrate public-key certificates with a web server so as to enable secure SSL/TLS sessions. Our goal is to set up the system (client, server, certificates, SSL/TLS server) such that an end user does not receive certificate warning messages such as the one shown in Figure 1.

Figure 1: A warning message that informs a user about potential problems with a digital certificate presented by a web server.

We will also show how the remote site can check your identity using a previously issued certificate, called an SSL client-side certificate. To accomplish our goal we will use the following software products: XCA or OpenSSL (for key and certificate (X.509) management), Apache (web server) and PHP.

NOTE: Before proceeding with this exercise, please make sure that XCA, OpenSSL, the Apache web server and PHP are all installed on your machine.

Task 1.2. Creating a Certification Authority (CA) using XCA

In this task, we will first create a CA. The role of the CA is to issue public-key certificates to end entities (e.g., our web server). In other words, the CA digitally signs the public key of a web server and embeds it into the server's certificate. The CA uses its private key for signing. In practice, the CA certificate manager (a certificate server) should be installed on a secure machine (potentially disconnected from the network), and the CA's private key should be kept highly secure. The CA also issues a self-signed public-key certificate, whereby the CA digitally signs its own public key. This certificate is distributed, in a secure way (the integrity of the CA's certificate must be protected), to all users who use a certificate issued by the CA to verify the authenticity of the certificate holder (e.g., a web server).

Figure 2: X Certificate and Key management application.

1. Open XCA and click the New Certificate button to start the X.509 certificate creation procedure (Figure 2).

2. Make sure that you select SHA-1 as the Signature algorithm; the default algorithm is set to SHA-256, which is not supported by some Windows-based operating systems. Also, select the CA template for this certificate (we are creating a CA).

3. Select the Subject tab and fill in the fields such as Internal name, Country code, etc. with appropriate values (for an example please refer to Figure 3). Generate a new private key by clicking the Generate a new key button. Note that this is the signing key of the CA.

Figure 3: Creating an X.509 certificate for the CA.

4. Select the Extensions tab and set the Type of the certificate to Certification Authority (see Figure 3). Click OK to finish the certificate creation procedure. You can check the details of the created CA certificate by double-clicking on it in the main XCA window under the Certificates tab.

Task 1.3. Creating a Web Server Certificate

In this task we create a public-key certificate for a web server. This certificate will be digitally signed by the previously created Certification Authority (CA).

1. Again, click the New Certificate button in the main XCA window. Select the Source tab and configure the web server certificate properties as follows. Check Use this Certificate for signing and set it to the name of the CA created in the previous task. Set the Signature algorithm to SHA-1 and choose the HTTPS server template from the list of available templates (Figure 4).

Figure 4: Creating an X.509 certificate for the Web Server.

2. Select the Subject tab and fill in the available fields appropriately (Figure 4). It is particularly important that you set the Common name value to localhost. This will be the address (IP address or the corresponding URL) of your web server. Finally, generate a new private key for the web server certificate by clicking Generate a new key.

3. Optionally, under the Extensions tab you may want to set the type to End Entity. Click OK to finish the certificate creation procedure.

Task 1.4. Creating a Client Certificate

In this task we create a public-key certificate for a client. This certificate will also be digitally signed by the previously created Certification Authority (CA).

1. Again, click the New Certificate button in the main XCA window. Select the Source tab and configure the client certificate properties as follows. Check Use this Certificate for signing and set it to the name of the CA created in the previous task. Set the Signature algorithm to SHA-1 and choose the HTTPS client template from the list of available templates (Figure 5).

Figure 5: Creating an X.509 certificate for the client.

2. Select the Subject tab and fill in the available fields appropriately (Figure 5). It is particularly important that you set the Common name value to your client name (e.g., User ID). This can be, for example, a username. If it is not set, or if this value does not correspond to the username, then each time you try to establish a secure (SSL/TLS) session with this server your web browser will give you a warning message about this mismatch. Finally, generate a new private key for the client certificate by clicking Generate a new key.

3. Optionally, under the Extensions tab you may want to set the type to End Entity. Click OK to finish the certificate creation procedure.

Task 1.5. Exporting Certificates

In this task, we will export the certificates created in the previous tasks, that is, the CA public-key certificate (without the private key), the web server public-key certificate including its private key, as well as the client public-key certificate with its private key.

1. Open the Certificates tab in the main XCA window. Select the certificate that belongs to the CA and click Export. Select a destination and filename where you want to store the certificate and click OK.

2. Repeat the previous step, but now export the public-key certificate of the web server and the client certificate.

3. Finally, we export the private key of the web server and of the client. To accomplish this, open the Private Keys tab, select the private key of the web server and click Export. The Key export window pops up. Check the box Export the private part of the Key too and uncheck Encrypt the Key with a password. In a similar fashion, export the private key of the client.

4. After exporting the public-key certificate and private key for the client, we need to convert the client certificate to PKCS#12 for import into the browser. To accomplish this you can use OpenSSL as explained in the following section.

Task 1.6. Creating a CA, an SSL Server and an SSL Client Certificate Using OpenSSL

We can also create and export all the previously created public-key certificates (CA, SSL server and SSL client) using OpenSSL. To accomplish this, open the Command Prompt (press Windows + R, then type cmd) and navigate to the OpenSSL directory (e.g., type cd C:\OpenSSL-Win32\bin).
To create the CA, follow these steps:

    # Create CA private key
    openssl genrsa -des3 -passout pass:qwerty -out CA.key 2048
    # Remove passphrase
    openssl rsa -passin pass:qwerty -in CA.key -out CA.key
    # Create CA self-signed certificate
    openssl req -new -x509 -days 999 -key CA.key -out CA.crt

After that, we create the SSL server certificate following these steps:

    # Create private key for the localhost server
    openssl genrsa -des3 -passout pass:qwerty -out mysite.key 2048
    # Remove passphrase
    openssl rsa -passin pass:qwerty -in mysite.key -out mysite.key
    # Create CSR for the mysite server
    openssl req -new -key mysite.key -out localhost.csr
    # Create certificate for the localhost server (Task 1.7 refers to this file as mysite.crt;
    # openssl ca uses the CA database, serial file and new_certs_dir configured in openssl.cnf)
    openssl ca -days 999 -in localhost.csr -out mysite.crt -keyfile CA.key -cert CA.crt -policy policy_anything

In the same vein, the SSL client certificate is created:

    # Create private key for a client
    openssl genrsa -des3 -passout pass:qwerty -out client.key 2048
    # Remove passphrase
    openssl rsa -passin pass:qwerty -in client.key -out client.key
    # Create CSR for the client
    openssl req -new -key client.key -out client.csr
    # Create client certificate
    openssl ca -days 999 -in client.csr -out client.crt -keyfile CA.key -cert CA.crt -policy policy_anything

At the end, export the SSL client certificate to PKCS#12 format:

    # Export the client certificate to pkcs12 for import in the browser
    openssl pkcs12 -export -passout pass:qwerty -in client.crt -inkey client.key -certfile CA.crt -out clientcert.p12

We can see that all the required certificates are created and exported within the OpenSSL folder (e.g., C:\OpenSSL-Win32\bin). To configure the Apache Web Server, we will need the CA.crt and mysite.crt public-key certificates as well as the private key mysite.key.

Task 1.7. Configuring Apache Web Server

Figure 6: Apache web server console.

1. To configure the Apache Web Server, we will need the CA.crt and mysite.crt public-key certificates as well as the private key mysite.key. Copy these certificates and keys into the conf folder of the Apache Web Server (e.g., C:\Web Server\Apache2\conf).

2. Edit httpd.conf (e.g., located in the C:\Web Server\Apache2\conf folder) and uncomment:

    LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-ssl.conf

3. Edit httpd-ssl.conf (e.g., located in the C:\Web Server\Apache2\conf\extra folder) and verify that the following holds:

    (a) SSLCertificateFile "C:/Web Server/Apache2/conf/mysite.crt"
    (b) SSLCertificateKeyFile "C:/Web Server/Apache2/conf/mysite.key"
    (c) SSLCertificateChainFile "C:/Web Server/Apache2/conf/CA.crt"
    (d) SSLCACertificateFile "C:/Web Server/Apache2/conf/CA.crt"
    (e) SSLVerifyClient require
    (f) SSLVerifyDepth 2

4. Start/restart the Apache server.

5. Finally, create a simple HTML file and name it index.html. Copy this file to the htdocs/ subdirectory of the Apache Web Server directory, overwriting any existing index.html file.

Task 1.8. Testing Your Configuration

In this task we will install the client public-key certificate in the browser and test our configuration. To accomplish this goal in the Chrome browser, we place the client public-key certificate in the Personal certificate store. Here are the steps to install the client public-key certificate:

1. Click the Chrome menu on the browser toolbar.
2. Select Settings.
3. Click Show advanced settings.
4. In this window find the Certificates snap-in. Select it and click Add.
5. Go to the HTTPS/SSL section to manage your SSL certificates and settings.
6. Click Manage Certificates.
7. Click on the Personal tab and select Import....
8. Click Next, then select the client's .p12 file and click Next again.
9. Enter the password created while exporting the client public-key certificate to PKCS#12.
10. The next step in the wizard should indicate that the certificates will be placed in the Personal store. If so, click Next. If not, fix it.

11. Click Finish.

12. Open a web browser and enter the following address in the address bar: https://localhost. Do you get any warning message? Which one? Can you explain why you get it?

13. We would like to eliminate this warning message. What can we do in this regard?

14. Recall that the CA has digitally signed the web server public-key certificate. So if our web browser had access to the CA certificate (i.e., if it trusted this certificate), the web browser could successfully verify the digital signature in the web server certificate and would not report any warning messages. To accomplish this goal in the Chrome browser, we place the CA's certificate in the Trusted Root Certification Authorities store. Here are the steps to install the CA's certificate:

    (a) Click the Chrome menu on the browser toolbar.
    (b) Select Settings.
    (c) Click Show advanced settings.
    (d) In this window find the Certificates snap-in. Select it and click Add.
    (e) Go to the HTTPS/SSL section to manage your SSL certificates and settings.
    (f) Click Manage Certificates.
    (g) Click on the Trusted Root Certification Authorities tab and select Import....
    (h) Click Next, then select the CA's .cer file and click Next again.
    (i) The next step in the wizard should indicate that the certificates will be placed in the Trusted Root Certification Authorities store. If so, click Next. If not, fix it.
    (j) Click Finish.

15. Now that you have installed the CA certificate, try to access https://localhost again. Do you get any warning message?

16. Try to access the web server by using the following address: https://127.0.0.1. Do you get any warning message? Please explain.
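The OpenSSL procedure of Task 1.6, as a scripted version added here (it is not the exercise's own code): build_lab_pki produces the same CA.key/CA.crt, mysite.key/mysite.crt, client.key/client.crt and clientcert.p12 files non-interactively, but signs the two CSRs with openssl x509 -req instead of openssl ca, so no CA database (index.txt, serial file, new_certs_dir) has to be set up in openssl.cnf first. It keeps OpenSSL's SHA-256 default instead of SHA-1, which current browsers no longer accept for certificate signatures, makes the CA certificate explicitly a CA through basicConstraints and keyUsage, and gives the server certificate a subjectAltName with both localhost and 127.0.0.1. The directory argument, the subject names and the extension contents are assumptions of this example; qwerty is the lab's own placeholder passphrase. verify_lab_pki is the set of checks worth running before the files are copied into Apache's conf folder.

```shell
#!/bin/sh
# Added example, not part of the lab hand-out: non-interactive OpenSSL build of
# the Task 1.6 CA, server and client material. Directory layout, subject names
# and extension contents are assumptions of this example; "qwerty" is the lab's
# placeholder passphrase.
set -eu

build_lab_pki() {
    dir="$1"
    mkdir -p "$dir"

    # 1. CA: unencrypted RSA key and a self-signed certificate. The minimal config
    #    makes the certificate a real CA (basicConstraints, keyCertSign); without
    #    it, OpenSSL refuses to build a chain through the CA.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null
    openssl req -new -x509 -days 999 -config "$dir/ca.cnf" -key "$dir/CA.key" \
        -subj "/C=HR/O=FESB Lab/CN=FESB Lab Root CA" -out "$dir/CA.crt"

    # 2. Server: key, CSR, CA-signed certificate. The extension file carries both
    #    names the lab visits later (localhost and 127.0.0.1).
    openssl genrsa -out "$dir/mysite.key" 2048 2>/dev/null
    openssl req -new -key "$dir/mysite.key" -out "$dir/localhost.csr" \
        -subj "/C=HR/O=FESB Lab/CN=localhost"
    printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server.ext"
    openssl x509 -req -days 999 -in "$dir/localhost.csr" -CA "$dir/CA.crt" \
        -CAkey "$dir/CA.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/mysite.crt" 2>/dev/null

    # 3. Client: key, CSR, CA-signed certificate and the PKCS#12 bundle for the browser.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
        -subj "/C=HR/O=FESB Lab/CN=student01"
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -days 999 -in "$dir/client.csr" -CA "$dir/CA.crt" \
        -CAkey "$dir/CA.key" -CAcreateserial -extfile "$dir/client.ext" \
        -out "$dir/client.crt" 2>/dev/null
    openssl pkcs12 -export -passout pass:qwerty -in "$dir/client.crt" \
        -inkey "$dir/client.key" -certfile "$dir/CA.crt" -out "$dir/clientcert.p12"
}

# Pre-flight checks before the files go into Apache's conf folder. Returns 0 only
# if every check passes; otherwise names the failing check and returns 1.
verify_lab_pki() {
    dir="$1"
    # Both leaf certificates must chain to CA.crt, the file Apache is told to trust.
    openssl verify -CAfile "$dir/CA.crt" "$dir/mysite.crt" >/dev/null 2>&1 \
        || { echo "server certificate does not chain to CA.crt" >&2; return 1; }
    openssl verify -CAfile "$dir/CA.crt" "$dir/client.crt" >/dev/null 2>&1 \
        || { echo "client certificate does not chain to CA.crt" >&2; return 1; }
    # The server key must belong to the server certificate (identical public key).
    [ "$(openssl x509 -in "$dir/mysite.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/mysite.key" -pubout)" ] \
        || { echo "mysite.key does not match mysite.crt" >&2; return 1; }
    # The server certificate must carry both names used in Task 1.8.
    openssl x509 -in "$dir/mysite.crt" -noout -text | grep -q 'DNS:localhost' \
        || { echo "subjectAltName lacks DNS:localhost" >&2; return 1; }
    openssl x509 -in "$dir/mysite.crt" -noout -text | grep -q 'IP Address:127.0.0.1' \
        || { echo "subjectAltName lacks IP:127.0.0.1" >&2; return 1; }
    # The PKCS#12 bundle must open with the export passphrase the student will type.
    openssl pkcs12 -in "$dir/clientcert.p12" -passin pass:qwerty -info -noout >/dev/null 2>&1 \
        || { echo "clientcert.p12 does not open with the export passphrase" >&2; return 1; }
    return 0
}
```

Usage: `build_lab_pki ./lab-pki && verify_lab_pki ./lab-pki`, then copy CA.crt, mysite.crt and mysite.key into the Apache conf folder as in Task 1.7 and import clientcert.p12 into the browser as in Task 1.8.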
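A pre-flight check for the httpd-ssl.conf directives of Task 1.7, added here as an example (not code from the exercise or from the Apache project): check_ssl_conf reads the directives from a configuration fragment, confirms that the three referenced files exist, that SSLCertificateKeyFile really is the key of SSLCertificateFile, that the server certificate chains to SSLCACertificateFile, and that SSLEngine and SSLVerifyClient are set as the lab requires. write_sample_conf writes a constructed fragment mirroring steps 3(a)-(f); the SSLProtocol line in it is an addition of this example (TLSv1.3 needs httpd 2.4.36 or later), and SSLOptions +StdEnvVars is what lets server-side code read the client's subject DN from the SSL_CLIENT_S_DN variable. Function names and the file paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the lab hand-out or the Apache project: a
# pre-flight checker for the mod_ssl directives configured in Task 1.7.
# Function names and sample paths are constructed for this example.
set -u

# Print the argument of the first occurrence of a directive, without quotes.
# $1 = conf file, $2 = directive name
conf_value() {
    awk -v d="$2" '$1 == d {
        sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); gsub(/"/, ""); print; exit
    }' "$1"
}

# Returns 0 if the configuration is consistent, otherwise reports the problem
# and returns 1. $1 = path to the httpd-ssl.conf fragment.
check_ssl_conf() {
    conf="$1"
    cert=$(conf_value "$conf" SSLCertificateFile)
    key=$(conf_value "$conf" SSLCertificateKeyFile)
    ca=$(conf_value "$conf" SSLCACertificateFile)
    engine=$(conf_value "$conf" SSLEngine)
    verify=$(conf_value "$conf" SSLVerifyClient)

    [ "$engine" = "on" ] \
        || { echo "SSLEngine is '${engine:-unset}', expected 'on'" >&2; return 1; }
    for f in "$cert" "$key" "$ca"; do
        [ -n "$f" ] && [ -r "$f" ] \
            || { echo "missing or unreadable file: '$f'" >&2; return 1; }
    done
    # Key/certificate match: the public key in both must be identical.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "SSLCertificateKeyFile does not match SSLCertificateFile" >&2; return 1; }
    # The server certificate must chain to the CA that clients are told to trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "SSLCertificateFile does not chain to SSLCACertificateFile" >&2; return 1; }
    # The lab requires client certificates; 'optional' or 'none' silently disables that.
    [ "$verify" = "require" ] \
        || { echo "SSLVerifyClient is '${verify:-unset}', expected 'require'" >&2; return 1; }
    echo "ssl configuration checks passed"
}

# Writes a constructed fragment mirroring steps 3(a)-(f) of Task 1.7.
# $1 = output path, $2 = cert, $3 = key, $4 = CA file, $5 = SSLVerifyClient value
write_sample_conf() {
    cat > "$1" <<EOF
Listen 443
<VirtualHost _default_:443>
    ServerName localhost:443
    SSLEngine on
    # Addition of this example: refuse SSLv3/TLS 1.0/1.1 (TLSv1.3 needs httpd 2.4.36+).
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile "$2"
    SSLCertificateKeyFile "$3"
    # Deprecated since httpd 2.4.8 (intermediates may follow the leaf in SSLCertificateFile).
    SSLCertificateChainFile "$4"
    SSLCACertificateFile "$4"
    SSLVerifyClient $5
    SSLVerifyDepth 2
    # Exposes SSL_CLIENT_S_DN and friends to scripts (e.g. PHP) as environment variables.
    SSLOptions +StdEnvVars
</VirtualHost>
EOF
}
```

Usage: `check_ssl_conf /path/to/httpd-ssl.conf` after copying the files in step 1; the chain check is the one that catches the classic mistake of pointing SSLCACertificateFile at a different CA than the one that signed mysite.crt.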
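The name-match question behind steps 15 and 16 of Task 1.8, reproduced offline as an added example (not code from the exercise): issue_test_cert creates two self-signed test certificates with Common name localhost, one without a subjectAltName as in the lab and one with DNS:localhost plus IP:127.0.0.1, and name_check applies OpenSSL's hostname and IP matching rules to each. An IP address in the URL is only ever matched against an iPAddress entry in the subjectAltName, never against the Common name, which is why https://127.0.0.1 warns even when https://localhost does not; OpenSSL still falls back to the Common name for DNS names when no SAN is present, whereas current browsers ignore the Common name altogether and need the SAN in both cases. The -addext option requires OpenSSL 1.1.1 or later; function and file names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the lab hand-out: certificate name matching for the
# two addresses used in Task 1.8. Directory and file names are constructed here.
set -u

# $1 = output dir, $2 = "plain" (Common name only, as in the lab) or "san"
issue_test_cert() {
    case "$2" in
        san)   ext="-addext subjectAltName=DNS:localhost,IP:127.0.0.1" ;;
        plain) ext="" ;;
        *)     return 2 ;;
    esac
    # $ext is deliberately unquoted so that it expands to two words (or none).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$1/$2.key" -out "$1/$2.crt" $ext 2>/dev/null
}

# Prints "match" or "mismatch". $1 = cert, $2 = "host" or "ip", $3 = name.
# -verify_hostname / -verify_ip make openssl verify apply the same name rules a
# TLS client does: an IP address only matches an iPAddress SAN entry.
name_check() {
    if [ "$2" = ip ]; then opt=-verify_ip; else opt=-verify_hostname; fi
    if openssl verify -CAfile "$1" "$opt" "$3" "$1" >/dev/null 2>&1; then
        echo match
    else
        echo mismatch
    fi
}

# Summarises the four cases the lab asks about as host-result:ip-result per certificate.
lab_name_matrix() {
    dir="$1"
    issue_test_cert "$dir" plain && issue_test_cert "$dir" san || return 1
    plain="$(name_check "$dir/plain.crt" host localhost):$(name_check "$dir/plain.crt" ip 127.0.0.1)"
    san="$(name_check "$dir/san.crt" host localhost):$(name_check "$dir/san.crt" ip 127.0.0.1)"
    echo "plain=$plain san=$san"
}
```

Running `lab_name_matrix ./name-test` prints `plain=match:mismatch san=match:match`: the lab's Common-name-only certificate passes for localhost but fails for 127.0.0.1, and adding the subjectAltName is the fix that removes the warning in step 16 without touching the trust store.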