University of Split, FESB, Croatia

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

Keywords: digital signatures, public-key certificates, managing certificates

M. Čagalj, T. Perković
{mcagalj, toperkov}@fesb.hr

June, 2014
FESB Computer and Data Security Course

1 Introduction

Whenever you visit an SSL protected page, your browser usually checks the identity of the remote site by checking its certificate. In this exercise we will show how to integrate public-key certificates with a web server so as to enable secure SSL/TLS sessions. Our goal is to set up the system (client, server, certificates, SSL/TLS server) such that an end user does not receive certificate warning messages such as the one shown in Figure 1.

Figure 1: A warning message that informs a user about potential problems with a digital certificate presented by a web server.

We will also show how the remote site can check your identity using a previously issued certificate, called an SSL client-side certificate. To accomplish our goal we will use the following software: XCA or OpenSSL (for key and certificate (X.509) management), Apache (web server) and PHP.

NOTE: Before proceeding with this exercise, please make sure that XCA, OpenSSL, the Apache web server and PHP are all installed on your machine.

Task 1.2. Creating a Certification Authority (CA) using XCA

In this task, we will first create a CA. The role of the CA is to issue public-key certificates to end entities (e.g., our web server). In other words, the CA digitally signs the public key of a web server and embeds it into the server's certificate. The CA uses its private key for signing. In practice, the CA certificate manager (a certificate server) should be installed on a secure machine (potentially disconnected from the network); the CA's private key should be kept highly secure. The CA also issues a self-signed public-key certificate, whereby the CA digitally signs its own public key. This certificate is distributed, in a secure way (the integrity of the CA's certificate must be protected), to all users who rely on certificates issued by the CA to verify the authenticity of a certificate holder (e.g., a web server).
Figure 2: X Certificate and Key management application.

1. Open XCA and click the New Certificate button to start the X.509 certificate creation procedure (Figure 2).

2. Make sure that you select SHA-1 as the Signature algorithm; the default algorithm is SHA-256, which is not supported by some Windows-based operating systems. Also, select the CA template for this certificate (we are creating a CA).

3. Select the Subject tab and fill in the fields such as Internal name, Country code, etc. with appropriate values (for an example please refer to Figure 3). Generate a new private key by clicking on the Generate a new key button. Note that this is the signing key of the CA.

Figure 3: Creating an X.509 certificate for the CA.
4. Select the Extensions tab and set the Type of the certificate to Certification Authority (see Figure 3). Click OK to finish the certificate creation procedure. You can check the details of the created CA certificate by double-clicking on it in the main XCA window under the Certificates tab.

Task 1.3. Creating a Web Server Certificate

In this task we create a public-key certificate for a web server. This certificate will be digitally signed by the previously created Certification Authority (CA).

1. Again, click the New Certificate button in the main XCA window. Select the Source tab and configure the web server certificate properties as follows. Check Use this Certificate for signing and set it to the name of the CA created in the previous task. Set the Signature algorithm to SHA-1 and choose the HTTPS server template from the list of available templates (Figure 5).

Figure 4: Creating an X.509 certificate for the Web Server.

2. Select the Subject tab and fill in the available fields appropriately (Figure 4). It is particularly important that you set the Common name value to localhost. This will be the IP address (or the corresponding URL) of your web server. Finally, generate a new private key for the web server certificate by clicking Generate a new key.

3. Optionally, under the Extensions tab you may want to set the type to End Entity. Click OK to finish the certificate creation procedure.
Task 1.4. Creating a Client Certificate

In this task we create a public-key certificate for a client. This certificate will also be digitally signed by the previously created Certification Authority (CA).

1. Again, click the New Certificate button in the main XCA window. Select the Source tab and configure the client certificate properties as follows. Check Use this Certificate for signing and set it to the name of the CA created in Task 1.2. Set the Signature algorithm to SHA-1 and choose the HTTPS client template from the list of available templates (Figure 5).

Figure 5: Creating an X.509 certificate for the client.

2. Select the Subject tab and fill in the available fields appropriately (Figure 5). It is particularly important that you set the Common name value to your client name (e.g., User ID). This can be, for example, a username. If it is not set, or if this value does not correspond to the username, your web browser will give you a warning message about this mismatch each time you try to establish a secure (SSL/TLS) session with this server. Finally, generate a new private key for the client certificate by clicking Generate a new key.

3. Optionally, under the Extensions tab you may want to set the type to End Entity. Click OK to finish the certificate creation procedure.

Task 1.5. Exporting Certificates

In this task, we will export the certificates created in the previous tasks, that is, the CA public-key certificate (without the private key), the web server public-key certificate including its private key, as well as the client public-key certificate with its private key.
1. Open the Certificates tab in the main XCA window. Select the certificate that belongs to the CA and click Export. Select a destination and filename where you want to store the certificate and click OK.

2. Repeat the previous step, but now export the public-key certificate of the web server and the client certificate.

3. Finally, we export the private keys of the web server and of the client. To accomplish this, open the Private Keys tab and select the private key of the web server. The Key export window pops up. Check the box Export the private part of the Key too and uncheck Encrypt the Key with a password. In a similar fashion, export the private key of the client.

4. After exporting the public-key certificate and private key for the client, we need to convert the client certificate to PKCS#12 for import into the browser. To accomplish this you can use OpenSSL as explained in the following section.

Task 1.6. Creating a CA, an SSL Server and an SSL Client Certificate Using OpenSSL

We can also create and export all the previously created public-key certificates (CA, SSL server and SSL client) using OpenSSL. To accomplish this, open the Command Prompt (press Windows + R, then type cmd) and navigate to the OpenSSL directory (e.g., type cd C:\OpenSSL-Win32\bin).
To create the CA, follow these steps:

    # Create CA private key
    openssl genrsa -des3 -passout pass:qwerty -out CA.key 2048

    # Remove passphrase
    openssl rsa -passin pass:qwerty -in CA.key -out CA.key

    # Create CA self-signed certificate
    openssl req -new -x509 -days 999 -key CA.key -out CA.crt

After that, we create an SSL server certificate following these steps:

    # Create private key for the localhost server
    openssl genrsa -des3 -passout pass:qwerty -out mysite.key 2048

    # Remove passphrase
    openssl rsa -passin pass:qwerty -in mysite.key -out mysite.key

    # Create CSR for the mysite server
    openssl req -new -key mysite.key -out localhost.csr

    # Create certificate for the localhost server
    # (openssl ca uses the CA database configured in openssl.cnf; by default the
    # ./demoCA directory with index.txt, serial and newcerts/ must already exist)
    openssl ca -days 999 -in localhost.csr -out localhost.crt -keyfile CA.key -cert CA.crt -policy policy_anything

In the same vein, the SSL client certificate is created:
    # Create private key for a client
    openssl genrsa -des3 -passout pass:qwerty -out client.key 2048

    # Remove passphrase
    openssl rsa -passin pass:qwerty -in client.key -out client.key

    # Create CSR for the client
    openssl req -new -key client.key -out client.csr

    # Create client certificate
    openssl ca -days 999 -in client.csr -out client.crt -keyfile CA.key -cert CA.crt -policy policy_anything

At the end, export the SSL client certificate to PKCS#12 format:

    # Export the client certificate to PKCS#12 for import in the browser
    openssl pkcs12 -export -passout pass:qwerty -in client.crt -inkey client.key -certfile CA.crt -out clientcert.p12

We can see that all the required certificates have been created and exported within the OpenSSL folder (e.g., C:\OpenSSL-Win32\bin).

Task 1.7. Configuring Apache Web Server

Figure 6: Apache web server console.

1. To configure the Apache Web Server, we will need the CA.crt and mysite.crt public-key certificates as well as the private key mysite.key. Copy these certificates and keys into the conf folder of the Apache Web Server (e.g., C:\Web Server\Apache2\conf).

2. Edit httpd.conf (e.g., placed within the C:\Web Server\Apache2\conf folder) and uncomment:
    LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-ssl.conf

3. Edit httpd-ssl.conf (e.g., placed within the C:\Web Server\Apache2\conf\extra folder) and verify that the following holds:

    (a) SSLCertificateFile "C:/Web Server/Apache2/conf/mysite.crt"
    (b) SSLCertificateKeyFile "C:/Web Server/Apache2/conf/mysite.key"
    (c) SSLCertificateChainFile "C:/Web Server/Apache2/conf/CA.crt"
    (d) SSLCACertificateFile "C:/Web Server/Apache2/conf/CA.crt"
    (e) SSLVerifyClient require
    (f) SSLVerifyDepth 2

4. Start/Restart the Apache server.

5. Finally, create a simple HTML file and name it index.html. Copy this file to the htdocs/ subdirectory in the Apache Web Server directory. Overwrite any existing index.html file.

Task 1.8. Testing Your Configuration

In this task we will install the client public-key certificate in the browser and test our configuration. To accomplish this goal in the Chrome browser, we place the client public-key certificate in the Personal certificates store. Here are the steps to install the client public-key certificate:

1. Click the Chrome menu on the browser toolbar.
2. Select Settings.
3. Click Show advanced settings.
4. In this window find the Certificates snap-in. Select it and click Add.
5. Go to the HTTPS/SSL section to manage your SSL certificates and settings.
6. Click Manage Certificates.
7. Click on the Personal tab and select Import....
8. Click Next, then select the client's .p12 file and click Next again.
9. Enter the password created while exporting the client public-key certificate to PKCS#12.
10. The next step in the wizard should indicate that the certificate will be placed in the Personal certificates store. If so, click Next. If not, fix it.
11. Click Finish.

12. Open a web browser and enter the following address in the address bar: https://localhost. Do you get any warning message? Which one? Can you explain why you get it?

13. We would like to eliminate this warning message. What can we do in this regard?

14. Recall that the CA has digitally signed the web server public-key certificate. So if our web browser had access to the CA certificate (i.e., if it trusted this certificate), the web browser could successfully verify the digital signature in the web server certificate and would not report any warning messages. To accomplish this goal in the Chrome browser, we place the CA's certificate in the Trusted Root Certification Authorities store. Here are the steps to install the CA's certificate:

    (a) Click the Chrome menu on the browser toolbar.
    (b) Select Settings.
    (c) Click Show advanced settings.
    (d) In this window find the Certificates snap-in. Select it and click Add.
    (e) Go to the HTTPS/SSL section to manage your SSL certificates and settings.
    (f) Click Manage Certificates.
    (g) Click on the Trusted Root Certification Authorities tab and select Import....
    (h) Click Next, then select the CA's .cer file and click Next again.
    (i) The next step in the wizard should indicate that the certificate will be placed in the Trusted Root Certification Authorities store. If so, click Next. If not, fix it.
    (j) Click Finish.

15. Now that you have installed the CA certificate, try to access https://localhost again. Do you get any warning message?

16. Try to access the web server using the following address: https://127.0.0.1. Do you get any warning message? Please explain.