Solved

pgp openpgp gnupg Server

Posted on 2003-12-03
Last Modified: 2011-09-20
I am a home user but am a techie. I want to (for fun) be able to encrypt emails on my linux computer to/from windows systems. I need something to hold my public keys also. Lastly I am cheap :).

I will be running Redhat as an email server/web server and would like to give out certificates.

What should I use to provide a public key server and encryption to a Linux/M$ world?

Question by:TIMFOX123
5 Comments
 
Accepted Solution by TooKoolKris (earned 100 total points)

If your secure server is being accessed by the public at large, your secure server needs a certificate signed by a CA so that people who visit your website know that the website is owned by the organization who claims to own it. Before signing a certificate, a CA verifies that the organization requesting the certificate was actually who they claimed to be.

Most Web browsers that support SSL have a list of CAs whose certificates they automatically accept. If a browser encounters a certificate whose authorizing CA is not in the list, the browser asks the user to either accept or decline the connection. You can generate a self-signed certificate for your secure server, but be aware that a self-signed certificate does not provide the same functionality as a CA-signed certificate. A self-signed certificate is not automatically recognized by most Web browsers, and a self-signed certificate does not provide any guarantee concerning the identity of the organization that is providing the website. A CA-signed certificate provides both of these important capabilities for a secure server. If your secure server will be used in a production environment, you probably need a CA-signed certificate.

Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key.

You must be root to generate a key.

First, cd to the /etc/httpd/conf directory. Remove the fake key and certificate that were generated during the installation with the following commands:

rm ssl.key/server.key
rm ssl.crt/server.crt
 
Next, you need to create your own random key. Change to the /usr/share/ssl/certs directory, and type in the following command:

make genkey
 
Your system will display a message similar to the following:

umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
 
You now need to type in a passphrase. For best security, it should contain at least eight characters, include numbers and/or punctuation, and not be a word in a dictionary. Also, remember that your passphrase is case sensitive.

You will need to remember and enter this passphrase every time you start your secure server, so do not forget it.
 
Re-type the passphrase to verify that it is correct. Once you have typed it in correctly, /etc/httpd/conf/ssl.key/server.key, containing your key, is created.

Note that if you do not want to type in a passphrase every time you start your secure server, you will need to use the following two commands instead of make genkey to create the key.

Use the following command to create your key:

/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
 
Then use the following command to make sure the permissions are set correctly for the file:

chmod go-rwx /etc/httpd/conf/ssl.key/server.key
 
After you use the above commands to create your key, you will not need to use a passphrase to start your secure server.

Disabling the passphrase feature for your secure server is a security risk. It is NOT recommended that you disable the passphrase feature for the secure server. The problems associated with not using a passphrase are directly related to the security maintained on the host machine. For example, if an unscrupulous individual compromises the regular UNIX security on the host machine, that person could obtain your private key (the contents of your server.key file). The key could be used to serve Web pages that appear to be from your secure server.

If UNIX security practices are rigorously maintained on the host computer (all operating system patches and updates are installed as soon as they are available, no unnecessary or risky services are operating, and so on), the secure server's passphrase may seem unnecessary. However, since your secure server should not need to be re-booted very often, the extra security provided by entering a passphrase is a worthwhile effort in most cases.

The server.key file should be owned by the root user on your system and should not be accessible to any other user. Make a backup copy of this file and keep the backup copy in a safe, secure place. You need the backup copy because if you ever lose the server.key file after using it to create your certificate request, your certificate will no longer work and the CA will not be able to help you. Your only option would be to request (and pay for) a new certificate.

Once you have a key, make sure you are in the /usr/share/ssl/certs directory, and type the following command:

make testcert
 
You will see the following output, and you will be prompted for your passphrase (unless you generated a key without a passphrase):

umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key
-x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
 
After you enter your passphrase (or without a prompt if you created a key without a passphrase), you will be asked for more information. The computer's output and a set of inputs looks like the following (you will need to provide the correct information for your organization and host):

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US      
State or Province Name (full name) [Berkshire]:North Carolina
Locality Name (eg, city) [Newbury]:Raleigh
Organization Name (eg, company) [My Company Ltd]:My Company, Inc.
Organizational Unit Name (eg, section) []:Documentation
Common Name (your name or server's hostname) []:myhost.example.com
Email Address []:myemail@example.com
 
After you provide the correct information, a self-signed certificate will be created in /etc/httpd/conf/ssl.crt/server.crt. You will need to restart your secure server after generating the certificate with the following command:

/sbin/service httpd restart
 




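The key-and-certificate procedure from the accepted solution, as an added example that is not part of the original thread or of Red Hat's own tooling: it does the same steps with openssl commands directly instead of the make genkey / make testcert targets, on a current OpenSSL (1.1.1 or later), and then runs the checks a practitioner would before restarting httpd. The hostname, DN values and output directory are placeholders. Two deliberate departures from the output shown above: a 2048-bit key instead of 1024 (1024-bit RSA is no longer considered adequate), and the hostname placed in subjectAltName, which browsers check instead of the Common Name.

```shell
#!/bin/sh
# Added example, not from the original thread: the key + self-signed certificate
# steps of the accepted solution, done with plain openssl commands on a current
# OpenSSL (1.1.1 or later). Paths, hostname and DN values are placeholders.
set -eu

OUT=${OUT:-$(mktemp -d)}
KEY="$OUT/server.key"
CRT="$OUT/server.crt"
HOST=${HOST:-myhost.example.com}

# 1. Private key with no passphrase, so httpd can restart unattended; the post
#    explains what that trades away. 2048-bit RSA rather than the 1024 shown
#    in the thread. The umask runs in a subshell so it only covers the key.
make_key() {
    ( umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" )
    chmod 600 "$KEY"        # same effect as the post's chmod go-rwx
}

# 2. Self-signed certificate. -subj answers the DN prompts non-interactively;
#    -addext puts the hostname in subjectAltName, which browsers match against
#    instead of the Common Name.
make_cert() {
    openssl req -new -x509 -key "$KEY" -days 365 -sha256 \
        -subj "/C=US/ST=North Carolina/L=Raleigh/O=My Company Inc./OU=Documentation/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" \
        -out "$CRT"
}

# 3. Checks worth running before pointing httpd at the files.
key_perms() { ls -l "$KEY" | cut -c1-10; }      # expect -rw-------
cert_matches_key() {                            # cert's public key == key's public half
    [ "$(openssl x509 -in "$CRT" -noout -pubkey)" = "$(openssl pkey -in "$KEY" -pubout)" ]
}
cert_is_self_signed() {                         # issuer name hash == subject name hash
    [ "$(openssl x509 -in "$CRT" -noout -subject_hash)" = "$(openssl x509 -in "$CRT" -noout -issuer_hash)" ]
}
cert_has_san() { openssl x509 -in "$CRT" -noout -text | grep -q "DNS:$HOST"; }
cert_valid_now() { openssl x509 -in "$CRT" -noout -checkend 0 >/dev/null; }

make_key
make_cert
echo "key: $KEY ($(key_perms))"
openssl x509 -in "$CRT" -noout -subject -dates
```

To keep the passphrase-protected variant the post recommends, add -aes256 to the genpkey command; openssl will then prompt for the passphrase there, again at certificate creation, and every time httpd starts, exactly as described above. The cert_matches_key check is the one that catches the failure the post warns about: a certificate whose server.key has been lost or replaced will still parse, but its public key no longer matches the key httpd is loading.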
Author Comment by TIMFOX123
I will try this! You are a brainiac you know that Kris! I have some more questions but that will be later. The points will correspond :)

Assisted Solution by chicagoan (earned 100 total points)

Two separate things you're asking - regarding email:
As far as encrypting email using PKI, you don't need a certificate, all you need is a key pair.
Public keys can be posted openly on websites or emailed in plaintext.
Keyserver and certificate bring us to the realm of identity.
Public keys residing on keyserver can be signed by others and establish a 'ring of trust'.
If you know me and I sign Kris' key, you then can trust his key.
Two of the biggest keyservers are:
ldap://certserver.pgp.com
http://pgpkeys.mit.edu:11371

As Kris said regarding SSL, the same is true about email.
A certificate obtained from a Certificate Authority that is trusted by virtue of being a corporate entity with a reputation, like Thawte or Verisign, means that they have investigated the certificate holder and I can be reasonably sure of your identity.

While you can sign a certificate yourself, it's meaningless unless I already trust you and know it's you who issued the certificate.


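chicagoan's trust chain ("if you know me and I sign Kris' key, you then can trust his key"), as an added example that is not part of the original thread: three throwaway GnuPG keyrings stand in for three people. Alice certifies Bob's key; Tim certifies Alice's key and marks her a fully trusted introducer; GnuPG's own validity calculation then rates Bob's key as fully valid for Tim even though Tim never checked Bob's fingerprint himself. It assumes GnuPG 2.1 or later on the path; the names, addresses and temporary directories are invented for the demo, and the keys are generated without a passphrase only to keep the run non-interactive.

```shell
#!/bin/sh
# Added example, not from the original thread: chicagoan's "if you know me and
# I sign Kris' key, you can trust his key" played out with GnuPG (2.1 or later).
# Three throwaway keyrings stand in for three people; names, addresses and
# directories are made up for the demo.
set -eu

WORK=${WORK:-$(mktemp -d)}
ALICE="$WORK/alice"; BOB="$WORK/bob"; TIM="$WORK/tim"

# gpg against an isolated keyring, fully non-interactive. The demo keys have no
# passphrase; a real key gets one, and then --passphrase '' goes away.
g() {
    gh=$1; shift
    mkdir -p "$gh" && chmod 700 "$gh"
    gpg --homedir "$gh" --batch --yes --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Primary-key fingerprint of the key whose user id matches $2 in keyring $1.
fpr() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Validity GnuPG computes for that key in that keyring: '-' unknown,
# 'm' marginal, 'f' full, 'u' ultimate (the keyring owner's own key).
validity() {
    g "$1" --check-trustdb
    g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $2; exit}'
}

run_demo() {
    g "$ALICE" --quick-generate-key "Alice <alice@example.com>" default default never
    g "$BOB"   --quick-generate-key "Bob <bob@example.com>"     default default never
    g "$TIM"   --quick-generate-key "Tim <tim@example.com>"     default default never

    # Public keys travel in the clear: Bob hands his to Alice.
    g "$BOB"   --armor --export bob@example.com > "$WORK/bob.asc"
    g "$ALICE" --import "$WORK/bob.asc"
    # Alice checks Bob's fingerprint out of band, then certifies his key.
    g "$ALICE" --quick-sign-key "$(fpr "$ALICE" bob@example.com)"
    # Alice's key and Bob's key (now carrying Alice's signature) reach Tim,
    # e.g. via a keyserver or an e-mail attachment.
    g "$ALICE" --armor --export alice@example.com bob@example.com > "$WORK/from-alice.asc"
    g "$TIM"   --import "$WORK/from-alice.asc"

    BOB_BEFORE=$(validity "$TIM" bob@example.com)   # Tim trusts nobody yet

    # Tim knows Alice: he certifies her key and records full ownertrust for her
    # (ownertrust file format is fingerprint:level:, 5 = full, 6 = ultimate).
    g "$TIM" --quick-sign-key "$(fpr "$TIM" alice@example.com)"
    printf '%s:5:\n' "$(fpr "$TIM" alice@example.com)" | g "$TIM" --import-ownertrust

    ALICE_AFTER=$(validity "$TIM" alice@example.com)
    BOB_AFTER=$(validity "$TIM" bob@example.com)
    echo "Bob's key as seen by Tim: before=$BOB_BEFORE after=$BOB_AFTER (Alice: $ALICE_AFTER)"
}

run_demo
```

The keyservers named in the post only distribute a key and whatever signatures it carries; the trust decision (the ownertrust line Tim sets for Alice) always stays local to the person doing the verifying. With GnuPG's defaults a key becomes fully valid on one signature from a fully trusted key, or three signatures from marginally trusted keys.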
Author Comment by TIMFOX123
I am amazed at what little I knew on this. You guys have been great. I am going to check some of this out and soon close this thread. You have been great.

Expert Comment by TooKoolKris
Thanks for the compliments and good luck.