GopichandGadde asked:

Free Apache ssl certificate installation for a web portal
Hi,

My server is running RH 9 with Apache SSL, and one portal is running on the same server. When I type https://domainname.com/ it shows a "Security Alert" for the certificate. But my previous administrator created it for localhost. In that certificate, under the View Certificate tab, I found
Issued to  : localhost.localdomain
Issued by  : localhost.localdomain

My company is not in a position to buy a certificate from a CA. So I want to generate a free 128-bit encryption SSL certificate for my portal. Then, once anyone has installed the certificate on a system, the "Security Alert" won't be displayed again on that particular system.

Here I want step-by-step help: how do I generate a certificate for my domain name?
And where do I have to put it, so that the "Security Alert" is displayed with the domain name?

I posted the same under the Networking category but I didn't get a proper response.

Thanks to everyone who is helping on EE.

Regards
Gopichand
jlevie

All SSL certificates not issued by one of the recognized certificate authorities (Verisign, Thawte, etc.) will produce a "security warning" on a client browser. This is because the browser can't verify the authenticity of the certificate. So if you want that "Security Alert" to go away you'll have to purchase a certificate.
jlevie,

that is not completely true. You can sign your own certificate or get a free one from www.cacert.org, for example. In that case the user needs to install a root certificate in order to avoid the "Security Alert". For a limited number of controllable users that is OK. If you need to provide SSL for a larger user community, buying a certificate is definitely cheaper than providing them with help and support.
> So if you want that "Security Alert" to go away you'll have to purchase a certificate.
not really true.
If all clients have the root CA which signed the other one, there is no alert.
To generate your own SSL cert you can also use OpenSSL, but it's not quite easy to use.

or you can try JavaCA:
http://www.ofb.net/~jheiss/javaca/

If you don't want the "Security Alert", you have to import your CA certificate into your cert store.

How to import:
http://wasd.vsm.com.au/ht_root/other/faq/MSIE_CA_cert/
http://www.jensign.com/JavaScience/www/ImportCA/

Moreover, remember to choose your CN=<your_host_name> when generating CSR.
ASKER CERTIFIED SOLUTION
marko020397
This solution is only available to members.
All these descriptions solve the problem only on the server side; each reliable client (browser) still warns you about self-generated, self-signed certificates. It does this as long as the cert provided by the server is not signed by one of the trusted root CAs the browser knows. See my first comment also.
That's why you need to import the self-signed CA cert into the IE cert store.

> How to import:
http://wasd.vsm.com.au/ht_root/other/faq/MSIE_CA_cert/
http://www.jensign.com/JavaScience/www/ImportCA/
I know that, ahoffmann. You can see that I have warned GopichandGadde about the Security Alert too. It is the second comment in this thread.

If you properly create your certificate and also install the CA certificate in the browser, you won't get the Security Alert.
Agreed, you're all aware of the problem ;-)
Shame on me that I didn't read carefully.
But does anyone really want to import a whatever-signed root cert? I'd not do that, for obvious reasons.
GopichandGadde (ASKER)

Hi marko,

Your explanation is excellent. But I am poor at this OpenSSL.

This is a live server; 10 to 15 clients are connected, that's why I am asking for each and every step. Please don't mind.

My server OS is Red Hat Linux 9.

According to you I have to follow these steps:

1. I have to install the RPMs openssl and openssl-misc.
openssl-0.9.6b-35.7.i386.rpm is the RPM available with me.
2. CA.pl -newca    ==> for a new certificate
3. CA.pl -newreq  ==> for a certificate request, because mine is an Apache web server
After this, how can I create a certificate request from the web server?

On my server mod_ssl is installed.

In /etc/httpd/conf these files are created:
" ssl.crt, ssl.csr, ssl.key, ssl.prm, ssl.crl "

I applied this command to generate these files:
openssl req -newkey rsa:1024 -x509 -nodes -out cert.pem -keyout key.pem

It asked for all the details, which I provided.

In httpd.conf I changed the domain name; the page is not displaying...

Oh... tense...

One more piece of info from my server:

In /etc/httpd I find two files, key.pem & cert.pem,

and in /usr/share/ssl/ there is this file: cert.pem...
You don't create the certificate request from the server. CA.pl -newreq creates it.

You don't have to change settings in the Apache configuration. Just find out where Apache looks for the certificate files and replace those files with the newly created certificate and private key. Only if you don't want to overwrite the old keys, change the configuration to look for those files elsewhere.
I logged in as root and typed the command CA.pl -newreq
bash: CA.pl: command not found (I got this)

Do I have to install any RPM?

Thanks for your great help, Marko

Regards
Gopichand
Apparently you don't have the CA utility. Check for the openssl-misc package with "rpm -qa openssl-misc". See which openssl packages you have installed with "rpm -qa | grep openssl". List the contents of the installed package with "rpm -ql openssl-misc". See if CA.pl or CA.sh is in the list.

You can also use the utilities provided with Apache. Go to /etc/httpd/conf and type "make usage". You will get instructions on how to make certificates for Apache.
openssl-0.9.7a-2
openssl-devel-0.9.7a-2
mod_ssl-2.0.40-21.3


These are the only RPMs installed on my server.
I can install the RPM of openssl-misc. I downloaded openssl-misc-0.9.6-1.i386.rpm

Can I install this RPM and try out your commands?

Regards
Gopichand
Install the rpm with "rpm -i openssl-misc-0.9.6-1.i386.rpm" or "rpm -Uvh openssl-misc-0.9.6-1.i386.rpm".
Installed the RPM ==> rpm -i openssl-misc-0.9.6-1.i386.rpm

# CA.pl -newca
It asked for the CA file name... I provided ==> www.domainname.com

# CA.pl -newreq

It asked for all the details... for Common Name I provided www.domainname.com

After this I got the message below:
Please enter the following 'extra' attributes to be sent with your certificate request

I entered the password and company name...

For signing: # CA.pl -sign

It gives an error like:

Using configuration from /usr/share/ssl/openssl.cnf
unable to load CA private key
468:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: ANY PRIVATE KEY
Signed certificate is in newcert.pem

Hopefully the first file name I have to give is some name with our .com... please advise me here. It may help me.

Regards
Gopichand
Sorry, forgot to provide one more piece of info: while doing this process I didn't stop any service on my server.

httpd, sshd, mysql: all the services are running.

At newca give some other Common Name. This is the authority that will sign the certificate for www.domainname.com. When creating the CA you should also be asked to provide a password. When signing you must type in the CA password to access the CA's private key, which is used to sign the certificate request.

When you are able to finish the whole procedure without errors, place the certificate and key files where Apache uses them and then restart Apache.

Next time you will not need to create a CA. Just create a certificate request and sign it with the CA's private key.
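The three CA.pl steps discussed above (newca, newreq, sign), written out as plain openssl commands so each step runs non-interactively and can be checked. This is an added example, not code posted by anyone in the thread; the organisation name "Example Co", the host names www.domainname.com / domainname.com, the file names, the 825-day lifetime and the throwaway CA passphrase "ca-pass" are all assumptions. It also includes a check (pem_key_ok) for the "unable to load CA private key ... no start line" error quoted in the thread, which openssl prints when the file it was pointed at is not a PEM private key, or the passphrase for it is wrong. The server certificate gets a subjectAltName, which the browsers of that era did not need but current ones insist on.

```shell
#!/bin/sh
# Added example (not from the thread): CA.pl -newca / -newreq / -sign done
# with plain openssl. Assumed: names, file names and passphrase below.
set -eu

# Minimal req config so the result does not depend on the system openssl.cnf.
# The actual subject is passed with -subj on the command line.
write_config() {
    cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.domainname.com, DNS:domainname.com
EOF
}

# Step 1 (CA.pl -newca): passphrase-protected CA key and a self-signed CA
# certificate. Its CN must differ from the server's CN.
make_ca() {
    openssl genrsa -aes256 -passout pass:ca-pass -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$1/req.cnf" -extensions v3_ca \
        -key "$1/ca.key" -passin pass:ca-pass -sha256 -days 3650 \
        -subj "/O=Example Co/CN=Example Co Internal CA" -out "$1/ca.crt"
}

# Step 2 (CA.pl -newreq): server key without passphrase (httpd must start
# unattended) and a CSR whose CN is the name users type into the browser.
make_server_csr() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    chmod 600 "$1/server.key"
    openssl req -new -config "$1/req.cnf" -key "$1/server.key" -sha256 \
        -subj "/O=Example Co/CN=www.domainname.com" -out "$1/server.csr"
}

# Step 3 (CA.pl -sign): sign the CSR with the CA key. This is the step that
# needs the CA passphrase; v3_server adds the SAN and server-only key usage.
sign_server_cert() {
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -passin pass:ca-pass -CAcreateserial -days 825 -sha256 \
        -extfile "$1/req.cnf" -extensions v3_server -out "$1/server.crt" 2>/dev/null
}

# 0 when the file loads as a PEM private key under the given passphrase.
# An empty or wrong file gives "no start line", a wrong passphrase gives
# "bad decrypt": both are what CA.pl -sign reported as "unable to load CA
# private key".
pem_key_ok() {
    openssl rsa -noout -in "$1" -passin "pass:$2" >/dev/null 2>&1
}

# What a client that has imported ca.crt will conclude about server.crt.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Demo run in a scratch directory.
demo_dir=$(mktemp -d)
write_config "$demo_dir"
make_ca "$demo_dir"
make_server_csr "$demo_dir"
sign_server_cert "$demo_dir"
openssl x509 -noout -subject -issuer -in "$demo_dir/server.crt"
verify_chain "$demo_dir" && echo "server.crt verifies against ca.crt"
: > "$demo_dir/empty.key"
pem_key_ok "$demo_dir/empty.key" ca-pass || echo "empty.key: not a PEM private key (this is the CA.pl -sign failure)"
```

For Apache, server.key and server.crt are the files to drop into whatever paths ssl.conf's SSLCertificateKeyFile and SSLCertificateFile point at; ca.crt (never ca.key) is the file the 10 to 15 client machines import as a trusted root. Keep ca.key off the web server entirely once the signing is done.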
Now the first two steps execute fine.

When I tried # CA.pl -sign I got this error:

Using configuration from /usr/share/ssl/openssl.cnf
unable to load CA private key
503:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: ANY PRIVATE KEY
Signed certificate is in newcert.pem


What is the problem??
I told you. When signing the certificate you must access the CA's private key. You obviously didn't make the CA properly or didn't type in the right password to access the CA's private key.
If you're still frustrated, here's my script to build self-signed certs for a default Linux Apache 2.0 rpm setup.
This does not use the perl method, but instead the Apache-supplied makefile.

cd /etc/httpd/conf

# create key
make server.key

# create certificate request
make server.csr

# create self signed certificate
# make server.crt
# or for lifetime cert (9999 days is nearly 30 years)
/usr/bin/openssl req -new -key server.key -x509 -days 9999 -out server.crt

# disable passphrase on key
openssl rsa -in server.key -out server.key

# copy or move certs to directories referenced in /etc/httpd/conf.d/ssl.conf
cp server.key ssl.key
cp server.csr ssl.csr
cp server.crt ssl.crt

# give ownership to apache
chown -R apache ssl*

# verify processes are running
apachectl graceful
ps -fuapache

# check client response - open https://server... in browser
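Two checks that the makefile script above leaves out, as an added example that is not part of the post or of the Apache makefile: once "openssl rsa -in server.key -out server.key" has removed the passphrase, the key is plaintext, so it should be created with mode 0600 and left owned by root (httpd reads the key as root while loading its configuration, before switching to the apache user, so "chown -R apache" only widens who can read it); and before restarting httpd, confirm that the key and certificate in place actually belong together, which is the usual cause of httpd refusing to start after a cert has been swapped but the key has not. The host name www.domainname.com, the file names and the throwaway passphrase "key-pass" are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): passphrase removal done safely, plus a
# key/certificate match check. Assumed names and passphrase below.
set -eu

# Encrypted key plus self-signed certificate, mirroring the makefile flow.
# A tiny req config keeps this independent of the system openssl.cnf.
make_selfsigned() {
    openssl genrsa -aes256 -passout pass:key-pass -out "$1/server.key" 2048 2>/dev/null
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = www.domainname.com\n' > "$1/req.cnf"
    openssl req -new -x509 -config "$1/req.cnf" -key "$1/server.key" \
        -passin pass:key-pass -sha256 -days 825 -out "$1/server.crt"
}

# Same effect as "openssl rsa -in server.key -out server.key", but the plaintext
# copy is written under umask 077 and then moved over the original, so it is
# never readable by other users, not even briefly.
strip_passphrase() {
    (umask 077; openssl rsa -in "$1/server.key" -passin pass:key-pass \
        -out "$1/server.key.plain" 2>/dev/null)
    mv "$1/server.key.plain" "$1/server.key"
    chmod 600 "$1/server.key"
}

# A key and a certificate belong together iff they carry the same RSA modulus.
# Returns 0 on match, non-zero on mismatch or unreadable input.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Permission bits of a file as octal digits (GNU stat, then BSD stat).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Demo in a scratch directory: the right key matches, an unrelated key does not.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir"
strip_passphrase "$demo_dir"
echo "server.key mode: $(file_mode "$demo_dir/server.key")"
key_matches_cert "$demo_dir/server.key" "$demo_dir/server.crt" && echo "server.key matches server.crt"
openssl genrsa -out "$demo_dir/other.key" 2048 2>/dev/null
key_matches_cert "$demo_dir/other.key" "$demo_dir/server.crt" || echo "other.key does NOT match server.crt (httpd would refuse to start)"
```

Run key_matches_cert against the files ssl.conf actually points at, not the ones in the working directory, since the thread shows copies of cert.pem and key.pem scattered across /etc/httpd and /usr/share/ssl.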
As a note, the apache-ssl package for Debian, and possibly other OSes, has a script for doing this in a fairly straightforward manner as well.

On appropriate systems, check out:
/usr/bin/ssl-certificate

creating selfsigned certificate
replace it with one signed by a certification authority (CA)

enter your ServerName at the Common Name prompt

If you want your certificate to expire after x days call this program
with -days x
Using configuration from /usr/share/apache-ssl/ssleay.cnf
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to '/etc/apache-ssl/apache.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company; recommended) []:
Organizational Unit Name (eg, section) []:
server name (eg. ssl.domain.tld; required!!!) []:
Email Address []:

Easy enough for most... don't forget to restart apache-ssl afterwards :-)