Solved

Free Apache ssl certificate installation for a web portal

Posted on 2004-08-11
23
13,280 Views
Last Modified: 2011-04-14
Hi,

My server is running RH 9 with Apache SSL, and one portal runs on the same server. When I type https://domainname.com/ it shows a "Security Alert" about the certificate. But my previous administrator created it for localhost. In that certificate, under the view certificate tab, I found
Issued to  : localhost.localdomain
Issued by  : localhost.localdomain

My company is not in a position to buy a certificate from a CA. So I want to generate a 128-bit encryption free SSL certificate for my portal. Then, once anyone installs the certificate on a system, "Security Alert" won't be displayed again on that particular system.

Here I want step-by-step help: how do I generate a certificate for my domain name?
And where do I have to put it, to display "Security Alert" with the domain name?

I posted the same under the Networking category but I didn't get a proper response.

Thanks to everyone who is helping in EE.

Regards
Gopichand
0
Question by:GopichandGadde
23 Comments
 
LVL 40

Expert Comment

by:jlevie
All SSL certificates not issued by one of the recognized certificate authorities (Verisign, Thawte, etc.) will produce a "security warning" on a client browser. This is because the browser can't verify the authenticity of the certificate. So if you want that "Security Alert" to go away you'll have to purchase a certificate.
0
 
LVL 4

Expert Comment

by:marko020397
jlevie,

that is not completely true. You can sign your own certificate or get a free one from www.cacert.org, for example. In that case the user needs to install a root certificate in order to avoid "Security Alert". For a limited number of controllable users that is OK. If you need to provide SSL for a larger user community, buying a certificate is definitely cheaper than providing them with help and support.
0
 
LVL 51

Expert Comment

by:ahoffmann
> So if you want that "Security Alert" to go away you'll have to purchase a certificate.
Not really true.
If all clients have the root CA which signed the other one, there is no alert.
0
 
LVL 1

Expert Comment

by:justywong
To generate your own SSL cert you can also use OpenSSL, but it's not quite easy to use.

or you can try JavaCA:
http://www.ofb.net/~jheiss/javaca/

If you don't want the "Security Alert", you have to import your CA certificate into your cert store.

How to import:
http://wasd.vsm.com.au/ht_root/other/faq/MSIE_CA_cert/
http://www.jensign.com/JavaScience/www/ImportCA/

Moreover, remember to choose your CN=<your_host_name> when generating CSR.
0
 
LVL 4

Accepted Solution

by:
marko020397 earned 300 total points
You can create the certificate yourself. Apparently your previous administrator did that.

I am going to describe the procedure with OpenSSL. If you have Linux you will need to get openssl and the CA.pl or CA.sh script. In RedHat you can get them by installing the openssl and openssl-misc packages.

First you need to create a Certificate Authority (CA), which is authorised to sign certificates. Make a new CA with:

CA.pl -newca

Then you have to make a Certificate Request that will be signed by your newly created CA. If you have Windows and IIS you will make the certificate request in IIS. If you use Apache or a web server that doesn't create the certificate request by itself, you can create one with:

CA.pl -newreq

This command will put the certificate request into the file newreq.pem, on Linux usually in /etc/ssl. If you created the certificate request from the web server, you must put it in newreq.pem. Be careful with the values you put in the certificate request. CN must be your hostname (for instance www.domainname.com). Without http://. Just the domain name.

Signing the request is the last part before providing the certificate to the web server. Try this:

CA.pl -sign

This command will sign the certificate request, which must be in the file newreq.pem, and create the new file newcert.pem. newreq.pem and newcert.pem are both text files. In Windows just import newcert.pem and that's it. In Apache you will have to find the private key and the signed certificate, put them in separate files and then provide them to Apache. Apache will then ask for the private key's password every time you start it. To avoid this use the following command:

openssl rsa -in keyfile -out keyfile

I hope this helps.
0
 
LVL 51

Expert Comment

by:ahoffmann
All these descriptions solve the problem only on the server side; each reliable client (browser) still warns you about self-generated, self-signed certificates. It does this as long as the provided cert (from the server) is not signed by one of the trusted root CAs (the ones the browser knows). See my first comment also.
0
 
LVL 1

Expert Comment

by:justywong
That's why you need to import the self-signed CA cert into the IE cert store.

> How to import:
> http://wasd.vsm.com.au/ht_root/other/faq/MSIE_CA_cert/
> http://www.jensign.com/JavaScience/www/ImportCA/
0
 
LVL 4

Expert Comment

by:marko020397
I know that ahoffmann. You can see that I have warned GopichandGadde about Security Alert too. It is the second comment in this thread.

If you properly create your certificate and also install the CA certificate in the browser, you won't get Security Alert.
0
 
LVL 51

Expert Comment

by:ahoffmann
Agreed, you're all aware of the problem ;-)
Shame on me that I didn't read carefully.
But does anyone really want to import a whatever-signed root cert? I'd not do that, for obvious reasons.
0
 

Author Comment

by:GopichandGadde
Hi marko,

Your explanation is excellent. But I am poor at this OpenSSL.

This is a live server; 10 to 15 clients are connected, that's why I am asking about each and every step. Please don't mind.

My server OS is RedHat linux 9.

According to you I have to follow these steps:

1. I have to install the RPMs of openssl and openssl-misc.
openssl-0.9.6b-35.7.i386.rpm is the RPM I have available.
2. CA.pl -newca    ==> For the new certificate
3. CA.pl -newreq  ==> For the certificate request, because mine is an Apache web server
 After this, how can I create the certificate request from the web server?

In my server mod_ssl is installed.

Where in /etc/httpd/conf
" ssl.crt, ssl.csr, ssl.key, ssl.prm, ssl.crl "   these files are created

I applied this command to generate these files
openssl req -newkey rsa:1024 -x509 -nodes -out cert.pem -keyout key.pem

It asked for all the details, which I provided.

In httpd.conf I changed the domain name; the page is not displaying ...

oh ...tense ...

0
 

Author Comment

by:GopichandGadde
One more info from my server

In /etc/httpd I find two files ... key.pem & cert.pem

and in /usr/share/ssl/      this file is there   cert.pem ...
0
 
LVL 4

Expert Comment

by:marko020397
You don't create the certificate request from the server. CA.pl -newreq creates it.

You don't have to change settings in the Apache configuration. Just find out where Apache looks for the certificate files and replace those files with the newly created certificate and private key. Only if you don't want to overwrite the old keys, change the configuration to look for those files elsewhere.
0
 

Author Comment

by:GopichandGadde
I logged in as root and typed the command CA.pl -newreq
bash: CA.pl: command not found ( I got this )

Do I have to install any RPM?

Thanks for your great help Marko

Regards
Gopichand
0
 
LVL 4

Expert Comment

by:marko020397
Apparently you don't have CA utility. Check for openssl-misc package with "rpm -qa openssl-misc". See what openssl packages you have installed with "rpm -qa | grep openssl". List contents of installed package with "rpm -ql openssl-misc". See if CA.pl or CA.sh is in the list.

You can also use utilities provided with apache. Go to /etc/httpd/conf and type "make usage". You will get instructions how to make certificates for Apache.
0
 

Author Comment

by:GopichandGadde
openssl-0.9.7a-2
openssl-devel-0.9.7a-2
mod_ssl-2.0.40-21.3


These are the only RPMs installed on my server.
I can install the RPM of openssl-misc. I downloaded openssl-misc-0.9.6-1.i386.rpm

Can I install this RPM and try out your commands?

Regards
Gopichand
0
 
LVL 4

Expert Comment

by:marko020397
Install the rpm with "rpm -i openssl-misc-0.9.6-1.i386.rpm" or "rpm -Uvh openssl-misc-0.9.6-1.i386.rpm".
0
 

Author Comment

by:GopichandGadde
Installed RPM ==> rpm -i openssl-misc-0.9.6-1.i386.rpm

# CA.pl -newca
It asked for the CA file name; I provided ==> www.domainname.com

# CA.pl -newreq

It asked for all the details; in this, Common Name ==> www.domainname.com ( provided )

After this I got the message below:
Please enter the following 'extra' attributes to be sent with your certificate request

I entered the password and company name.

For signing: # CA.pl -sign

It gives an error like

Using configuration from /usr/share/ssl/openssl.cnf
unable to load CA private key
468:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: ANY PRIVATE KEY
Signed certificate is in newcert.pem

I guess for the first file name I have to give some name with our .com ... please advise me here. It may help me.

Regards
Gopichand
0
 

Author Comment

by:GopichandGadde
Sorry, I forgot to provide one more piece of info: while doing this process I didn't stop any service on my server.

HTTP, sshd, mysql, all the services are running.

0
 
LVL 4

Expert Comment

by:marko020397
At newca give some other Common Name. This is the authority that will sign the certificate for www.domainname.com. When creating the CA you should also be asked to provide a password. When signing you must type in the CA password to access the CA's private key, which is used to sign the certificate request.

When you are able to finish the whole procedure without errors, place the certificate and key files for Apache to use and then restart Apache.

Next time you will not need to create a CA. Just create a certificate request and sign it with the CA's private key.
0
 

Author Comment

by:GopichandGadde
Now the first two steps are executed fine.

When I tried # CA.pl -sign I got this error.

Using configuration from /usr/share/ssl/openssl.cnf
unable to load CA private key
503:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: ANY PRIVATE KEY
Signed certificate is in newcert.pem


What is the problem ??
0
 
LVL 4

Expert Comment

by:marko020397
I told you. When signing the certificate you must access the CA's private key. You obviously didn't properly make the CA, or didn't type in the right password to access the CA's private key.
0
 
LVL 10

Expert Comment

by:dennis_maeder
If you're still frustrated, here's my script to build self-signed certs for a default Linux Apache 2.0 rpm setup.
This does not use the Perl method, but instead the Apache-supplied makefile.

cd /etc/httpd/conf

# create key
make server.key

# create certificate request
make server.csr

# create self signed certificate
# make server.crt
# or for lifetime cert (9999 days is nearly 30 years)
/usr/bin/openssl req -new -key server.key -x509 -days 9999 -out server.crt

# disable passphrase on key
openssl rsa -in server.key -out server.key

# copy or move certs to directories referenced in /etc/httpd/conf.d/ssl.conf
cp server.key ssl.key
cp server.csr ssl.csr
cp server.crt ssl.crt

# give ownership to apache
chown -R apache ssl*

# verify processes are running
apachectl graceful
ps -fuapache

# check client response - open https://server... in browser
0
 

Expert Comment

by:darkphorm
As a note, the apache-ssl package for Debian (and possibly other OSes) has a script for doing this in a fairly straightforward manner as well.

On appropriate systems, check out:
/usr/bin/ssl-certificate

creating selfsingned certificate
replace it with one signed by a certification authority (CA)

enter your ServerName at the Common Name prompt

If you want your certificate to expire after x days call this programm
with -days x
Using configuration from /usr/share/apache-ssl/ssleay.cnf
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to '/etc/apache-ssl/apache.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company; recommended) []:
Organizational Unit Name (eg, section) []:
server name (eg. ssl.domain.tld; required!!!) []:
Email Address []:

Easy enough for most... don't forget to restart apache-ssl afterwards :-)
0
