Thursday, February 28, 2013

Ubuntu Linux – Apache and Self Signed Certificates

http://pinehead.tv/linux/ubuntu-linux-apache-and-self-signed-certificates


Whether on a desktop or server installation of Ubuntu, there will come a time when you may need to work with Apache and certificates. We will cover full certificates from Certificate Authorities (like Verisign or Entrust), as well as some of the ‘Open Source’ Certificate Authorities (read: free), in a later article. Today we discuss how to prepare Apache to answer HTTPS requests in its vhosts, including installing and configuring the pieces. Finally, we will install a self-signed certificate and access our system over HTTPS to verify it all works.

Assembling All the Pieces
The first thing we need to do (assuming that Apache 2 is already installed) is to make sure we have all the pieces. Let’s install the SSL package and module we need:
sudo apt-get install openssl
This will install the parts needed to generate our certificate and the module that apache needs to enable SSL support (NOTE: Apache 2 must be installed prior to running this command in order for the module to be installed in the proper location). Once that is installed, apache needs to be told to enable the module:
sudo a2enmod ssl
If this is the first time you have used apache’s shortcut scripts, you may not be familiar with the most common ones. You will want to know the following scripts when using apache in any Debian-based distribution (including Ubuntu):
  • a2enmod: Shortcut for ‘Available To Enabled Module’, takes an installed module and creates a link from ‘/etc/apache2/mods-available’ to ‘/etc/apache2/mods-enabled’ so that when apache is restarted, the module will be enabled in the live configuration
  • a2dismod: Shortcut for ‘Available to Disabled Module’, removes the link from ‘/etc/apache2/mods-enabled’ created when the module was enabled (see above), the module will then be disabled after apache is restarted
  • a2ensite: Shortcut for ‘Available to Enabled Site’, takes an installed site (vhost) and creates a link from ‘/etc/apache2/sites-available’ to ‘/etc/apache2/sites-enabled’ so that when apache is restarted, the site will be enabled in the live configuration
  • a2dissite: Shortcut for ‘Available to Disabled Site’, removes the link from ‘/etc/apache2/sites-enabled’ created when the site was enabled (see above), the site will then be disabled after apache is restarted
Generating the Certificate
Our module is installed and active (at least the next time we restart apache), so now we need to generate a certificate and note where the resulting files are placed. We will put our certificate files and keys in the most ‘standard’ locations, but they can be changed to whatever is appropriate in your circumstance, as long as you note where they are for our vhost setup later. First, we need to generate the ‘Certificate Request’ file:
[Screenshot: Creating Our Certificate Request]
As you can see, you will be asked for a number of pieces of information. During the generation and installation of a ‘Self Signed’ certificate, like we are installing, this information is unimportant. However, in our next article on the topic, it will be important since some of these items will generate the key embedded in your certificate and that is used by the Certificate Authority who issues the final certificate to validate your identity and secure your site. At this point, as you can see I did, you can put in almost anything you want.
A couple more things to complete the creation of our certificate and move the files into place. See the following screen shot:
[Screenshot: Creating Our Certificate and Moving Files]
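The two steps above (certificate request, then certificate and file placement) as an added example using the openssl command line; this is not the original author's commands, which appeared only in the screenshots. The function names, the 2048-bit RSA key, the CN-only subject and the 365-day validity are assumptions made for illustration; the install paths are the ones the vhost configuration in this article references.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, key size,
# subject and validity are assumptions chosen for illustration.

# make_self_signed DIR [CN] [DAYS]: write server.key, server.csr, server.crt to DIR.
make_self_signed() (
    out=$1; cn=${2:-localhost}; days=${3:-365}
    umask 077    # subshell only: the private key is created owner-readable only
    # 1. Private key (unencrypted, so Apache can start without a passphrase prompt).
    openssl genrsa -out "$out/server.key" 2048 2>/dev/null || exit 1
    # 2. Certificate request; -subj answers the interactive questions up front.
    openssl req -new -key "$out/server.key" -subj "/CN=$cn" \
        -out "$out/server.csr" || exit 1
    # 3. Sign the request with its own key: that is what "self-signed" means.
    openssl x509 -req -days "$days" -in "$out/server.csr" \
        -signkey "$out/server.key" -out "$out/server.crt" 2>/dev/null || exit 1
    chmod 644 "$out/server.crt" "$out/server.csr"
)

# key_matches_cert DIR: succeed only if server.key and server.crt hold the
# same public key (catches copying the wrong key next to a certificate).
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_fingerprint FILE: print the certificate's SHA-256 fingerprint.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# install_cert DIR: copy into the paths the vhost references (run as root).
install_cert() {
    install -m 644 "$1/server.crt" /etc/ssl/certs/server.crt &&
    install -m 600 "$1/server.key" /etc/ssl/private/server.key
}

# Typical use, as root:
#   d=$(mktemp -d) && make_self_signed "$d" localhost 365 &&
#   key_matches_cert "$d" && install_cert "$d" &&
#   cert_fingerprint /etc/ssl/certs/server.crt
```

Comparing the output of cert_fingerprint with the fingerprint in the browser's certificate details confirms that the warning you accept later is for your own certificate.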
Informing Our Web Server
A couple more steps and we are ready to test. We need to grab a vhost for apache to use for SSL requests and then we need to make some changes to it in order to use our key and certificate file. The easiest way to do this is to copy the following:
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/my-ssl
Then edit the ‘my-ssl’ file and be sure to add the following (comment out or remove existing entries if they are different than this):
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
NOTE: change the path for the certificate and/or key if you saved or named them something else in our earlier steps.
Finally, we need to restart apache so that the new virtual host is picked up:
sudo service apache2 restart
You can then go to your browser and enter ‘https://localhost’ to see your new certificate in action. You WILL get a browser security warning since this is a SELF SIGNED certificate and not issued by a Certificate Authority. This is normal and in our next article, we will cover installing a CA signed certificate which will fix that.
Final Thoughts
This will give your system a bit of extra security. For testing or local use, a self signed certificate is enough protection to secure basic authentication, database traffic or other web traffic from anyone sniffing your connection. Total time to implement this is about 20 minutes and is worth the effort.
Leave me a comment with any questions or problems and I will help out if I can.
