Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > Software - Troubleshooting and Discussion > macOS > How-To: SSL on OS X in 10 Minutes

How-To: SSL on OS X in 10 Minutes
Thread Tools
legacyb4
Mac Elite
Join Date: May 2001
Location: Vancouver
Status: Offline
Reply With Quote
Nov 29, 2004, 03:59 PM
 
In the interest of better data security when sharing data from my home computer, I thought it would be a good idea to enable a secure HTTPS connection from my visitors. I looked for an easy-to-understand walk-through which could get me up and running in a matter of minutes and not finding one, decided to create my own.

Requirements for this walk-thru:

- Basic familiarity with Terminal and use of 'sudo'
- BSD subsystem for openssl support
- Dynamic DNS hostname (I'm using a fictitious 'sslthis.dyndns.org' for tutorial purposes, substitute as needed)

The basic steps are:

1. Creating a Certificate Authority
2. Generating a Web Server Private Key
3. Generating a Web Server Certificate Request
4. Signing the Certificate Request
5. Creating a .conf File for Apache

Disclaimer: These are the basic steps necessary to get up and running; additional work should be done to check file/directory permissions on your certificates, etc. as I have not gone fine-combed my steps for locking things down and in no way should this be construed to be a final solution for creating a completely secure webserver.

STEP 1. CREATING A CERTIFICATE AUTHORITY

Open up Terminal and enter the following commands:
Code:
cd ~/Documents
This changes to your Documents folder in your Home directory; next, enter:
Code:
mkdir certs
This create a new directory called 'certs'; (you can name to whatever makes sense to you although non-spaced names are best)
Code:
/System/Library/OpenSSL/misc/CA.pl -newca
This runs the 'CA.pl' script that is part of the system to create a new Certificate Authority in the 'certs' directory

You will get the following output to the Terminal
Code:
CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key ..++++++.................................++++++ writing new private key to './demoCA/private/cakey.pem' Enter PEM pass phrase: (enter a new secure password) Verifying - Enter PEM pass phrase: (reenter the same password) ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.
As prompted, enter the information prompted for; the more meaningful you make it, the easier it is for people visiting your site to know that

they aren't getting a bad connection
Code:
----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []: sslthis.dyndns.org Email Address []
Once this step is completed, you will have a series of folder inside ~/Documents/certs that make up the necessary structure for a functioning

Certificate Authority.

Files/directories created so far:
Code:
~/Documents/certs ~/Documents/certs/demoCA ~/Documents/certs/demoCA/cacert.pem ~/Documents/certs/demoCA/certs ~/Documents/certs/demoCA/crl ~/Documents/certs/demoCA/index.txt ~/Documents/certs/demoCA/newcerts ~/Documents/certs/demoCA/private ~/Documents/certs/demoCA/serial
STEP 2. GENERATE A PRIVATE KEY FOR THE WEBSERVER

The next step will be to generate a private key for your webserver.

In the ~/Documents/certs directory, enter the following in Terminal:
Code:
openssl genrsa -des3 -out webserver.key 1024
This will generate an encrypted, private key called 'webserver.key'; use a meaningful name, no spaces.
Code:
Generating RSA private key, 1024 bit long modulus ....................................++++++ .....................++++++ e is 65537 (0x10001) Enter pass phrase for webserver.key: (enter a new secure password) Verifying - Enter pass phrase for webserver.key: (reenter the same password)
Next, you will have generate a non-password protected copy of the key for Apache so that it can start up without errors.
Code:
openssl rsa -in webserver.key -out webserver.nopass.key
This will generate a non-password protected copy of the private key you just generated.
Code:
Enter pass phrase for webserver.key: (enter the secure password created in step 2) writing RSA key
Files generated at this point:
Code:
~/Documents/certs/webserver.key ~/Documents/certs/webserver.nopass.key
3. GENERATE A CERTIFICATE REQUEST

The next step will be to generate a certificate request for your webserver based on the private key generated in step 2 in a format that can

be signed by the Certificate Authority created in step 1.

In the ~/Documents/certs directory, enter the following in Terminal (Return key after each entry):
Code:
openssl req -config /System/Library/OpenSSL/openssl.cnf -new -key webserver.key -out newreq.pem -days 3650
This will tell the system to generate a new certificate request 'newreq.pem' with the default 'openssl.conf' configuration file and using

'webserver.key' for a validity period of 10 years.
Code:
Enter pass phrase for webserver.key: (enter the secure password created in step 2) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:sslthis.dyndns.org Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: leave blank An optional company name []: leave blank
Files generated at this point
Code:
~/Documents/certs/newreq.pem
STEP 4. SIGNING THE CERTIFICATE REQUEST

The next step will be to sign the certificate request 'newreq.pem' with the Certificate Authority created in step 1.

In the ~/Documents/certs directory, enter the following in Terminal (Return key after each entry):
Code:
/System/Library/OpenSSL/misc/CA.pl -signreq
This will tell the system to sign the 'newreq.pem' file created in step 3.
Code:
Using configuration from /System/Library/OpenSSL/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: (enter the secure password created in step 1) Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Nov 29 04:00:05 2004 GMT Not After : Nov 27 04:00:05 2014 GMT Subject: countryName = as entered stateOrProvinceName = as entered localityName = as entered organizationName = as entered commonName = sslthis.dyndns.org emailAddress = as entered X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: X509v3 Authority Key Identifier: DirName: emailAddress= serial: Certificate is to be certified until Nov 27 04:00:05 2014 GMT (3650 days) Sign the certificate? [y/n]: (type y to confirm) 1 out of 1 certificate requests certified, commit? [y/n] (type y to confirm) Write out database with 1 new entries Data Base Updated Signed certificate is in newcert.pem
Files generated at this point:
Code:
~/Documents/certs/newcert.pem
After this is done, I moved all the files created (webserver.key, webserver.nopass.key, newreq.pem, newcert.pem) into a new subdirectory

'sslthis.dyndns.org' for keeping things nice and neat.
Code:
~/Documents/certs/sslthis.dyndns.org
STEP 5. BASIC SSL CONFIGURATION FILE

The last step will be to create a configuration file for Apache 'ssl.conf' in the '/etc/httpd/users'.

In the /etc/httpd/users directory, enter the following in Terminal (Return key after each entry):
Code:
sudo vi ssl.conf
Use any Terminal editor you want, if not 'vi' and enter following (make corrections for the file paths as needed):
Code:
<IfModule mod_ssl.c> Listen 80 Listen 443 SSLRandomSeed startup builtin SSLRandomSeed connect builtin <VirtualHost _default_:443> SSLEngine on ServerName sslthis.dyndns.org ServerAdmin youremailaddress ErrorLog /var/log/httpd/error_log SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /Users/YOURNAME/Documents/certs/sslthis.dyndns.org/newcert.pem SSLCertificateKeyFile /Users/YOURNAME/Documents/certs/sslthis.dyndns.org/webserver.nopass.key SSLCACertificateFile /Users/YOURNAME/Documents/certs/demoCA/cacert.pem SSLCARevocationPath /Users/YOURNAME/Documents/certs/demoCA/crl </VirtualHost> </IfModule>
You will also have to edit /etc/httpd/httpd.conf (don't forget to make a backup) by typing:
Code:
sudo vi /etc/httpd/httpd.conf
and uncommenting the following lines:
Code:
LoadModule ssl_module libexec/httpd/libssl.so AddModule mod_ssl.c
Once this is done, stop and start your webserver (from Terminal or System Preferences) and you should be good to go. Don't forget to enable

port forwarding for 443 TCP through your router and your OS X firewall (if enabled) for incoming connections.
Macbook (Black) C2D/250GB/3GB | G5/1.6 250GBx2/2.0GB
Free Mobile Ringtone & Games Uploader | Flickr | Twitter
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 04:09 PM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,