
How-To: SSL on OS X in 10 Minutes
Posted by legacyb4 (Mac Elite, Vancouver; member since May 2001), Nov 29, 2004, 03:59 PM
 
In the interest of better data security when sharing data from my home computer, I thought it would be a good idea to enable a secure HTTPS connection for my visitors. I looked for an easy-to-understand walk-through which could get me up and running in a matter of minutes and, not finding one, decided to create my own.

Requirements for this walk-through:

- Basic familiarity with Terminal and use of 'sudo'
- BSD subsystem for openssl support
- Dynamic DNS hostname (I'm using a fictitious 'sslthis.dyndns.org' for tutorial purposes, substitute as needed)

The basic steps are:

1. Creating a Certificate Authority
2. Generating a Web Server Private Key
3. Generating a Web Server Certificate Request
4. Signing the Certificate Request
5. Creating a .conf File for Apache

Disclaimer: These are the basic steps necessary to get up and running; additional work should be done to check file/directory permissions on your certificates, etc., as I have not fine-combed my steps for locking things down, and in no way should this be construed to be a final solution for creating a completely secure webserver.

STEP 1. CREATING A CERTIFICATE AUTHORITY

Open up Terminal and enter the following commands:
Code:
cd ~/Documents
This changes to your Documents folder in your Home directory; next, enter:
Code:
mkdir certs
cd certs
This creates a new directory called 'certs' and changes into it (you can name it whatever makes sense to you, although names without spaces are best). The 'cd' matters: CA.pl builds the Certificate Authority underneath whatever directory you run it from.
Code:
/System/Library/OpenSSL/misc/CA.pl -newca
This runs the 'CA.pl' script that ships with the system to create a new Certificate Authority in the 'certs' directory.

You will get the following output in the Terminal:
Code:
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++.................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: (enter a new secure password)
Verifying - Enter PEM pass phrase: (reenter the same password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Enter the information as prompted; the more meaningful you make it, the easier it is for people visiting your site to know that they aren't getting a bad connection.
Code:
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: sslthis.dyndns.org
Email Address []:
Once this step is completed, you will have a series of folders inside ~/Documents/certs that make up the necessary structure for a functioning Certificate Authority.

Files/directories created so far:
Code:
~/Documents/certs
~/Documents/certs/demoCA
~/Documents/certs/demoCA/cacert.pem
~/Documents/certs/demoCA/certs
~/Documents/certs/demoCA/crl
~/Documents/certs/demoCA/index.txt
~/Documents/certs/demoCA/newcerts
~/Documents/certs/demoCA/private
~/Documents/certs/demoCA/serial
STEP 2. GENERATE A PRIVATE KEY FOR THE WEBSERVER

The next step will be to generate a private key for your webserver.

In the ~/Documents/certs directory, enter the following in Terminal:
Code:
openssl genrsa -des3 -out webserver.key 1024
This generates an encrypted private key called 'webserver.key'; use a meaningful name with no spaces.
Code:
Generating RSA private key, 1024 bit long modulus
....................................++++++
.....................++++++
e is 65537 (0x10001)
Enter pass phrase for webserver.key: (enter a new secure password)
Verifying - Enter pass phrase for webserver.key: (reenter the same password)
Next, you will have to generate a copy of the key that is not password protected, so that Apache can start up without errors.
Code:
openssl rsa -in webserver.key -out webserver.nopass.key
This will generate a non-password protected copy of the private key you just generated.
Code:
Enter pass phrase for webserver.key: (enter the secure password created in step 2)
writing RSA key
Files generated at this point:
Code:
~/Documents/certs/webserver.key
~/Documents/certs/webserver.nopass.key
STEP 3. GENERATE A CERTIFICATE REQUEST

The next step will be to generate a certificate request for your webserver, based on the private key generated in step 2, in a format that can be signed by the Certificate Authority created in step 1.

In the ~/Documents/certs directory, enter the following in Terminal (Return key after each entry):
Code:
openssl req -config /System/Library/OpenSSL/openssl.cnf -new -key webserver.key -out newreq.pem -days 3650
This tells the system to generate a new certificate request, 'newreq.pem', using the default 'openssl.cnf' configuration file and 'webserver.key', for a validity period of 10 years.
Code:
Enter pass phrase for webserver.key: (enter the secure password created in step 2)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:sslthis.dyndns.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (leave blank)
An optional company name []: (leave blank)
Files generated at this point:
Code:
~/Documents/certs/newreq.pem
STEP 4. SIGNING THE CERTIFICATE REQUEST

The next step will be to sign the certificate request 'newreq.pem' with the Certificate Authority created in step 1.

In the ~/Documents/certs directory, enter the following in Terminal (Return key after each entry):
Code:
/System/Library/OpenSSL/misc/CA.pl -signreq
This will tell the system to sign the 'newreq.pem' file created in step 3.
Code:
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: (enter the secure password created in step 1)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 29 04:00:05 2004 GMT
            Not After : Nov 27 04:00:05 2014 GMT
        Subject:
            countryName               = as entered
            stateOrProvinceName       = as entered
            localityName              = as entered
            organizationName          = as entered
            commonName                = sslthis.dyndns.org
            emailAddress              = as entered
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
                DirName:
                emailAddress=
                serial:
Certificate is to be certified until Nov 27 04:00:05 2014 GMT (3650 days)
Sign the certificate? [y/n]: (type y to confirm)

1 out of 1 certificate requests certified, commit? [y/n] (type y to confirm)
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Files generated at this point:
Code:
~/Documents/certs/newcert.pem
After this is done, I moved all the files created (webserver.key, webserver.nopass.key, newreq.pem, newcert.pem) into a new subdirectory 'sslthis.dyndns.org' to keep things nice and neat.
Code:
~/Documents/certs/sslthis.dyndns.org
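Steps 1 to 4 above (CA, server key, request, signing) rolled into one non-interactive script, as an added example that is not from the original post. It calls the openssl command-line tool directly instead of CA.pl, uses 2048-bit keys where the post uses 1024, sets the validity period on the signing command (that is where -days takes effect; on a request it is ignored by the signer), adds the hostname as a subjectAltName (which current browsers check instead of the Common Name), restricts the key files to their owner, and finishes with the checks you want before pointing Apache at the files: that the certificate chains to the CA for the intended hostname, and that the certificate and the password-free key belong together. The hostname, subject fields and passphrases are constructed placeholders.

```shell
#!/bin/sh
# Added example: steps 1-4 of the post run non-interactively with the openssl
# command-line tool (no CA.pl).  Hostname, subject fields and passphrases are
# constructed placeholders; replace them before real use.

# setup_pki DIR HOST: private CA plus a server certificate for HOST, in DIR.
setup_pki() {
  dir=$1; host=$2
  capass="example-ca-passphrase"     # placeholder: CA key passphrase (step 1)
  keypass="example-key-passphrase"   # placeholder: server key passphrase (step 2)
  mkdir -p "$dir" || return 1

  # Step 1: CA key (encrypted under capass) and self-signed CA certificate
  openssl req -x509 -newkey rsa:2048 -keyout "$dir/cakey.pem" -passout "pass:$capass" \
    -out "$dir/cacert.pem" -days 3650 -subj "/C=CA/ST=BC/L=Vancouver/O=Home CA/CN=Home CA" \
    2>/dev/null || return 1

  # Step 2: encrypted server key, then the password-free copy Apache loads
  openssl genrsa -aes256 -passout "pass:$keypass" -out "$dir/webserver.key" 2048 2>/dev/null || return 1
  openssl rsa -in "$dir/webserver.key" -passin "pass:$keypass" -out "$dir/webserver.nopass.key" \
    2>/dev/null || return 1

  # Step 3: certificate request; the Common Name is the site's hostname
  openssl req -new -key "$dir/webserver.key" -passin "pass:$keypass" \
    -subj "/C=CA/ST=BC/L=Vancouver/O=Home/CN=$host" -out "$dir/newreq.pem" 2>/dev/null || return 1

  # Step 4: sign with the CA.  Validity is fixed here, not on the request.
  # Browsers match the hostname against subjectAltName, so add it there too.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
    -passin "pass:$capass" -CAcreateserial -days 3650 -extfile "$dir/ext.cnf" \
    -out "$dir/newcert.pem" 2>/dev/null || return 1

  # Private keys readable by their owner only (the permissions caveat in the post)
  chmod 600 "$dir/cakey.pem" "$dir/webserver.key" "$dir/webserver.nopass.key"
}

# verify_chain DIR HOST: succeeds if newcert.pem chains to cacert.pem and is
# valid for HOST (what a browser checks, apart from trusting the CA itself).
verify_chain() {
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/newcert.pem" >/dev/null 2>&1
}

# key_matches_cert DIR: succeeds if the password-free key's RSA modulus equals
# the certificate's; a mismatch here is a common reason Apache refuses to start.
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$1/newcert.pem" 2>/dev/null)
  k=$(openssl rsa -noout -modulus -in "$1/webserver.nopass.key" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# key_perms_ok FILE: succeeds if FILE is mode 0600 (owner read/write only).
key_perms_ok() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage: sh make_pki.sh ~/Documents/certs/sslthis.dyndns.org sslthis.dyndns.org
if [ "$#" -eq 2 ]; then
  setup_pki "$1" "$2" && verify_chain "$1" "$2" && key_matches_cert "$1" \
    && key_perms_ok "$1/webserver.nopass.key" && echo "certificate and keys ready in $1"
fi
```

The passphrases are written into the script only so that it runs unattended; in practice pass them with -passin/-passout from a file or prompt. Visitors will still see a warning until they import cacert.pem into their own trust store, since the CA is private.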
STEP 5. BASIC SSL CONFIGURATION FILE

The last step will be to create a configuration file for Apache, 'ssl.conf', in the '/etc/httpd/users' directory.

In the /etc/httpd/users directory, enter the following in Terminal (Return key after each entry):
Code:
sudo vi ssl.conf
Use any Terminal editor you want if not 'vi', and enter the following (correct the file paths as needed):
Code:
<IfModule mod_ssl.c>
    Listen 80
    Listen 443

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

    <VirtualHost _default_:443>
        SSLEngine on
        ServerName sslthis.dyndns.org
        ServerAdmin youremailaddress
        ErrorLog /var/log/httpd/error_log
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /Users/YOURNAME/Documents/certs/sslthis.dyndns.org/newcert.pem
        SSLCertificateKeyFile /Users/YOURNAME/Documents/certs/sslthis.dyndns.org/webserver.nopass.key
        SSLCACertificateFile /Users/YOURNAME/Documents/certs/demoCA/cacert.pem
        SSLCARevocationPath /Users/YOURNAME/Documents/certs/demoCA/crl
    </VirtualHost>
</IfModule>
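The SSLCipherSuite line above is the Apache default of its day and deserves a second look: ALL admits export-grade (EXP), LOW and RC4 ciphers as well as SSLv2, and the +LOW, +EXP and +eNULL entries name those classes explicitly (a leading '+' only reorders ciphers already selected; it is ALL that lets them in). The following added example, which is not part of the original post, flags weak keywords in a cipher string and prints a hardened pair of directives. SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder are real mod_ssl directives; the replacement cipher string is my suggestion for a later Apache/OpenSSL than the 2004 setup described here.

```shell
#!/bin/sh
# Added example: audit an Apache SSLCipherSuite string for keywords that name
# weak cipher classes, and print hardened directives for ssl.conf.

# weak_cipher_tokens STRING
# Prints, space separated, each keyword in STRING that selects no-encryption
# (eNULL/NULL), unauthenticated (aNULL/ADH/AECDH), export-grade, LOW, SSLv2,
# RC4, DES or MD5 ciphers.  Keywords prefixed with '!' or '-' remove ciphers,
# so they are skipped; a leading '+' only reorders and is stripped; 'a+b'
# selects ciphers matching both, so each part is examined.
weak_cipher_tokens() {
  out=""
  # OpenSSL accepts ':', ',' and space as separators
  for token in $(printf '%s\n' "$1" | tr ':,' '  '); do
    case $token in '!'*|'-'*) continue ;; esac
    token=${token#+}
    for part in $(printf '%s\n' "$token" | tr '+' ' '); do
      case $part in
        eNULL|NULL|aNULL|ADH|AECDH|EXP|EXPORT|EXPORT40|EXPORT56|LOW|SSLv2|RC4|DES|MD5)
          out="$out${out:+ }$part" ;;
      esac
    done
  done
  printf '%s\n' "$out"
}

# hardened_ssl_conf
# Prints replacement directives: no SSLv2/SSLv3, only HIGH-strength
# authenticated ciphers, and the server's preference order enforced.
hardened_ssl_conf() {
  cat <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!DES:!3DES:!MD5
SSLHonorCipherOrder on
EOF
}

# Usage: sh cipher_audit.sh 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
if [ "$#" -gt 0 ]; then
  echo "weak keywords: $(weak_cipher_tokens "$1")"
  echo "suggested replacement:"
  hardened_ssl_conf
fi
```

Run against the string from the ssl.conf above it reports RC4, LOW, SSLv2, EXP and eNULL; run against the replacement string it reports nothing, because every weak class there is excluded with '!'. The check is a keyword audit, not a substitute for 'openssl ciphers -v', which shows what a given OpenSSL build actually resolves a string to.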
You will also have to edit /etc/httpd/httpd.conf (don't forget to make a backup) by typing:
Code:
sudo vi /etc/httpd/httpd.conf
and uncommenting the following lines:
Code:
LoadModule ssl_module libexec/httpd/libssl.so
AddModule mod_ssl.c
Once this is done, stop and start your webserver (from Terminal or System Preferences) and you should be good to go. Don't forget to enable port forwarding for 443 TCP through your router, and to allow incoming connections on that port through the OS X firewall (if enabled).
     
   
 
All contents of these forums © 1995-2017 MacNN. All rights reserved.