Laboratory Exercises VI: SSL/TLS
-Configuring Apache Server
Keywords: digital signatures, public-key certificates, managing certificates
M. Čagalj, T. Perković
{mcagalj, toperkov}@fesb.hr
FESB Computer and Data Security Course 1
Introduction
Whenever you visit an SSL-protected page, your browser usually verifies the identity of the remote site by checking its certificate. In this exercise we will show how to integrate public-key certificates with a web server in order to enable secure SSL/TLS sessions. Our goal is to set up the system (client, server, certificates, SSL/TLS server) such that an end user does not receive certificate warning messages such as the one shown in Figure 1.
Figure 1: A warning message that informs a user about potential problems with a digital certificate presented by a web server.
We will also show how the remote site can check your identity using a previously issued certificate, called an SSL client-side certificate.
To accomplish our goal we will use the following software: XCA or OpenSSL (for key and certificate (X.509) management), the Apache web server, and PHP.
NOTE: Before proceeding with this exercise, please make sure that XCA, OpenSSL, Apache web server and PHP are all installed on your machine.
Task 1.2. Creating a Certification Authority (CA) using XCA
In this task, we will first create a CA. The role of the CA is to issue public-key certificates to end entities (e.g., our web server). In other words, the CA digitally signs the public key of a web server and embeds it into the server’s certificate. The CA uses its private key for signing. In practice, the CA certificate manager (a certificate server) should be installed on a secure machine (potentially disconnected from the network), and the CA’s private key should be kept highly secure.
The CA also issues a self-signed public-key certificate, whereby the CA digitally signs its own public key. This certificate is distributed, in a secure way (the integrity of the CA’s certificate must be protected), to all users who rely on certificates issued by the CA to verify the authenticity of a certificate holder (e.g., a web server).
Figure 2: X Certificate and Key management application.
1. Open XCA and click the “New Certificate” button to start X.509 certificate creation procedure (Figure 2).
2. Make sure that you select SHA-1 as the “Signature algorithm”; the default algorithm is set to SHA 256, which is not supported by some Windows-based operating systems. Also, select the CA template for this certificate (we are creating a CA).
3. Select the “Subject” tab and fill in the fields such as “Internal name”, “Country code”, etc. with appropriate values (for an example please refer to Figure 3). Generate a new private key by clicking on the “Generate a new key” button. Note that this is the signing key of the CA.
4. Select the “Extensions” tab and set the “Type” of the certificate to “Certification Authority” (see Figure 3). Click “OK” to finish the certificate creation procedure. You can check the details of the created CA certificate by double-clicking on it in the main XCA window under the “Certificate” tab.
Task 1.3. Creating a Web Server Certificate
In this task we create a public-key certificate for a web server. This certificate will be digitally signed by the previously created Certification Authority (CA).
1. Again, click the “New Certificate” button in the main XCA window. Select the “Source” tab and configure the web server certificate properties as follows. Check “Use this Certificate for signing” and set it to the name of the CA created in the previous task. Set the “Signature algorithm” to SHA-1 and choose “HTTPS server template” from the list of available templates (Figure 5).
Figure 4: Creating a X.509 certificate for the Web Server.
2. Select the “Subject” tab and fill in the available fields appropriately (Figure 4). It is particularly important that you set the “Common name” value to localhost. This must match the address (or the corresponding URL) under which your web server is reached. Finally, generate a new private key for the web server certificate by clicking “Generate a new key”.
3. Optionally, under the “Extensions” tab you may want to set the type to “End Entity”. Click “OK” to finish the certificate creation procedure.
Task 1.4. Creating a Client Certificate
In this task we create a public-key certificate for a client. This certificate will be also digitally signed by the previously created Certification Authority (CA).
1. Again, click the “New Certificate” button in the main XCA window. Select the “Source” tab and configure the client certificate properties as follows. Check “Use this Certificate for signing” and set it to the name of the CA created in the previous task. Set the “Signature algorithm” to SHA-1 and choose “HTTPS client template” from the list of available templates (Figure 5).
Figure 5: Creating a X.509 certificate for the client.
2. Select the “Subject” tab and fill in the available fields appropriately (Figure 5). It is particularly important that you set the “Common name” value to your client name (e.g., a User ID); this can be, for example, a username. If this value is not set, or does not correspond to the username, your web browser will give you a warning message about the mismatch each time you try to establish a secure (SSL/TLS) session with this server. Finally, generate a new private key for the client certificate by clicking “Generate a new key”.
3. Optionally, under the “Extensions” tab you may want to set the type to “End Entity”. Click “OK” to finish the certificate creation procedure.
Task 1.5. Exporting Certificates
In this task, we will export the certificates created in the previous tasks, that is, the CA public-key certificate (without the private key), the web server public-key certificate including its private key, as well as the client public-key certificate with its private key.
1. Open the “Certificates” tab in the main XCA window. Select the certificate that belongs to the CA and click “Export”. Select a destination and filename where you want to store the certificate and click “OK”.
2. Repeat the previous step but now export the public-key certificate of the web server and a client certificate.
3. Finally, we export the private key of the web server and of the client. To accomplish this, open the “Private Keys” tab and select the private key of the web server. The “Key export” window pops up. Check the box “Export the private part of the Key too” and uncheck “Encrypt the Key with a password”. In a similar fashion, export the private key of the client.
4. After exporting the public-key certificate and private key for the client, we need to convert the client certificate to PKCS#12 (.p12) format for import into the browser. To accomplish this you can use OpenSSL as explained in the following section.
Task 1.6. Creating a CA, an SSL Server and an SSL Client Certificate Using OpenSSL
We can also create and export all of the public-key certificates created above (CA, SSL server and SSL client) using OpenSSL. To accomplish this, open the Command Prompt (press the Windows + R keys, then type cmd) and navigate to the OpenSSL directory (e.g., type cd C:\OpenSSL-Win32\bin). To create the CA, follow these steps:

    # Create CA private key
    openssl genrsa -des3 -passout pass:qwerty -out CA.key 2048
    # Remove passphrase
    openssl rsa -passin pass:qwerty -in CA.key -out CA.key
    # Create CA self-signed certificate
    openssl req -new -x509 -days 999 -key CA.key -out CA.crt

After that, we create the SSL server certificate with the following steps:

    # Create private key for the localhost server
    openssl genrsa -des3 -passout pass:qwerty -out mysite.key 2048
    # Remove passphrase
    openssl rsa -passin pass:qwerty -in mysite.key -out mysite.key
    # Create CSR for the mysite server
    openssl req -new -key mysite.key -out localhost.csr
    # Create certificate for the localhost server
    openssl ca -days 999 -in localhost.csr -out localhost.crt -keyfile CA.key -cert CA.crt -policy policy_anything

The SSL client certificate is created in the same way:

    # Create private key for a client
    openssl genrsa -des3 -passout pass:qwerty -out client.key 2048
    # Remove passphrase
    openssl rsa -passin pass:qwerty -in client.key -out client.key
    # Create CSR for the client
    openssl req -new -key client.key -out client.csr
    # Create client certificate
    openssl ca -days 999 -in client.csr -out client.crt -keyfile CA.key -cert CA.crt -policy policy_anything

At the end, export the SSL client certificate to PKCS#12 format:

    # Export the client certificate to pkcs12 for import in the browser
    openssl pkcs12 -export -passout pass:qwerty -in client.crt -inkey client.key -certfile CA.crt -out clientcert.p12
All the required certificates and keys have now been created and exported within the OpenSSL folder (e.g., C:\OpenSSL-Win32\bin). To configure the Apache web server, we will need the CA.crt and mysite.crt public-key certificates as well as the private key mysite.key.
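The XCA steps in Tasks 1.2 to 1.5 and the OpenSSL commands above produce the same set of artifacts. The script below is an added example, not part of the original handout, that builds all of them non-interactively and then verifies them the way a browser would. It differs from the commands above in two ways worth knowing: it signs with openssl x509 -req instead of openssl ca, so it does not depend on the CA database (index.txt, serial, demoCA directory) that openssl ca expects to find via openssl.cnf, and it adds a subjectAltName extension (DNS:localhost, IP:127.0.0.1) that the commands above do not. The subject names, the output file names and the password qwerty are constructed lab values; a POSIX shell and an openssl command-line tool of version 1.1.0 or later are assumed.

```shell
#!/bin/sh
# Added example (not from the handout): build the lab PKI non-interactively and
# verify it. Assumes a POSIX shell and an openssl CLI (1.1.0 or later).
# Subject names, file names and the password 'qwerty' are constructed lab values.

make_lab_pki() {
  dir=$1
  mkdir -p "$dir"

  # CA key and self-signed CA certificate. The handout creates the key with a
  # passphrase and strips it again; generating it unencrypted gives the same
  # result. The extension file marks the certificate as a CA, which is what
  # lets a verifier accept it as the root of the chain.
  openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null
  openssl req -new -key "$dir/CA.key" -out "$dir/CA.csr" \
    -subj "/C=HR/O=FESB Lab/CN=FESB Lab CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl x509 -req -days 999 -in "$dir/CA.csr" -signkey "$dir/CA.key" \
    -extfile "$dir/ca.ext" -out "$dir/CA.crt" 2>/dev/null

  # Server key, CSR and CA-signed certificate. CN is 'localhost' as in Task 1.3;
  # the subjectAltName also lists 127.0.0.1, the second address used in Task 1.8.
  # 'openssl x509 -req' signs without the CA database that 'openssl ca' needs.
  openssl genrsa -out "$dir/mysite.key" 2048 2>/dev/null
  openssl req -new -key "$dir/mysite.key" -out "$dir/localhost.csr" \
    -subj "/C=HR/O=FESB Lab/CN=localhost" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost,IP:127.0.0.1\n' \
    > "$dir/server.ext"
  openssl x509 -req -days 999 -in "$dir/localhost.csr" \
    -CA "$dir/CA.crt" -CAkey "$dir/CA.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/localhost.crt" 2>/dev/null

  # Client key, CSR and certificate; CN is the user name the server will see (Task 1.4).
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
    -subj "/C=HR/O=FESB Lab/CN=student" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -days 999 -in "$dir/client.csr" \
    -CA "$dir/CA.crt" -CAkey "$dir/CA.key" -CAcreateserial \
    -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null

  # PKCS#12 bundle (certificate + private key + CA certificate) for the browser
  # import in Task 1.8; this is the same command the handout uses.
  openssl pkcs12 -export -passout pass:qwerty -in "$dir/client.crt" \
    -inkey "$dir/client.key" -certfile "$dir/CA.crt" -out "$dir/clientcert.p12"
}

# The checks a browser performs before it trusts the server: the certificate
# chains to CA.crt, it is valid for its purpose, and the name being visited
# matches it. Returns 0 only if all checks pass.
verify_lab_pki() {
  dir=$1
  openssl verify -CAfile "$dir/CA.crt" -purpose sslserver \
    -verify_hostname localhost "$dir/localhost.crt" >/dev/null &&
  openssl verify -CAfile "$dir/CA.crt" -purpose sslserver \
    -verify_ip 127.0.0.1 "$dir/localhost.crt" >/dev/null &&
  openssl verify -CAfile "$dir/CA.crt" -purpose sslclient "$dir/client.crt" >/dev/null
}

# Usage: sh make_lab_pki.sh ./lab-pki
if [ $# -gt 0 ]; then
  make_lab_pki "$1" && verify_lab_pki "$1" && echo "PKI in $1 verified OK"
fi
```

Run it as sh make_lab_pki.sh ./lab-pki; the resulting CA.crt, mysite.key, localhost.crt and clientcert.p12 play the roles of the files used in Tasks 1.7 and 1.8. The last verify call is the name check that browsers apply, which is why the example includes both localhost and 127.0.0.1 in the subjectAltName.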
Task 1.7. Configuring Apache Web Server
Figure 6: Apache web server console.
1. To configure the Apache web server, we will need the CA.crt and mysite.crt public-key certificates as well as the private key mysite.key. Copy these certificates and keys into the conf folder of the Apache web server (e.g., C:\Web Server\Apache2\conf).
2. Edit httpd.conf (e.g., placed within the C:\Web Server\Apache2\conf folder) and make sure that the following two lines are present and not commented out:

    LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-ssl.conf
3. Edit httpd-ssl.conf (e.g. placed within C:\Web Server\Apache2\conf\extra folder) and verify that the following holds:
(a) SSLCertificateFile "C:/Web Server/Apache2/conf/mysite.crt"
(b) SSLCertificateKeyFile "C:/Web Server/Apache2/conf/mysite.key"
(c) SSLCertificateChainFile "C:/Web Server/Apache2/conf/CA.crt"
(d) SSLCACertificateFile "C:/Web Server/Apache2/conf/CA.crt"
(e) SSLVerifyClient require
(f) SSLVerifyDepth 2
4. Start/Restart the Apache server.
5. Finally, create a simple HTML file and name it index.html. Copy this file to the “htdocs/” subdirectory of the Apache web server directory, overwriting any existing index.html file.
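Before restarting Apache in step 4, it helps to check the directives from step 3 the way Apache will read them, since a certificate that does not match its key, or a key file Apache cannot read, keeps the server from starting. The script below is an added example, not part of the original handout or of Apache: it reads the active (uncommented) SSLCertificateFile, SSLCertificateKeyFile, SSLCACertificateFile and SSLVerifyClient values from an httpd-ssl.conf, checks that the files exist, that the certificate and private key belong together, that the server certificate chains to the CA certificate, and that client verification is required. The conf path is passed as an argument; a POSIX shell and the openssl command-line tool are assumed, and the paths in the conf must be readable from the shell the script runs in.

```shell
#!/bin/sh
# Added example (not from the handout): pre-flight check of the mod_ssl
# directives from Task 1.7. Assumes a POSIX shell and the openssl CLI, and an
# httpd-ssl.conf whose directive values are paths this shell can read.

# Print the value of the first active (uncommented) directive $2 in conf $1,
# with surrounding double quotes removed. Commented-out lines such as
# '#SSLVerifyClient require' in the stock httpd-ssl.conf are ignored.
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1 \
    | sed 's/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//'
}

# Returns 0 if every check passes; prints one line per failed check.
check_ssl_conf() {
  conf=$1; rc=0
  crt=$(conf_value "$conf" SSLCertificateFile)
  key=$(conf_value "$conf" SSLCertificateKeyFile)
  ca=$(conf_value "$conf" SSLCACertificateFile)
  vc=$(conf_value "$conf" SSLVerifyClient)

  # Every referenced file must exist and be readable.
  for f in "$crt" "$key" "$ca"; do
    [ -n "$f" ] && [ -r "$f" ] || { echo "missing or unreadable file: '$f'"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1

  # A certificate/key mismatch is the most common reason Apache refuses to
  # start after Task 1.7: compare the public key embedded in the certificate
  # with the public key derived from the private key.
  if [ "$(openssl x509 -noout -pubkey -in "$crt")" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "SSLCertificateFile and SSLCertificateKeyFile do not match"; rc=1
  fi

  # The server certificate must chain to the CA certificate the browser will trust.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "server certificate does not verify against $ca"; rc=1; }

  # Client authentication must be switched on for the client-certificate part of the lab.
  [ "$vc" = "require" ] || { echo "SSLVerifyClient is '$vc', expected 'require'"; rc=1; }
  return $rc
}

# Usage: sh check_ssl_conf.sh /path/to/httpd-ssl.conf
if [ $# -gt 0 ]; then
  check_ssl_conf "$1" && echo "httpd-ssl.conf checks passed"
fi
```

Run it as sh check_ssl_conf.sh 'C:/Web Server/Apache2/conf/extra/httpd-ssl.conf' (forward slashes, as in the directives themselves); it prints one line per failed check and exits non-zero, so it can be run before every restart of the server.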
Task 1.8. Testing Your Configuration
In this task we will install the client public-key certificate in the browser and test our configuration. To accomplish this goal in the Chrome browser, we place the client public-key certificate in the Personal certificates store. Here are the steps to install the client public-key certificate:
1. Click the “Chrome menu” on the browser toolbar.
2. Select “Settings”.
3. Click “Show advanced settings”.
4. In this window find the “Certificates snap-in”. Select it and click “Add”.
5. Go to the “HTTPS/SSL” section to manage your SSL certificates and settings.
6. Click “Manage Certificates”.
7. Click on the “Personal” tab and select “Import...”.
8. Click “Next”, then select the client’s .p12 file and click “Next” again.
9. Enter the password created while exporting the client public-key certificate to PKCS#12.
10. The next step in the wizard should indicate that the certificates will be placed
11. Click “Finish”.
12. Open a web browser and enter the following address in the address bar: https://localhost .
12. Open a web browser and enter the following address in the address bar: https://localhost .
Do you get any warning message? Which one? Can you explain why you get it?
13. We would like to eliminate this warning message. What can we do in this regard?
14. Recall that the CA has digitally signed the web server public-key certificate. So if our web browser had access to the CA certificate (i.e., if it trusted this certificate), it could successfully verify the digital signature in the web server certificate and would not report any warning messages.
To accomplish this goal in a Chrome browser, we can place the CA’s certificate in the Trusted Root Certification Authorities directory. Here are the steps to install the CA’s certificate:
(a) Click the “Chrome menu” on the browser toolbar.
(b) Select “Settings”.
(c) Click “Show advanced settings”.
(d) In this window find the “Certificates snap-in”. Select it and click “Add”.
(e) Go to the “HTTPS/SSL” section to manage your SSL certificates and settings.
(f) Click “Manage Certificates”.
(g) Click on the “Trusted Root Certification Authorities” tab and select “Import...”.
(h) Click “Next”, then select the CA’s .cer file and click “Next” again.
(i) The next step in the wizard should indicate that the certificates will be placed in the “Trusted Root Certification Authorities” store. If so, click “Next”. If not, fix it.
(j) Click “Finish”.
15. Now that you have installed the CA certificate, try again to access https://localhost .
Do you get any warning message?
16. Try to access the web server using the following address: https://127.0.0.1 .