Posts Tagged ‘SSL’

Creating and signing certification requests using OpenSSL

In our previous tutorial about creating your own Certificate Authority, we introduced OpenSSL – an open source commercial-grade toolkit, which implements SSL and TLS (Secure Sockets Layer and Transport Layer Security) and provides a general purpose cryptography library. Naturally, we continue with the creation of certification requests (also called Certificate Signing Requests).

Note: In this tutorial (as well as in the previous one) we assume CentOS is the OS of choice.

To create a certificate request we navigate again to /etc/pki/CA:

cd /etc/pki/CA

Now let’s create the certification request. We’ll request a certificate, which will last one year:

openssl req -config openssl.cnf -new -nodes -keyout private/<domain>.key -out <domain>.csr -days 365

Generating a 2048 bit RSA private key
..............................+++
.................................+++
writing new private key to 'private/<domain>.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:<country>
State or Province Name (full name) []:<state>
Locality Name (eg, city) [Default City]:<city>
Organization Name (eg, company) [Default Company Ltd]:<organization>
Organizational Unit Name (eg, section) []:<department>
Common Name (eg, your name or your server's hostname) []:<url>
Email Address []:<email>
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This creates two files: <domain>.key, which is the private key, and <domain>.csr, which is the Certificate Signing Request. Restrict the rights to the private key so it is readable only by root and the user that will use it:

chown root:globus private/<domain>.key

chmod 0440 private/<domain>.key

So now that we have created the certification request it is time to sign it. Navigate to /etc/pki/CA:

cd /etc/pki/CA

Sign the certificate using this command:

openssl ca -config openssl.cnf -policy policy_anything -out certs/<domain>.crt -infiles <domain>.csr

Using configuration from openssl.cnf
Enter pass phrase for ./private/ca.key:<ca_password>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 15 18:52:08 2011 GMT
            Not After : Nov 14 18:52:08 2012 GMT
… CERTIFICATE INFORMATION …
Certificate is to be certified until Nov 14 18:52:08 2012 GMT (365 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

After that, you need to remove the certificate request:

rm -f <domain>.csr

After the whole procedure two files are created. <domain>.crt – this is a domain specific certificate for the request. It is put in the certs directory. <certificate_number>.pem is the second file. It is put in the newcerts folder. This is a ready to use X.509 file which contains the information from <domain>.key and from <domain>.crt.
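A check worth running after signing, as an added example that is not part of the original tutorial: it confirms that the certificate verifies against the CA certificate, that the private key belongs to the certificate, and that the key is not accessible to other users. The names check_issued and make_demo are hypothetical; the demo data is constructed in a temporary directory and is signed with openssl x509 -req instead of openssl ca so that it runs without prompts.

```shell
#!/bin/sh
# check_issued CERT KEY CA_CERT
# Returns 0 if all checks pass, 1 = chain, 2 = key mismatch, 3 = key mode.
check_issued() {
    cert=$1 key=$2 ca=$3
    # 1. The certificate must verify against the CA certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not chain to $ca"; return 1; }
    # 2. The public key in the certificate must be the one derived from the key file.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL: $key does not belong to $cert"; return 2; }
    # 3. The key must give no access to "other" (the tutorial's 0440 ends in 0).
    mode=$(stat -c %a "$key")   # assumes GNU stat, as on CentOS
    case $mode in
        *0) ;;
        *) echo "FAIL: $key has mode $mode"; return 3 ;;
    esac
    echo "OK: $cert"
}

# make_demo DIR: constructed sample data, a throwaway CA and one signed certificate.
# Assumption: "openssl x509 -req" stands in for the tutorial's "openssl ca" step.
make_demo() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' 'commonName = Common Name' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
    openssl req -config "$d/demo.cnf" -new -x509 -nodes -newkey rsa:2048 \
        -subj "/CN=ca.example.test" -keyout "$d/ca.key" -out "$d/ca.crt" \
        -days 30 2>/dev/null &&
    openssl req -config "$d/demo.cnf" -new -nodes -newkey rsa:2048 \
        -subj "/CN=www.example.test" -keyout "$d/site.key" -out "$d/site.csr" \
        2>/dev/null &&
    openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 1 -days 30 -out "$d/site.crt" 2>/dev/null &&
    chmod 0440 "$d/site.key"
}

# With three arguments check real files; otherwise run on the constructed demo.
if [ "$#" -eq 3 ]; then check_issued "$@"
else tmp=$(mktemp -d) && make_demo "$tmp" &&
    check_issued "$tmp/site.crt" "$tmp/site.key" "$tmp/ca.crt"; rm -rf "$tmp"
fi
```

For the files from this tutorial, run it from /etc/pki/CA with certs/<domain>.crt, private/<domain>.key and certs/ca.crt as the three arguments.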


Create your own Certificate Authority using OpenSSL on CentOS

OpenSSL is an implementation of the SSL and TLS protocols. It is open-source and is the de-facto standard toolkit for Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It is written in C and also contains a general purpose cryptography library. Being written in C allows for various wrappers for other programming languages to exist.

Installing OpenSSL on CentOS is actually quite easy. All you have to do is enter the following command:

yum install openssl

Note: Depending on your installation configurations OpenSSL may already be installed on your system.

Note: This tutorial uses OpenSSL 1.0.0.

After we install OpenSSL, we need to setup our own Certificate Authority. To do so we first navigate to /etc/pki/CA:

cd /etc/pki/CA

Now we will make a directory where our certificates will be stored:

mkdir certs

Another necessary directory is for the revocation list:

mkdir crl

Note: crl stands for Certificate Revocation List.

Now we must create a directory for storing the unencrypted certificates:

mkdir newcerts

Next, create an empty file index.txt (you may use touch). The index.txt file is the database for certificates. Additionally, create two files containing the next serial number for a certificate and the next serial number for the revocation list:

echo '01' > serial

echo '01' > crlnumber

Almost ready. Copy the standard openssl config file to your current directory:

cp /etc/pki/tls/openssl.cnf openssl.cnf

And edit the config file (the one stored at /etc/pki/CA/openssl.cnf):

Change this line:

dir             = /etc/pki/CA           # Where everything is kept

to

dir             = .           # Where everything is kept

Change this line:

certificate     = $dir/cacert.pem       # The CA certificate

to

certificate     = $dir/certs/ca.crt       # The CA certificate

And this line:

private_key     = $dir/private/cakey.pem# The private key

to

private_key     = $dir/private/ca.key # The private key

And last, but certainly not least, make /etc/pki/CA/openssl.cnf readable only for you:

chmod 0600 openssl.cnf

After that, the process of creating a certificate authority is actually quite easy. Navigate to /etc/pki/CA:

cd /etc/pki/CA

Enter the following command:

openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650

Use this if you want to create a CA valid for 10 years (-days 3650). You will be prompted:

Generating a 2048 bit RSA private key
........+++
.......+++
writing new private key to 'private/ca.key'
Enter PEM pass phrase:<password>
Verifying - Enter PEM pass phrase:<password>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:<country>
State or Province Name (full name) []:<state>
Locality Name (eg, city) [Default City]:<city>
Organization Name (eg, company) [Default Company Ltd]:<organization>
Organizational Unit Name (eg, section) []:<department>
Common Name (eg, your name or your server's hostname) []:<common_name>
Email Address []:<email>

Where common_name is usually formed like ca.<your_domain>, and <email> is usually ca@<your_domain>

Finally, don’t forget to restrict the access to your private key:

chmod 0400 private/ca.key

For more on OpenSSL, check out how to create and sign certificates.
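An audit of the directory built in the steps above, as an added example that is not part of the original tutorial: it checks the layout, the serial and crlnumber files, and the file modes the tutorial sets. The function name audit_ca_dir is hypothetical, and GNU stat (as on CentOS) is assumed.

```shell
#!/bin/sh
# audit_ca_dir DIR: prints one line per finding, returns the number of findings.
audit_ca_dir() {
    dir=$1 findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }
    for sub in certs crl newcerts private; do
        [ -d "$dir/$sub" ] || note "missing directory $sub"
    done
    [ -f "$dir/index.txt" ] || note "missing index.txt"
    # serial and crlnumber must start with a hex number made of digit pairs,
    # like the tutorial's 01. Typographic quotes pasted from a web page are
    # not shell quotes and end up inside the file.
    for f in serial crlnumber; do
        if [ ! -f "$dir/$f" ]; then
            note "missing $f"
        elif ! head -n 1 "$dir/$f" | grep -Eqx '([0-9A-Fa-f]{2})+'; then
            note "$f does not contain a hex serial number"
        fi
    done
    # Expected modes come from the tutorial: openssl.cnf 0600, private/ca.key 0400.
    for pair in openssl.cnf:600 private/ca.key:400; do
        f=${pair%:*} want=${pair#*:}
        if [ ! -f "$dir/$f" ]; then
            note "missing $f"
        else
            have=$(stat -c %a "$dir/$f")
            [ "$have" = "$want" ] || note "$f has mode $have, expected $want"
        fi
    done
    return "$findings"
}

# Usage: sh audit_ca.sh /etc/pki/CA
[ "$#" -eq 0 ] || audit_ca_dir "$1"
```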


How to enable HTTPS (SSL) connection to Twitter

Whenever the topic is Social Networks, questions about security, privacy, etc. arise. Recently, Twitter, similarly to Facebook and most email service providers, enabled HTTPS connection for its users. In this short tutorial we will show you how to enable this feature.

Install SSL certificate in Opera

This tutorial will show you how to install your own SSL certificate under Opera Browser. Opera Browser is the third most popular web browser in the world after Internet Explorer and Mozilla Firefox. Nowadays SSL certificates are widely used for personal identification, for example, for online banking systems. The certificate ensures that the person connecting is the only one who should have access to the system.

To get to the proper place you must go to the Opera browser Button at the top left corner. You go to the Settings menu then select Preferences

Install SSL certificate in Internet Explorer 7

This tutorial will show you how to install your own SSL certificate in Internet Explorer in a few simple steps. Such certificates are widely used for personal identification, for example, for online banking systems. The certificate ensures that the person connecting is the only one who should have access to the system.

To get to the proper place you must go to the browser Options. You click on Tools menu then select Internet Options

Install SSL certificate in Google Chrome

Google Chrome is a web browser descended from the Chromium open source project, managed and developed by Google Inc.

This tutorial will show you how to install your own SSL certificate. Such certificates are widely used for personal identification, for example, for online banking systems. The certificate ensures that the person connecting is the only one who should have access to the system.

To get to the proper place you must go to the browser Options. You click on Customize and Control Google Chrome menu then select Options

PSPad Editor – FTP Connection

We will continue the review of PSPad features from previous tutorials.

With this tutorial I will show you how to set up an FTP or Secure FTP connection to your websites with PSPad.

To do this, open PSPad, go to the FTP tab at the left side of the program and click on the Connect FTP button as shown in the picture below.


Strip SSL with Apache mod_proxy part two

Greetings, reader.

This tutorial is the second part of the setup instructions on how to strip the SSL part of a request with Apache mod_proxy. Let us remind you what the situation was. We have server A, which has SSL support and can handle the initial request. Then we have server B, which is supposed to actually handle the request but doesn't support SSL. The goal is to relay the request which landed on server A and pass it to server B.

You can read the first part of the tutorial here Strip SSL with Apache mod_proxy part one

So the first part ended up with configuring a virtual host to handle HTTP request on Server A.

Now we need to configure a virtual host to handle HTTPS requests. Open /usr/local/apache2/conf/extra/httpd-ssl.conf with your favorite editor.


Strip SSL with Apache mod_proxy part one

Today I faced a challenging situation. I needed to strip SSL from an HTTP request to one of our server platforms and send it to another server without SSL. As a little tip, we use Apache mod_proxy to implement this functionality.

Requirements

We need to have apache with:

1. DSO support compiled (with mod_proxy support)
2. SSL certificate
3. configuration for Virtual Hosting
4. configuration for mod_proxy

By default our Apache installations are version 2.2.3 with DSO support. This means that if we have mod_proxy compiled for Apache 2.2.3, we can use it without recompiling Apache from source by just putting it in /usr/local/apache2/modules. If you need to compile a new Apache instance, use the following configure options:


Install SSL certificate in Firefox

Mozilla Firefox is an open source web browser descended from the Mozilla Application Suite, managed by the Mozilla Corporation. Firefox is the second-most popular browser in current use worldwide, after Internet Explorer.

This tutorial will show you how to install your own SSL certificate. Such certificates are widely used for personal identification, for example, for online banking systems. The certificate ensures that the person connecting is the only one who should have access to the system.

To get to the proper place you must go to the browser Options. You click on Tools menu then select Options