These are the steps I followed. This was a straightforward task to configure apache to accept HTTPS traffic. Further enhancements such as forcing HTTPS only, or validating client certificates were not required.
This article is quite good
http://articles.sitepoint.com/article/securing-apache-2-server-ssl
If on Linux, install mod_ssl. (http://www.cyberciti.biz/faq/rhel-apache-httpd-mod-ssl-tutorial/ )
yum install mod_ssl ...
Also http://www.csrparser.com/ is handy for checking any old CSRs
Setting up certs
Prerequisite for generating a certificate: you need a Certification Authority (CA), either a public CA or a DIY one built with openssl. See the links above.
1/ Generate a CSR (Certificate Signing Request)
There are multiple ways to do this, e.g. OpenSSL or keytool.
With openssl and its defaults you can simply run
openssl req -new
2/ Generate certificate (using CA)
3/ Install certificate in Apache (as root)
4/ Edit ssl.conf file (equivalent to httpd.conf). Configure any VirtualHosts you require, and assign them the requisite keys and certs, e.g.
<VirtualHost www.nixcraft.com:443>
SSLEngine On
SSLCertificateFile /etc/pki/tls/http/apachecert.pem
SSLCertificateKeyFile /etc/pki/tls/http/apachekey.pem
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
DocumentRoot /var/www/html/ssl
ServerName www.nixcraft.com
</VirtualHost>
Create CA private key (used for generating CSRs)
openssl genrsa -aes256 -out domainname.com.key 1024
In general generate a private key per domain
Create Self Signed CA cert (Also generates private Key for CA)
openssl req -new -x509 -extensions v3_ca -keyout ./private/cakey.pem -out cacert.pem -days 3650
Create Self signed CA using existing private key
openssl req -new -x509 -extensions v3_ca -key privateKey.pem -out cacert.pem -days 3650
This command shows how openssl subcommands combine functionality: req normally produces a CSR, but its -x509 switch makes it output a self-signed certificate instead.
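The steps above (CA key and self-signed CA cert, server key and CSR, signing the CSR with the CA, then wiring the files into an Apache VirtualHost) put together as a runnable script. This is an added example, not code from the original post or from the linked articles; the directory layout, the demo subject names, www.example.com as the server name and Apache 2.4 syntax are assumptions. Unlike the post's commands it passes subjects and a minimal config inline so nothing prompts, and it adds the two checks worth doing before restarting Apache: that the issued certificate chains to the CA, and that SSLCertificateFile and SSLCertificateKeyFile actually belong together. The VirtualHost it writes also drops SSLv3, TLS 1.0/1.1 and MD5/RC4 from the post's SSLProtocol and SSLCipherSuite lines.

```shell
#!/bin/sh
# Added example (not from the original post): a DIY CA that issues a server
# certificate, plus the checks to run before pointing Apache at the files.
# Paths, subject names and www.example.com are assumptions for the demo.
set -e

make_demo_pki() {
    dir="$1"                          # where to write the files
    domain="${2:-www.example.com}"    # assumed ServerName; must match the CN/SAN
    mkdir -p "$dir"

    # Minimal openssl config so `req` works without the system openssl.cnf;
    # [ v3_ca ] is what the post's "-extensions v3_ca" refers to.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Demo Root CA
O  = Demo CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # CA private key (left unencrypted here so the script runs unattended)
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    # Self-signed CA certificate: `req -x509` instead of a CSR
    openssl req -new -x509 -config "$dir/ca.cnf" -extensions v3_ca \
        -key "$dir/cakey.pem" -out "$dir/cacert.pem" -days 3650

    # One private key per domain, and a CSR for it (step 1 of the post)
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -key "$dir/$domain.key" \
        -out "$dir/$domain.csr" -subj "/O=Demo/CN=$domain"

    # Sign the CSR with the CA (step 2). The extfile adds a SAN, which
    # browsers require today, and marks the leaf as a non-CA cert.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$domain" > "$dir/$domain.ext"
    openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -extfile "$dir/$domain.ext" -out "$dir/$domain.crt" -days 365 2>/dev/null

    # Check: does the issued certificate chain to our CA? (grep because very old
    # openssl versions returned 0 from `verify` even on failure)
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$domain.crt" 2>/dev/null | grep -q ': OK'
}

cert_matches_key() {
    # Apache refuses to start when SSLCertificateFile and SSLCertificateKeyFile
    # do not belong together; compare the public keys instead of guessing.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

write_vhost_conf() {
    # Step 4 of the post: the VirtualHost for the generated files. The protocol
    # and cipher lines also refuse SSLv3, TLS 1.0/1.1, MD5 and RC4 (assumed: Apache 2.4).
    domain="$1"; dir="$2"; out="$3"
    cat > "$out" <<EOF
<VirtualHost *:443>
    ServerName $domain
    DocumentRoot /var/www/html/ssl
    SSLEngine on
    SSLCertificateFile $dir/$domain.crt
    SSLCertificateKeyFile $dir/$domain.key
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
</VirtualHost>
EOF
}

# Usage (writes everything into a temporary directory):
#   d=$(mktemp -d); make_demo_pki "$d" www.example.com
#   cert_matches_key "$d/www.example.com.crt" "$d/www.example.com.key" && echo "key matches cert"
#   write_vhost_conf www.example.com "$d" "$d/ssl.conf"
```

The private CA's certificate (cacert.pem) is what clients need to trust; the server only needs its own certificate and key, which is why the VirtualHost does not reference the CA file. The generated ssl.conf fragment still has to be placed where the real ssl.conf expects it and tested with a configuration check before reloading Apache.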
Keystore
The default location of the keystore file is %JAVA_HOME%/jre/security/.keystore
To make a Java client trust the certs in a keystore, start it with the following property:
java -Djavax.net.ssl.trustStore=...
Problems
I was doing some work with 2-way SSL, and seeing the following error in my WebLogic (OSB) logs.
<ms_osb1> <[ACTIVE] ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1315908488277> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
As it happens this is a problem with JDK 1.6_013. They included an incompatible CA cert in the keystore.
http://java.sun.com/javase/6/webnotes/6u13.html
keytool -delete -keystore $JAVA_HOME/jre/lib/security/cacerts -alias ttelesecglobalrootclass2ca -storepass changeit
keytool -delete -keystore $JAVA_HOME/jre/lib/security/cacerts -alias ttelesecglobalrootclass3ca -storepass changeit
How do I remove a passphrase from a key?
Perhaps you’ve grown tired of typing your passphrase every time your secure daemon starts. You can decrypt your key, removing the passphrase requirement, using the rsa or dsa option, depending on the signature algorithm you chose when creating your private key.
If you created an RSA key and it is stored in a standalone file called key.pem, then here’s how to output a decrypted version of the same key to a file called newkey.pem.
# you'll be prompted for your passphrase one last time
openssl rsa -in key.pem -out newkey.pem
Often, you’ll have your private key and public certificate stored in the same file. If they are stored in a file called mycert.pem, you can construct a decrypted version called newcert.pem in two steps.
# you'll need to type your passphrase once more
openssl rsa -in mycert.pem -out newcert.pem
openssl x509 -in mycert.pem >>newcert.pem
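The passphrase removal above done unattended, with the two checks that matter afterwards: that the new file really is unencrypted (so the daemon will start without a prompt) and that it still holds the same key. This is an added example, not part of the original post; it generates its own throwaway encrypted key to work on, and the demo passphrase and file names are assumptions. It uses -passin/-passout, which the post's interactive commands do not need.

```shell
#!/bin/sh
# Added example (not from the original post): strip the passphrase from an
# encrypted RSA key without a prompt, then confirm the result.
# The passphrase "demo-passphrase" and the file names are assumptions.
set -e

strip_passphrase() {
    dir="$1"
    pass="${2:-demo-passphrase}"
    mkdir -p "$dir"
    # An encrypted key to work on, as `genrsa -aes256` in the post produces
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/key.pem" 2048 2>/dev/null
    # The post's `openssl rsa -in key.pem -out newkey.pem`, with the
    # passphrase supplied through -passin instead of the prompt
    openssl rsa -in "$dir/key.pem" -passin "pass:$pass" -out "$dir/newkey.pem" 2>/dev/null
    # The key is now protected only by file permissions: owner read/write only
    chmod 600 "$dir/newkey.pem"
}

key_is_encrypted() {
    # Both PEM layouts openssl writes ("Proc-Type: 4,ENCRYPTED" for PKCS#1,
    # "BEGIN ENCRYPTED PRIVATE KEY" for PKCS#8) carry the word ENCRYPTED
    grep -q ENCRYPTED "$1"
}

same_key() {
    # Compare the public halves: identical public keys means the decrypted
    # file holds the same private key as the encrypted original
    enc_pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null)
    plain_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null)
    [ -n "$enc_pub" ] && [ "$enc_pub" = "$plain_pub" ]
}

# Usage:
#   d=$(mktemp -d); strip_passphrase "$d" demo-passphrase
#   key_is_encrypted "$d/newkey.pem" || echo "newkey.pem has no passphrase"
#   same_key "$d/key.pem" demo-passphrase "$d/newkey.pem" && echo "same key"
```

Once the passphrase is gone, whoever can read newkey.pem can impersonate the server, so the chmod is not optional: keep the file owned by root with mode 600 and let the daemon read it at start-up before dropping privileges.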