Tuesday, October 30, 2012

Apache 2.2 SSL

yum -y install mod_ssl

The default config files expects the following credentials.

vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Not only that, but it has provided them for you. But you'll probably want new ones that actually identify your server by name, so I show how to replace them below.

The cert and key files are just PEM ASN.1 blobs. You can look at them in vi, and if you remove the top and bottom comment lines, you can decode them.

vi /etc/pki/tls/certs/localhost.crt
-----BEGIN CERTIFICATE-----
MIIDNzCCAh+gAwIBAgIFUw5hmvgwDQYJKoZIhvcNAQELBQAwMTEaMBgGCgmSJomT
8ixkARkWCnlvdXJEb21haW4xEzARBgoJkiaJk/IsZAEZFgNjb20wHhcNMTIxMDMw
MTcwOTIzWhcNMTQxMDMwMTcwOTIzWjAxMRowGAYKCZImiZPyLGQBGRYKeW91ckRv
bWFpbjETMBEGCgmSJomT8ixkARkWA2NvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAK3AOppBP/YGknlbPpEl3IxM9uuVN3cn34LFWmfWtRgmC1/1fTqY
WIn/4m1UJF9BqLCmSl2VQJQcoO0H/JTJmQcOmyOxyjJhd7CpgtdC7GBQFqDVNns6
O/U/Te7KXlxr2CZXfGCt9a90HHEdcjSlRyJ6W9ni8cjUrkAIHl9NzDF8eB/yR/tS
JLKoTKHvn/i3TSVWceXwrMuaLG8no/OJeUCTR3uG+EobdT73l8sgkNls6A8r/h+w
JuvSmEZR2WWfTTft94q26pqh2a/gW1ptIv+K/cxzTbz5yonbGCoaPRUpk87MWiAb
c8+wrJrxNOM3bO3UQvgZIlzjoWps6Iw2aPcCAwEAAaNWMFQwCwYDVR0PBAQDAgWg
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMDAGA1UdEQQpMCeCECoueW91ckRvbWFpbi5j
b22CEyouYW5vdGhlckRvbWFpbi5jb20wDQYJKoZIhvcNAQELBQADggEBAC2irYkJ
mgSuHIoMTyZF0JmYqL2NndZ8J/XIHwONc9RCccxmLdUXnBFPSR6cuF/KI4nb0m7l
ZdctfaIi2cQvXXQwF/esY2fTPExC2qU0/bN5Axd6o8LdZyi9HW9kzyEncRpTCVn2
OXZ4gJYZB5NE5LMhxdcVAVrIai3tLJSgAgnbUw5bnr/KXpWk1Y1F91Reyy9Te2ot
GkJa3LRq90xuUtWCybcUGlrmxsA0MCfTJzx38WYIY5Q1DzqcC8GIKmGmGJ+Ut62N
vAm/e1V4Ltsm6RPod+cNnY0oh5j2EurVTTENmP23V7TzylUwEdpZREewTOWOquFZ
+x61gvSzU6er9ms=
-----END CERTIFICATE-----
SEQUENCE {
   SEQUENCE {
      [0] {
         INTEGER 0x02 (2 decimal)
      }
      INTEGER 0x530e619af8 (356723563256 decimal)
      SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
         NULL 
      }
      SEQUENCE {
         SET {
            SEQUENCE {
               OBJECTIDENTIFIER 0.9.2342.19200300.100.1.25 (id_domainComponent)
               IA5String 'yourDomain'
            }
         }
         SET {
            SEQUENCE {
               OBJECTIDENTIFIER 0.9.2342.19200300.100.1.25 (id_domainComponent)
               IA5String 'com'
            }
         }
      }
      SEQUENCE {
         UTCTime '121030170923Z'
         UTCTime '141030170923Z'
      }
      SEQUENCE {
         SET {
            SEQUENCE {
               OBJECTIDENTIFIER 0.9.2342.19200300.100.1.25 (id_domainComponent)
               IA5String 'yourDomain'
            }
         }
         SET {
            SEQUENCE {
               OBJECTIDENTIFIER 0.9.2342.19200300.100.1.25 (id_domainComponent)
               IA5String 'com'
            }
         }
      }
      SEQUENCE {
         SEQUENCE {
            OBJECTIDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption)
            NULL 
         }
         BITSTRING 0x3082010a0282010100adc03a9a413ff60692795b3e9125dc8c4cf6eb95377727df82c55a67d6b518260b5ff57d3a985889ffe26d54245f41a8b0a64a5d9540941ca0ed07fc94c999070e9b23b1ca326177b0a982d742ec605016a0d5367b3a3bf53f4deeca5e5c6bd826577c60adf5af741c711d7234a547227a5bd9e2f1c8d4ae40081e5f4dcc317c781ff247fb5224b2a84ca1ef9ff8b74d255671e5f0accb9a2c6f27a3f389794093477b86f84a1b753ef797cb2090d96ce80f2bfe1fb026ebd2984651d9659f4d37edf78ab6ea9aa1d9afe05b5a6d22ff8afdcc734dbcf9ca89db182a1a3d152993cecc5a201b73cfb0ac9af134e3376cedd442f819225ce3a16a6ce88c3668f70203010001 : 0 unused bit(s)
      }
      [3] {
         SEQUENCE {
            SEQUENCE {
               OBJECTIDENTIFIER 2.5.29.15 (keyUsage)
               OCTETSTRING 030205a0
            }
            SEQUENCE {
               OBJECTIDENTIFIER 2.5.29.37 (extKeyUsage)
               OCTETSTRING 300a06082b06010505070301
            }
            SEQUENCE {
               OBJECTIDENTIFIER 2.5.29.17 (subjectAltName)
               OCTETSTRING 302782102a2e796f7572446f6d61696e2e636f6d82132a2e616e6f74686572446f6d61696e2e636f6d
            }
         }
      }
   }
   SEQUENCE {
      OBJECTIDENTIFIER 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
      NULL 
   }
   BITSTRING 0x2da2ad89099a04ae1c8a0c4f2645d09998a8bd8d9dd67c27f5c81f038d73d44271cc662dd5179c114f491e9cb85fca2389dbd26ee565d72d7da222d9c42f5d743017f7ac6367d33c4c42daa534fdb37903177aa3c2dd6728bd1d6f64cf2127711a530959f6397678809619079344e4b321c5d715015ac86a2ded2c94a00209db530e5b9ebfca5e95a4d58d45f7545ecb2f537b6a2d1a425adcb46af74c6e52d582c9b7141a5ae6c6c0343027d3273c77f166086394350f3a9c0bc1882a61a6189f94b7ad8dbc09bf7b55782edb26e913e877e70d9d8d288798f612ead54d310d98fdb757b4f3ca553011da594447b04ce58eaae159fb1eb582f4b353a7abf66b : 0 unused bit(s)
}

This is an X.509 v3 certificate as indicated by the first integer 0x02. Version counting starts at zero, so 2 means version 3. It is defined by rfc5280, excerpt below.

Certificate  ::=  SEQUENCE  {
     tbsCertificate       TBSCertificate,
     signatureAlgorithm   AlgorithmIdentifier,
     signatureValue       BIT STRING  }

TBSCertificate  ::=  SEQUENCE  {
     version         [0]  EXPLICIT Version DEFAULT v1,
     serialNumber         CertificateSerialNumber,
     signature            AlgorithmIdentifier,
     issuer               Name,
     validity             Validity,
     subject              Name,
     subjectPublicKeyInfo SubjectPublicKeyInfo,
     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3

Here's how I created them.

# generate an RSA-2048 key keypair
# store the private key in key.pem
# store the public key as a cert-request in req.pem with subject "yourDomain.com"

openssl req -nodes -subj "/DC=yourDomain/DC=com" -keyout key.pem -newkey rsa:2048 -new -out req.pem

# create a file to define the other extensions you'll want in the certificate
# an ssl device needs to perform both signing and encryption
# and needs to be certified for serverAuth
# and needs the machine name in either the subject (above) or subjectAltName
# if multiple domains point to your machine, you need each in the subjetAltName

vi extensions.txt

keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:*.yourDomain.com,DNS:*.anotherDomain.com

# create a two year certificate output as cert.pem from req.pem
# with a random large serial number and the above extensions
# signed by your own RSA-2048 from key.pem key using RSA-SHA256

openssl x509 -req -days 730 -set_serial 356723563256 -sha256 -in req.pem -extfile extensions.txt -signkey key.pem -out cert.pem

# now just copy them to the locations that apache expects and restart apache

cp cert.pem /etc/pki/tls/certs/localhost.crt
cp key.pem /etc/pki/tls/private/localhost.key
{ "loggedin": false, "owner": false, "avatar": "", "render": "nothing", "trackingID": "UA-36983794-1", "description": "", "page": { "blogIds": [ 270 ] }, "domain": "holtstrom.com", "base": "\/michael", "url": "https:\/\/holtstrom.com\/michael\/", "frameworkFiles": "https:\/\/holtstrom.com\/michael\/_framework\/_files.4\/", "commonFiles": "https:\/\/holtstrom.com\/michael\/_common\/_files.3\/", "mediaFiles": "https:\/\/holtstrom.com\/michael\/media\/_files.3\/", "tmdbUrl": "http:\/\/www.themoviedb.org\/", "tmdbPoster": "http:\/\/image.tmdb.org\/t\/p\/w342" }