CopyDisable

Monday, 15 August 2011

Using digital certificate with Apache in Windows

Install the Apache build that bundles OpenSSL; it can be downloaded from http://apache.cs.utah.edu/httpd/binaries/win32/apache_2.2.11-win32-x86-openssl-0.9.8i.msi
When it comes to using SSL with Apache, OpenSSL is already there with that Apache build.
So we will first generate the server's private key, then generate a Certificate Signing Request (the CSR file) from it. The CSR is sent to a Certificate Authority (CA) for signing, and the CA returns us the digital certificate (which carries the public key) in a CRT file.
Open Command Prompt, go to Apache's bin directory and then type openssl to enter the OpenSSL prompt.


Now, first of all, we need to generate the RSA private key for our server. Type the following command at the OpenSSL prompt to get an encrypted private key.
OpenSSL> genrsa -des3 -out digitss.key 1024
The key file name (digitss.key in our example) can be anything we like. After the command is entered it asks for a pass phrase; enter a pass phrase (password).
Note:
1) Keep a note of the password.
2) Take a backup of the private key file generated as above in some secure place.

If we try to view the contents of the private key file, it looks something like the screenshot below:

We can see the private key in a more readable text form using the following command. It asks for the password we specified when creating the private key.
OpenSSL> rsa -noout -text -in digitss.key
Enter pass phrase for digitss.key:
Private-Key: (1024 bit)
modulus:
00:c6:54:39:f5:c5:ae:5a:ef:f5:53:9c:13:c9:86:
27:c5:19:9f:25:ab:a5:96:5a:2e:f3:c0:5b:b0:c5:
02:a6:e0:53:a8:fa:34:e1:8f:55:b4:ee:57:e3:54:
65:70:6a:f0:0c:4d:b1:ed:9f:31:38:51:3c:e1:99:
fe:82:6c:0d:3d:a5:d3:6e:01:8c:89:cc:f1:97:c0:
95:0e:80:1a:c7:0a:ac:56:15:27:cd:08:32:e0:2c:
39:00:77:2f:d1:83:4f:2e:ff:ea:50:fb:26:6c:fd:
dd:ea:38:3b:ec:c0:f7:d3:c6:c2:23:20:12:40:bf:
1b:94:59:d8:d6:34:8d:7c:dd
publicExponent: 65537 (0x10001)
privateExponent:
23:5b:b8:c9:9c:68:ad:45:c2:93:19:6c:5d:ad:51:
31:ce:83:95:0f:b9:01:c9:2a:3d:c2:b9:96:16:49:
96:be:bf:ab:8c:90:08:f6:a8:ed:0c:e1:16:62:61:
83:5d:4d:56:a4:33:68:8d:cd:14:a1:47:1d:61:7b:
02:7d:89:0e:77:f9:0b:b9:89:02:a5:e1:0a:ba:66:
f2:25:dc:06:7e:74:b2:c7:6a:be:1a:e1:6f:fb:b7:
e2:2d:b5:f2:ca:a8:ec:27:9e:81:25:7e:8a:2d:6c:
94:6f:f5:ca:f3:4e:bc:3d:1e:e9:5d:74:47:59:8c:
f7:29:d8:8e:9c:d2:e0:01
prime1:
00:f4:85:25:2e:6c:02:79:02:58:c9:ec:29:a8:11:
33:9e:db:bf:84:0a:a2:87:f9:2b:82:f5:a0:04:59:
69:bb:f7:d3:6a:d8:ee:6d:74:0e:bb:62:01:8e:bf:
5f:85:d8:3d:de:e9:12:86:c9:20:de:7c:cf:4c:f2:
6a:1b:40:e2:01
prime2:
00:cf:a3:ea:a4:39:10:6c:4e:3c:58:b1:8e:f0:17:
33:ea:1f:9d:0c:be:0a:bd:3b:d5:80:76:70:e3:e4:
54:4f:1a:8f:8a:ab:00:d5:64:e6:8a:e7:24:12:2b:
3e:97:b9:24:96:b5:f4:31:eb:ae:6d:fa:83:b2:32:
92:8b:06:62:dd
exponent1:
00:b4:40:d2:bf:fd:ef:74:b5:3e:2e:dc:61:78:fc:
34:77:9f:16:f7:87:bf:78:ed:3e:1e:34:63:d9:d0:
f0:19:19:00:49:6b:d1:97:ee:4e:4d:e4:59:b1:99:
72:19:80:e7:5b:44:05:dc:46:b8:6c:4b:25:a6:5b:
ad:cc:99:70:01
exponent2:
00:b8:a7:83:41:ec:65:88:8b:c2:ea:f5:6c:b2:63:
33:98:9f:e8:a0:ae:59:0a:94:ad:78:02:dc:be:2e:
3e:34:12:e0:d8:66:de:e4:e7:48:86:fa:ab:7f:64:
e9:d3:30:19:33:d6:38:86:34:9b:f8:be:32:64:44:
c9:41:cd:ba:19
coefficient:
7c:9a:fa:80:72:8a:74:11:7b:f0:32:d0:e4:b3:44:
cd:d4:2c:4e:6b:37:38:68:9a:6e:cd:ae:f0:9f:54:
31:a5:f6:f7:c8:16:f3:1a:4a:5c:d3:6b:60:a1:7d:
f5:a2:6c:b2:ab:12:1d:1c:5c:dd:63:57:d5:c0:be:
a3:d1:37:67


We also need to create an unsecured (unencrypted) version of the private key: with the Windows Apache and OpenSSL setup, Apache cannot prompt for the pass phrase at startup, so with an encrypted key the SSL setup reports errors and Apache refuses to start.
So to get the unsecured version of the private key, use the command:
OpenSSL> rsa -in digitss.key -out unsecured.digitss.key
Enter pass phrase for digitss.key:
writing RSA key
digitss.key is the file we generated previously, which is encrypted (3DES); the -out file is the one that will be written, as requested, in non-encrypted form.
Now we are going to create the CSR. The following command generates a PEM-formatted Certificate Signing Request file.
OpenSSL> req -new -key digitss.key -out digitss.csr -config openssl.cnf
Here we request generation of the CSR file using the private key generated previously, and we specify the configuration file openssl.cnf as one more parameter. If this file does not exist in the apache/bin directory, either move it there or specify its full path.
Now we need to answer a few questions to generate the CSR file.
OpenSSL> req -new -key digitss.key -out digitss.csr -config openssl.cnf
Enter pass phrase for digitss.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
OpenSSL>

Country Name: Use the two-letter code without punctuation for country, for example: IN.
State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Maharashtra.
Locality or City: The Locality field is the city or town name, for example: Mumbai.
Company: If your company or department name contains an &, @, or any other symbol that needs the shift key, you must spell out the symbol or omit it to enrol.
Example: XYZ Corporation
Organizational Unit: This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on your keyboard.
Common Name: The Common Name is the Host + Domain Name. It looks like “www.company.com” or “company.com”.
VeriSign certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain “domain.com” will receive a warning if accessing a site named “www.domain.com” or “secure.domain.com”, because “www.domain.com” and “secure.domain.com” are different from “domain.com”.
Please do not enter your email address, challenge password or an optional company name when generating the CSR.
In the following screenshot I have changed some values from the original CSR request screenshot just to preserve some privacy. 
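The procedure above (encrypted key, unencrypted copy, CSR, and the field answers) scripted end to end, as an added example that is not part of the original post: it runs the same openssl subcommands in a POSIX shell, answers the Distinguished Name from a small req config file instead of the prompts, and adds the checks worth doing before the CSR goes to the CA (is the key file Apache will load really unencrypted, does the CSR's self-signature verify, does the CSR modulus match the key). The hostname www.example.com, the DN values, the pass phrase, the script name and the file names are constructed; openssl on PATH is assumed, and at the Windows OpenSSL> prompt the same subcommands are typed without the leading "openssl". Two deliberate departures from the post reflect current CA and browser practice: 2048-bit keys, since public CAs have not accepted 1024-bit keys since the end of 2013, and a subjectAltName in the request, since current browsers ignore the Common Name.

```shell
#!/bin/sh
# Added example, not code from the original post: key -> unencrypted key -> CSR
# with the openssl CLI, plus pre-flight checks. Assumes "openssl" is on PATH.
# Hostname, DN values, pass phrase and file names are constructed placeholders.
set -eu

WORK="${WORK:-./ssl-work}"   # scratch directory (constructed)
HOST="www.example.com"       # Common Name = host + domain name, as the post requires

# Step 1: pass-phrase-protected private key (the post's "genrsa -des3").
# 2048 bits instead of 1024: public CAs no longer sign 1024-bit keys.
make_encrypted_key() {   # $1 = pass phrase
    mkdir -p "$WORK"
    openssl genrsa -des3 -passout "pass:$1" -out "$WORK/digitss.key" 2048 2>/dev/null
}

# Step 2: the unencrypted copy Apache on Windows needs, because it cannot prompt
# for a pass phrase at service start. It is a plaintext secret: restrict access.
make_unencrypted_key() {   # $1 = pass phrase
    openssl rsa -in "$WORK/digitss.key" -passin "pass:$1" \
        -out "$WORK/unsecured.digitss.key" 2>/dev/null
    chmod 600 "$WORK/unsecured.digitss.key"   # on Windows, tighten the NTFS ACL instead
}

# Small req config so the DN is answered from a file instead of the prompts
# (no e-mail address, challenge password or optional company name, as the post
# advises). subjectAltName is added because browsers ignore the Common Name.
write_req_config() {
    cat > "$WORK/req.cnf" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
C  = IN
ST = Maharashtra
L  = Mumbai
O  = XYZ Corporation
CN = $HOST

[ ext ]
subjectAltName = DNS:$HOST, DNS:example.com
EOF
}

# Step 3: PEM-formatted CSR signed with the encrypted key (the post's "req -new").
make_csr() {   # $1 = pass phrase
    write_req_config
    openssl req -new -key "$WORK/digitss.key" -passin "pass:$1" \
        -config "$WORK/req.cnf" -out "$WORK/digitss.csr"
}

# --- checks ----------------------------------------------------------------

# True if a PEM key file is pass-phrase protected: traditional "Proc-Type:
# 4,ENCRYPTED" header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block. Run this on
# the file named in SSLCertificateKeyFile before starting Apache.
key_is_encrypted() {   # $1 = key file
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# The CSR's self-signature verifies (exit status 0 is openssl's "verify OK").
verify_csr() {
    openssl req -in "$WORK/digitss.csr" -noout -verify >/dev/null 2>&1
}

# The CSR, and so the certificate the CA returns, belongs to the key Apache
# will load: both must carry the same RSA modulus.
key_matches_csr() {
    k=$(openssl rsa -noout -modulus -in "$WORK/unsecured.digitss.key")
    c=$(openssl req -noout -modulus -in "$WORK/digitss.csr")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Subject line of the CSR, e.g. "subject=C = IN, ST = Maharashtra, ..., CN = www.example.com"
csr_subject() {
    openssl req -in "$WORK/digitss.csr" -noout -subject
}

# True if the CSR asks for a subjectAltName covering $HOST.
csr_has_san() {
    openssl req -in "$WORK/digitss.csr" -noout -text | grep -q "DNS:$HOST"
}

run_all() {   # $1 = pass phrase
    make_encrypted_key "$1"
    make_unencrypted_key "$1"
    make_csr "$1"
    verify_csr && key_matches_csr && csr_has_san
}

# Usage: sh make-csr.sh 'my pass phrase'   (script name is constructed)
if [ "$#" -ge 1 ]; then run_all "$1"; fi
```

The generated files land in ./ssl-work; digitss.csr is what goes to the CA, and key_is_encrypted is the check to run on the file named in SSLCertificateKeyFile: if it reports the file as encrypted, Apache on Windows will fail at startup exactly as described above.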


Now we need to send the generated CSR file to a Certificate Authority (CA) for signing. The CA will inspect our request and send back the actual certificate as a CRT file, with which we can set up SSL on our web server running Apache and OpenSSL. There are many CAs, such as VeriSign, Thawte, CertiSign, GoDaddy etc.
After receiving the certificate from the CA we need to configure the Apache config file to use the SSL certificate (there are many settings needed to enable SSL, but I am only mentioning the settings for the certificates).
SSLCertificateFile "Path_to_SSL_Certificate_received_from_CA/public.crt"
SSLCertificateKeyFile "Path_to_unsecured_private_key_we_generated_above/unsecured.digitss.key"
If an intermediate certificate is required, use the following configuration line. All SSL certificates issued by VeriSign require the installation of an intermediate CA certificate, which can be obtained from the VeriSign site free of cost.
SSLCACertificateFile "Path_to_intermediate_certificate/inter.crt"


Glory to Mother Assam,
Pranab Sharma