This is a fairly large and complicated topic. You are STRONGLY
ENCOURAGED to read about it in detail in the mod_ssl manual
(Chapter 2, Introduction, and Chapter 6, FAQ List), either at
http://www.modssl.org/docs/2.4/ or in the copy that comes with your
HP WebWise MPE/iX Secure Web Server
(/APACHE/SECURE/htdocs/manual/mod/mod_ssl/ssl_intro.html and
ssl_faq.html), which is accessible from the default home page.
    
Secure web servers require a unique private key and a unique
server certificate in order to establish secure encrypted communication
sessions. This software includes a default private key and server
certificate so that you can immediately start the server and begin testing.
But because the supplied private key and server certificate are
not unique, they are NOT SECURE AND MUST NOT BE USED FOR
PRODUCTION PURPOSES!
    
You must generate your own private key and either obtain or
create your own server certificate in order to be secure. Keys and
certificates contain extremely sensitive data and must be tightly
controlled to prevent unauthorized access.
    
     
    
Before starting any key or certificate management you should first log on as
MGR.APACHE and make sure that all configuration files and directories
are owned by MGR.APACHE:
    
      :HELLO MGR.APACHE,SECURE  
      :XEQ SH.HPBIN.SYS -L  
      $ export PATH=/APACHE/SECURE/bin:$PATH  
      $ chown -R MGR.APACHE conf  
     
If you wish to start testing with the default non-secure key
and certificate, perform the following steps, and then skip
ahead to "Starting the Web Server":
    
      $ cp conf/ssl.crt/server.crt.sample conf/ssl.crt/server.crt
      $ cp conf/ssl.key/server.key.sample conf/ssl.key/server.key
     
    
     
    
Your private key is an EXTREMELY sensitive
and confidential piece of information.  Anybody who obtains
your private key will be able to impersonate you. If you should
ever lose your private key or have it stolen, your only recourse
is to create a new private key and do a better job of protecting it.
    
Appropriate filesystem security is essential for the file which contains your
private key. MGR.APACHE should be the owner of the key file, and the
owner is the only user that should have any kind of access. MGR.APACHE
should also be the owner of the directory in which the key file resides, and
nobody besides the owner should have access to the directory.
    
For added security, it is recommended that you encrypt
your server key with a pass phrase that is stored separately from
the key. If you use a pass phrase, it must be supplied
to the web server at startup, either by inserting it directly
into the /APACHE/SECURE/JHTTPDS job stream after the command
that invokes HTTPDS (caution: the pass phrase will be in plain text
in the JHTTPDS job stream, so you'll need to protect the job stream too),
or by writing a special script or program that HTTPDS will invoke to obtain the
pass phrase. See the mod_ssl SSLPassPhraseDialog configuration
directive documentation for details.
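
A pass-phrase helper of the kind described above, as an added example rather than code from HP or mod_ssl: it is meant to be named in an SSLPassPhraseDialog exec: directive, and it prints the pass phrase only if the pass-phrase file and its directory are owned by the invoking user with no group or other access, the same rule given above for the key file. The PASSFILE path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not HP or mod_ssl code): pass-phrase helper for
#   SSLPassPhraseDialog exec:/path/to/this/script
# mod_ssl runs it with two arguments, "servername:port" and "RSA" or "DSA",
# and reads the pass phrase from its standard output.

# Hypothetical location; keep it apart from the directory holding server.key.
PASSFILE=${PASSFILE:-/path/to/private/server.pass}

# owner_only PATH: succeed only if PATH belongs to the invoking user and
# grants nothing to group or other (e.g. mode 400 for a file, 700 for a dir).
owner_only() {
    listing=$(ls -ldn "$1" 2>/dev/null) || return 1
    set -f; set -- $listing; set +f       # fields: mode links uid gid ...
    [ "${3:-}" = "$(id -u)" ] || return 1
    case $1 in
        ????------*) return 0 ;;          # group and other bits all clear
    esac
    return 1
}

# emit_passphrase SERVER:PORT ALGORITHM: print the pass phrase, or fail closed.
emit_passphrase() {
    case ${2:-} in
        RSA|DSA) ;;
        *) echo "unexpected key type: ${2:-none}" >&2; return 1 ;;
    esac
    if ! owner_only "$PASSFILE" || ! owner_only "$(dirname "$PASSFILE")"; then
        echo "refusing: $PASSFILE or its directory is not owner-only" >&2
        return 1
    fi
    head -n 1 "$PASSFILE"                 # first line only
}

# Run as a script by mod_ssl: exactly two arguments.
if [ "$#" -eq 2 ]; then
    emit_passphrase "$1" "$2" || exit 1
fi
```

Protect the helper script itself the same way, since anyone who can edit it can capture the pass phrase.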
    
Key generation uses a random number generator which, in order to be portable,
uses a rather simple random seed consisting of the current time, process ID,
and some memory buffer contents. To increase the randomness of the initial
random number, you should use the openssl -rand
parameter to specify a file containing data that is possibly random but
definitely unique to your machine. For example, because machines have
different patches applied at different times, /SYS/PUB/HPSWINFO might
be suitable as a -rand file containing unique data that will
only exist on this one machine.
    
To create your private server key:
    
      
  $ cd conf/ssl.key
  
      
  $ openssl genrsa -rand /SYS/PUB/HPSWINFO -des3 -out server.key 1024
  unable to load 'random state'
  28199 semi-random bytes loaded
  Generating RSA private key, 1024 bit long modulus
  ................+++++
  .................+++++
  e is 65537 (0x10001)
  Enter PEM pass phrase:********
  Verifying password - Enter PEM pass phrase:********
  
      
  $ openssl rsa -noout -text -in server.key
 
(displays the details of your newly created server key)
  read RSA private key
  Enter PEM pass phrase:********
  Private-Key: (1024 bit)
  modulus:
      00:d2:d6:24:48:b4:52:92:0f:33:a1:0d:28:45:7a:
      88:96:91:f9:dc:d3:23:c6:a7:ba:e4:93:5e:d3:d3:
      9c:ba:18:27:ec:25:db:5b:1f:f5:26:9f:6b:8c:fe:
      d4:8d:3a:28:2e:00:f0:58:71:ef:29:ac:b6:23:36:
      ac:97:63:84:01:0b:35:90:34:6b:ff:35:b1:83:0a:
      81:a1:12:5a:d5:cf:00:44:62:70:72:f9:3c:8f:30:
      5f:dd:61:d1:fe:d6:83:9a:69:36:74:64:4d:16:3f:
      49:7a:0a:29:b3:cd:78:ef:c0:2b:a9:3a:97:10:f3:
      6c:df:87:61:d3:46:93:d8:6b
  publicExponent: 65537 (0x10001)
  privateExponent:
      00:ae:e8:8a:47:6a:99:49:a4:a4:df:4a:0c:0b:bf:
      c0:ca:b1:25:89:65:fc:3b:14:f1:3e:29:68:34:f1:
      4c:07:32:7d:04:32:cf:cc:c4:31:5b:ae:4b:ca:37:
      aa:5b:d3:50:7c:01:b9:62:96:7a:a3:a7:2d:9e:fe:
      ff:a5:c4:20:40:3e:ea:02:05:fa:9e:00:d6:a9:59:
      e0:46:13:ef:9a:ef:64:d1:8a:bd:e6:2b:82:06:c9:
      da:8b:15:e9:b8:fa:eb:a0:13:6c:94:ca:10:9c:dc:
      2a:59:f8:fc:c7:2d:e0:69:cb:5b:a5:32:ec:d2:56:
      e2:0f:b0:c5:39:b8:50:5b:f1
  prime1:
      00:fa:06:99:8b:68:55:5b:a8:ff:25:5a:f5:82:26:
      4c:73:2d:a0:70:75:e6:72:2c:25:70:22:49:5d:1a:
      96:0e:32:ce:4f:d9:7f:31:94:2c:62:8b:02:3c:c8:
      8f:4f:04:58:5b:6a:c0:66:fe:a1:d1:35:21:0e:c1:
      bb:4d:66:a7:83
  prime2:
      00:d7:df:d2:7e:68:7f:5c:04:fe:08:64:48:2e:ee:
      b5:8a:06:40:55:38:14:b4:f1:86:04:5b:98:78:77:
      cf:ab:c8:97:b4:e5:e7:ca:30:b5:8e:4d:93:23:7b:
      41:66:c7:29:8e:d4:f9:8a:0d:61:27:c3:36:b8:26:
      26:1e:bb:4e:f9
  exponent1:
      00:80:ed:d4:51:da:1c:62:26:d4:63:6b:f3:3c:09:
      09:d5:3f:0b:03:d3:18:61:79:b8:58:89:a5:b1:38:
      1b:76:f8:e6:00:b1:14:70:f9:8a:a5:ca:2e:fe:2f:
      22:0f:4a:1b:52:10:cb:64:91:1b:da:a8:fe:02:01:
      0e:d8:0b:fe:87
  exponent2:
      00:b0:5f:9d:52:4c:3c:6a:49:65:e8:23:4e:da:91:
      8b:df:36:56:4f:8a:1f:58:ea:d0:2d:35:4c:f0:78:
      2b:43:56:03:a4:f8:06:16:2b:0f:db:31:44:5b:43:
      f3:de:6e:30:65:13:5a:c2:51:46:24:bf:99:30:81:
      72:b9:bf:1d:b9
  coefficient:
      45:06:9e:13:e6:a9:2a:eb:5a:e0:99:65:43:88:85:
      ed:e2:64:ee:e7:75:99:6e:c3:25:69:36:d5:14:3a:
      e1:20:60:04:a0:44:c0:8e:55:cd:bf:8a:18:97:aa:
      f7:f9:43:81:db:16:ea:c9:e2:1e:68:a9:f2:56:63:
      2e:8f:56:60
 
      
  $ chmod 400 server.key
  
     
    
     
    
Next you need to use your private server key to create a CSR which
identifies your company and your web server. This is the same identity
that will be presented to your web browser users, so choose carefully.
    
When openssl prompts you to enter a value for "Common Name (e.g., YOUR
name)", you need to enter the fully qualified domain name (FQDN) of your
web server. For example, if you want people to access your web server via a URL
prefix of https://www.yourcompanyhere.com, you would enter
www.yourcompanyhere.com in response to this prompt. When
openssl prompts you for the 'extra' attributes to be sent with your
certificate request, leave them blank.
    
To create your CSR:
    
      
  $ cd ../ssl.csr
  
      
  $ openssl req -new -key ../ssl.key/server.key -out server.csr
  
  Using configuration from /APACHE/SECURE/ssl/openssl.cnf
  Enter PEM pass phrase:********
  You are about to be asked to enter information that will be
  incorporated into your certificate request.
  What you are about to enter is what is called a Distinguished Name
    or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:US
  State or Province Name (full name) [Some-State]:My State
  Locality Name (eg, city) []:My City
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
  Organizational Unit Name (eg, section) []:My Org
  Common Name (eg, YOUR name) []:www.mycompany.com
  Email Address []:webmaster@www.mycompany.com
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
 
      $ openssl req -noout -text -in server.csr
      (displays the details of your newly created server CSR)
 
  Using configuration from /APACHE/SECURE/ssl/openssl.cnf
  Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=My State, L=My City, O=My Company,
          OU=My Org, CN=www.mycompany.com/
          Email=webmaster@www.mycompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d2:d6:24:48:b4:52:92:0f:33:a1:0d:28:45:7a:
                    88:96:91:f9:dc:d3:23:c6:a7:ba:e4:93:5e:d3:d3:
                    9c:ba:18:27:ec:25:db:5b:1f:f5:26:9f:6b:8c:fe:
                    d4:8d:3a:28:2e:00:f0:58:71:ef:29:ac:b6:23:36:
                    ac:97:63:84:01:0b:35:90:34:6b:ff:35:b1:83:0a:
                    81:a1:12:5a:d5:cf:00:44:62:70:72:f9:3c:8f:30:
                    5f:dd:61:d1:fe:d6:83:9a:69:36:74:64:4d:16:3f:
                    49:7a:0a:29:b3:cd:78:ef:c0:2b:a9:3a:97:10:f3:
                    6c:df:87:61:d3:46:93:d8:6b
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        8f:5b:d3:45:ae:52:6a:66:36:23:09:0b:b9:d1:5c:2b:52:12:
        00:98:78:97:39:5b:9d:f6:9f:82:b2:2c:3f:24:bb:e0:f0:47:
        19:02:9d:3e:9f:32:d0:be:9a:54:3d:bc:c0:ed:63:67:cd:a3:
        eb:68:a1:2d:7a:0f:94:87:f0:a8:14:f6:45:cf:bd:a9:bc:13:
        9a:4c:cc:fb:a7:ab:73:88:17:23:90:b3:49:58:7f:d5:02:55:
        f1:85:81:f8:ea:48:d9:40:bc:29:de:f8:ed:e3:04:9c:b9:b1:
        c2:ce:8d:c2:c8:43:e7:73:bc:e6:e5:9f:99:b5:73:98:dd:65:
        38:ba
 
      $ chmod 400 server.csr  
     
You're now ready to have your CSR signed by a Certificate
Authority (CA). This results in the creation of a server
certificate. You have two options: you can either have an external
trusted CA sign your CSR, or you can create your own CA and use it to sign your
CSR. Choose one of these options; both are explained in detail below.
    
     
    
All web browsers come preconfigured with a list of trusted
CAs. Certificates signed by these trusted CAs will in turn be trusted
by the browsers. If your certificate is signed by a CA unrecognized
by the browser, each browser user will get a warning dialog window
each time they visit your web site. So if you're doing
an Internet e-commerce application where you have no control over
the customer's browser configuration, you will want to
obtain your certificate from one of the default trusted CAs recognized
by all browsers.
    
There are many trusted CAs; VeriSign (www.verisign.com) and
Equifax (www.equifaxsecure.com) are just two examples. By using
your browser's security-related features, you can list all of the CAs trusted
by that particular browser.
    
You can either purchase a real certificate at this point,
or alternatively you can usually obtain a free test certificate
good for a limited time. In either case, the process is the same. You
typically visit the CA's web site and submit a web registration
form that includes a cut/paste of your CSR, and then the CA e-mails
the resulting certificate to you.
    
You need to cut/paste your CSR in its raw PEM format, which looks like
this if you display the contents of the conf/ssl.csr/server.csr file:
  -----BEGIN CERTIFICATE REQUEST-----
  MIIB4TCCAUoCAQAwgaAxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNeSBTdGF0ZTEQ
  MA4GA1UEBxMHTXkgQ2l0eTETMBEGA1UEChMKTXkgQ29tcGFueTEPMA0GA1UECxMG
  TXkgT3JnMRowGAYDVQQDExF3d3cubXljb21wYW55LmNvbTEqMCgGCSqGSIb3DQEJ
  ARYbd2VibWFzdGVyQHd3dy5teWNvbXBhbnkuY29tMIGfMA0GCSqGSIb3DQEBAQUA
  A4GNADCBiQKBgQDS1iRItFKSDzOhDShFeoiWkfnc0yPGp7rkk17T05y6GCfsJdtb
  H/Umn2uM/tSNOiguAPBYce8prLYjNqyXY4QBCzWQNGv/NbGDCoGhElrVzwBEYnBy
  +TyPMF/dYdH+1oOaaTZ0ZE0WP0l6CimzzXjvwCupOpcQ82zfh2HTRpPYawIDAQAB
  oAAwDQYJKoZIhvcNAQEEBQADgYEAj1vTRa5SamY2IwkLudFcK1ISAJh4lzlbnfaf
  grIsPyS74PBHGQKdPp8y0L6aVD28wO1jZ82j62ihLXoPlIfwqBT2Rc+9qbwTmkzM
  +6erc4gXI5CzSVh/1QJV8YWB+OpI2UC8Kd747eMEnLmxws6NwshD53O85uWfmbVz
  mN1lOLo=
  -----END CERTIFICATE REQUEST-----
 
Your signed certificate will arrive in raw PEM format,
which looks like this:
  -----BEGIN CERTIFICATE-----
  MIICsTCCAhoCAQEwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlVTMREwDwYD
  VQQIEwhNeSBTdGF0ZTEQMA4GA1UEBxMHTXkgQ2l0eTETMBEGA1UEChMKTXkgQ29t
  cGFueTEWMBQGA1UECxMNTXkgQ29tcGFueSBDQTEeMBwGA1UEAxMVQ2VydGlmaWNh
  dGUgQXV0aG9yaXR5MR8wHQYJKoZIhvcNAQkBFhBjYUBteWNvbXBhbnkuY29tMB4X
  DTAwMDQxMzE4MzY0MVoXDTAxMDQxMzE4MzY0MVowgaAxCzAJBgNVBAYTAlVTMREw
  DwYDVQQIEwhNeSBTdGF0ZTEQMA4GA1UEBxMHTXkgQ2l0eTETMBEGA1UEChMKTXkg
  Q29tcGFueTEPMA0GA1UECxMGTXkgT3JnMRowGAYDVQQDExF3d3cubXljb21wYW55
  LmNvbTEqMCgGCSqGSIb3DQEJARYbd2VibWFzdGVyQHd3dy5teWNvbXBhbnkuY29t
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS1iRItFKSDzOhDShFeoiWkfnc
  0yPGp7rkk17T05y6GCfsJdtbH/Umn2uM/tSNOiguAPBYce8prLYjNqyXY4QBCzWQ
  NGv/NbGDCoGhElrVzwBEYnBy+TyPMF/dYdH+1oOaaTZ0ZE0WP0l6CimzzXjvwCup
  OpcQ82zfh2HTRpPYawIDAQABMA0GCSqGSIb3DQEBBAUAA4GBABlROc1/xpG+FlPd
  lekq+E1oc42sOMiLaWe6orfffh74DbuTgxvTWTK8Wo31W8Reqj7jqOAeGvF46mWH
  Vq1mFM/Jh9oMQYb2IAjbuA1/7kefkMHdgf6NMC3L0cbCKs6bF7nDJGjWYb9sXcTM
  shYJMLBXyKW+cmrvJIqoMnq8DZUv
  -----END CERTIFICATE-----
 
Save this data as /APACHE/SECURE/conf/ssl.crt/server.crt and then
proceed to the "Installing Your Certificate" section. You can display the
details of your new server certificate by doing:
  $ openssl x509 -noout -text -in /APACHE/SECURE/conf/ssl.crt/server.crt
 
    
     
    
First, create a private key and certificate for your CA. The
CA requires a unique Distinguished Name different from the server
certificate(s) you will be signing. One way to do this is to use
a unique Organizational Unit Name when you create the CA certificate. For
example, if your organization is XYZ Corporation, you might want to make the
Organizational Unit Name be XYZ Corporation Certificate Authority.
    
      $ cd ../ssl.key  
      $ openssl genrsa -des3 -out ca.key 1024
 
  1128 semi-random bytes loaded
  Generating RSA private key, 1024 bit long modulus
  .......................................+++++
  ....................................................+++++
  e is 65537 (0x10001)
  Enter PEM pass phrase:********
  Verifying password - Enter PEM pass phrase:********
 
           
      $ openssl rsa -noout -text -in ca.key
      (displays the details of your newly created CA key; output omitted)
      $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
 
  Using configuration from /APACHE/SECURE/ssl/openssl.cnf
  Enter PEM pass phrase:********
  You are about to be asked to enter information that will be
  incorporated into your certificate request.
  What you are about to enter is what is called a Distinguished Name
    or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:US
  State or Province Name (full name) [Some-State]:My State
  Locality Name (eg, city) []:My City
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
  Organizational Unit Name (eg, section) []:My Company CA
  Common Name (eg, YOUR name) []:Certificate Authority
  Email Address []:ca@mycompany.com
           
      $ openssl x509 -noout -text -in ca.crt
      (displays the details of your newly created CA certificate)
 
  Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=My State, L=My City, O=My Company,
          OU=My Company CA, CN=Certificate Authority/
          Email=ca@mycompany.com
        Validity
            Not Before: Apr 13 18:29:50 2000 GMT
            Not After : Apr 13 18:29:50 2001 GMT
        Subject: C=US, ST=My State, L=My City, O=My Company,
          OU=My Company CA, CN=Certificate Authority/
          Email=ca@mycompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a8:f9:f5:38:07:dd:6b:84:51:a6:34:43:15:fa:
                    ae:3c:08:24:dc:60:6d:ea:e4:ab:8d:13:f3:bb:48:
                    b9:e9:eb:e9:a7:74:58:87:4b:10:4b:a1:09:c0:c4:
                    7b:88:5e:9c:14:7b:da:bd:9f:5f:d2:b9:19:51:f0:
                    c3:a4:43:10:ec:13:6a:f9:72:25:e2:fe:6e:57:67:
                    0d:7a:dc:3f:a5:63:d2:d2:32:69:f3:d2:6d:1b:f3:
                    70:06:70:28:eb:a8:9f:06:ad:f1:ab:a3:30:db:a7:
                    54:37:f7:75:85:90:26:d0:28:e8:f6:d6:65:93:82:
                    ef:02:88:f4:c7:0b:91:1f:35
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
    89:B4:C8:ED:17:82:61:39:C5:1D:9F:E9:12:73:75:C8:31:EA:DF:33
           X509v3 Authority Key Identifier:
    keyid:89:B4:C8:ED:17:82:61:39:C5:1D:9F:E9:12:73:75:C8:31:EA:DF:33
                DirName:/C=US/ST=My State/L=My City/O=My Company/
                  OU=My Company CA/CN=Certificate Authority/
                  Email=ca@mycompany.com
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        a7:3d:21:6a:b8:bf:f2:67:01:81:e6:05:56:89:8a:21:ab:bf:
        d5:43:48:ad:06:af:51:66:2a:02:77:ba:30:41:57:26:a5:7c:
        eb:00:a0:77:bf:b8:2b:03:91:59:92:1c:0b:8d:fc:16:27:c1:
        75:d3:90:1c:fd:de:9b:21:e1:34:27:2c:1c:4c:36:9c:7a:5f:
        16:bf:df:66:85:43:35:9e:b2:e8:2d:04:08:af:b1:60:84:3f:
        3e:5f:67:2b:38:75:38:2d:58:28:36:a2:56:19:fb:b3:66:d2:
        fd:8e:b9:30:02:5d:43:f9:57:bb:1f:b9:40:5d:32:b3:c0:4c:
        ba:dd
           
      $ chmod 400 ca.key ca.crt  
     
Then sign your CSR with your CA certificate and move all files to their correct
secure locations:
    
       $ sign.sh ../ssl.csr/server.csr
 
 CA signing: ../ssl.csr/server.csr -> ../ssl.csr/server.crt:
 Using configuration from ca.config
 Enter PEM pass phrase:********
 Check that the request matches the signature
 Signature ok
 The Subjects Distinguished Name is as follows
 countryName           :PRINTABLE:'US'
 stateOrProvinceName   :PRINTABLE:'My State'
 localityName          :PRINTABLE:'My City'
 organizationName      :PRINTABLE:'My Company'
 organizationalUnitName:PRINTABLE:'My Org'
 commonName            :PRINTABLE:'www.mycompany.com'
 emailAddress          :IA5STRING:'webmaster@www.mycompany.com'
 Certificate is to be certified until Apr 13 18:36:41 2001 GMT (365 days)
 Sign the certificate? [y/n]:y
 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated
 CA verifying: ../ssl.csr/server.crt <- CA cert
 ../ssl.csr/server.crt: OK
 
           
      $ rm -fR ca.db.*  
      $ cd ..  
      $ mv ssl.csr/server.crt ssl.crt/server.crt  
      $ openssl x509 -noout -text -in ssl.crt/server.crt
      (displays the details of your newly created self-signed server certificate)
 
  Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=My State, L=My City, O=My Company,
          OU=My Company CA, CN=Certificate Authority/
          Email=ca@mycompany.com
        Validity
            Not Before: Apr 13 18:36:41 2000 GMT
            Not After : Apr 13 18:36:41 2001 GMT
        Subject: C=US, ST=My State, L=My City, O=My Company,
          OU=My Org, CN=www.mycompany.com/
          Email=webmaster@www.mycompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d2:d6:24:48:b4:52:92:0f:33:a1:0d:28:45:7a:
                    88:96:91:f9:dc:d3:23:c6:a7:ba:e4:93:5e:d3:d3:
                    9c:ba:18:27:ec:25:db:5b:1f:f5:26:9f:6b:8c:fe:
                    d4:8d:3a:28:2e:00:f0:58:71:ef:29:ac:b6:23:36:
                    ac:97:63:84:01:0b:35:90:34:6b:ff:35:b1:83:0a:
                    81:a1:12:5a:d5:cf:00:44:62:70:72:f9:3c:8f:30:
                    5f:dd:61:d1:fe:d6:83:9a:69:36:74:64:4d:16:3f:
                    49:7a:0a:29:b3:cd:78:ef:c0:2b:a9:3a:97:10:f3:
                    6c:df:87:61:d3:46:93:d8:6b
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        19:51:39:cd:7f:c6:91:be:16:53:dd:95:e9:2a:f8:4d:68:73:
        8d:ac:38:c8:8b:69:67:ba:a2:b7:df:7e:1e:f8:0d:bb:93:83:
        1b:d3:59:32:bc:5a:8d:f5:5b:c4:5e:aa:3e:e3:a8:e0:1e:1a:
        f1:78:ea:65:87:56:ad:66:14:cf:c9:87:da:0c:41:86:f6:20:
        08:db:b8:0d:7f:ee:47:9f:90:c1:dd:81:fe:8d:30:2d:cb:d1:
        c6:c2:2a:ce:9b:17:b9:c3:24:68:d6:61:bf:6c:5d:c4:cc:b2:
        16:09:30:b0:57:c8:a5:be:72:6a:ef:24:8a:a8:32:7a:bc:0d:
        95:2f
           
      $ mv ssl.key/ca.crt ssl.crt/ca.crt  
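
Whichever route produced the certificate (an external CA or your own CA), it is worth confirming before installation that it belongs to your private key and was issued by the CA you expect. The following is an added example, not part of the original procedure or of sign.sh; the function names are hypothetical, the demo files are constructed throwaways without pass phrases, and the demo keys are 2048-bit rather than the 1024-bit keys shown in the transcripts.

```shell
#!/bin/sh
# Added example: checks to run on a signed certificate before installing it.
# Needs the openssl command; every sample file is a constructed throwaway.

# modulus KIND FILE: print the "Modulus=..." line of a key, csr or crt file.
modulus() {
    case $1 in
        key) openssl rsa  -noout -modulus -in "$2" ;;
        csr) openssl req  -noout -modulus -in "$2" ;;
        crt) openssl x509 -noout -modulus -in "$2" ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# same_keypair KEY CRT [CSR]: succeed only if all files carry the same
# modulus, i.e. the certificate (and request) belong to this private key.
same_keypair() {
    want=$(modulus key "$1") || return 1
    [ -n "$want" ] || return 1
    [ "$(modulus crt "$2")" = "$want" ] || return 1
    [ -z "${3:-}" ] || [ "$(modulus csr "$3")" = "$want" ]
}

# issued_by CA_CRT CRT: succeed only if CRT verifies against CA_CRT. It looks
# for the "<file>: OK" line, the same one sign.sh prints after signing.
issued_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# preinstall_check KEY CRT CA_CRT: gate to pass before moving CRT into ssl.crt.
preinstall_check() {
    same_keypair "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
    issued_by "$3" "$2" || { echo "certificate not issued by this CA" >&2; return 1; }
}

# make_demo_pki DIR: constructed test material, unencrypted and short-lived:
# a CA, a server key/CSR/certificate signed by it, and an unrelated key/cert.
make_demo_pki() {
    ( cd "$1" || exit 1
      openssl genrsa -out ca.key 2048 &&
      openssl req -new -x509 -days 1 -key ca.key -out ca.crt \
          -subj "/O=My Company/OU=My Company CA/CN=Certificate Authority" &&
      openssl genrsa -out server.key 2048 &&
      openssl req -new -key server.key -out server.csr \
          -subj "/O=My Company/OU=My Org/CN=www.mycompany.com" &&
      openssl x509 -req -days 1 -in server.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -out server.crt &&
      openssl genrsa -out other.key 2048 &&
      openssl req -new -x509 -days 1 -key other.key -out other.crt \
          -subj "/O=Unrelated/CN=Unrelated CA" &&
      chmod 400 ./*.key
    ) >/dev/null 2>&1
}
```

With a pass-phrase protected key, openssl prompts for the pass phrase when the key's modulus is read, as in the transcripts above.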
     
    
     
    
Certificates (and keys) are sensitive information and must
be protected from unauthorized usage:
    
      $ cd /APACHE/SECURE/conf/ssl.crt  
      $ make
      (to rebuild the certificate hash symbolic links)
 
  ca-bundle.crt   ... Skipped
  ca.crt          ... dc91dd8e.0
  server.crt      ... 2f66b362.0
  snakeoil-ca-dsa.crt ... 0cf14d7d.0
  snakeoil-ca-rsa.crt ... e52d41d0.0
  snakeoil-dsa.crt ... 5d8360e1.0
  snakeoil-rsa.crt ... 82ab5372.0
  zzyzx-ca-rsa.crt ... f28a2a0f.0
 
           
      $ chmod 400 /APACHE/SECURE/conf/ssl.*/*  
     
    
     
    
     