From Fedora Project Wiki

Revision as of 01:57, 1 September 2014 by Javiertury (talk | contribs)

Your web server is only as secure as you make it, but security is not only about protecting your server against attackers; it is also about protecting your clients from man-in-the-middle (MITM) attacks. Securing your connections with the TLS protocol (the successor of SSL) is strongly recommended if your website allows user registration, handles economic transactions or requests private information. Otherwise, plain-text passwords, credit card numbers or confidential data could easily be stolen by MITM attackers.

There are many cryptographic libraries to choose from. While NSS is recommended, OpenSSL is still dominant.

While OpenSSL uses the X.509 format and stores certificates in files, NSS uses the PKCS12 format for certificates, which it imports into a database. Genkey supports both; however, it does not let you specify the cryptographic or digest algorithm, and its defaults can be considered weak because it uses SHA1 as the digest algorithm.

Genkey, create a TLS/SSL certificate the easy way

If you want to either generate a self-signed certificate or generate a certificate signing request to send to a recognized certificate authority so you can receive a valid server certificate, you can use the /usr/bin/genkey tool which is provided by the crypto-utils package. Install it using

# sudo yum install crypto-utils

This command:

# /usr/bin/genkey

would generate a self-signed certificate or a CSR identifying the server ''. genkey is an interactive tool - it will ask you to choose a key size, and enter some identifying information. It will also ask if you want to generate a CSR. If you say no, you will get a self-signed certificate instead. Fill out the fields as appropriate, but the most important field is 'CN', which should be the fully-qualified domain name (e.g. of the server you wish to use the certificate with.

After generating a certificate this way, you should have the new files /etc/pki/tls/certs/ and /etc/pki/tls/private/ - the former is your self-signed server certificate, and the latter is the corresponding private key. If you generate a CSR, you will have /etc/pki/tls/certs/ and /etc/pki/tls/private/, and you should send the contents of /etc/pki/tls/certs/ to your CA, who will send you a certificate to save as /etc/pki/tls/certs/

Certificate and key naming
Naming certificate and key files after the host they identify is only a convention - the name of the files has no special significance, so long as the server is configured to find them.

genkey can also save keys and certificates to the database used by the mod_nss module. To use NSS format, call genkey with the --nss parameter:

# genkey --nss

genkey will ask you whether to set a passphrase for the private key. If you set a passphrase, any time you start or restart your webserver (including any time the system is booted), you will have to enter this passphrase: Apache startup will not proceed unless it is entered. If you do not set a passphrase, you will not have to do this, but it is essential that you guard the key file carefully, as anyone who gains access to it can impersonate your server and intercept 'secure' traffic. Ensure it is owned by root.root and has permissions 0600, be very careful about security of backups, and restrict access to the server machine as strictly as you can (this is a good security practice in any case).

The last step is to configure the webserver of your host for the TLS protocol using the key and the certificate you have just created.

Create a certificate using OpenSSL

First generate the private key. In this example we will use a 2048-bit RSA key:

# openssl genrsa -out 2048

Create a Certificate Signing Request (CSR). The Common Name field must be your server's hostname:

# openssl req -new -key -out -sha512

A message digest algorithm such as SHA2 or stronger is recommended, although the digest matters more for the certificate than for the request. Note that your CA decides which message digest is used for the certificate.

Now give your CSR to your Certificate Authority (CA) so they can sign your key and give you a certificate. Alternatively you can self-sign it, but bear in mind the security issues that this poses and that browsers will warn users about it:

# openssl x509 -req -days 365 -in -signkey -out -sha512

Once your CA has signed it, they will give you the certificate (.crt file). Now move the private key and the certificate to their respective directories:

# cp /etc/pki/tls/certs/
# cp /etc/pki/tls/private/

The Certificate Signing Request (CSR) can be deleted, as it becomes useless once you have obtained your certificate. Alternatively, keep it alongside your private key:

# cp /etc/pki/tls/private/

Set the correct context of these files for SELinux:

# restorecon -RvF /etc/pki

The last step is to configure the webserver of your host for the TLS protocol using the key and the certificate files you have just created.
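
Before pointing the web server at the new files, it is worth auditing them. The script below is an added example, not part of the original wiki page: it checks that the certificate is not signed with a weak digest such as SHA1, that the private key actually corresponds to the certificate, and that the key file is mode 0600 and owned by root. The function names are hypothetical, and it assumes the openssl command-line tool and GNU stat.

```shell
#!/bin/sh
# Added example: audit a key/certificate pair before configuring the web server.
# Function names are hypothetical; pass your own key and certificate paths.

# Print the certificate's signature algorithm, e.g. sha512WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed if the named signature algorithm uses a weak digest (SHA-1 or MD5)
# or could not be read at all.
sig_alg_is_weak() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ''|*sha1*|*md5*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the private key and the certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if the key file is mode 0600 and owned by uid:gid "$2"
# (default 0:0, i.e. root.root as recommended above). Uses GNU stat.
key_perms_ok() {
    [ "$(stat -c '%u:%g %a' "$1")" = "${2:-0:0} 600" ]
}

# Run all three checks; return non-zero if any of them fails.
audit_pair() {
    rc=0
    alg=$(cert_sig_alg "$2")
    if sig_alg_is_weak "$alg"; then echo "WEAK digest: ${alg:-unreadable}"; rc=1; fi
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; rc=1; }
    key_perms_ok "$1" || { echo "key must be 0600 and owned by root"; rc=1; }
    return "$rc"
}

# Usage: sh audit.sh /path/to/server.key /path/to/server.crt
if [ "$#" -eq 2 ]; then audit_pair "$1" "$2"; fi
```

A non-zero exit status means at least one check failed; the printed lines say which.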