Paolo Coveri
47122 Forlì
Mobile 338.5869070
VAT no. 03306540406

Installing a secure Apache web server

Friday 11 May 2007

Page 4 of 5
CREATING CERTIFICATES FOR THE SERVER
***
Move to the directory where the server's private key is to be created...
[root@Linux-Server root]# cd /usr/local/apache/conf/ssl.key
***
If it has not already been done once, create a file of random data...
[root@Linux-Server ssl.key]# dd if=/dev/random of=.casuale bs=1b count=1k
[root@Linux-Server ssl.key]# chmod 400 .casuale
***
Generate the server's private key...
[root@Linux-Server ssl.key]# /usr/local/ssl/bin/openssl genrsa -des3 -rand .casuale -out pacserver.key 1024
2022 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.++++++
................................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
[root@Linux-Server ssl.key]#
[root@Linux-Server ssl.key]# chmod 400 pacserver.key
***
To view the key just generated...
[root@Linux-Server ssl.key]# /usr/local/ssl/bin/openssl rsa -noout -text -in pacserver.key
read RSA key
Enter PEM pass phrase:
Private-Key: (1024 bit)
modulus:
    00:b5:f4:e0:f6:27:01:25:c5:10:ab:8f:5a:a7:e7:
    9c:72:f0:39:72:29:bd:69:4a:ed:1b:cb:56:65:3e:
    f8:f5:aa:22:61:25:84:3e:38:2b:c1:4e:2a:35:57:
    8e:10:dd:29:7f:0a:05:ac:98:f8:f7:a0:65:94:23:
    ...
coefficient:
    74:ce:21:3e:54:60:89:e0:86:b8:3e:44:1a:62:30:
    f5:ed:44:c2:7b:0c:ae:53:d6:85:08:7f:29:bb:31:
    43:f2:3e:d6:79:47:69:c9:83:e7:0e:66:8c:f1:12:
    76:55:b4:74:4e:c6:ea:39:02:5a:cd:40:60:c8:9c:
    b9:b0:65:8e
[root@Linux-Server ssl.key]#
***
To remove the passphrase protection from the server's private key (not recommended)...
[root@Linux-Server ssl.key]# /usr/local/ssl/bin/openssl rsa -in pacserver.key -out pacserver.key.nonsicura
read RSA key
Enter PEM pass phrase:
writing RSA key
[root@Linux-Server ssl.key]#
***
Create the certificate signing request...
[root@Linux-Server ssl.key]# /usr/local/ssl/bin/openssl req -new -key pacserver.key -out ../ssl.csr/pacserver.csr
Using configuration from /usr/local/ssl/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Italia
Locality Name (eg, city) []:Forli
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Paolo Coveri - Consulenza Informatica
Organizational Unit Name (eg, section) []:Consulenza Linux
Common Name (eg, YOUR name) []:192.168.0.2
Email Address []:[e-mail address]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:chiavesegreta
An optional company name []:Paolo Coveri - Consulenza Linux
[root@Linux-Server ssl.key]#
***
To view the certificate signing request...
[root@Linux-Server ssl.key]# cd ../ssl.csr
[root@Linux-Server ssl.csr]# /usr/local/ssl/bin/openssl req -noout -text -in pacserver.csr
Using configuration from /usr/local/ssl/ssl/openssl.cnf
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=IT, ST=Italia, L=Forli, O=Paolo Coveri - Consulenza Informatica, OU=Consulenza Linux, CN=192.168.0.2/Email=[e-mail address]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b5:f4:e0:f6:27:01:25:c5:10:ab:8f:5a:a7:e7:
                    9c:72:f0:39:72:29:bd:69:4a:ed:1b:cb:56:65:3e:
                    ...
                    d7:0a:c4:26:03:b1:28:4c:93:e3:63:a6:d2:20:f0:
                    e6:14:12:51:e9:5d:91:f6:b7
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :chiavesegreta
            unstructuredName         :Paolo Coveri - Consulenza Linux
    Signature Algorithm: md5WithRSAEncryption
        08:52:91:05:5f:cc:b7:b9:55:fe:75:b0:fb:2d:3f:1d:08:0b:
        d9:a2:b9:b0:37:0a:40:ef:04:83:f4:65:03:c9:dc:30:3f:57:
        ...
        19:3b:a0:ce:8d:be:50:bf:4e:97:56:49:f6:57:79:4f:16:5c:
        9c:6a
[root@Linux-Server ssl.csr]#
***
To self-sign your own certificate you first need to create the private key of your own Certification Authority (CA)...
[root@Linux-Server ssl.csr]# cd ../ssl.key
[root@Linux-Server ssl.key]# /usr/local/ssl/bin/openssl genrsa -des3 -out pac-ca.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
........................................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
[root@Linux-Server ssl.key]#
[root@Linux-Server ssl.key]# chmod 400 pac-ca.key
***
To view the key just generated...
[root@Linux-Server ssl.key]# /usr/local/ssl/bin/openssl rsa -noout -text -in pac-ca.key
read RSA key
Enter PEM pass phrase:
Private-Key: (1024 bit)
modulus:
    00:c0:5b:4e:ae:f9:57:91:d8:fe:93:87:8e:09:a0:
    68:63:14:b5:d6:4c:70:1f:79:1d:f9:49:a4:d6:2d:
    53:5d:50:ce:13:37:ba:8c:b7:8d:a8:06:7e:76:35:
    ...
coefficient:
    5b:ff:01:f6:2a:4b:f9:49:0d:1e:de:55:15:b3:1f:
    2f:26:92:aa:37:13:ad:b2:d0:49:62:0c:dd:fe:df:
    d8:63:cf:2d:33:f1:dd:72:c2:6d:07:c0:81:f0:0f:
    34:bc:80:42:e8:07:5c:80:17:2e:a4:9e:aa:69:42:
    26:d3:ac:54
[root@Linux-Server ssl.key]#
***
To remove the passphrase protection from the private key of your own Certification Authority (not recommended)...
[root@Linux-Server ssl.key]# /usr/local/ssl/bin/openssl rsa -in pac-ca.key -out pac-ca.key.nonsicura
read RSA key
Enter PEM pass phrase:
writing RSA key
[root@Linux-Server ssl.key]#
***
Create the self-signed certificate (public key) of your own Certification Authority...
[root@Linux-Server ssl.key]# /usr/local/ssl/bin/openssl req -new -x509 -days 365 -key pac-ca.key -out ../ssl.crt/pac-ca.crt
Using configuration from /usr/local/ssl/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Italia
Locality Name (eg, city) []:Forli
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Paolo Coveri - Consulenza Informatica
Organizational Unit Name (eg, section) []:Consulenza Linux
Common Name (eg, YOUR name) []:Paolo Coveri
Email Address []:[e-mail address]
[root@Linux-Server ssl.key]#
[root@Linux-Server ssl.crt]# chmod 400 pac-ca.crt
***
To view the certificate just generated...
[root@Linux-Server ssl.key]# cd ../ssl.crt
[root@Linux-Server ssl.crt]# /usr/local/ssl/bin/openssl x509 -noout -text -in pac-ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IT, ST=Italia, L=Forli, O=Paolo Coveri - Consulenza Informatica, OU=Consulenza Linux, CN=Paolo Coveri/Email=[e-mail address]
        Validity
            Not Before: Jan 21 10:39:46 2001 GMT
            Not After : Jan 21 10:39:46 2002 GMT
        Subject: C=IT, ST=Italia, L=Forli, O=Paolo Coveri - Consulenza Informatica, OU=Consulenza Linux, CN=Paolo Coveri/Email=[e-mail address]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c0:5b:4e:ae:f9:57:91:d8:fe:93:87:8e:09:a0:
                    68:63:14:b5:d6:4c:70:1f:79:1d:f9:49:a4:d6:2d:
                    ...
                    e3:cb:9a:ff:b6:f5:a1:3f:03:aa:e8:01:7c:08:f3:
                    14:61:11:26:18:72:16:62:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                18:BD:57:02:65:AB:A7:35:0B:29:6B:38:63:48:AD:30:15:8F:84:07
            X509v3 Authority Key Identifier:
                keyid:18:BD:57:02:65:AB:A7:35:0B:29:6B:38:63:48:AD:30:15:8F:84:07
                DirName:/C=IT/ST=Italia/L=Forli/O=Paolo Coveri - Consulenza Informatica/OU=Consulenza Linux/CN=Paolo Coveri/Email=[e-mail address]
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        41:7d:b1:92:de:db:f4:a1:4e:1c:d4:18:4c:6e:a1:0f:fc:36:
        08:ca:0d:05:a4:b4:08:ee:89:5a:d8:02:c3:cf:b1:98:78:4c:
        ...
        c3:d8:c5:6e:57:2d:2f:d4:3a:c8:5e:d8:5e:82:ab:dc:92:69:
        1a:6b
[root@Linux-Server ssl.crt]#
***
If it has not already been done once, copy and edit the sign.sh script supplied with mod_ssl...
[root@Linux-Server ssl.crt]# cp /usr/src/server/mod_ssl-2.8.4-1.3.20/pkg.contrib/sign.sh .
[root@Linux-Server ssl.crt]# vi sign.sh
...
certificate = \$dir/pac-ca.crt
private_key = \../ssl.key/pac-ca.key
...
#   sign the certificate
echo "CA signing: $CSR -> $CERT:"
/usr/local/ssl/bin/openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
/usr/local/ssl/bin/openssl verify -CAfile pac-ca.crt $CERT
...
***
You can now go ahead and create the server's certificate...
[root@Linux-Server ssl.crt]# cp ../ssl.csr/pacserver.csr .
[root@Linux-Server ssl.crt]# ./sign.sh pacserver.csr
CA signing: pacserver.csr -> pacserver.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'IT'
stateOrProvinceName   :PRINTABLE:'Italia'
localityName          :PRINTABLE:'Forli'
organizationName      :PRINTABLE:'Paolo Coveri - Consulenza Informatica'
organizationalUnitName:PRINTABLE:'Consulenza Linux'
commonName            :PRINTABLE:'192.168.0.2'
emailAddress          :IA5STRING:'[e-mail address]'
Certificate is to be certified until Jan 21 12:54:30 2002 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: pacserver.crt <-> CA cert
pacserver.crt: OK
[root@Linux-Server ssl.crt]#
[root@Linux-Server ssl.crt]# chmod 400 pacserver.crt
[root@Linux-Server ssl.crt]# rm pacserver.csr
rm: rimuovere `pacserver.csr'? y
[root@Linux-Server ssl.crt]#
***
If it has not already been done on a previous occasion, edit the Makefile...
[root@Linux-Server ssl.crt]# vi Makefile
##
##  Makefile to keep the hash symlinks in SSLCACertificatePath up to date
##  Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
##
SSL_PROGRAM=/usr/local/ssl/bin/openssl
...
***
Create the symbolic links to the certificates with the command...
[root@Linux-Server ssl.crt]# make
ca-bundle.crt ... Skipped
ca.crt ... 85b11d2e.0
pac-ca.crt ... d8290a11.0
pacserver.crt ... dd0523d2.0
server.crt ... ed9a6ef0.0
snakeoil-ca-dsa.crt ... 0cf14d7d.0
snakeoil-ca-rsa.crt ... e52d41d0.0
snakeoil-dsa.crt ... 5d8360e1.0
snakeoil-rsa.crt ... 82ab5372.0
[root@Linux-Server ssl.crt]#
***
Edit the server's configuration file...
[root@Linux-Server ssl.crt]# cd /usr/local/apache/conf
[root@Linux-Server conf]# vi httpd.conf
...
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' under
#   built time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
#SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateFile /usr/local/apache/conf/ssl.crt/pacserver.crt
#SSLCertificateFile /usr/local/apache/conf/ssl.crt/server-dsa.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/pacserver.key
#SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-dsa.key
...
#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /usr/local/apache/conf/ssl.crt
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/pac-ca.crt
#SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
...
***
The server can now be restarted.