166 | | === Secure Sockets (https) === #ssl |
167 | | '''Note:''' Establishing Secure Sockets is a fairly extensive process. This is simply a shortcut for testing purposes. |
168 | | |
169 | | This works for a development system (not recommended for production!). |
170 | | |
171 | | {{{ |
172 | | openssl genrsa -des3 -out server.key 1024 |
173 | | # [enter your passphrase, a simple password we will remove soon] |
174 | | openssl req -new -key server.key -out server.csr |
| 166 | === Apache SSL/TLS Encryption (aks Secure Sockets or https) === #ssl |
| 167 | '''Note:''' Establishing Secure Sockets is a fairly extensive process. One should first read the current Apache2 documentation found in the Apache2 manual: |
| 168 | {{{ |
| 169 | http://httpd.apache.org/docs/2.2/ssl/ |
| 170 | }}} |
| 171 | ==== Generate a self-signed certificate ==== |
| 172 | The following instructions are to generate a "self-signed" certificate.\\ |
| 173 | This is simply a shortcut for testing purposes (a self-signed certificate is not recommended for production!).\\ |
| 174 | The complete dialog is listed here for reference. The commands necessary are prefixed as "$ sudo", with comments prefixed with a #.\\ |
| 175 | |
| 176 | {{{ |
| 177 | $ sudo openssl genrsa -des3 -out server.key 1024 |
| 178 | # Enter pass phrase for server.key [enter your passphrase, a simple password we will remove soon] |
| 179 | |
| 180 | Generating RSA private key, 1024 bit long modulus |
| 181 | .....++++++ |
| 182 | ................++++++ |
| 183 | e is 65537 (0x10001) |
| 184 | Enter pass phrase for server.key: |
| 185 | Verifying - Enter pass phrase for server.key: |
| 186 | |
| 187 | |
| 188 | $ sudo openssl req -new -key server.key -out server.csr |
| 189 | # |
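Review bot: the key generated by `$ sudo openssl genrsa -des3 -out server.key 1024` (new line 177) is 1024-bit RSA, below the 2048-bit minimum that current browser and CA baselines require; use at least 2048 (`openssl genrsa -out server.key 2048`). The `-des3` passphrase is also pointless here because the same hunk series strips it again a few steps later, so dropping `-des3` removes two prompts and the need for a `.bak` copy. Running the `openssl` steps under `sudo` is unnecessary as well: it only leaves a root-owned `server.key` and `server.csr` in whatever directory the reader happened to be in. Minor: the new heading on line 166 reads "aks" for "aka", and the manual link is to the 2.2 documentation; state which Apache version the MacPorts port installs so the reader opens the matching manual.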
176 | | openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt |
177 | | # [will ask for passphrase] |
178 | | cp server.key server.key.bak |
179 | | openssl rsa -in server.key.bak -out server.key |
180 | | # [passphrase needs to be typed] |
181 | | sudo cp server.crt /opt/local/apache2/conf/ |
182 | | sudo cp server.key /opt/local/apache2/conf/ |
| 191 | |
| 192 | Enter pass phrase for server.key: |
| 193 | You are about to be asked to enter information that will be incorporated |
| 194 | into your certificate request. |
| 195 | What you are about to enter is what is called a Distinguished Name or a DN. |
| 196 | There are quite a few fields but you can leave some blank |
| 197 | For some fields there will be a default value, |
| 198 | If you enter '.', the field will be left blank. |
| 199 | ----- |
| 200 | Country Name (2 letter code) [AU]: |
| 201 | State or Province Name (full name) [Some-State]: |
| 202 | Locality Name (eg, city) []: |
| 203 | Organization Name (eg, company) [Internet Widgits Pty Ltd]: |
| 204 | Organizational Unit Name (eg, section) []: |
| 205 | Common Name (e.g. server FQDN or YOUR name) []: |
| 206 | Email Address []: |
| 207 | |
| 208 | Please enter the following 'extra' attributes |
| 209 | to be sent with your certificate request |
| 210 | A challenge password []: |
| 211 | An optional company name []: |
| 212 | |
| 213 | |
| 214 | $ sudo openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt |
| 215 | # [will ask for passphrase - the same as you entered in the first step] |
| 216 | |
| 217 | Signature ok |
| 218 | subject=/C=US/ST=Pennsylvania/L=Elizabethtown/O=MVE/OU=Elizabethtown/CN=mcgillsociety.org/emailAddress=magill@icloud.com |
| 219 | Getting Private key |
| 220 | Enter pass phrase for server.key: |
| 221 | |
| 222 | $ sudo cp server.key server.key.bak |
| 223 | $ sudo openssl rsa -in server.key.bak -out server.key |
| 224 | # [will ask for passphrase - the same as you entered in the first step] |
| 225 | |
| 226 | Enter pass phrase for server.key.bak: |
| 227 | writing RSA key |
| 228 | |
| 229 | $ sudo cp server.crt /opt/local/apache2/conf/ |
| 230 | $ sudo cp server.key /opt/local/apache2/conf/ |
| 231 | }}} |
| 232 | '''Note:''' Certificate generation can be accomplished in any directory. If you did so in ''"/opt/local/apache2/conf"'' the last two copy commands are redundant, and will generate the following errors respectively: |
| 233 | {{{ |
| 234 | cp: /opt/local/apache2/conf/server.crt and server.crt are identical (not copied). |
| 235 | cp: /opt/local/apache2/conf/server.key and server.key are identical (not copied). |
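Review bot: the decrypted private key is copied into the Apache config directory on new line 230 (`$ sudo cp server.key /opt/local/apache2/conf/`) with no step restricting its permissions, and both the passphrase-protected `server.key.bak` and the plaintext working copy of `server.key` are left behind in the build directory. Add `sudo chmod 600 /opt/local/apache2/conf/server.key` (owned by the user Apache's parent process runs as, normally root) and tell the reader to delete or lock down the leftovers; an unencrypted key readable by other local users undoes the point of TLS even on a development box. Second, `openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt` (new line 214) issues a certificate with no subjectAltName extension; Chrome and Safari no longer match the hostname against the CN, so the reader will get a hostname mismatch even after trusting the certificate. Supply an extensions file via `-extfile` containing `subjectAltName=DNS:<your server address>`, or with OpenSSL 1.1.1 or later produce the self-signed certificate in one step with `openssl req -x509 ... -addext "subjectAltName=DNS:<your server address>"`. The ten-year validity is also longer than the 825-day maximum Apple's certificate requirements impose for TLS server certificates on macOS 10.15 and later; 365 days is plenty for a test certificate.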
| 246 | After each change to the config file, you should again verify the file syntax, and then you need to stop and restart Apache for the changes to take effect. |
| 247 | {{{ |
| 248 | $ /opt/local/apache2/bin/apachectl -t |
| 249 | $ sudo port unload apache2 |
| 250 | $ sudo port load apache2 |
| 251 | }}} |
| 252 | |
| 253 | The most likely error you will receive is: |
| 254 | {{{ |
| 255 | Syntax error on line 120 of /opt/local/apache2/conf/extra/httpd-ssl.conf: |
| 256 | SSLCertificateFile: file '/opt/local/apache2/conf/server.crt' does not exist or is empty |
| 257 | }}} |
| 258 | If so, simply revisit the instructions above to create a self-signed certificate. |
| 259 | |
| 260 | ==== Verify your success ==== |
| 261 | |
| 262 | type ''"https://<your server address>"'' in Safari. \\ |
| 263 | Safari should return the pop-up: "Safari can't verify the identity of the website "<your server address>" \\ |
| 264 | At which point you can view the details of your certificate and select your appropriate actions. |
| 265 | |
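Review bot: the verification step on new lines 262-264 only confirms that Safari received a certificate it does not trust, which is equally true of a wrong, expired or leftover certificate; it does not confirm that Apache is serving the one just installed. Add a command-line check that compares fingerprints: `openssl x509 -in /opt/local/apache2/conf/server.crt -noout -fingerprint -sha256` against `openssl s_client -connect <your server address>:443 </dev/null | openssl x509 -noout -fingerprint -sha256`, and tell the reader to compare that fingerprint with the one shown in Safari's certificate details before accepting the certificate. Two smaller points in the same hunk: the Safari warning text quoted on new line 263 is missing its closing quotation mark and is specific to older Safari releases (current versions show a "This Connection Is Not Private" page instead), and `apachectl -t` on new line 248 only validates the configuration syntax, so the reader should also check Apache's error log after the `port load` step for mod_ssl startup failures.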