Prérequis
Il faut avoir httpd installé ainsi que mod_ssl.
Utilisez la commande yum -y install httpd mod_ssl si vous ne les avez pas encore. Les dépendances seront installées en même temps que ces paquets.
Activez apache au démarrage du serveur avec la commande chkconfig httpd on
Pour ce qui est du certificat ssl, vous pouvez créer une demande de cerificat comme indiqué ci-dessous et demander sa signature auprès d’une autorité officielle.
Mais pour un usage interne du serveur comme celui-ci, je vais créer une autorité locale.
Création d’une certificate autority ( CA) locale
Ici, je vais utiliser password comme mot de passe pour l’autorité de certification et monpass comme mot de passe de la clef du serveur web. Adaptez ceci à votre besoin ainsi que les informations données, comme la situation géographique et la société.
Mes choix seront encadré par un double [ dans les commandes suivantes.
Par facilité, je vais créer des certificats valides 10 ans, mais c’est pas terrible au niveau sécu, faites comme bon vous semble.
vi /usr/share/ssl/misc/CA
C’est la ligne DAYS= »-days 365″ en DAYS= »-days 3650″ qui réalise celà.
[root@CentOS ~]# /usr/share/ssl/misc/CA -newca
CA certificate filename (or enter to create)
[[enter]]
Making CA certificate ...
Generating a 1024 bit RSA private key
.......++++++
...++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:[[password]]
Verifying - Enter PEM pass phrase:[[password]]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:[[FR]]
State or Province Name (full name) [Berkshire]:[[MidiPyrenees]]
Locality Name (eg, city) [Newbury]:[[Castres]]
Organization Name (eg, company) [My Company Ltd]:[[ma-societe]
Organizational Unit Name (eg, section) []:[[enter]]
Common Name (eg, your name or your server's hostname) []:[[monserveur.monfai.fr]]
Email Address []:[[email@fai.fr]]
Le dossier de votre CA est créé :
[root@CentOS ~]# ls
demoCA Desktop
[root@CentOS ~]# ls demoCA/
cacert.pem certs crl index.txt newcerts private serial
Créons un fichier crl qui sert lors des révocations de certifcats.
[root@CentOS ~]# openssl ca -gencrl -out crl.pem
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:[[password]]
[root@CentOS ~]# mv crl.pem demoCA/crl/
Vous pouvez maintenant utiliser votre autorité de certifcat pour produire des certificats.
Générer un certificat pour le serveur apache.
On prépare une demande de certificat pour le serveur.
[root@CentOS ~]# /usr/share/ssl/misc/CA -newreq
Generating a 1024 bit RSA private key
...................................++++++
....++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:[[monpass]]
Verifying - Enter PEM pass phrase:[[monpass]]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:[[FR]]
State or Province Name (full name) [Berkshire]:[[MidiPyrenees]]
Locality Name (eg, city) [Newbury]:[[Castres]]
Organization Name (eg, company) [My Company Ltd]:[[ma-societe]]
Organizational Unit Name (eg, section) []:[[enter]]
Common Name (eg, your name or your server's hostname) []:[[apache.ma-societe.fr]]
Email Address []:[[email@fai.fr]]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[[enter]]
An optional company name []:[[enter]]
Request (and private key) is in newreq.pem
[root@CentOS ~]#
On signe le certificat avec notre CA.
[root@CentOS ~]# /usr/share/ssl/misc/CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:[[password]]
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 20 20:09:53 2006 GMT
Not After : Mar 20 20:09:53 2007 GMT
Subject:
countryName = FR
stateOrProvinceName = MidiPyrenees
localityName = Castres
organizationName = ma-societe
commonName = apache.ma-societe.fr
emailAddress = email@fai.fr
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C4:1D:CC:FD:34:20:DA:79:1C:FD:98:7D:FF:FB:31:65:D7:33:CC:E7
X509v3 Authority Key Identifier:
keyid:05:84:91:DE:B8:60:6E:BD:53:33:E1:44:03:6A:E8:D0:34:87:0D:13
DirName:/C=FR/ST=MidiPyrenees/L=Castres/O=ma-societe/CN=monserveur.monfai.fr/emailAddress=email@fai.fr
serial:00
Certificate is to be certified until Mar 20 20:09:53 2007 GMT (365 days)
Sign the certificate? [y/n]:[[y]]
1 out of 1 certificate requests certified, commit? [y/n][[y]]
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=FR, ST=MidiPyrenees, L=Castres, O=ma-societe, CN=monserveur.monfai.fr/emailAddress=email@fai.fr
Validity
Not Before: Mar 20 20:09:53 2006 GMT
Not After : Mar 20 20:09:53 2007 GMT
Subject: C=FR, ST=MidiPyrenees, L=Castres, O=ma-societe, CN=apache.ma-societe.fr/emailAddress=email@fai.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d6:83:58:70:5f:5d:79:f1:fe:32:37:e5:8a:02:
54:b7:4f:3b:d2:ff:f3:1a:81:d4:c4:d4:60:37:65:
fb:c3:b6:eb:c1:f2:8e:70:9f:3a:74:10:26:7f:bd:
1e:4a:bf:6e:ac:42:65:40:89:26:c8:ae:e0:20:46:
ac:56:4d:2a:53:c6:aa:02:d3:6d:01:60:59:46:b9:
d8:5a:c7:0e:e8:7b:ad:a7:1a:13:3b:29:f3:f2:bd:
8f:9c:a4:89:29:d4:28:26:73:e5:9b:1a:63:ba:22:
f2:d7:f1:fb:c1:85:46:bb:8f:b9:b4:cc:ec:3b:bf:
e0:c0:f3:15:aa:a0:a2:de:e5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C4:1D:CC:FD:34:20:DA:79:1C:FD:98:7D:FF:FB:31:65:D7:33:CC:E7
X509v3 Authority Key Identifier:
keyid:05:84:91:DE:B8:60:6E:BD:53:33:E1:44:03:6A:E8:D0:34:87:0D:13
DirName:/C=FR/ST=MidiPyrenees/L=Castres/O=ma-societe/CN=monserveur.monfai.fr/emailAddress=email@fai.fr
serial:00
Signature Algorithm: md5WithRSAEncryption
1f:22:51:7c:3a:80:8b:3f:b6:be:b3:16:a0:d5:c7:4e:56:ea:
8a:2f:22:81:fb:81:f7:77:f8:56:ff:bd:4a:73:62:16:a1:98:
e9:46:60:a4:28:d4:7c:24:eb:99:0f:e8:19:7b:03:09:07:5f:
24:54:c5:03:ae:db:92:ae:07:ba:f7:6c:c2:00:5d:ae:d8:b2:
7e:f7:97:63:0c:c6:59:3a:07:37:5e:95:d8:9b:eb:71:5d:30:
23:8d:88:10:ea:e5:3e:82:8c:a7:76:fd:ab:b2:6d:17:37:9c:
89:ea:c4:cd:9c:69:ee:f3:27:c1:67:e9:a4:4c:85:1d:ac:fb:
75:a8
BEGIN CERTIFICATE-----
MIIDnDCCAwWgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCRlIx
FTATBgNVBAgTDE1pZGlQeXJlbmVlczEQMA4GA1UEBxMHQ2FzdHJlczEUMBIGA1UE
ChMLQ0FQTEFTRVIgU0ExHTAbBgNVBAMTFG1vbnNlcnZldXIubW9uZmFpLmZyMRsw
GQYJKoZIhvcNAQkBFgxlbWFpbEBmYWkuZnIwHhcNMDYwMzIwMjAwOTUzWhcNMDcw
MzIwMjAwOTUzWjCBhjELMAkGA1UEBhMCRlIxFTATBgNVBAgTDE1pZGlQeXJlbmVl
czEQMA4GA1UEBxMHQ2FzdHJlczEUMBIGA1UEChMLQ0FQTEFTRVIgU0ExGzAZBgNV
BAMTEmFwYWNoZS5jYXBsYXNlci5mcjEbMBkGCSqGSIb3DQEJARYMZW1haWxAZmFp
LmZyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWg1hwX1158f4yN+WKAlS3
TzvS//MagdTE1GA3ZfvDtuvB8o5wnzp0ECZ/vR5Kv26sQmVAiSbIruAgRqxWTSpT
xqoC020BYFlGudhaxw7oe62nGhM7KfPyvY+cpIkp1Cgmc+WbGmO6IvLX8fvBhUa7
j7m0zOw7v+DA8xWqoKLe5QIDAQABo4IBFDCCARAwCQYDVR0TBAIwADAsBglghkgB
hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
FMQdzP00INp5HP2Yff/7MWXXM8znMIG1BgNVHSMEga0wgaqAFAWEkd64YG69UzPh
RANq6NA0hw0ToYGOpIGLMIGIMQswCQYDVQQGEwJGUjEVMBMGA1UECBMMTWlkaVB5
cmVuZWVzMRAwDgYDVQQHEwdDYXN0cmVzMRQwEgYDVQQKEwtDQVBMQVNFUiBTQTEd
MBsGA1UEAxMUbW9uc2VydmV1ci5tb25mYWkuZnIxGzAZBgkqhkiG9w0BCQEWDGVt
YWlsQGZhaS5mcoIBADANBgkqhkiG9w0BAQQFAAOBgQAfIlF8OoCLP7a+sxag1cdO
VuqKLyKB+4H3d/hW/71Kc2IWoZjpRmCkKNR8JOuZD+gZewMJB18kVMUDrtuSrge6
92zCAF2u2LJ+95djDMZZOgc3XpXYm+txXTAjjYgQ6uU+goyndv2rsm0XN5yJ6sTN
nGnu8yfBZ+mkTIUdrPt1qA==
END CERTIFICATE-----
Signed certificate is in newcert.pem
On place le certificat et la clef dans les dossiers d’apache.
[root@CentOS ~]# mv newcert.pem /etc/httpd/conf/ssl.crt/apache.ma-societe.fr.crt
[root@CentOS ~]# mv newreq.pem /etc/httpd/conf/ssl.key/apache.ma-societe.fr.key
Ici, on entre dans le paramétrage d’Apache à proprement parler.
[root@ns1 root]# cd /etc/httpd/conf.d/
[root@ns1 conf.d]# vi ssl.conf
Modifiez les lignes SSLCertificateFile et SSLCertificateKeyFile comme suit :
SSLCertificateFile /etc/httpd/conf/ssl.crt/apache.ma-societe.fr.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/apache.ma-societe.fr.key
Redémarrez Apache avec la commande service httpd restart et le système vous demande le mot de passe de votre clef privée.
Pour ne pas avoir à taper le mot de passe du certificat a chaque démarrage d’apache, on doit valider la clef par sa clef privée.
[root@CentOS ~]# cd /etc/httpd/conf/ssl.key/
[root@CentOS ssl.key]# openssl rsa -in apache.ma-societe.fr.key -out apache.ma-societe.fr.key
Enter pass phrase for apache.ma-societe.fr.key:[[monpass]]
writing RSA key
[root@CentOS ssl.key]#
Redémarrez Apache avec la commande service httpd restart et cette fois, le système ne vous demande pas le mot de passe.
C’est quand même plus pratique…
Attention !! Pour Centos 5, la méthode à changé.
Cf cette doc http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-httpd-secure-server.html
C’est bien plus simple à mon avis 🙂