Protect your web server with SSL certificate

If you are a system administrator running a web server, you will want to protect it so that no one can break into it and misuse the data it holds. Networks by themselves are not secure enough; you will have to find other ways to make your server more secure. In this article we will look at one of them: protecting the web server with an SSL certificate.

Nowadays e-commerce applications (banking and online shopping, for example) are encrypted using either the SSL or the TLS specification. SSL stands for Secure Socket Layer and TLS means Transport Layer Security. TLS is based on SSL 3.0, hence the two are very similar in nature. For a secure web connection the SSL connection is established first, and the HTTP communication is then "tunneled" through it.

Note: Name-based virtual hosting happens at the HTTP layer, but as said above the SSL connection is established before any HTTP communication takes place, so the server must pick a certificate before it knows which host name was requested. In short, name-based virtual hosting does not work easily with SSL.

When the connection between an SSL client and an SSL server is established, asymmetric cryptography is used to verify identities and to agree on the session parameters, including a session key. A symmetric encryption algorithm (DES or RC4) is then used with the negotiated key to encrypt all the data transmitted during the session. In other words, asymmetric encryption (during the handshake phase) provides the secure setup, whereas symmetric encryption protects the session data (because it is faster and more practical for bulk traffic).

For the client to verify the identity of the server, the server must have a private key and a certificate (which contains the public key and information about the server). The client also holds a public key, which it uses to verify the server's certificate: it checks that the certificate was signed by a key it trusts and that the public key named in the certificate matches the server it is talking to.

Certificates are generally digitally signed by third-party certificate authorities (CAs), which have verified the identity of the requester and the validity of the request to have the certificate signed. In most cases a CA is a company that contracts with the vendors of web browsers to have its own certificate installed and trusted by default in client installations. The CA then earns its money by charging server operators for its services.

There are many commercial certificate authorities, which differ in features and price, but as people say, "Price is not always an indication of quality". VeriSign, InstantSSL and Thawte are some popular CAs.

Instead of going to a certificate authority you can create a self-signed certificate, but that should be used only for testing, and only if the number of people who will be accessing your server is small.

Another option is to run your own certificate authority but we are not going to cover that in this article.

Generating SSL keys

Delete the old key and certificate

chankey@linuxstall:$ rm /etc/pki/tls/private/localhost.key
chankey@linuxstall:$ rm /etc/pki/tls/certs/localhost.crt

Create your own key

chankey@linuxstall:$ cd /etc/pki/tls/certs
chankey@linuxstall:$ make genkey
umask 77 ; \
	/usr/bin/openssl genrsa -aes128 2048 > /etc/pki/tls/private/localhost.key
Generating RSA private key, 2048 bit long modulus
.................+++
.......................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:

Creating self-signed certificate

chankey@linuxstall:$ make testcert
umask 77 ; \
	/usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0
Enter pass phrase for /etc/pki/tls/private/localhost.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Rajasthan
Locality Name (eg, city) [Default City]:Jaipur
Organization Name (eg, company) [Default Company Ltd]:Linux Stall
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.linuxstall.com
Email Address []:admin@linuxstall.com

This is how it looked on my server: [screenshot: ssl certificate linux]

This will create the file localhost.crt in /etc/pki/tls/certs/. Now open the file ssl.conf, which is located in /etc/httpd/conf.d/, and make sure it points at that certificate with the line given below:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

Restart your web server

chankey@linuxstall:$ service httpd restart

Now you're done. Open your browser and use https:// in front of each URL instead of http://. You can ignore the certificate validation warning that your web browser may show, since the certificate is self-signed.

Removing password encryption on private key

You will notice that whenever you restart your server it asks for the certificate's pass phrase. This is a security measure: the private key on disk is encrypted, so even if someone breaks into your server and steals the key file, all they get is a jumbled mess they cannot use. Without such protection a cracker who obtained your private key could easily masquerade as you and appear legitimate in every respect.

If you are willing to accept that risk and cannot stand having to enter the pass phrase every time your server starts, you can remove the encryption from the private key with the commands given below:

chankey@linuxstall:$ cd /etc/pki/tls/private
chankey@linuxstall:$ /usr/bin/openssl rsa -in localhost.key -out localhost.key
Enter pass phrase for localhost.key: *******

Now you will be able to restart the server without entering a pass phrase.

Troubleshooting

The following tips will help if you are having problems with your SSL certificate:

  • Only one SSL certificate can be used per IP address. If you want to add more than one SSL-enabled web site to your server, you must bind another IP address to the network interface.
  • Don't block port 443 on your server. All https requests arrive on port 443; if this port is blocked you will not be able to get secure pages.
  • The certificate created above expires after one year. Don't forget to renew your certificate with your CA before it expires.
  • The mod_ssl package must be installed on your server. If it is not, you will not be able to serve any SSL-enabled traffic.

About the author

Chankey Pathak is the founder of Linux Stall. He is a Perl developer at Wokana Technologies. He is a Linux and Perl enthusiast. Check out his latest website on Tech News. You may follow him on Google+.