If you are a system administrator who is running a web server then you may want to protect it so that no one can hack into it and misuse the important data. Networks by themseleves are not secure enough, you will have to find other ways to make your server more secure. Here in this article we will examine ways in which you can help guard your important data.
Nowadays all the E-commerce applications (banking and online shopping for example) are encrypted using either SSL or TLS specifications. SSL stands for Secure Socket Layer and TLS means Transport Layer Security. Actually TLS is based on SSL 3.0 hence they are very similar in nature. For secure web connections first of all the SSL connection is established and then the HTTP communication is “tunneled” through it.
Note: Since name-based virtual hosting occurs at HTTP layer and as I said that SSL gets established before any HTTP communication, it causes problems with name-based virtual hosting. In short name-based virtual hosting does not work easily with SSL.
To verify the identities and for establishing session parameters along with a session key, asymmetric cryptography is used during connection establishment between an SSL client and SSL server. Then a symmetric encryption algorithm (DES or RC4) is used with the negotiated key to encrypt all the data which is being transmitted during the session. This means that asymmetric encryption (during the handshaking phase) provides safe communication whereas symmetric encryption works on the session data (for faster and more practical use).
For the client to verify the identity of the server, the server must have a private key and a certificate (which contains the public key and information about the server). The client also contains a public key, which it uses to verify the certificate of the server (matches public key of client with the public key of server which is mentioned in the certificate).
Certificates are generally digitally signed by third-party certificate authorities (CA) which have verified the identities of the requester and the validity of the requests to have the certificate signed. In most of the cases CA is a company which contacts with vendors of web browsers to have its own certificate installed and trusted by default client installations. Then certificate authorities earn by charging server operators for its services.
There are many commercial certificate authorities which differ in features, price but as people say “Price is not always an indication of quality“. VeriSign, InstantSSL and Thawte are some popular CAs.
Instead of going for certificate authorities you can create self-signed certificates, but those should be used only for testing if the number of people who will be accessing your server are less.
Another option is to run your own certificate authority but we are not going to cover that in this article.
Generating SSL keys
Delete the old key and certificate
Create your own key
umask 77 ; \ /usr/bin/openssl genrsa -aes128 2048 > /etc/pki/tls/private/localhost.key Generating RSA private key, 2048 bit long modulus .................+++ .......................................................................................................................+++ e is 65537 (0x10001) Enter pass phrase: Verifying - Enter pass phrase:
Creating self-signed certificate
umask 77 ; \ /usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0 Enter pass phrase for /etc/pki/tls/private/localhost.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:IN State or Province Name (full name) :Rajasthan Locality Name (eg, city) [Default City]:Jaipur Organization Name (eg, company) [Default Company Ltd]:Linux Stall Organizational Unit Name (eg, section) :IT Common Name (eg, your name or your server's hostname) :www.linuxstall.com Email Address :[email protected]
This is how it looked on my server:
This will create a file localhost.crt in /etc/pki/tls/certs/. Now open the file ssl.conf which is located at /etc/httpd/conf.d/ and edit it with the content given below:
Restart your web server
service httpd restart
Now you’re done. Open your browser and use httpd in front of each URL instead of http. You can ignore the certification validation message which your web browser may prompt.
Removing password encryption on private key
You will notice that whenever you restart your server it asks for certificate password. This is for security purpose so that no one can break into your server and steal your private key. You are safe in the knowledge that the private key is a jumbled mess. The cracker will not be able to make use of it but without such protection, a cracker could get your private key and easily masquerade as you, appearing to be legitimate in all cases.
If you are willing to accept the risk and cannot stand having to enter the password every time your server starts, you can remove the password encryption on private key by entering the command given below:
/usr/bin/openssl rsa -in localhost.key -out localhost.key
Enter pass phrase for localhost.key: *******
Now you will be able to restart the server without entering a pass phrase.
Following tips will help if you are having problems with your SSL certificate:
- You should know that only one SSL certificate can be used for one IP. If you want to add more than one web site (SSL enabled) to your server, you must bind another IP address to the network interface.
- Don’t block port 443 on your server. All https request come on port 443. If this port is blocked then you will not be able to get secure pages.
- The certificate expires after one year. Don’t forget to renew your certificate with your CA before expiration.
- mod_ssl package should be installed on your server. If it is not then you will not be able to serve any SSL-enabled traffic.