Brief SSL Primer

shoulderslyricalAI and Robotics

Nov 21, 2013 (3 years and 6 months ago)


Brief SSL Primer

This section will serve as a very brief introduction to SSL, the Secure Socket Layer.
Cryptography is a very extensive topic which literally fills volumes of texts. The
following is an extremely simplified view of how SSL is implemented an
d what part the
certificate plays in the entire process. There may be some small inaccuracies in an effort
to present the information in the easiest possible format.

Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to
the right tools can snoop all of that traffic. Obviously, this can lead to problems,
especially where security and privacy is necessary, such as in credit card data and bank
transactions. The Secure Socket Layer is used to encrypt the data stream between t
he web
server and the web client (the browser).

SSL makes use of what is known as asymmetric cryptography, commonly referred to as
public key cryptography (PKI). With public key cryptography, two keys are created, one
public, one private. Anything encrypt
ed with either key can only be decrypted with its
corresponding key. Thus if a message or data stream were encrypted with the server's
private key, it can be decrypted only using its corresponding public key, ensuring that the
data only could have come fro
m the server.

If SSL utilizes public key cryptography to encrypt the data stream traveling over the
Internet, why is a certificate necessary? The technical answer to that question is that a
certificate is not really necessary
the data is secure and canno
t easily be decrypted by a
third party. However, certificates do serve a crucial role in the communication process.
The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate
holder is really who he claims to be. Without
a trusted signed certificate, your data may
be encrypted, however, the party you are communicating with may not be whom you
think. Without certificates, impersonation attacks would be much more common.

Apache need module ssl

You will need to go back and
rebuild apache with loadable module mod_ssl
. After you
have rebuilded Apache you will probably need to

# cd /usr/local/src/apache

# ./configure

# make &&
make install

Then you will need to add the ssl_module to httpd.conf:

LoadModule ssl_module lib/httpd/modules/

Generating a Private Key and CSR

The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing
Request). It
can also be used to generate self
signed certificates which can be used for
testing purposes or internal usage. The utility used to do all of these tasks is known
simply as
. It should be installed in the

directory. You
may want t
o add this directory to your
, or copy or link the openssl utility to a
directory that is already in your

so that you do not have to type the full path to the
executable. The examples below will assume that

is in a location that is
ble to you without using the full path to the command.

The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is
encrypted using Triple
DES and stored in a PEM format so that it is readable as ASCII
text. We will use severa
l files as random seed enhancers which will help to make the key
more secure. Text files that have been compressed with a utility such as

are good
choices. The key is generated using the following command, where

represents the random c
ompressed files.

$ openssl genrsa
rand file1:file2:file3:file4:file5
server.key 1024

The command will prompt you for a pass
phrase and then store the key in the file
It is critical that the pass
phrase be secure and not forgotten.

If either the
key is lost, or the pass
phrase is forgotten,
the certificate will be useless!

It cannot be
stressed enough how important the private key is to the certificate. If the private key and
phrase are compromised, the certificate will have to
be revoked, costing you the
price of the certificate all over again if you have paid an authority for the certificate. It
may be a wise idea to back this file up to secure media, such as tape or diskette.

Remove passphrase:

One unfortunate side
effect of
the pass
phrased private key is that
Apache will ask for the pass
phrase each time the web server is started. Obviously this is
not necessarily convenient as someone will not always be around to type in the pass
phrase, such as after a reboot or crash. mod
_ssl includes the ability to use an external
program in place of the built
in pass
phrase dialog, however, this is not necessarily the
most secure option either. It is possible to remove the Triple
DES encryption from the
key, thereby no longer needing to
type in a pass
phrase. If the private key is no longer
encrypted, it is critical that this file
only be readable by the root user!

If your system is
ever compromised and a third party obtains your unencrypted private key, the
corresponding certificate will

need to be revoked. With that being said, use the following
command to remove the pass
phrase from the key:

$ openssl rsa
in server.key
out server.pem

Once the private key is generated a Certificate Signing Request can be generated. The
CSR is then use
d in one of two ways. Ideally, the CSR will be sent to a Certificate
Authority, such as


who will verify the identity of the requestor and
issue a signed certific
ate. The second option is to self
sign the CSR, which will be
demonstrated in the next section.

During the generation of the CSR, you will be prompted for several pieces of
information. These are the X.509 attributes of the certificate. One of the prompts

will be
for "
Common Name (e.g., YOUR name)
". It is important that this field be filled in with
the fully qualified domain name of the server to be protected by SSL. If the website to be
protected will be
, then enter

at this
prompt. The command to generate the CSR is as follows:

$ openssl req
key server.key
out server.csr

For our Apache we however use the passphrase less key:

$ openssl req
key server.pem
out server.csr

A sample CSR generation session

is shown below, with sample responses shown in bold:

$ openssl req
key server.

out server.csr

Using configuration from /usr/local/ssl/openssl.cnf

(If you use the server.key
Enter PEM pass phrase:
Enter pass phrase

You are about to be aske
d to enter information that will be

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a

There are quite a few fields but you can leave some blank

For some fields there will be a default va

If you enter '.', the field will be left blank.


Country Name (2 letter code) [AU]:

State or Province Name (full name) [Some

Locality Name (eg, city) []:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:
te, AB.

Organizational Unit Name (eg, section) []:

Common Name (eg, YOUR name) []:

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An op
tional company name []:

Generating a Self
Signed Certificate

At this point you will need to generate a self
signed certificate because you either don't
plan on having your certificate signed by a CA, or you wish to test your new SSL
implementation while t
he CA is signing your certificate. In my experience dealing with
Thawte, it can take up to a week or more before receiving your signed certificate. The
time it takes to receive the certificate will vary based on how quickly they receive your
required docum
entation. This temporary certificate will generate an error in the client
browser to the effect that the signing certificate authority is unknown and not trusted.

To generate a temporary certificate which is good for 60 days, issue the following

$ openssl x509
days 60
n server.csr
signkey server.pem


Certificates and keys is normally not directly stored in /etc/httpd
they rather sit in subdirectories:

# mkdir /etc/httpd/certs

# mv /etc/httpd/server* /etc/httpd/certs/.

nstalling the Private Key and Certificate

When Apache with mod_ssl is installed, it creates several directories in the Apache
config directory. The location of this directory will differ depending on how Apache was
compiled. If using my instructions on com
piling Apache, the config directory is
. The directories mod_ssl creates include
, and
These are good locations to store server certificates, CSRs, and private keys, respectively.
If there will be multiple SSL enabled hos
ts on one server, it may be good practice to
name the files with the fully qualified domain name of the SSL enabled host.

When adding SSL enabled virtualhosts to the web server, I prefer to keep all of the SSL
virtualhosts in a separate file. This insures

that all SSL hosts can be easily found in one
location and helps to keep the

file from growing too large. The SSL
virtualhosts will be kept in a file called httpd
. In order for Apache to recognize
and parse this file, it must be includ
ed in the

file with the following

Include /etc/httpd/extra/httpd

Configuring SSL Enabled Virtual Hosts

Extensive examples of SSL configurations for a virtualhost are included as part of the

ile installed with mod_ssl. Please refer to this file
and to the mod_ssl documentation for more detailed information on configuration
options. A basic SSL enabled virtualhost will appear as follows in the ssl.conf file:

# SSL Virtual Hosts

<IfDefine SSL>

<VirtualHost _default_:443>


DocumentRoot /usr/local/httpd/securedocs


ScriptAlias /cgi
bin/ /usr/local/httpd/cgi

SSLEngine on

SSLCertificateFile /etc/httpd/server.crt

e /etc/httpd/server.pem

SetEnvIf User
Agent ".*MSIE.*" nokeepalive ssl

CustomLog /var/log/httpd/ssl_request_log

" %b"

<Directory />

AllowOverride FileInfo AuthConfig Limit

ons Indexes MultiViews Includes ExecCGI FollowSymLinks


Order allow,deny

Allow from all



Order deny,allow

ny from all





This will create an SSL virtualhost named www.
.com, which is accessed via port
443 (the standard port for https) on the default IP address of the web server. It is possible
to add as

many additional virtualhosts as there are IP addresses that the web server listens
to. Simply add additional virtualhost blocks

of the
<IfDefine SSL>


tags. Due to the nature of the SSL encryption of the HTTP traffic,
it is
NOT possi
ble to have name
based (HTTP1.1) SSL virtual hosts.

To create a new SSL
virtualhost on a different IP address, simply replace

with the IP address of the

After adding the virtualhost to the

file, Apache must be killed
restarted in order for it to recognize the new virtualhost. Unfortunately, this is one of the
rare instances where a simple

signal will not work. After restarting the server,
depending on whether the encrypted or unencrypted key was used, Apache wi
ll prompt
you for the pass
phrase(s) of the SSL virtualhost(s). Enter the pass
phrase(s) and the web
server will start.

Now, point your favorite browser to the new virtualhost you just created, remembering to
use https:// instead of http://, and you shoul
d be greeted with a warning dialog if you are
using the self
signed certificate. Acknowledge the dialog and the page will continue to
load, protected by SSL. The status bar of your browser should be graced by the 'lock'
icon, which signifies the page is pr
otected via SSL.
This is all there is to it!