Thu, 19 Mar 2009
Unlocking Cryptography
Generating SSL Keys on Debian Linux
As reported in my last entry, I recently created updated SSL keys for my server. This is a somewhat arcane process, involving wizardly incantations on the command line. As a service to the community, I will now describe this process and provide a simple script to streamline it.
First, the reason it was necessary to generate these keys is that the default Debian install creates a certificate that is only good for one year. Further, the default key and certificate are “snakeoil”; that is literally what the configuration calls them, and the name is a reminder to sysadmins that they are the stock configuration (exactly what an attacker expects to find on an unmodified install), that they are not part of a chain of trust (nobody else is vouching that you are who you say you are), and that they may not uniquely identify your server (cloning one configured image onto several hosts gives them all the same certificate, which confuses connecting clients, and the same private key, so a compromise of one host exposes them all).
These instructions apply to generating a self-signed key: just as with the default Debian key, nobody else is vouching that you are who you say you are. If you want to get an “official” key, you have several options, of varying expense:
Unless you are going to be selling something to the general public, or will be accepting payments from people you don’t personally know, these are all overkill. A self-signed cert will work just fine if you are using this server inside an organization where you control browser deployments (so you can push the certificate into the trust store instead of training users to click through warnings), or if you are working with a technical audience of people you already know, who can verify the certificate fingerprint with you out of band.
On to the steps!
Remember, these are specific to Debian GNU/Linux default installs. If your system is on another Linux distribution, you’ve customized your install in some unusual way, or you’re using another OS, you will have to modify these instructions to match your environment.
Log in as root:
sudo su -
Change directories to your SSL configuration directory:
cd /etc/ssl;
Create the private key. This is the key itself, not a seed; 2048 bits is the minimum worth using today (1024-bit RSA is no longer considered adequate):
openssl genrsa -out example.com.key 2048;
Use the private key to generate a certificate signing request (CSR). The CSR carries the public half of the key plus the identity you are asserting; you will be prompted for the subject fields, and the Common Name must be the hostname clients will use to connect:
openssl req -new -key example.com.key -out example.com.csr;
Generate the certificate by signing the CSR with your own private key (good for 365 days). This is the self-signed part; with a CA-signed cert, the CA would perform this step instead:
openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt;
Move the CSR aside under a timestamped name (it contains no secret, and you can resubmit it if you later decide to buy a CA-signed certificate for this same key):
mv /etc/ssl/example.com.csr "/etc/ssl/example.com.csr.`/bin/date +%Y%m%d`";
Move the old/default Apache certificate file to a timestamped name:
mv /etc/apache-ssl/apache.pem "/etc/apache-ssl/apache.pem.`/bin/date +%Y%m%d`";
Start the new apache-ssl PEM file with the private key (Apache expects the key and the certificate concatenated in one file):
cp -p example.com.key /etc/apache-ssl/apache.pem;
Append the certificate to the same file. Nothing is signed here; the signing happened in the x509 step above:
cat example.com.crt >> /etc/apache-ssl/apache.pem;
Restrict permissions on the combined file, since it now holds the private key:
chmod 600 /etc/apache-ssl/apache.pem;
Delete the originals:
rm /etc/apache2/apache.pem;
Link the apache-ssl certificate to apache2’s (a hard link, so both paths are the same file), so you don’t deal with multiple certs when you don’t need to:
ln /etc/apache-ssl/apache.pem /etc/apache2/apache.pem;
Copy the combined file into the generic SSL directory. Note that this copy also contains the private key: cp -p preserves the 600 mode, and it must stay that way even though everything else in /etc/ssl/certs is world-readable:
cp -p /etc/apache-ssl/apache.pem /etc/ssl/certs/ssl-cert-example.com.pem;
Move the private key into the restricted directory:
mv ./example.com.key /etc/ssl/private/;
Change permissions on the private key to ensure it remains private. The Debian convention is mode 640 with group ssl-cert, so that a daemon running in that group can read the key without being root; use 600 instead if nothing needs group access (with 600, the group ownership below is harmless but pointless):
chmod 640 /etc/ssl/private/example.com.key;
Change ownership on the private key as well (the colon form is the portable spelling; GNU chown also accepts root.ssl-cert):
chown root:ssl-cert /etc/ssl/private/example.com.key;
Move the certificate into the certificate directory:
mv example.com.crt /etc/ssl/certs/;
Set permissions on the public artifacts. The certificate and the archived CSR contain no secrets, so they only need protecting from modification, not from reading; root-owned and mode 644 is right. Do not give group or other read access to apache.pem or its ssl-cert-example.com.pem copy, which contain the private key:
chmod 644 /etc/ssl/example.com.csr.*;
chmod 644 /etc/ssl/certs/example.com.crt;
Restart Apache and reload your mailserver (I use Postfix rather than Exim) so that they pick up the new key and certificate, then confirm from a client that the new certificate is the one being served:
/etc/init.d/apache2 restart;
/etc/init.d/postfix reload;
All done!
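The steps above, collected into one script. This is an added example and is not the script the post links to: it assumes the same /etc/ssl and /etc/apache-ssl layout, defaults the combined-file path to /etc/apache-ssl/apache.pem, and goes beyond the manual steps in three ways: it adds a subjectAltName (modern clients ignore the Common Name), it checks that the key and certificate actually belong together before installing anything, and it creates every secret file under a restrictive umask so there is no moment when the key is world-readable. The function and variable names are mine, not the post's.

```shell
#!/bin/sh
# Added example, not the post's own script. Generates a 2048-bit RSA key and
# a self-signed certificate for one host, builds the combined key+certificate
# file that apache-ssl/apache2 read, and checks the result before installing.
# Usage: sh selfsigned.sh HOST [DAYS] [SSLDIR] [APACHE_PEM]
# Run as root against /etc/ssl, or point SSLDIR at a scratch directory to try it.
set -eu

# make_selfsigned HOST DAYS DIR
# Writes DIR/private/HOST.key (mode 600), DIR/HOST.csr and DIR/certs/HOST.crt (644).
make_selfsigned() {
    host=$1; days=$2; dir=$3
    mkdir -p "$dir/private" "$dir/certs"
    (   # umask 077 in a subshell: files are private from creation, and the
        # umask change does not leak into the caller's shell.
        umask 077
        openssl genrsa -out "$dir/private/$host.key" 2048 2>/dev/null
        # -subj avoids the interactive prompt; CN must be the name clients use.
        openssl req -new -key "$dir/private/$host.key" \
            -subj "/CN=$host" -out "$dir/$host.csr" 2>/dev/null
        # Clients now match on subjectAltName, not CN, so add one via -extfile.
        printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
        openssl x509 -req -days "$days" -in "$dir/$host.csr" \
            -signkey "$dir/private/$host.key" -extfile "$dir/$host.ext" \
            -out "$dir/certs/$host.crt" 2>/dev/null
        rm -f "$dir/$host.ext"
    )
    chmod 600 "$dir/private/$host.key"
    chmod 644 "$dir/certs/$host.crt"   # the certificate itself is public
}

# key_matches_cert KEY CRT: true if the certificate carries this key's public half.
# Catches the classic mistake of installing a new key next to an old certificate.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for CRT SECONDS: true if the certificate does not expire within SECONDS.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# install_apache_pem KEY CRT PEM
# Moves any existing PEM aside under a date suffix (as the post does), then
# writes key followed by certificate via a private temp file and a rename,
# so a reader never sees a half-written or world-readable key file.
install_apache_pem() {
    key=$1; crt=$2; pem=$3
    if [ -e "$pem" ]; then
        mv "$pem" "$pem.$(date +%Y%m%d)"
    fi
    (
        umask 077
        cat "$key" "$crt" > "$pem.tmp"
    )
    mv "$pem.tmp" "$pem"
    chmod 600 "$pem"
}

main() {
    host=$1; days=${2:-365}; dir=${3:-/etc/ssl}
    pem=${4:-/etc/apache-ssl/apache.pem}
    make_selfsigned "$host" "$days" "$dir"
    key_matches_cert "$dir/private/$host.key" "$dir/certs/$host.crt" ||
        { echo "key and certificate do not match; not installing" >&2; exit 1; }
    install_apache_pem "$dir/private/$host.key" "$dir/certs/$host.crt" "$pem"
    echo "installed $pem; inspect with: openssl x509 -noout -text -in $dir/certs/$host.crt"
}

# Only act when given a hostname, so the file can also be sourced for its functions.
[ "$#" -eq 0 ] || main "$@"
```

After restarting Apache, check from another machine with openssl s_client -connect host:443 that the serial number and subjectAltName of the served certificate match the file you just installed; the backup-by-date scheme overwrites the previous backup if you run the procedure twice on the same day, so copy the old file elsewhere first if you might need both.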
I’ve also written a script to automate this process. Feel free to use it, but remember I’m not responsible if it breaks anything.
Comments, criticisms, and corrections are welcome.
posted at: 01:00
Marc Elliot Hall St. Peters, Missouri
Page created: 21 January 2002
Page modified: 31 December 2009