yum install httpd mod_ssl
Create a private Certification Authority (CA)
1. Create a private CA using OpenSSL in Linux
openssl genrsa -des3 -out ca.key 1024
openssl req -new -key ca.key -out ca.csr
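Country Name: PT
State or Province Name: Coimbra
Locality Name: Coimbra
Organization Name: UC
Organizational Unit Name: DEI
Common Name: STI_CA
Email Address: dario@student.dei.uc.pt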
openssl x509 -req -days 365 -in ca.csr -out ca.crt -signkey ca.key
openssl x509 -in ca.crt -text
2. Create an X.509 certificate for the Apache server using the new CA
openssl genrsa -des3 -out apache.key 1024
openssl req -new -key apache.key -out apache.csr
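NOTE: Common Name: must be the hostname/website
Country Name: PT
State or Province Name: Coimbra
Locality Name: Coimbra
Organization Name: UC
Organizational Unit Name: DEI
Common Name: www.uc.pt
Email Address: dario@student.dei.uc.pt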
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
openssl ca -in apache.csr -cert ca.crt -keyfile ca.key -out apache.crt
openssl x509 -in apache.crt -text
Configure Apache with server authentication
3. Configure Apache to use the previously created X.509 certificate
nano /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/CA/apache.crt
SSLCertificateKeyFile /etc/pki/CA/apache.key
SSLCACertificateFile /etc/pki/CA/ca.crt
4. Connect to the server (the new CA isn’t recognized yet)
5. Install the CA on the browser and repeat the previous test
Configure Apache with client authentication
6. Create a personal X.509 certificate using the new CA
7. Configure Apache to require client authentication using X.509 certificates
8. Connect to the Apache server without using your personal certificate (the connection should be refused, check the server’s logs)
9. Install the personal certificate on the browser and repeat the previous test
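Steps 6 to 9 are listed above without commands; the script below is an added example of one way to carry them out, not part of the original notes. It assumes a scratch directory instead of /etc/pki/CA, unencrypted 2048-bit keys so that it runs without prompts, and signing with openssl x509 -req -CA rather than openssl ca; the names lab.cnf, client.* and lab-user are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original notes. Runs in a scratch directory;
# all file names and subject values are constructed for illustration.

# Lab CA with CA:TRUE set explicitly so it is accepted as an issuer.
make_ca() {  # $1 = work dir
    cat > "$1/lab.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = PT
O = UC
CN = STI_CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/lab.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Step 6: personal certificate limited to TLS client authentication.
issue_client_cert() {  # $1 = work dir, $2 = common name
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$1/client.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/lab.cnf" \
        -subj "/C=PT/O=UC/CN=$2" -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/client.ext" -out "$1/client.crt" 2>/dev/null
}

# Offline equivalent of the server-side check: chain to the CA, client purpose.
verify_client() {  # $1 = CA certificate, $2 = client certificate
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 9: bundle key and certificate as PKCS#12 for import into the browser.
export_p12() {  # $1 = work dir, $2 = export password
    openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
        -certfile "$1/ca.crt" -passout "pass:$2" -out "$1/client.p12"
}

# Step 7, added to /etc/httpd/conf.d/ssl.conf next to SSLCACertificateFile:
#   SSLVerifyClient require
#   SSLVerifyDepth  1

dir=$(mktemp -d) && make_ca "$dir" && issue_client_cert "$dir" "lab-user" &&
    verify_client "$dir/ca.crt" "$dir/client.crt" && echo "client certificate verifies"
```

After changing ssl.conf, restart httpd. For step 8, a connection that presents no certificate fails the TLS handshake, and the failure is recorded in the SSL error log.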