Tuesday, June 5, 2018

Setup SSL web server

Aim

  • This post explains how to set up an SSL web server with a self-signed certificate, on Ubuntu with Apache.

Server info

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

Prerequisite

  • sudo apt-get install apache2

Steps - Prepare server

  • Get script from here
  • Generate private keys and certificate files
    • bash genKeys.sh
      • You will get
        • root.key ---- Private key of the certificate authority (CA)
        • root.pem ---- Public key (certificate) of the CA
        • server.crt ---- Server certificate signed by the CA
        • server.csr ---- Server certificate signing request
        • server.key ---- Private key of the server
  • Install the server private key and certificate
    • sudo mkdir /etc/apache2/ssl
    • sudo cp server.crt server.key /etc/apache2/ssl
  • Update apache configuration file
    • meld default.-ssl.conf default.-ssl.conf.bak
      • default.-ssl.conf ---- updated file
      • default.-ssl.conf.bak ---- original file
    • You can now see the differences; update /etc/apache2/sites-available/default-ssl.conf according to your needs
  • Enable the Apache SSL module
    • sudo a2enmod ssl
  • Enable virtual server
    • sudo a2ensite default-ssl.conf
  • Restart apache server
    • sudo service apache2 restart
  • The server is now ready

Steps - Prepare client

  • Since the steps vary by browser and version, I will only provide a generic description.
  • Import the file root.pem into the browser as a trusted authority.
  • If you succeed, you can visit the web site through:
    • https://sulfred-PC.test.sulfred.com
      • sulfred-PC ---- host name of your server; get it by running the command `hostname` on your server
    • You should then see a green "Secure" label

Principle of certifying a web server that provides SSL service

  1. There is a third-party Certificate Authority (CA), and everyone trusts her.
  2. The CA has her own private key (root.key) and public key (root.pem).
  3. There is a web server that wants to provide SSL service.
  4. She needs to generate her own private key (server.key) and certificate signing request (server.csr).
  5. The web server provider sends the request file (server.csr) to the CA.
  6. The CA uses her private key and public key to generate a certificate file (server.crt) for the web server provider.
  7. The web server provider uses the private key (server.key) and certificate file (server.crt) to set up the server.
  8. Finally, customers need to import the CA's public key (root.pem) into their browser so that they can visit the web server in a secure way.

Explanation about Scripts

  • genKeys.sh
    • All the commands are included in this file. Its four steps cover roughly points 1 to 7 of the section above.
    • Comments inside this file explain the meaning of the configuration files.
  • ./config/v3.ext
    • This file contains the v3 extension information
    • It is used to resolve the error:
      • missing_subjectAltName
    • The important information is the alternative DNS name, which recent Chromium browsers require, especially versions later than 58, reference
  • ./config/root.csr.cnf
    • This is used to create the root.pem file
  • ./config/server.csr.cnf
    • This is used to create the server.csr file
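
The CA workflow from the principle list and the role of v3.ext described above, as an added example: it is not the post's genKeys.sh, and the config file contents, key sizes, validity periods and CA name are assumptions. It issues a CA-signed server certificate carrying a subjectAltName, then checks both the chain and the SAN entry.

```shell
#!/usr/bin/env bash
# Added example, not the post's genKeys.sh. Config contents are assumptions.
set -eu

make_ca() {  # writes root.key and the self-signed CA certificate root.pem
  cat > root.csr.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Constructed Test Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -x509 -new -key root.key -sha256 -days 365 \
    -config root.csr.cnf -out root.pem
}

make_server_cert() {  # $1 = server FQDN; writes server.key, server.csr, server.crt
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$1" \
    > server.csr.cnf
  # v3.ext: the subjectAltName is what fixes missing_subjectAltName
  printf '%s\n' 'basicConstraints = CA:FALSE' \
    'keyUsage = digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$1" > v3.ext
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -sha256 -config server.csr.cnf -out server.csr
  # The CA signs the request with root.key and names itself via root.pem
  openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -sha256 -days 365 -extfile v3.ext -out server.crt 2>/dev/null
  chmod 600 root.key server.key  # private keys readable by owner only
}

check_server_cert() {  # $1 = FQDN; returns 0 ok, 1 chain invalid, 2 SAN missing
  openssl verify -CAfile root.pem server.crt >/dev/null 2>&1 || return 1
  openssl x509 -in server.crt -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -qF "DNS:$1" || return 2
}

# Usage: bash this_file.sh <server-fqdn>   (writes files to the current directory)
if [ "$#" -ge 1 ]; then
  make_ca; make_server_cert "$1"; check_server_cert "$1" && echo "server.crt OK"
fi
```

Running the check against a certificate before copying it to /etc/apache2/ssl catches a missing SAN entry earlier than the browser error does.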
