

Installing SureServer EV SSL Certificates on Apache + mod_ssl:

COMPILING OPENSSL 0.9.6

OpenSSL is an open-source toolkit that implements SSL and the cryptographic routines behind it. To install OpenSSL 0.9.6, download the file openssl-0.9.6.tar.gz from the OpenSSL homepage ( http://www.openssl.org ).

tar xvfz openssl-0.9.6.tar.gz
cd openssl-0.9.6
./config
make
make test

This will configure and compile (and test) the cryptographic openssl tool, needed to generate a Certificate Signing Request (CSR).

The openssl package can then be installed into /usr/local/ssl by typing,

make install

To read the documentation of the tools, and to be able to run the openssl executables, modify the PATH and MANPATH:

PATH=/usr/local/ssl/bin:$PATH
MANPATH=/usr/local/ssl/man:$MANPATH
export PATH MANPATH

To make the above changes permanent, modify the file /etc/profile (or similar files, such as /etc/csh.login for tcsh users).


GENERATING A KEYPAIR : CERTIFICATE SIGNING REQUEST (CSR)

To generate a private key together with a public Certificate Signing Request (CSR) for a webserver, "myserver", use the following command:

openssl req -new -nodes -keyout myserver.key -out myserver.csr

This creates two files (you will be asked a few questions, see below). The file myserver.key contains the private key; do not disclose this file to anyone. Carefully protect the private key.

In particular, be sure to back up the private key, as there is no means to recover it if it ever gets lost. The private key is also the input from which the Certificate Signing Request (CSR) is generated, and it is the key your certificate will be bound to.

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:be
State or Province Name (full name) [Some-State]:Brussel
Locality Name (eg, city) []:Brussel
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:System Administration
Common Name (eg, YOUR name) []:myserver.mydomain.be
Email Address []:

Please enter the following 'extra' attributes to be sent with your certificate request:

A challenge password []:
An optional company name []:

Use the name of the webserver as Common Name (CN). If the domain name is "mydomain.be" append the domain to the hostname (use the fully qualified hostname).

The fields "email address", "optional company name" and "challenge password" can be left blank for a webserver certificate.
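As an added example (not the commands from this helpdesk page), the same key pair and CSR generated non-interactively with -subj, followed by the checks worth running before the CSR is sent off: that the request verifies, that its Common Name is the fully qualified hostname, and that the key file is readable by its owner only. It assumes a modern OpenSSL (which accepts -subj and -nameopt) and uses a 2048-bit key instead of the 1024-bit default of that era.

```shell
#!/bin/sh
# Added example, not the Cybertrust page's own commands.
# Assumes a modern OpenSSL (-subj, -nameopt RFC2253) and GNU or BSD stat.
set -e

# gen_csr DIR HOST: writes DIR/HOST.key and DIR/HOST.csr. The DN mirrors the
# interactive answers on the page; the CN must be the server's full hostname.
gen_csr() {
  dir=$1; host=$2
  ( umask 077   # subshell: the key is created unreadable to group and others
    openssl req -new -nodes -newkey rsa:2048 \
      -keyout "$dir/$host.key" -out "$dir/$host.csr" \
      -subj "/C=BE/ST=Brussel/L=Brussel/O=MyCompany/OU=System Administration/CN=$host" \
      2>/dev/null )
}

# csr_cn CSR: prints the Common Name carried in the request.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_csr CSR HOST: succeeds only if the request's own signature verifies
# (it was really made with the key you hold) and its CN equals HOST.
check_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  [ "$(csr_cn "$1")" = "$2" ]
}

# key_mode KEY: octal permission bits of the private key file; expect 600.
key_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Runs the whole sequence for the page's example host when started with --run.
if [ "${1:-}" = "--run" ]; then
  gen_csr . myserver.mydomain.be
  check_csr myserver.mydomain.be.csr myserver.mydomain.be && echo "CSR ok"
  echo "key mode: $(key_mode myserver.mydomain.be.key)"
fi
```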


OBTAINING THE CERTIFICATE FOR YOUR WEBSERVER (CRT)

Send the file myserver.csr to Cybertrust in the request procedure for an SSL Certificate, but do not disclose the file myserver.key to anyone. In particular, do not send the private key to Cybertrust. Cybertrust merely needs the signing request file (CSR).

The Cybertrust website ( https://cybertrust.omniroot.com ) offers a convenient way to request an SSL certificate. There's a web-based registration procedure, and at the end of this procedure you obtain the address (URL) of the site where you can download your certificate.

Save the certificate in a file called myserver.crt. This file is PEM encoded.


COMPILING APACHE 1.3.14 WITH MODSSL 2.7.1 SUPPORT

The modssl package is an Apache webserver extension. modssl is released as a patch to a specific Apache version. For example, modssl 2.7.1 is a patch to Apache 1.3.14. To install the webserver, download a version from http://www.apache.org and a corresponding modssl patch from http://www.modssl.org .

cd mod_ssl-2.7.1-1.3.14
./configure --with-apache=../apache_1.3.14 \
            --with-crt=/path/to/your/myserver.crt \
            --with-key=/path/to/your/myserver.key

After patching the Apache source tree to support modssl, proceed and build the Apache webserver itself. The SSL_BASE variable tells the configure script where the OpenSSL installation from the first step lives, so it must be set in the environment of the configure command.

cd ../apache_1.3.14
SSL_BASE=/usr/local/ssl ./configure --enable-module=ssl
make
make install

The installation procedure copies your private key and certificate to the configuration directory of the Apache daemon. You can find the key file in Apache's conf/ssl.key/server.key and the certificate in the conf/ssl.crt/server.crt. Make sure the key is not world or group readable (the private key should be carefully protected).


INSTALLING THE CYBERTRUST ROOT CERTIFICATES ON THE WEBSERVER

As noted, the certificate file of your webserver can be found in the directory conf/ssl.crt.

This directory should also contain PEM encoded versions of the Cybertrust root certificates.

Download those certificates from the Cybertrust website. If you've downloaded DER encoded versions, convert them to PEM format (Cybertrust will make PEM encoded versions available in the future, but you can convert the DER encoded versions yourself if necessary).

For example, if you download

Cybertrust SureServer EV SSL certificates

- Cybertrust SureServer EV CA - (SureServerEV.cacert)
- Cybertrust Global Root - (CTRoot-R2.cacert)
- GTE CyberTrust Global Root - (ct_root.cacert)

Convert these DER files to PEM format using the command:

openssl x509 -inform DER -in ct_root.cacert -outform PEM -out ct-root.crt
openssl x509 -inform DER -in CTRoot-R2.cacert -outform PEM -out CTRoot-R2.crt
openssl x509 -inform DER -in SureServerEV.cacert -outform PEM -out SureServerEV.crt

You end up with the PEM encoded Cybertrust certificates (including the Cybertrust SureServer EV CA) and your own webserver certificate, server.crt:

server.crt # your own certificate
ct-root.crt # PEM encoded Cybertrust certificates
CTRoot-R2.crt
SureServerEV.crt

After installing those .crt certificate files in the directory conf/ssl.crt, run the Makefile to update the ssl.crt directory:

cd conf/ssl.crt
make

This will create or update a number of symbolic links to the .crt files, named after the hash of each certificate's subject; that naming is how OpenSSL looks up issuer certificates in a CA certificate path directory.

Now the directory is ready to be used as CA Certificate Path directory. Modify the file httpd.conf:

SSLCACertificatePath /full/path/to/apache/conf/ssl.crt
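The steps above (DER to PEM conversion, the hash symlinks created by make, and the resulting CA path) as an added example script; this is not the ssl.crt Makefile shipped with mod_ssl. It assumes a modern OpenSSL, whose -subject_hash naming is what current releases look up in a CApath directory, and it closes with the chain verification that s_client performs later on this page.

```shell
#!/bin/sh
# Added example, not the ssl.crt Makefile from mod_ssl: prepares a CApath
# directory and verifies the server certificate against it. Assumes a modern
# OpenSSL; -subject_hash is the hash naming that current releases look up.
set -e

# to_pem IN OUT: copy a certificate to OUT in PEM form, converting from DER
# (the .cacert downloads) when the input is not already PEM.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    cp "$1" "$2"
  else
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
  fi
}

# rehash_dir DIR: create the <subject-hash>.N symlinks for every *.crt file.
# That naming is how OpenSSL (and hence mod_ssl's SSLCACertificatePath and
# s_client -CApath) locates an issuer certificate in the directory.
rehash_dir() {
  dir=$1
  for crt in "$dir"/*.crt; do
    [ -e "$crt" ] || continue
    h=$(openssl x509 -in "$crt" -noout -subject_hash)
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$crt")" "$dir/$h.$n"
  done
}

# verify_chain DIR CRT: succeeds if CRT chains up to a trusted root in DIR,
# the same check s_client reports as "Verify return code: 0 (ok)".
verify_chain() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage when run directly with the Apache ssl.crt directory as argument
# (the script name prepare-capath.sh is hypothetical):
#   sh prepare-capath.sh /full/path/to/apache/conf/ssl.crt
if [ -n "${1:-}" ]; then
  rehash_dir "$1"
  if verify_chain "$1" "$1/server.crt"; then
    echo "server.crt verifies against $1"
  else
    echo "server.crt does NOT verify against $1" >&2
    exit 1
  fi
fi
```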

To summarize, we've installed our private key in the directory conf/ssl.key and our public certificate in the directory conf/ssl.crt, together with the Cybertrust chain of root certificates. The ssl.crt directory now contains your own webserver certificate, the root certificate of GTE CyberTrust, and the GlobalSign (Cybertrust) certificate that is used to sign server certificates.


STARTING THE WEBSERVER

Start the server with the command:

bin/apachectl startssl

The netstat command can be used to verify that the server is indeed up and running.

netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN

The non-standard ports 8080 and 8443 are sometimes used for testing purposes. Your server may be listening on ports 80 and 443 instead.

It is now possible to connect to the server from the command line, using the openssl tool.

openssl s_client -CApath conf/ssl.crt -connect myserver.mydomain.be:8443
SSL handshake has read 4012 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: F31C77C6............6C8920
    Session-ID-ctx:
    Master-Key: 226429F5...................................5D5B8E0B
    Key-Arg   : None
    Start Time: 973175053
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

The s_client command connects to the webserver and prints information on the chain of certificates being used. Note the -CApath option: it points the client tool at the Cybertrust root certificates that were installed on the server, which is what allows it to verify the chain and report "Verify return code: 0 (ok)".

If this was successful, you can proceed to use other client tools, such as web browsers like Netscape or Internet Explorer. Just as with the openssl s_client tool, you also have to install the Cybertrust root certificates in your web browser.

After doing this, you can connect to your webserver at either port 80 (plain HTTP) or port 443 (HTTPS), or at the test ports used in this example:

http://myserver.mydomain.be:8080 # plain HTTP

https://myserver.mydomain.be:8443 # HTTP over SSL


RUNNING THE printenv PROGRAM

Once you're set and running Apache with ModSSL support, it's a good idea to run the printenv Perl program to inspect the environment variables that are exported to Common Gateway Interface (CGI) programs.

Verify in the file conf/httpd.conf that the ExecCGI option is set for the cgi-bin directory (and that the printenv program itself has been made executable with chmod a+x), then type:

https://myserver.mydomain.be:8443/cgi-bin/printenv

The variables that are printed include such information as SSL_CIPHER and SSL_PROTOCOL.
