A little while ago I migrated the parkytowers website to https - not a particularly onerous task as my hosting company had already installed Let's Encrypt certificates and the https version just worked. The only extra work involved was adding a few lines to the root .htaccess file to ensure that all variants of the web site were redirected to https://www.parkytowers.me.uk and that any other explicit links or redirects on the site were edited to use the https variant of the site.
After that it was a matter of bringing my local mirror in step with the real world by switching it to use SSL as well. The steps I took are documented in this article.
I'm assuming that you know the basic whys and wherefores of SSL. If you don't there are many resources on the web that will provide explanations.
In the big wide world, certificates are part of a chain of trust that stretches back from the certificate presented by a server ("This is who I claim I am") through zero or more intermediate certificates to a 'Root' certificate issued by a trusted Certification Authority. These trusted root certificates are embedded in your browser/OS.
In a world where you have no real idea of where the server you are connecting to is, or how and over what the data is travelling, the Certification Authority (and SSL) plays an important role.
However, in the scenario we're looking at here where we are the only ones connecting to our own local server in a test/development environment there is absolutely no need to go to the trouble/expense of getting a Certificate from a recognised Certification Authority. We can be our own Certification Authority and just self-certify our server's certificate.
Sorting this out is a simple four-step process:
All the cryptography is done for us by the OpenSSL suite. With my Tiny Core set-up, OpenSSL was already installed as part of my installation of dropbear. A simple check as to whether you have it installed is to type:
tc@mirror:~$ which openssl
/usr/local/bin/openssl
tc@mirror:~$
...to see whether it is installed. If it isn't, fire up the App Browser and install it.
You need somewhere to store the keys and certificates. In line with my current practice I've opted to use the persistent directory /opt/ssl. The first thing to do is create it:
tc@mirror:~$ mkdir /opt/ssl
tc@mirror:~$ cd /opt/ssl
tc@mirror:/opt/ssl$
...and 'cd' into it to save you having to prefix file names with the '/opt/ssl/' path in what follows.
Everything starts with creating an RSA public/private key pair. For our test purposes I'm quite happy using a 2048-bit key and not bothering to encrypt the private key. The command to generate the key pair is quite simple:
tc@mirror:/opt/ssl$ openssl genrsa -out /opt/ssl/rootCA.key 2048
Generating RSA private key, 2048 bit long modulus
..........+++
......................................+++
e is 65537 (0x10001)
tc@mirror:/opt/ssl$
The next step is to generate the actual root certificate. For clarity I've shown the command split over several lines but you can obviously just type it in as a single line.
tc@mirror:/opt/ssl$ openssl req \
    -x509 \
    -new \
    -nodes \
    -key rootCA.key \
    -sha256 \
    -days 1725 \
    -out rootCA.pem
Here's a breakdown of the command line parameters
When the command runs you will be asked a series of questions, some of which you can leave blank. Here are the questions along with the answers I gave (shown after each prompt):
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Suffolk
Locality Name (eg, city) :Ipswich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chaotic
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :parkytowers
Email Address :
tc@mirror:~$
This is a similar process to the above but with an extra tweak. My server has a variety of names but I generally refer to it by the imaginative name of mirror. The Apache installation hosts a number of websites, two of which I access as ptowers and idive, these names being mapped to the server's IP address in my hosts file. By using an X.509 v3 certificate with a subjectAltName extension we can create a single certificate that covers both these sites. To do this we need to create a file (/opt/v3.ext) with the following content:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = ptowers
DNS.2 = idive
As before, the first step is to generate a key pair for the server (mirror) along with a certificate signing request (CSR).
tc@mirror:/opt/ssl$ openssl req -new \
    -sha256 \
    -nodes \
    -out /opt/ssl/mirror.csr \
    -newkey rsa:2048 \
    -keyout /opt/ssl/mirror.key
Generating a 2048 bit RSA private key
.................+++
..................................................+++
writing new private key to '/opt/ssl/mirror.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Suffolk
Locality Name (eg, city) :Ipswich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chaotic
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :mirror
Email Address :

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
tc@mirror:/opt/ssl$
Then we generate the actual certificate for the server:
tc@mirror:/opt/ssl$ openssl x509 -req -in mirror.csr \
    -CA rootCA.pem \
    -CAkey rootCA.key \
    -CAcreateserial \
    -out mirror.crt \
    -days 500 \
    -sha256 \
    -extfile v3.ext
Signature ok
subject=/C=UK/ST=Suffolk/L=Ipswich/O=Chaotic/CN=mirror
Getting CA Private Key
tc@mirror:/opt/ssl$
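The whole root-CA and server-certificate procedure above as a non-interactive script, added here as an example rather than the author's own commands, together with the three checks worth running before pointing Apache at the files: that the server certificate chains to our root, that the private key really belongs to it, and that the name Apache will serve appears in the SAN list. It assumes a POSIX sh with the openssl CLI on the PATH; SSL_DIR (a constructed temporary directory), make_root_ca, make_server_cert and check_cert are names chosen here, and the DN values repeat those entered above.

```shell
#!/bin/sh
# Added example (not from the original article). Scripted version of the
# rootCA.key / rootCA.pem / mirror.key / mirror.csr / mirror.crt steps plus
# post-generation checks. SSL_DIR defaults to a constructed temp directory.
set -e
SSL_DIR="${SSL_DIR:-$(mktemp -d)}"

# Step 1: private root CA (key + self-signed certificate).
# -subj replaces the interactive DN prompts shown in the article.
make_root_ca() {
    openssl genrsa -out "$SSL_DIR/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$SSL_DIR/rootCA.key" -sha256 -days 1725 \
        -subj "/C=UK/ST=Suffolk/L=Ipswich/O=Chaotic/CN=parkytowers" \
        -out "$SSL_DIR/rootCA.pem"
}

# Step 2: server key + CSR, then sign with the root CA using the v3.ext
# file so that one certificate covers every name listed in subjectAltName.
make_server_cert() {
    cat > "$SSL_DIR/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = ptowers
DNS.2 = idive
EOF
    openssl req -new -sha256 -nodes -newkey rsa:2048 \
        -keyout "$SSL_DIR/mirror.key" -out "$SSL_DIR/mirror.csr" \
        -subj "/C=UK/ST=Suffolk/L=Ipswich/O=Chaotic/CN=mirror" 2>/dev/null
    openssl x509 -req -in "$SSL_DIR/mirror.csr" -CA "$SSL_DIR/rootCA.pem" \
        -CAkey "$SSL_DIR/rootCA.key" -CAcreateserial -days 500 -sha256 \
        -extfile "$SSL_DIR/v3.ext" -out "$SSL_DIR/mirror.crt" 2>/dev/null
}

# Checks, in order: (1) mirror.crt verifies against our root, (2) the RSA
# modulus in the key matches the one in the certificate, (3) the host name
# given as $1 is present as a DNS entry in subjectAltName. Returns 1, 2 or 3
# on the first failing check so the function can gate a deployment script.
check_cert() {
    openssl verify -CAfile "$SSL_DIR/rootCA.pem" "$SSL_DIR/mirror.crt" >/dev/null || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$SSL_DIR/mirror.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$SSL_DIR/mirror.key")
    [ "$crt_mod" = "$key_mod" ] || return 2
    openssl x509 -noout -text -in "$SSL_DIR/mirror.crt" | grep -qw "DNS:$1" || return 3
}
```

The last check fails for "mirror" because current browsers match the host name against subjectAltName only and ignore the Common Name, so every name you browse to must be in alt_names. Once Apache is serving the certificate, `openssl s_client -connect 127.0.0.1:443 -servername ptowers -CAfile rootCA.pem </dev/null` should report "Verify return code: 0 (ok)".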
That's it as far as generating certificates. We now have:
The first thing to do is to make sure we have mod_ssl enabled. In my configuration that's a matter of editing the file /opt/conf/httpd.conf and ensuring the line:
LoadModule ssl_module modules/mod_ssl.so
is not commented out. In my file this is around line 158.
Next we need to set up a virtual host to accept https traffic on port 443 and also make sure that Apache listens on that port. You can do both in the httpd-vhosts.conf file.
I took the existing entry for ptowers, duplicated it and then changed the VirtualHost declaration from port 80 to port 443. Next I added three lines to enable SSL. Finally I added the 'Listen' option just before the entry. The new entry starts:
Listen 443
<VirtualHost *:443>
    DocumentRoot "/home/ptowers/parkytowers"
    ServerName ptowers
    SSLEngine on
    SSLCertificateFile /opt/ssl/mirror.crt
    SSLCertificateKeyFile /opt/ssl/mirror.key
    ....
My main system is Windows. I found this excellent article on superuser.com that shows you how to import the rootCA.pem file into Windows. It actually covers adding two certificates: one to do with client authentication; one to do with server authentication. You can just ignore the client authentication steps as we're only interested in server authentication.
If you're using something other than Windows then I'm afraid you'll have to use Google to find what you have to do....
Any comments? Email me.

Last update: November 2018