Enabling HTTPS web service in Ubuntu 10.04 LTS

posted in: Networking

The first step to enable the HTTPS web service (port 443) on Ubuntu 10.04 LTS is to enable the SSL module for apache2 by issuing the following command at the command prompt:

marinyo@paparisa:~$ sudo a2enmod ssl
Enabling module ssl. (SSL Engine)
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!

The next step is to generate keys. This section covers generating a key with a passphrase and one without. The key without a passphrase will then be used to generate a certificate that can be used with service daemons such as apache2.
Note: running a secure service with a key that has no passphrase is convenient because you will not need to enter the passphrase every time the service is started, but it is insecure: a compromise of the key file means a compromise of the server as well.

To generate the key for the Certificate Signing Request (CSR), run the command:

marinyo@paparisa:~$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for server.key:yourpass phrase
Verifying - Enter pass phrase for server.key:yourpass phrase

Re-type the passphrase to verify. Once you have re-typed it correctly, the server key is generated and stored in the server.key file.

Next, create the insecure key, the one without a passphrase:

marinyo@paparisa:~$ openssl rsa -in server.key -out server.key.insecure
Enter pass phrase for server.key:yourpass phrase
writing RSA key

Next, swap the key names with the following commands:

marinyo@paparisa:~$ mv server.key server.key.secure
marinyo@paparisa:~$ mv server.key.insecure server.key

The insecure key is now named server.key, and it can be used to generate the CSR without a passphrase.

Next, create the CSR by running the following command at a terminal prompt:

marinyo@paparisa:~$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:your country code
State or Province Name (full name) [Some-State]:your state
Locality Name (eg, city) []: your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:your company
Organizational Unit Name (eg, section) []:your dept
Common Name (eg, YOUR name) []:your common name
Email Address []:youremail@yourdomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:yourchallenge password
An optional company name []:your company

Once you have entered all these details, your CSR will be created and stored in the server.csr file.

Creating a Self-Signed Certificate

To create the self-signed certificate, run the following command at a terminal prompt:

marinyo@paparisa:~$ sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=AU/ST=your state/L=your city/O=your company/OU=your dept/CN=your common name/emailAddress=email@yourdomain.com
Getting Private key

Next, copy the generated certificate and key to their places in the system (/etc/ssl/private is readable only by root, which is where a key without a passphrase belongs):

marinyo@paparisa:~$ sudo cp server.crt /etc/ssl/certs
marinyo@paparisa:~$ sudo cp server.key /etc/ssl/private

The next step is to create and edit the config file(s) in /etc/apache2/sites-available:

marinyo@paparisa:~$ cd /etc/apache2/sites-available/

Create a new config file named ssl for the HTTPS service, using the default configuration file as a template:

marinyo@paparisa:/etc/apache2/sites-available$ sudo cp default ssl

Edit the default configuration file:

marinyo@paparisa:/etc/apache2/sites-available$ sudo nano default

Do the following:

- change NameVirtualHost * to NameVirtualHost *:80
- change <VirtualHost *> to <VirtualHost *:80>
- save changes

Edit the ssl configuration file:

marinyo@paparisa:/etc/apache2/sites-available$ sudo nano ssl

Do the following:

- change NameVirtualHost * to NameVirtualHost *:443
- change <VirtualHost *> to <VirtualHost *:443>
- find the line DocumentRoot /var/www/ and add the following lines below it:

SSLEngine on
SSLOptions +StrictRequire

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

- save changes

Next, move to /etc/apache2/sites-enabled:

marinyo@paparisa:/etc/apache2/sites-available$ cd ../sites-enabled

Enable the ssl site config by issuing the following command:

marinyo@paparisa:/etc/apache2/sites-enabled$ sudo a2ensite ssl
Site ssl installed; run /etc/init.d/apache2 reload to enable.

Restart Apache2 service:

marinyo@paparisa:/etc/apache2/sites-enabled$ sudo /etc/init.d/apache2 restart
* Restarting web server apache2

Check whether the HTTPS web service is available by browsing to https://yourdomain.com. Because the certificate is self-signed, the browser will warn that the certificate is not trusted; that is expected with this setup.
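The whole procedure in one place, as an added example that is not part of the original post: the key, CSR and self-signed certificate steps run non-interactively, two checks worth making before restarting Apache (that the certificate really belongs to the key, and that its CN matches the hostname), and the finished port-443 virtual host the post assembles by hand. The 2048-bit key size, the WORKDIR variable and the function names are this example's own choices, not the post's.

```shell
# Added example, not from the original post: the key, CSR and self-signed
# certificate steps done non-interactively, the checks to run before Apache
# loads the files, and the port-443 virtual host the post builds by hand. Uses a
# 2048-bit key (the post uses 1024); WORKDIR and function names are assumptions.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Key without a passphrase plus CSR in one step; -subj answers the DN prompts.
make_key_and_csr() {          # $1 = Common Name (the hostname clients will use)
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
        -subj "/C=AU/ST=your state/L=your city/O=your company/CN=$1" 2>/dev/null
    chmod 600 "$WORKDIR/server.key"   # nobody but the owner needs to read the key
}
# Self-sign the CSR for $1 days (the post uses 365).
make_self_signed_cert() {
    openssl x509 -req -days "$1" -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
}
# Returns 0 only when the certificate was issued for exactly this key; a
# mismatched pair is what makes Apache refuse to start after the config edits.
cert_matches_key() {
    k=$(openssl rsa  -noout -modulus -in "$WORKDIR/server.key" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$WORKDIR/server.crt" | openssl sha256)
    [ "$k" = "$c" ]
}
# CN from the certificate subject, to compare with the hostname in ServerName.
cert_common_name() {
    openssl x509 -noout -subject -in "$WORKDIR/server.crt" | sed 's/.*CN *= *//'
}
# Returns 0 if the certificate is still valid for at least $1 more seconds.
cert_valid_for() {
    openssl x509 -noout -checkend "$1" -in "$WORKDIR/server.crt" >/dev/null
}

# The finished sites-available/ssl virtual host; $1 = ServerName. Printed to
# stdout so it can be reviewed before being installed.
ssl_vhost() {
    cat <<EOF
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName $1
    DocumentRoot /var/www/
    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
EOF
}
```

Call make_key_and_csr with the site's hostname, then make_self_signed_cert, then run the three checks before copying server.crt and server.key into /etc/ssl as the post does.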