Web Security

Exercise HTTPS, Certificates and PKI

Solutions for this exercise

We want to install a Secure application

First step is to create an application that needs to be secured.

Create a directory htdocs-secure in the directory where you find htdocs.
In this new directory copy the following file index.php (don't forget to rename it into index.php and not index.phps). Then create a directory secureArea in the new directory. Copy the file index-secureArea.php in the secureArea. Rename it as index.php.
Change the document root of HTTPS server of Apache. In the directory xampp/etc/extra or xampp/extra/, you edit the file httpd-ssl.conf. Update the instruction DocumentRoot, such that it point toward your new directory:
```
<VirtualHost _default_:443>

#   General setup for the virtual host
DocumentRoot "/opt/lampp/htdocs-secure"
```
Restart Apache, then test if it worked: https://localhost

Create certificates

We need to create:

A Certificate Authority (we use the same for the server and the clients)
A Certificate for the Server
Some Certificates for the Users

Tools

In this exercise, we use the Apache mod_ssl module, such as the Openssl software. Both are contained in the XAMPP distribution.
We will use the file httpd.conf that contains the main configurations of Apache. This file referes to another file extra/httpd-ssl.conf which contains the configurations for the mod_ssl module.
The server is preinstalled with self signed certificate and key, which are stored in the directories ssl.crt/ (CRT for certificate) and ssl.key/. The following lines in the config file correspond to the two directories:

SSLCertificateFile /opt/lampp/etc/ssl.crt/server.crt
SSLCertificateKeyFile /opt/lampp/etc/ssl.key/server.key

Creation of a Certifiate Authority (CA)

In the config directory of XAMPP, you find a file openssl.cnf (on the Linux platform it may be found in the directory /opt/lampp/etc/). You may edit this file if you want to change default values for the creation of a new certificate (country, Organisational Unit, etc.).
Execute the following command in a working directory:

/opt/lampp/bin/CA.pl -newca

(for windows, you may use CA.BAT or CA.pl (even if the file is a phps file, rename it as CA.pl) instead)
Just fill out all the questions. This program creates a directory ./demoCA which contains all the demo files needed.
If you are under windows, this part may not work at all, so you can simply download a demoCA directory demoCA.zip. In this version, the passphrase is albert (it is used to access the private key of the CA).
Now, we are the certificate authority.

Configure Apache to recognise users authentified by this CA

Edit extra/httpd-ssl.conf

Change the pointer to the CA certificate (the file cacert.pem in the directory demoCA)

SSLCACertificateFile /home/bie1/svn/bie1/webSecurity/web/exercises/https/demoCA/cacert.pem

Start verification of clients certificates

SSLVerifyClient require
SSLVerifyDepth  1

Link the CA Revocation link in your demoCA
```
SSLCARevocationPath ....
```

Create Certificate for new Users

Generate a new private key, public key pair (here a 1024 bit RSA key encrypted with triple DES)
```
openssl genrsa -des3 -out mykey.key 1024
```
Generate a new CSR (Certificat Signing Request)
```
openssl req -new -key mykey.key -out myname.req
```
This information is sent to the CA, together with a proof of the identity.
The CA creates a certificate corresponding to the CSR
Let the CA sign your CSR, this produces a certificate
Then create a corresponding certificate
```
openssl ca -in myname.req -out newcert.pem -config /opt/lampp/etc/openssl.cnf
```
In the directory demoCA/ the index is updated, serial number will be increased in the subdirectory newcerts/
You need to change the format of your certificate, in order to import inside your browser. The required format is PKCS12.
```
openssl pkcs12 -export -in newcert.pem -inkey mykey.key -out cert.p12 -name "name for certificate"
```
The PKCS12 file combines both the certificate and the private key. It can be used directly inside a client.

Configure your browser(s)

Try to access your https server from your browser https://localhost: It should not work.
Install the new certificate in your browser. If your browser is Firefox: In the Preferences menu, select the Advanced tab, then the cypher subtag, and import a new certificate.
Try to access your https site: https://localhost. It should work now!

Restrict access only to the folder secureArea

Change the config file, such that the certificate is required only for the clients visiting the directory secureArea
```
SSLVerifyClient none

<Location /secureArea>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
```
Try with different browsers (one with certificate, one without).