The first step is to create a certificate authority:
bie1@linux-ibm:~/workdir> /opt/lampp/bin/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.....++++++
.......++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Baden-Wuertemberg
Locality Name (eg, city) []:Freiburg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Freiburg
Organizational Unit Name (eg, section) []:IIG
Common Name (eg, YOUR name) []:Emmanuel Benoist
Email Address []:emmanuel@benoist.ch
bie1@linux-ibm:~/workdir>
If you are on Windows, download this demoCA directory as demoCA.zip. In that version, the passphrase is albert.
Now, we are the certificate authority.
Configure Apache
We need to change the Apache config file /opt/lampp/etc/extra/httpd-ssl.conf. The resulting file is httpd-ssl.conf.
The interesting lines are listed below (in this first part, we focus on the certificate with which the server authenticates itself). The server is authenticated using a self-signed certificate.
The config of the document root:
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/opt/lampp/htdocs-secure"
Enabling the SSL engine (for serving HTTPS pages).
Apache also requires a CA in order to authenticate the users.
In the second part, we configure Apache to point to our demoCA and to grant access to some directories only to users holding a certificate issued by this demoCA.
We define a pointer to the directory where the demoCA is located.
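The configuration lines this second part refers to are not reproduced on the page. The following virtual host is an added example, not the tutorial's own httpd-ssl.conf and not a file shipped with XAMPP; the server certificate and key paths, the location of demoCA's CA certificate, the server name and the /private directory are assumptions to adapt to your layout.

```apache
# Added example (not the tutorial's httpd-ssl.conf): HTTPS with a self-signed
# server certificate, plus one directory reachable only with a client
# certificate issued by our demoCA. All paths below are assumptions.
Listen 443
<VirtualHost _default_:443>
    DocumentRoot "/opt/lampp/htdocs-secure"
    ServerName www.example.invalid:443

    # Part 1: the server side of TLS (the self-signed server certificate).
    SSLEngine on
    SSLCertificateFile    "/opt/lampp/etc/ssl.crt/server.crt"
    SSLCertificateKeyFile "/opt/lampp/etc/ssl.key/server.key"

    # Part 2: the CA that every client certificate must chain to.
    # Pointing at demoCA's own certificate (not a system-wide bundle) means
    # that only certificates signed by our CA are accepted.
    SSLCACertificateFile "/opt/lampp/demoCA/cacert.pem"

    # Everything under /private requires a valid client certificate.
    <Location "/private">
        SSLVerifyClient require
        SSLVerifyDepth  1
        # Additionally pin the issuer's organisation, so a certificate from
        # any other CA that might later be added to the file is still refused.
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "University of Freiburg"
        # Make the verified subject DN available to scripts (SSL_CLIENT_S_DN ...).
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

Setting SSLVerifyClient inside a Location rather than for the whole virtual host lets the rest of the site stay open to anonymous users, at the cost of a TLS renegotiation when a protected path is first requested; placing it at the virtual host level avoids the renegotiation but then demands a certificate for every request.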
We now generate a private key for the user (protected with a pass phrase, Triple-DES encrypted):
bie1@linux-ibm:~/workdir> openssl genrsa -des3 -out emmanuel.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for emmanuel.key:
Verifying - Enter pass phrase for emmanuel.key:
This produced the key file emmanuel.key. The pass phrase used was emmanuel.
We create a new certificate request (Certificate Signing Request, CSR):
bie1@linux-ibm:~/workdir> openssl req -new -key emmanuel.key -out emmanuel.req
Enter pass phrase for emmanuel.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Baden-Wuertemberg
Locality Name (eg, city) []:Freiburg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Freiburg
Organizational Unit Name (eg, section) []:IIG
Common Name (eg, YOUR name) []:Emmanuel
Email Address []:bie1@bfh.ch
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The CA now signs the request with its own private key (the pass phrase asked for is the one chosen when the CA was created):
bie1@linux-ibm:~/workdir> openssl ca -in emmanuel.req -out CertificateEmmanuel.pem
Using configuration from /opt/lampp/share/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 7 08:41:44 2008 GMT
Not After : May 7 08:41:44 2009 GMT
Subject:
countryName = DE
stateOrProvinceName = Baden-Wuertemberg
organizationName = University of Freiburg
organizationalUnitName = IIG
commonName = Emmanuel
emailAddress = bie1@bfh.ch
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
8A:21:40:20:C4:BC:23:79:52:8B:6B:E5:67:79:8D:3E:F4:FA:4C:FE
X509v3 Authority Key Identifier:
keyid:DB:B2:E0:0E:F8:C5:B5:C8:3F:F1:1C:9A:80:96:25:1D:1D:F7:B2:2F
Certificate is to be certified until May 7 08:41:44 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
bie1@linux-ibm:~/workdir>
Now convert the certificate into PKCS#12 format (the format for importing a certificate into a browser). This format bundles the certificate (which is sent to the peer) together with the private key (which remains secret).
bie1@linux-ibm:~/workdir> openssl pkcs12 -export -in CertificateEmmanuel.pem -inkey emmanuel.key -out cert-emmanuel.p12
Enter pass phrase for emmanuel.key:
Enter Export Password:
Verifying - Enter Export Password:
The export password used was emmanuel. This produced the file cert-emmanuel.p12.
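The whole procedure above, from creating the CA to exporting the PKCS#12 bundle, as an added shell script that is not part of the original tutorial. It runs openssl non-interactively (pass phrases via -passout/-passin, a scripted demoCA layout and a minimal openssl.cnf in place of CA.pl and the XAMPP configuration), uses 2048-bit keys and SHA-256 instead of the 1024-bit keys shown above, and ends with the check that Apache's CA setting amounts to: openssl verify against demoCA's certificate accepts our own user's certificate and rejects one issued by an unrelated CA. All names, pass phrases and DN values are constructed for the example.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands): CA -> user key -> CSR ->
# signed certificate -> PKCS#12, run non-interactively, then the chain check
# that Apache's SSLCACertificateFile setting amounts to. Passphrases, DN values
# and file names are constructed; the demoCA layout mirrors what CA.pl creates.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

CA_PASS="ca-secret-example"          # constructed (CA.pl prompted for it above)
USER_PASS="user-secret-example"      # constructed (the tutorial used "emmanuel")
EXPORT_PASS="export-secret-example"  # constructed PKCS#12 export password

# 1. CA database layout as prepared by CA.pl -newca, plus a minimal openssl.cnf.
setup_ca_dir() {   # $1 = working directory
  mkdir -p "$1/demoCA/private" "$1/demoCA/newcerts"
  : > "$1/demoCA/index.txt"
  echo 01 > "$1/demoCA/serial"
  cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = usr_cert
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature,keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# 2. CA key and self-signed CA certificate (what CA.pl -newca does).
make_ca() {        # $1 = working directory
  ( cd "$1"
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out demoCA/private/cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -config ca.cnf -key demoCA/private/cakey.pem -passin "pass:$CA_PASS" \
      -subj "/C=DE/O=Example University/OU=IIG/CN=Example Demo CA" -days 365 -out demoCA/cacert.pem )
}

# 3. User key, CSR, CA-signed certificate and PKCS#12 bundle (genrsa/req/ca/pkcs12).
make_client() {    # $1 = working directory, $2 = user name
  ( cd "$1"
    openssl genrsa -des3 -passout "pass:$USER_PASS" -out "$2.key" 2048 2>/dev/null
    openssl req -new -config ca.cnf -key "$2.key" -passin "pass:$USER_PASS" \
      -subj "/C=DE/O=Example University/OU=IIG/CN=$2/emailAddress=$2@example.invalid" -out "$2.req"
    # -batch answers "Sign the certificate?" and "commit?" with yes and updates index.txt/serial.
    openssl ca -batch -notext -config ca.cnf -passin "pass:$CA_PASS" -in "$2.req" -out "Certificate-$2.pem" 2>/dev/null
    openssl pkcs12 -export -in "Certificate-$2.pem" -inkey "$2.key" -passin "pass:$USER_PASS" \
      -passout "pass:$EXPORT_PASS" -out "cert-$2.p12" )
}

# 4. What SSLVerifyClient require boils down to: does the certificate chain to OUR
#    CA, and is it marked for TLS client authentication?
verify_client() {  # $1 = CA working directory, $2 = certificate file
  openssl verify -CAfile "$1/demoCA/cacert.pem" -purpose sslclient "$2" >/dev/null 2>&1
}

# Demo: our CA issues a certificate to alice; an unrelated CA issues one to
# mallory, which must be refused when checked against our CA.
main() {
  ours=$(mktemp -d); other=$(mktemp -d)
  setup_ca_dir "$ours";  make_ca "$ours";  make_client "$ours" alice
  setup_ca_dir "$other"; make_ca "$other"; make_client "$other" mallory
  verify_client "$ours" "$ours/Certificate-alice.pem"    && echo "alice: accepted by our CA"
  verify_client "$ours" "$other/Certificate-mallory.pem" || echo "mallory: rejected (issued by another CA)"
  echo "import into the browser: $ours/cert-alice.p12"
}
main
```

Run it as sh script.sh; the two CA directories are created with mktemp -d and left in place so the generated files can be inspected. The .key files and the .p12 bundle contain private keys and are the secrets in this setup; Certificate-alice.pem and demoCA/cacert.pem can be handed out freely, and demoCA/private/cakey.pem is the one file whose compromise lets anyone mint certificates that Apache will accept.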
Configure the browser
Import the file cert-emmanuel.p12 into the browser (the procedure depends on the browser).
Copyright Emmanuel Benoist 2008-2013