Thursday, June 12, 2008

Creating Apache Certificates

OK I spent the weekend doing something I haven't done in awhile and man was I rusty. I had to enable HTTPS on an Apache server, create a CSR, and install a certificate. I wanted to walk you through the commands I used to generate the CSR and install the certificate. As a bonuse I will also show you how to generate a self-signed certificate. This was done using OpenSSL on a Debian system.

Step One - Create a server key


openssl genrsa -des3 -out server.key 4096

This command will generate a file called server.key. It will prompt you for a password. Typically you don't really want a password, I will explain this more later, but you don't really have a chose you have to enter one just make sure you remember what you enter. We'll address this more after the next couple of steps

Step Two - Create a Certificate Server Request (CSR)


openssl req -new -key server.key -out server.csr

This is what you are going to provide your Certificate provider to generate your actual certificate. You will be prompted for your password again. Then you are prompted with a bunch of follow up question, the one you want to really pay attention to and make sure you get right is the "Common Name". This is the URL you are trying to get a certificate for so make sure you get it right. Don't put in http:// or https:// just the URL (example www.mydomain.com). Near the end you will be prompted for a "Challenge Password", this does not have to be the same as the password you provided for your server.key file. You will need to remember this challenge password because you will be prompted for it again when you go to install the certificate. I believe you can actually leave this one blank but I wouldn't.

Step Two.One - Generate a Self Sign Certificate

At this point you have a CSR file to send into a Certificate Provider and get a real certificate generated for you. However, these certificates are not cheap and if this is not a production environment or if its just a administrative area, you might be happier with the much cheaper alternative of a "Self Signed Certificate". This is a certificate you generate yourself. Now since it's not a certificate from a recognized certificate provider, you will be prompted if you do actually want to accept this certificate. So why would you do this, well as I mentioned its cheaper and the end result is that it still encrypts you traffic. So let's generate a self sign certificate, if you are going the way of getting a certificate from a provider you can skip this step.


openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


Step Three - Remove Password From Server.key File


By this step, you should have a actual certificate file either by self generating or purchasing, problem is if you install everything as is, you will be prompted for the password you provided when you generated the server.key file every time you go to start up your web server. You can imagine how this could be a annoying. If you are OK with entering your password every time the Apache service starts (including reboots), then you can skip this step. If not, then we are going to remove the password from the server.key file.

Generate a non-password version of the server.key file

openssl rsa -in server.key -out server.key.insecure

It's a good idea to keep the original server.key file that has the password so lets rename that file

mv server.key server.key.secure

And now we'll make our insecure version the main file

mv server.key.insecure server.key


Move the Files

That should be pretty much it now all you need to do is move your files to the correct locations

mv server.key /etc/ssl/private/
mv server.crt /etc/ssl/certs/


Now, you just need to enable the site as HTTPS in Apache. If you are not sure how to do this, I will post that in the next couple of days as well.



Sunday, June 8, 2008

rsync Over ssh

I love the rsync command. A great tool for grabbing a copy of files you need from one location. If the server is remote, you probably want to make sure you are transferring these files securely. For this we are going to use rsync in conjunction with ssh. One thing to note, in order to do this you will need to set up ssh between the two servers to use keys.

Here is a simple rsync+ssh example:

rsync -ave ssh username@www.remoteserver.com:/location/on/remote/server/ /location/on/local/machine/


Here is how the command breaks down:

rsync (Start of the command)
-a (archive mode)
v (verbose, will show you what is being copied as it is being copied)
e
(specify the remote shell to use)
ssh (how to connect to remote server)
username (username to connect as)
@www.remoteserver.com (remote server to connect to)
:/location/on/remote/server/ (location on remote machine of file(s) you want to copy)
/location/on/local/machine/ (location of location machine where you want to copy the files to)


A lot more can be done using rsync. For more ideas please run 'man rsync' on you local Linux box.

Friday, May 18, 2007

mv (and cp) Shortcut

Shortcut command for move and copy. The format is simple. You simply add an {,.addname} to the end of the filename you are trying to mv or cp.

example:
$ mv filename{,.backup}