This howto walks you step by step through the creation of an SSL certificate and then shows how to protect various services (Apache, Courier, Postfix, ProFTPD) with SSL.

[Thanks for the SSL CA part go to http://fra.nksteidl.de/Erinnerungen/OpenSSL.php]

1. Creating the SSL certificate

1.1 Installing the openssl package

First we have to install the openssl package:

 
apt-get install openssl

1.2 Adjusting the configuration files

Then we open the openssl configuration file /etc/ssl/openssl.cnf and adjust it as follows (the example assumes a CA (certification authority) named "RootCA"; you can rename it as you like):

 
Line 32: default_ca = RootCA
Line 35: [ RootCA ]
Line 37: dir = /root/RootCA
Line 41: unique_subject = no # only if you need this
Line 70: default_md = md5

If we want, we can adapt the values in the [req_distinguished_name] section to our language:

 
[ req_distinguished_name ]
countryName = Land (2stelliger Code)
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Bundesland (voller Name)
stateOrProvinceName_default = MeinBundesland
localityName = Ort, Stadt
localityName_default = MeineStadt
0.organizationName = Firmenname
0.organizationName_default = MeineFirma
# This is normally not needed, but we can use it anyway :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Abteilung
#organizationalUnitName_default =
commonName = Common Name (z.B. IHR Name, die Serverdomain)
commonName_max = 64
emailAddress = E-Mail-Addresse
emailAddress_max = 64

1.3 Creating the required directories and files

Now we have to create the directories and files specified in openssl.cnf:

 
mkdir /root/RootCA # or whichever name/directory was chosen above
cd /root/RootCA
mkdir newcerts certs crl private
touch index.txt
# the serial number starts with 01
echo "01" > serial

1.4 Generating random data for the CA certificate

To be able to use the uuencode program, the sharutils package must be installed.

 
cat /dev/urandom | uuencode -m bla | head -19 | sed "s/begin.*//g"\
| tail -18 | xargs | sed "s/ //g" > /root/RootCA/private/.rand
chmod 770 /root/RootCA/private/.rand
ls -alh /root/RootCA/private/.rand

1.5 Creating the CA certificate

Now we can create the certificate.

Generate the key. For the key to remain secure in the coming years, we should use a strong passphrase!

 
openssl genrsa -aes256 -out private/RootCA.key.pem -rand private/.rand 2048

Create the certificate:

 
openssl req -new -x509 -days 1827 -key private/RootCA.key.pem -out RootCA.cert.pem

(-days 1827 creates a certificate that is valid for 5 years)

We check the certificate data:

 
openssl x509 -in RootCA.cert.pem -text | less

We copy the certificate and the private key to the locations specified in openssl.cnf:

 
cp /root/RootCA/RootCA.cert.pem /root/RootCA/cacert.pem
cp /root/RootCA/private/RootCA.key.pem /root/RootCA/private/cakey.pem

Put the certificate under the control of the CA. To do so, copy it into the certs directory with its serial number as the filename and link it there under its hash value:

 
cd /root/RootCA
cp RootCA.cert.pem /root/RootCA/certs/00.pem
cd /root/RootCA/certs/
ln -s 00.pem `openssl x509 -hash -noout -in 00.pem`.0

1.6 Publish the CA certificate

Now the CA is initialized and you can distribute its certificate. To do so, rename the .cert.pem file to a .crt file, copy it to a place reachable via the internet and make it readable by everybody:

 
cp /root/RootCA/RootCA.cert.pem /var/www/virtual/yourdomain.com/htdocs/RootCA.crt
chmod 444 /var/www/virtual/yourdomain.com/htdocs/RootCA.crt

Now it's time to import the certificate into your browser. To do so, just browse to http://yourdomain.com/RootCA.crt

2. Create the server certificates

2.1 Sample server certificate generation

All server certificates are created the same way. They shouldn't have a passphrase, because you don't want to enter it every time you start Apache or another server. The passphrase is disabled by omitting the encryption algorithm when creating the private key.

 
cd /root/RootCA
openssl genrsa -out server.key.pem -rand private/.rand 2048 # Generate the key
openssl req -new -key server.key.pem -out server.req.pem # Generate the certificate request
openssl ca -name RootCA -in server.req.pem -out server.cert.pem # Sign the request with your CA (you have to enter the CA-passphrase)

Move the certificate into the certs-directory and link it with its hash-value:

 
mv newcerts/01.pem certs/ # the certificate is named after its serial number, so it is called 01.pem only the first time, of course
cd certs
ln -s 01.pem `openssl x509 -hash -noout -in 01.pem`.0

I suggest saving the original certificate files in a subdirectory called server:

 
mkdir /root/RootCA/server
mv server.*.pem server/
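The CA layout of 1.3 to 1.5 and the issuing steps of 2.1, as an added shell example that is not part of the original howto: it builds a throwaway CA in a temporary directory with a minimal openssl.cnf, issues one server certificate with openssl ca, and checks the result (chains to the CA, not MD5-signed, expected Common Name) before the files would be copied into /etc. It assumes sha256 as the signature digest instead of the md5 from 1.2, since current clients reject MD5-signed certificates, and mail.example.com is a constructed sample hostname.

```shell
# Added example, not from the original howto: a throwaway CA laid out as in 1.3-1.5
# issues one server certificate as in 2.1 (signed with sha256, not md5) and checks it.
set -eu

# Create the CA directory layout and a minimal openssl.cnf; print the directory.
make_ca() {
  ca=$(mktemp -d)
  mkdir "$ca/newcerts" "$ca/certs" "$ca/private"
  touch "$ca/index.txt"; echo 01 > "$ca/serial"      # serial numbers start at 01
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = RootCA
[ RootCA ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  # An unencrypted CA key is acceptable only for this throwaway CA (compare 1.5).
  openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 1827 -key "$ca/private/cakey.pem" -subj "/CN=Test RootCA" \
    -config "$ca/openssl.cnf" -out "$ca/cacert.pem"
  echo "$ca"
}
# issue_cert CA_DIR HOSTNAME: key, request and CA-signed certificate as in 2.1.
issue_cert() {
  openssl genrsa -out "$1/server.key.pem" 2048 2>/dev/null
  openssl req -new -key "$1/server.key.pem" -subj "/CN=$2" -config "$1/openssl.cnf" -out "$1/server.req.pem"
  openssl ca -batch -notext -config "$1/openssl.cnf" -name RootCA -in "$1/server.req.pem" -out "$1/server.cert.pem" 2>/dev/null
}
# check_cert CA_DIR HOSTNAME: succeeds only if the certificate chains to the CA, is not MD5-signed
# and carries the expected Common Name; run this before copying the files into /etc.
check_cert() {
  openssl verify -CAfile "$1/cacert.pem" "$1/server.cert.pem" >/dev/null 2>&1 &&
  ! openssl x509 -in "$1/server.cert.pem" -noout -text | grep -qi 'md5With' &&
  openssl x509 -in "$1/server.cert.pem" -noout -subject | grep -q "CN *= *$2\$"
}
```

Run `ca=$(make_ca); issue_cert "$ca" mail.example.com; check_cert "$ca" mail.example.com && echo OK` to issue and check a certificate for the sample hostname.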

2.2 Create the certificate for the apache server

Generate a server certificate as described under 2.1 (choose apache.key.pem, apache.req.pem and apache.cert.pem as filenames). When generating the apache.req.pem, enter this:

 
Organizational Unit Name []:Apache Webserver
Common Name (eg, YOUR name) []:yourdomain.com

It is important to enter the domain name under which you want to reach ispCP, because otherwise you get a domain mismatch error when connecting via SSL.

After you've generated the certificate, change the following settings in /etc/apache2/mods-available/ssl.conf (replace 512 with 2048):

 
SSLRandomSeed startup /dev/urandom 2048
SSLRandomSeed connect /dev/urandom 2048

Then make the directory and copy the certificate files (with secure file permissions):

 
mkdir /etc/apache2/ssl
cp apache.cert.pem apache.key.pem /etc/apache2/ssl
chmod 400 /etc/apache2/ssl/apache.cert.pem /etc/apache2/ssl/apache.key.pem

Tell Apache to listen on the SSL port (443). To do so, add

 
Listen 443

to the file /etc/apache2/ports.conf and enable mod_ssl:

 
a2enmod ssl

As the last step you have to add a new VirtualHost that listens on port 443 and has the SSL engine enabled:

 
cp /etc/apache2/sites-available/00_master.conf /etc/apache2/sites-available/01_ssl_master.conf

Change the 01_ssl_master.conf file like this:

 
#
# SSL Master Begin
#
<VirtualHost xxx.xxx.xxx.xxx:443>
#
# SSL Start
#
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.key.pem
#
# SSL End
#
ServerAdmin admin@yourdomain.com
DocumentRoot /var/www/ispcp/gui
ServerName yourdomain.com
ErrorLog /var/log/apache2/users/ssl.yourdomain.com-error.log
TransferLog /var/log/apache2/users/ssl.yourdomain.com-access.log
CustomLog /var/log/apache2/ssl.yourdomain.com-traf.log traff
CustomLog /var/log/apache2/ssl.yourdomain.com-combined.log combined
#
# ... below here, nothing has to be changed
#
</VirtualHost>
#
# SSL Master End
#

Enable the ssl site:

 
a2ensite 01_ssl_master.conf

Now reload the apache server:

 
/etc/init.d/apache2 reload

and you're done!

Open your browser and enter https://yourdomain.com and you should see the ispCP login - SSL encrypted. (By the way, phpMyAdmin and the Webmail interface are now also encrypted)

2.3 Create the certificate for the courier server

At first, you have to install the ssl-packages for courier:

 
apt-get install courier-imap-ssl courier-pop-ssl

Now you can generate the server certificate as described under 2.1 (choose courier.key.pem, courier.req.pem and courier.cert.pem as filenames). When generating the courier.req.pem, enter this:

 
Organizational Unit Name []:Courier Mailserver
Common Name (eg, YOUR name) []:mail.yourdomain.com

The courier server needs the certificate and the key together in one file:

 
cd /root/RootCA/server
cat courier.cert.pem courier.key.pem > courier.pem

Put the Certificates under /etc/courier:

 
cd /etc/courier
cp /root/RootCA/server/courier.pem .
chmod 400 courier.pem
ln -s courier.pem imapd.pem
ln -s courier.pem pop3d.pem

Now you can restart the courier-ssl servers:

 
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart

and SSL is working for your IMAP and POP3-Server!

2.4 Create the certificate for the ProFTPD server

Generate the server certificate as described under 2.1 (choose proftpd.key.pem, proftpd.req.pem and proftpd.cert.pem as filenames). When generating the proftpd.req.pem, enter this:

 
Organizational Unit Name []:ProFTPD FTP-Server
Common Name (eg, YOUR name) []:ftp.yourdomain.com

Copy the files to /etc/proftpd:

 
cd /etc/proftpd
cp /root/RootCA/server/proftpd.cert.pem /root/RootCA/server/proftpd.key.pem .
chmod 400 proftpd.cert.pem proftpd.key.pem

Activate TLS in /etc/proftpd.conf (uncomment these lines):

 
#
# SSL via TLS
#
<IfModule mod_tls.c>
TLSEngine on # on for use of TLS
TLSLog /var/log/proftpd/ftp_ssl.log # where to log to
TLSProtocol SSLv23 # SSLv23 or TLSv1
TLSOptions NoCertRequest # either to request the certificate or not
TLSRSACertificateFile /etc/proftpd/proftpd.cert.pem # SSL certfile
TLSRSACertificateKeyFile /etc/proftpd/proftpd.key.pem # SSL keyfile
TLSVerifyClient off # client verification
</IfModule>

Restart ProFTPD:

 
/etc/init.d/proftpd restart

That's all! Now you can connect to ftp.yourdomain.com via FTP with explicit TLS/SSL.

2.5 Create the certificate for the postfix server

Generate the server certificate as described under 2.1 (choose postfix.key.pem, postfix.req.pem and postfix.cert.pem as filenames). When generating the postfix.req.pem, enter this:

 
Organizational Unit Name []:Postfix Mailserver
Common Name (eg, YOUR name) []:mail.yourdomain.com

Copy the files to /etc/postfix:

 
cd /etc/postfix
cp /root/RootCA/server/postfix.cert.pem /root/RootCA/server/postfix.key.pem .
chmod 400 postfix.cert.pem postfix.key.pem

Activate TLS/SSL in /etc/postfix/main.cf (uncomment these lines):

 
smtpd_tls_loglevel = 2
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_received_header = yes

Restart postfix:

 
/etc/init.d/postfix restart

And another one… You can now send your emails over an SSL-encrypted connection.

3. Finished

Now you have configured your webserver (for ispCP), your mail servers and your FTP server to use an SSL-encrypted connection.

Don't forget to distribute the CA-Certificate (it's accessible via http://yourdomain.com/RootCA.crt, isn't it?) to the people who access your server, so that they don't have to accept each single server certificate.

de/howto/security/create_your_own_ssl_ca_and_secure_multiple_services.txt · Last modified: 2008/07/30 07:36 by iron73