Setting up a secure web server on Mandriva is fairly simple. The scripts provided here make it easy to create a certificate authority, a certificate for the server and certificates for the clients.
Installing the web server
Install the following packages:
apache-mpm-prefork apache-mod_ssl
Open the Web service in drakfirewall. This opens ports 80 (http) and 443 (https).
Setting up the local certificate authority
Download these scripts: SSL.tgz
Edit the file SSL/openssl.conf and replace the values in the [ req_distinguished_name ] section.
Create a certificate authority with the following command:
[lordikc@localhost SSL]$ ./create_CA.sh
Certificate Authority Creation
Input the password protecting the CA (ca.key).
This password will be needed whenever you creates a new certificate.
Pickup a strong password and keep it in a safe place
It will be asked several times during this script.
Generating a 1024 bit RSA private key
......++++++
.......................++++++
writing new private key to 'CA/private/ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [IdF]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [Lordikc]:
Organizational Unit Name (eg, section) []:Certificate Authority Lordikc
Common Name (eg, your name or your server's hostname) []:www.lordikc.com
Email Address []:xxx@yyy.fr
Initialize CRL
Using configuration from CA/openssl.cnf
Enter pass phrase for /home/lordikc/SSL/CA/private/ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 17 18:56:42 2009 GMT
            Not After : Nov 17 18:56:42 2010 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Revocation initilization
            localityName              = Revocation initilization
            organizationName          = Revocation initilization
            organizationalUnitName    = Revocation initilization
            commonName                = Revocation initilization
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                8B:BF:B3:24:61:32:F2:01:85:EA:2C:BF:91:66:62:E1:BC:1B:46:C6
            X509v3 Authority Key Identifier:
                keyid:B9:BE:09:DF:FA:69:FB:53:85:57:71:D6:B0:51:69:0A:D6:53:AE:15
Certificate is to be certified until Nov 17 18:56:42 2010 GMT (365 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit? [y/n]
Write out database with 1 new entries
Data Base Updated
Using configuration from CA/openssl.cnf
Enter pass phrase for /home/lordikc/SSL/CA/private/ca.key:
Revoking Certificate 01.
Data Base Updated
Using configuration from CA/openssl.cnf
Enter pass phrase for /home/lordikc/SSL/CA/private/ca.key:
CA created
This script created the certificate authority: a certificate and a private key, CA/private/ca.key, which must never be given to anyone. It also initialised the certificate revocation list (CRL), which lets you invalidate existing certificates later if needed. Two things to keep in mind: the transcript shows a 1024-bit RSA key being generated, which is no longer considered adequate, so use at least 2048 bits for a CA that real clients will trust; and the web server only ever needs ca.crt and ca.crl, so ca.key and its passphrase should stay off the server.
Configuring the web server
Create a certificate and a private key for the web server with this script:
[lordikc@localhost SSL]$ ./create_client_certificate.sh web_server
Country Name (2 letter code) []:FR
State or Province Name (full name) []:IdF
Locality Name (eg, city) []:Paris
Organization Name (eg, company) []:Lordikc
Organizational Unit Name (eg, section) []:Web Server
In case of a certificate for Apache or JBoss, input the public adresse here:
Common Name (eg, YOUR name) []:www.lordikc.com
Email Address []:xxx@yyy.fr
Country Name (2 letter code): FR
State or Province Name (full name): IdF
Locality Name (eg, city): Paris
Organization Name (eg, company): Lordikc
Organizational Unit Name (eg, section): Web Server
Common Name (eg, YOUR name): www.lordikc.com
Email Address: lordikc@lordikc.com
Correct (y/n)? [n]:y
Using configuration from CA/openssl.cnf
Enter pass phrase for /home/lordikc/SSL/CA/private/ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Nov 17 18:59:13 2009 GMT
            Not After : Nov 17 18:59:13 2010 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = IdF
            localityName              = Paris
            organizationName          = Lordikc
            organizationalUnitName    = Web Server
            commonName                = www.lordikc.com
            emailAddress              = lordikc@lordikc.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                25:92:89:27:B6:7C:46:51:B6:39:2F:5F:6B:0D:18:80:5B:91:64:73
            X509v3 Authority Key Identifier:
                keyid:B9:BE:09:DF:FA:69:FB:53:85:57:71:D6:B0:51:69:0A:D6:53:AE:15
Certificate is to be certified until Nov 17 18:59:13 2010 GMT (365 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit? [y/n]
Write out database with 1 new entries
Data Base Updated
Set the PKCS12 password for this key. This is NOT the password of the CA.
This password should be provided to the client.
Enter Export Password:
Verifying - Enter Export Password:
Certificate created in CA/client_certificates/web_server
total 40
-rw-r--r-- 1 lordikc lordikc 1387 2009-11-17 19:59 ca.crt
-rw-r--r-- 1 lordikc lordikc  984 2009-11-17 19:59 ca.der
-rw-r--r-- 1 lordikc lordikc 1387 2009-11-17 19:59 ca.pem
-rw-r--r-- 1 lordikc lordikc  372 2009-11-17 19:59 README
-rw-r--r-- 1 lordikc lordikc 3342 2009-11-17 19:59 web_server.crt
-rw-r--r-- 1 lordikc lordikc  810 2009-11-17 19:59 web_server.der
-rw-r--r-- 1 lordikc lordikc  887 2009-11-17 19:59 web_server.key
-rw-r--r-- 1 lordikc lordikc 1972 2009-11-17 19:59 web_server.p12
-rw-r--r-- 1 lordikc lordikc 4229 2009-11-17 19:59 web_server.pem
Provide this directory to the client as well as the PKCS12 password.
This script created the directory CA/client_certificates/web_server, which contains everything needed to set up the HTTPS server.
Edit the file /etc/httpd/conf/vhosts.d/01_default_ssl_vhost.conf:
SSLCertificateFile must point to web_server.crt
SSLCertificateKeyFile must point to web_server.key
SSLCACertificateFile must point to ca.crt
SSLCARevocationFile must point to ca.crl
It is best to copy them into the /etc/pki/tls tree (see the default values in 01_default_ssl_vhost.conf). Note that the listing above shows the files created with mode 644: once copied, make web_server.key readable by root only (chmod 600), since anyone who can read it can impersonate the server.
Restart the web server with /etc/init.d/httpd restart and you are done.
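Before the restart it is worth checking that the four files the vhost points at are consistent with each other, because a mismatched key, a certificate signed by another CA, or a stale CRL only shows up later as an httpd that refuses to start or as a browser error. The script below is an added example, not part of the page or of its SSL.tgz scripts; the paths are passed as arguments and the 30-day expiry window is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the page: sanity check of the files behind
# SSLCertificateFile / SSLCertificateKeyFile / SSLCACertificateFile /
# SSLCARevocationFile, to run after copying them into /etc/pki/tls and
# before "/etc/init.d/httpd restart". Paths and the 30-day window are
# assumptions of this example.
set -eu

# Usage: check_tls_files web_server.crt web_server.key ca.crt [ca.crl]
# Prints one line per problem; returns 0 when every check passes, 1 otherwise.
check_tls_files() {
  cert=$1; key=$2; ca=$3; crl=${4:-}
  status=0

  # 1. Pairing: the public key inside the certificate must be the public
  #    half of the private key (works for RSA and EC keys alike).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key is not the private key of $cert"; status=1
  fi

  # 2. Chain and validity, with the same CRL check mod_ssl performs when a
  #    CRL is configured: this fails on a wrong issuer, an expired
  #    certificate, a revoked server certificate, and a CRL that is not
  #    signed by the CA or is past its nextUpdate.
  if [ -n "$crl" ]; then
    if ! openssl verify -CAfile "$ca" -crl_check -CRLfile "$crl" "$cert" >/dev/null 2>&1; then
      echo "FAIL: $cert does not verify against $ca with CRL $crl"; status=1
    fi
  elif ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca (wrong CA or expired)"; status=1
  fi

  # 3. Renewal warning: refuse a certificate that expires within 30 days.
  if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
    echo "FAIL: $cert expires within 30 days"; status=1
  fi

  # 4. Key permissions: owner-only (600 or 400). The scripts on the page
  #    create the key with mode 644; a key readable by other users on the
  #    server must be treated as exposed.
  case $(ls -ld "$key" | cut -c1-10) in
    -r??------) ;;
    *) echo "FAIL: $key is readable by group/others (expected mode 600)"; status=1 ;;
  esac

  return $status
}
```

Run it as root on the server with the four paths from 01_default_ssl_vhost.conf; an empty output and exit status 0 mean the restart is safe. The CRL branch is the one to rerun after every revocation, since it also catches a ca.crl that was regenerated but not copied.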
Certificate authentication
In this authentication mode you issue a certificate to each of your users. The user must present that certificate to connect to your web server; the browser takes care of this.
Create a certificate for a user:
[lordikc@localhost SSL]$ ./create_client_certificate.sh client
Country Name (2 letter code) []:FR
State or Province Name (full name) []:IdF
Locality Name (eg, city) []:Paris
Organization Name (eg, company) []:Client Corp
Organizational Unit Name (eg, section) []:
In case of a certificate for Apache or JBoss, input the public adresse here:
Common Name (eg, YOUR name) []:John Doe
Email Address []:john.doe@nowhere.earth
Country Name (2 letter code): FR
State or Province Name (full name): IdF
Locality Name (eg, city): Paris
Organization Name (eg, company): Client Corp
Organizational Unit Name (eg, section):
Common Name (eg, YOUR name): John Doe
Email Address: john.doe@nowhere.earth
Correct (y/n)? [n]:y
Using configuration from CA/openssl.cnf
Enter pass phrase for /home/gilles/SSL/CA/private/ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 3 (0x3)
        Validity
            Not Before: Nov 17 19:03:01 2009 GMT
            Not After : Nov 17 19:03:01 2010 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = IdF
            localityName              = Paris
            organizationName          = Client Corp
            commonName                = John Doe
            emailAddress              = john.doe@nowhere.earth
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                38:EF:23:C0:E4:09:17:72:45:CF:E0:3A:A2:1D:09:B1:B5:B5:41:71
            X509v3 Authority Key Identifier:
                keyid:B9:BE:09:DF:FA:69:FB:53:85:57:71:D6:B0:51:69:0A:D6:53:AE:15
Certificate is to be certified until Nov 17 19:03:01 2010 GMT (365 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit? [y/n]
Write out database with 1 new entries
Data Base Updated
Set the PKCS12 password for this key. This is NOT the password of the CA.
This password should be provided to the client.
Enter Export Password:            <= PKCS12
Verifying - Enter Export Password:
Certificate created in CA/client_certificates/client
total 40
-rw-r--r-- 1 gilles gilles 1387 2009-11-17 20:03 ca.crt
-rw-r--r-- 1 gilles gilles  984 2009-11-17 20:03 ca.der
-rw-r--r-- 1 gilles gilles 1387 2009-11-17 20:03 ca.pem
-rw-r--r-- 1 gilles gilles 3299 2009-11-17 20:03 client.crt
-rw-r--r-- 1 gilles gilles  788 2009-11-17 20:03 client.der
-rw-r--r-- 1 gilles gilles  891 2009-11-17 20:03 client.key
-rw-r--r-- 1 gilles gilles 1918 2009-11-17 20:03 client.p12
-rw-r--r-- 1 gilles gilles 4190 2009-11-17 20:03 client.pem
-rw-r--r-- 1 gilles gilles  372 2009-11-17 20:03 README
Provide this directory to the client as well as the PKCS12 password.
Give the directory CA/client_certificates/client to your user together with the PKCS12 password, preferably sending the password over a different channel than the files. The directory contains the CA certificate and the user's private key and certificate in several formats.
The user can import client.p12 into Firefox; they will be asked for the PKCS12 password.
Wget uses the client.key and client.crt files (its --private-key and --certificate options; add --ca-certificate=ca.crt so that it also trusts the server's certificate).
Internet Explorer: I don't know…
Add the following entry to 01_default_ssl_vhost.conf. Inside a <Directory> block the client certificate is only required for that path; at vhost level it would apply to the whole site. SSLVerifyDepth 1 accepts only certificates signed directly by your CA, which is what the scripts produce:
<Directory /var/www/html/Protected>
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>
Managing certificates
[lordikc@localhost SSL]$ ./list_certificates.sh
Valid certificate
#:Start :End :Subject
2:Nov 17 18:59:13 2009 GMT:Nov 17 18:59:13 2010 GMT:C=FR, ST=IdF, L=Paris, O=Lordikc, OU=Web Server, CN=www.lordikc.com/emailAddress=lordikc@lordikc.com
3:Nov 17 19:03:01 2009 GMT:Nov 17 19:03:01 2010 GMT:C=FR, ST=IdF, L=Paris, O=Client Corp, CN=John Doe/emailAddress=john.doe@nowhere.earth
Revoked certificate
#:Start :End :Subject
1:Nov 17 18:56:42 2009 GMT:Nov 17 18:56:42 2010 GMT:C=FR, ST=Revocation initilization, L=Revocation initilization, O=Revocation initilization, OU=Revocation initilization, CN=Revocation initilization
[lordikc@localhost SSL]$ ./revoke_certificate.sh 3
Using configuration from CA/openssl.cnf
Enter pass phrase for /home/gilles/SSL/CA/private/ca.key:
Revoking Certificate 03.
Data Base Updated
Using configuration from CA/openssl.cnf
Enter pass phrase for /home/gilles/SSL/CA/private/ca.key:
Copy the ca.crl file into the web server tree (the path given by SSLCARevocationFile), then restart httpd: mod_ssl reads the CRL when it starts, so until the new file is in place and loaded the revoked certificate is still accepted.
[lordikc@localhost SSL]$ ./list_certificates.sh
Valid certificate
#:Start :End :Subject
2:Nov 17 18:59:13 2009 GMT:Nov 17 18:59:13 2010 GMT:C=FR, ST=IdF, L=Paris, O=Lordikc, OU=Web Server, CN=www.lordikc.com/emailAddress=lordikc@lordikc.com
Revoked certificate
#:Start :End :Subject
1:Nov 17 18:56:42 2009 GMT:Nov 17 18:56:42 2010 GMT:C=FR, ST=Revocation initilization, L=Revocation initilization, O=Revocation initilization, OU=Revocation initilization, CN=Revocation initilization
3:Nov 17 19:03:01 2009 GMT:Nov 17 19:03:01 2010 GMT:C=FR, ST=IdF, L=Paris, O=Client Corp, CN=John Doe/emailAddress=john.doe@nowhere.earth
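To see what the four scripts do underneath, and why copying ca.crl matters, here is the same lifecycle redone with plain openssl commands. This is an added example, not the page's SSL.tgz scripts: it builds a throwaway CA in a temporary directory (its openssl.cnf, the file names, the hostname www.example.test and the "Example Test CA" subject are assumptions of the example), issues a server and a client certificate, revokes the client one, and verifies both the way mod_ssl would, first with the stale CRL and then with the regenerated one.

```shell
#!/bin/sh
# Added example, not the page's SSL.tgz scripts: the same CA, server cert,
# client cert and revocation flow with plain openssl(1) in a throwaway
# directory, so the effect of a stale ca.crl can be observed. Every path,
# name and hostname is an assumption of this example; it runs offline.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/CA"

# create_CA.sh equivalent: minimal openssl.cnf for "openssl ca", CA key,
# self-signed CA certificate and an empty CRL. 2048-bit RSA/SHA-256 replace
# the page's 1024-bit key; -nodes skips the passphrase only because this CA
# lives a few seconds inside a test.
create_ca() {
  mkdir -p "$CA/private" "$CA/newcerts" && chmod 700 "$CA/private"
  : > "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
  cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/private/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CA/openssl.cnf" -extensions v3_ca -subj "/CN=Example Test CA" \
    -keyout "$CA/private/ca.key" -out "$CA/ca.crt" >/dev/null 2>&1
  chmod 600 "$CA/private/ca.key"
  gen_crl
}
# Rebuild ca.crl from the CA database: the file behind SSLCARevocationFile.
gen_crl() {
  openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/ca.crl" >/dev/null 2>&1
}
# create_client_certificate.sh equivalent: issue_cert NAME server|client CN.
# A server cert gets a subjectAltName (browsers no longer trust the CN alone);
# a client cert gets the clientAuth EKU so it cannot pose as a server.
issue_cert() {
  name=$1; kind=$2; cn=$3; dir="$WORK/$name"
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CA/openssl.cnf" \
    -subj "/CN=$cn" -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  chmod 600 "$dir/$name.key"
  if [ "$kind" = server ]; then
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$cn" > "$dir/ext"
  else
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/ext"
  fi
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >> "$dir/ext"
  openssl ca -config "$CA/openssl.cnf" -batch -notext -in "$dir/$name.csr" \
    -out "$dir/$name.crt" -extfile "$dir/ext" >/dev/null 2>&1
}
# revoke_certificate.sh equivalent: marks the cert revoked in index.txt only;
# ca.crl is unchanged until gen_crl runs and the new file is copied to Apache.
revoke_cert() {
  openssl ca -config "$CA/openssl.cnf" -revoke "$1" -crl_reason keyCompromise >/dev/null 2>&1
}
# The check mod_ssl makes from SSLCACertificateFile + SSLCARevocationFile:
# chain to ca.crt, then consult ca.crl. Exit status 0 means accepted.
verify_cert() {
  openssl verify -CAfile "$CA/ca.crt" -crl_check -CRLfile "$CA/ca.crl" "$1" >/dev/null 2>&1
}
demo() {
  create_ca
  issue_cert web_server server www.example.test
  issue_cert client client "John Doe"
  srv="$WORK/web_server/web_server.crt"; cli="$WORK/client/client.crt"
  verify_cert "$srv" && echo "server cert: accepted"
  verify_cert "$cli" && echo "client cert: accepted"
  revoke_cert "$cli"
  verify_cert "$cli" && echo "client cert revoked, old ca.crl still deployed: accepted"
  gen_crl
  verify_cert "$cli" || echo "client cert revoked, new ca.crl deployed: rejected"
  verify_cert "$srv" && echo "server cert: still accepted"
}
demo
```

The third line of output is the point of the exercise: after revoke_certificate.sh has run, the old ca.crl on the server still accepts the revoked certificate, and only the regenerated file (which the page's script produces on its second passphrase prompt) and a restart close the hole.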