LinOxide

How to Setup PKI and Secure Apache Web server

Updated May 6, 2016SECURITY, UBUNTU HOWTO

The focus of this tutorial is working of  Public Key Infrastructure (PKI) and OpenSSL based Certificate Authority. Different concept related to  PKI will be explained first and later a test bed using Ubuntu 14.04 LTS will be prepared to apply  PKI knowledge.  In this article, detailed explanation will be given on the generation of certification authority (CA), server and user keys/certificates. In the end, generated keys/certificates will be used in different scenarios.

About Public Key Infrastructure (PKI)

It is used to establish trust and security in computer networking. The purpose of PKI is to bind public keys with attributes which are used in various applications and protocols for following security features.

  • digital signature,
  • authentication,
  • non repudiation
  • S/MIME.

PKI consist of key pairs which has private and public keys. As name indicates,  Private Key (Pr) should always be kept secure and  Public key (Pu) is distributed to all participants for trusted communication. Both keys can be used for encryption and decryption however their usage in application is different.

  • Public key is used for encryption, then associated private key is used for decryption.

Public_key_encryption.svg

  • Private key is used for encryption, then associated public key is used for decryption. (S/MIME)

Public_key_signing.svgRSA (Rivest Shamir Adleman) is the most well-known algorithm used for PKI  and it supports different sizes of key length (512,1024,2048 etc). RSA keys are composed of 2 prime numbers which  should be very large otherwise it will decrease the security of algorithm.

In the PKI system, digital certificate is the main component which binds the public key to a user/web site with extra details.  Basically ownership of public key is proved using digital certificates because it include information about the generated key, owner's identity and allowed operation (like digital signature, non-repudiation & server authentication etc ).  There are two parts of digital certificates

  • Data part
  • Signature part

The name of an entity (user or web site), generated public key for the entity, other useful information (e.g., Common Name, Organizational Unit, validity period for the public key etc) are included in the Data part.  The digital signature  generated by CA over the data part is known as signature part

Data part

data part

Signature part

signature-part

A PKI system includes following components.

  1.  CA’s -->  Responsible for issuing and revoking digital certificates to the users or subscribers.
  2. Registration Authorities (RA’s) -->  verify the binding between identities of their holders and public keys.
  3. Digital certificate holders --> Computers, people, network devices that have been issued with certificates.
  4. End Clients --> These validate digital signatures and the certificates of the communicating parties.

Installation and Configuration

In this article, Uuntu 14.04 LTS  is installed on the VM and following required packages are installed.

Install apache web server using following command

apt-get install apache2

Install OpenSSL package using following command

apt-get install openssl.

Key is generated for CA  using following command.

openssl genrsa -out myCA_key.pem 2048

key_generation

A custom configuration file ( my_ca.cfg) is created for CA.

[ ext ] keyUsage = critical, cRLSign, keyCertSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash

[ req ] distinguished_name      = req_distinguished_name
[ req_distinguished_name ] CN = Common Name
CN_default="My CA"
policy = policy_supplied

[ policy_supplied ] CN = supplied

custom-cfg

Run following command to create self signed certificate for CA.

 openssl req -config my_ca.cfg -extensions ext -days 180 -new -x509 -key myCA_key.pem  -out myCA_cert.crt -set_serial 11 -batch -text

self signed CA cert

Generated CA certificate is shown in following snapshots.

1.

CA-cert1

2. CA-cert2

Now, generate keys and certificates for Apache server.

 openssl genrsa -out apache_server.key 2048

server_key

A Certificate Signing Request (CSR) will be generated for the Apache server then it will be signed using our CA.

openssl req  -out apache_server.csr -key apache_server.key -new -batch

csr

CSR request is shown in following snapshot

cs-req

Signing apache server certificate using following command.

openssl x509 -req -extensions req_ext -in apache_server.csr -CA myCA_cert.crt -CAkey myCA_key.pem -out apache_server.crt -days 720 -set_serial 10 -text

server-apache_certificate

Now, Apache server will be configured to use above generated keys and certificate.  Currently it is running on http (port 80).

testCreate directory "certificates" under /etc/apache2 path using following command.

mkdir /etc/apache2/certificates

cd /etc/apache2/certificates

directory

Copy CA certificate, server certificate and server key under "/etc/apache2/certificates"  directory.

copy

Change ssl configuration file "default-ssl.conf" exists under /etc/apache2/sites-available path with newly generated certificates and key. For testing, add following in the ssl configuration file and restart the apache server.

NameVirtualHost 0.0.0.0:80
NameVirtualHost 0.0.0.0:443

<VirtualHost 0.0.0.0:80>
DocumentRoot /var/www/html/
ServerName test
VirtualHost>

<VirtualHost 0.0.0.0:443>

DocumentRoot /var/www/html/
ServerName test
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/certificates/apache_server.crt
SSLCertificateKeyFile /etc/apache2/certificates/apache_server.key
SSLCACertificateFile /etc/apache2/certificates/myCA_cert.crt

</VirtualHost>

apache-confi

Before restarting Apache web server, make sure "ssl" module is enabled.  Use following command to enable ssl module of Apache.

 a2enmod ssl

ssl-enabled

Enable ssl web site using following command.

 a2ensite default-ssl

enable

Add CA certificate on client browser like shown below.

adding -ca

Finally, Apache web server is configured to listen on port 443 (https).

finalConclusion

PKI is the critical component in the IT world and it is integrated with many applications.  It provides the authenticity of entity and encrypted channel for secure communication.

shah 10:30 am

About shah

He is passionate about open source tools and good skills on Linux security and firewall tools.

Author's All Posts
Like to become part of Linoxide Team and contribute tips? Contact us here.

Hand-picked related articles

How to Install Kanboard and Authenticate Using Ldap on Ubuntu Linux
How to Install Kanboard and Authenticate Using Ldap on Ubuntu Linux

Kanboard is a free and open source project management software program which is designed to manage projects efficiently using kanban methodology. Using kanban method one can visualize the work-flow, limiting work in progress and work efficiently. There is a clear [...]

How to Configure Tripwire IDS on Debian

This article is about Tripwire installation and configuration on Debian OS. It is a host based Intrusion detection system (IDS)  for Linux environment. Prime function of tripwire IDS is to detect and report any unauthorized change (files and directories ) [...]

An Ultimate Guide to Secure Ubuntu Host
An Ultimate Guide to Secure Ubuntu Host

Ubuntu is termed as the highly secured operating system available but it has flaws in its default install like every other operating system. To remove these weaknesses, IT Security specialist has issued guidelines to combat your system's back-doors/weaknesses and protect you [...]

Comments

Your email address will not be published. Required fields are marked *

All comments are subject to moderation.