Tuesday, April 17, 2007

Make a CA for My Own

It's lucky to have a sever on my own computer. So I get chance to know more about how to protect web server. It is not enough make strict privilege access to certain folders and files. One good way to protect communication between server and client is to assign a CA to client at the beginning of communication, and in this way, a unique encryption system can be set up every time client connect to server.

Normally, certification issuers, which are called Certificate Authority, are big security companies. Their CA sometimes play a more important role than a business certification, because this CA can not be modified or counterfeited. But in a cyber world, everybody can be an Authority, everybody can issue his own certification. Although this kind of CA cannot enjoy high prestige as commercial one. But it can still be very useful for encryption messages sent between server and client.

Here is a simple way to set up a HTTPS server on Ubuntu:

1. install Openssl and get root CA

sudo apt-get install openssl

/* setup a root CA, and make sure the password is complex enough */

openssl genrsa -des3 2048 > rootca.privatekey

Work out a self-certificate based on the root CA,change the valid time if needed.

openssl req -new -x509 -key rootca.privatekey -days 3650 -out rootca.cert

In the process,you will be asked to provide your information, including organization name and physical location and so on.

Open /etc/ssl/openssl.cnf modify the environment variable like this:

dir = /etc/ssl/CA

Set up several folders to reserve the private files:

sudo mkdir -p /etc/ssl/CA/certs
sudo mkdir -p /etc/ssl/CA/newcerts
sudo touch /etc/ssl/CA/index.txt
sudo echo “01″ > /etc/ssl/CA/serial

copy the root CA to this folder

sudo cp rootca.privatekey /etc/ssl/CA/private/cakey.pem
sudo cp rootca.cer /etc/ssl/CA/cacert.pem

change privilege to deny all access but from root:

cd /etc/ssl
sudo chmod go-rwx CA -R

2. Set Up Certification for Apache SSL

Generate a user CA first, an the process is similar to set up a root CA:

openssl genrsa -des3 2048 > my.privatekey

Generate a key file based on the user CA:

openssl req -days 3650 -key my.privatekey -new -out my.csr

Private information needed,Orgnization Name and location must be the same with root CA. Common Name is your web site's FQDN(fully qualified domain name. For example www.gezhi.org,and note that www.gezhi.org and gezhi.org are different sites )

then use root CA to authorize the user certification we made for apache:

openssl ca -out my.pem -days 3650 -infiles my.csr

3. Config apache

Ubuntu apache2 intalled mod_ssl on default,so just enable the modulate: a2enmod ssl

/* combine my.privatekey and my.pem, copy it to /etc/apache2/ssl/apache.pem */

cat my.privatekey my.pem > apache.pem
sudo cp apache.pem /etc/apache2/ssl/apache.pem

Set up the virtual host in /etc/apache2/sites-enabled/youdomain.conf (or in /etc/apache2/apache2.conf), it must include following lines:


ServerName mydomain.com
ServerAdmin webmaster@localhost
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
DocumentRoot /directory/to/mydomain/dir/



Add https listen port in /etc/ports.conf

Listen 443

restart the apache server:

sudo /etc/init.d/apache2 restart

when apache2 starts, it will ask for password for my.privatekey