- •Table of Contents
- •Introduction
- •Saving Time with This Book
- •Foolish Assumptions
- •Part I: Making the Desktop Work for You
- •Part II: Getting the Most from Your File System
- •Part III: Good Housekeeping with Linux
- •Part IV: Tweaking the Kernel on Your Linux System
- •Part V: Securing Your Workspace
- •Part VI: Networking Like a Professional
- •Part VII: Monitoring Your System
- •Part VIII: Serving Up the Internet and More
- •Part X: Programming Tricks
- •Part XI: The Scary (Or Fun!) Stuff
- •Icons Used in This Book
- •Discovering Your Protocols
- •Managing Snapshots with the camera: Protocol
- •Remote File Management with fish:
- •Getting Help with help:, info:, and man:
- •Other KDE Protocols
- •Using GNOME VFS Modules
- •Stacking VFS Modules
- •Working with Packages: rpm and rpms
- •Putting VFS to Work at the Command Line
- •Burning CDs with a VFS
- •Skinning Your Desktop with VFS
- •Classifying Data with MIME
- •Creating KDE File Associations
- •Creating New MIME Types with GNOME
- •Making Basic Prompt Transformations
- •Adding Dynamically Updated Data to Your Prompt
- •Colorizing Your Prompt
- •Seeing a Red Alert When You Have Superuser Privileges
- •Saving Your Work
- •Completing Names Automatically
- •Using the Escape Key to Your Advantage
- •Customizing Completion for Maximum Speed
- •Using cd and ls to Navigate through bash
- •Setting Your CDPATH Variables to Find Directories Fast
- •Streamlining Archive Searches
- •Turning the Output of a Command into a Variable with $( )
- •Using $UID and $EUID in Shell Scripts
- •Customizing Variables for Rapid Transit
- •Finding the Right Shell Script
- •Choosing your victims
- •Timing is everything
- •Cleaning up made easy
- •Changing prototype scripts
- •Customizing Your Autostart File
- •Navigating the History List
- •Scrolling
- •Summoning a command by number
- •Searching through history
- •Customizing the History List
- •Adjusting key default settings
- •Filtering the history list
- •Executing Commands Quickly with History Variables
- •Viewing Your Aliases
- •Using Aliases for Complex Commands
- •Automating Tedious Tasks with Functions
- •Filtering file searches by file type
- •Automatic downloading
- •Monitoring Your System in a Snap
- •Un-tarring the Easy Way
- •What Is Samba?
- •Getting Up and Running with Samba
- •Checking whether Samba is installed
- •Enabling Samba
- •Adjusting the workgroup name and creating user accounts
- •Giving a Windows machine access to your home directory
- •Sharing Linux files and directories with other computers
- •Hooking Everyone Up to the Printer
- •Sharing Linux printers with SWAT
- •Using a Windows printer from Linux
- •Plugging In to Remote Data with Linux Programs Quickly
- •Finding Files with locate
- •Finding Files with find
- •Qualifying Your Search with the find Command
- •Doing updated filename searches
- •Adding time-based qualifications
- •Filtering by file size
- •Perusing commonly used qualifications
- •Acting on What You Find
- •Displaying specific info with -printf
- •Checking disk usage by user
- •Executing commands with find
- •Building Complex Commands with xargs
- •Creating Archives with File Roller
- •Inspecting and Extracting Archives with File Roller
- •Adding Functionality to tar with Complex Commands
- •Building archives from the command line
- •Archiving complex search results
- •Backing up an installed package
- •Uprooting Entire Directory Trees with scp
- •Splitting Big Files into Manageable Chunks
- •Building Software from Downloaded tarballs
- •Compiling a tarball: The basic steps
- •Downloading and compiling SuperKaramba
- •Versatile Downloading with wget
- •Mirroring sites with wget
- •Verifying your bookmarks with wget
- •Downloading files with wget
- •Downloading and unpacking in one quick step
- •Downloading and Uploading with curl
- •Setting Up ADIOS
- •Downloading ADIOS
- •Burning ADIOS to CD
- •Installing ADIOS
- •Finding Your Way around UML
- •Connecting to the Internet from an ADIOS VM
- •Using a GUI with UML
- •Installing Software into UML
- •Merging Changes to Your Prototype
- •Querying RPM Packages for Content
- •Digesting Information
- •Creating a Package Index
- •Querying for Prerequisites
- •Dissecting an RPM Package
- •Using RPM at the Command Line
- •Removing RPMs
- •Flagging Down RPM
- •Getting Graphic with RPM
- •Using Rpmdrake to install from media
- •Installing from your Konqueror browser
- •Verifying Your System
- •Reading the Tamper-Proof Seal
- •Setting Up Synaptic and apt in a Snap
- •Keeping Up-to-Date with apt and Synaptic: The Basics
- •Handy Hints about Synaptic
- •Changing repositories
- •Viewing package details
- •Installing new packages with Synaptic
- •Importing the Keys to the Repository
- •Letting Task Scheduler Work for You
- •Scheduling a new task
- •Editing a task
- •Adding environment variables
- •Reining In Resources with Disk Quotas
- •Installing the quota RPM package
- •Enabling file system quotas
- •Getting your files together
- •Setting quotas
- •Reviewing your quotas
- •Using System Accounting to Keep Track of Users
- •Setting up system accounting
- •Looking up user login hours
- •Checking out command and program usage
- •Running Down the Runlevels
- •Runlevel basics
- •Customizing runlevels in Fedora
- •Customizing runlevels in SuSE
- •Customizing runlevels in Mandrake
- •Customizing runlevels at the command line
- •Switching to a new runlevel
- •Disabling Unused Services
- •Removing Unneeded Services
- •Learning about modules
- •Installing a module with insmod
- •Taking care of dependencies automatically with modprobe and depmod
- •Loading a module for a slightly different kernel with insmod and modprobe
- •Removing modules with rmmod
- •Step 1: Making an Emergency Plan, or Boot Disk
- •Step 2: Finding the Source Code
- •Step 4: Customizing the Kernel
- •Step 5: Building the Kernel
- •Understanding the Principles of SELinux
- •Everything is an object
- •Identifying subjects in SELinux
- •Understanding the security context
- •Disabling or Disarming SELinux
- •Playing the Right Role
- •Exploring the Process-Related Entries in /proc
- •Surveying Your System from /proc
- •Popping the Cork: Speeding Up WINE with /proc
- •Reading and Understanding File Permissions
- •Controlling Permissions at the Command Line
- •Changing File Permissions from a Desktop
- •Encryption Made Easy with kgpg and the KDE Desktop
- •Creating keys with kgpg
- •Sharing your key with the world
- •Importing a public key from a public-key server
- •Encrypting and decrypting documents with drag-and-drop ease
- •Encrypting Documents with gpg at the Command Line
- •Sharing a secret file
- •Creating a key pair and receiving encrypted documents
- •Encrypting documents on your home system
- •Encrypting E-Mail for Added Security
- •Encrypting with Ximian Evolution
- •Setting up Mozilla e-mail for encryption
- •Sending and receiving encrypted messages with Mozilla mail
- •Using Cross-Platform Authentication with Linux and Windows
- •Prepping for cross-platform authentication
- •Setting up cross-platform authentication
- •Using PAM and Kerberos to Serve Up Authentication
- •Establishing synchronized system times
- •Testing your domain name server (DNS)
- •Setting up a Key Distribution Center
- •Setting up automatic ticket management with Kerberos and PAM
- •Adding users to the Key Distribution Center
- •Building Good Rules with PAM
- •Phase
- •Control level
- •Module pathname
- •Arguments
- •Dissecting a Configuration File
- •Skipping a Password with PAM
- •Feeling the Power
- •Gaining Superuser Privileges
- •Pretending to Be Other Users
- •Limiting Privileges with sudo
- •Installing sudo
- •Adding Up the Aliases
- •Adding Aliases to the sudo Configuration File
- •Defining the Alias
- •Creating a User_Alias
- •Creating a Runas_Alias
- •Simplifying group managment with a Host_Alias
- •Mounting and unmounting CDs without the superuser password
- •Managing access to dangerous commands with command aliases
- •Using SSH for Top-Speed Connections
- •Setting Up Public-Key Authentication to Secure SSH
- •Generating the key pair
- •Distributing your public key
- •Passing on your passphrase
- •Logging In with SSH and Key Authentication
- •Starting from the command line
- •Getting graphic
- •Creating Shortcuts to Your Favorite SSH Locations
- •Copying Files with scp
- •Secure (And Fast) Port Forwarding with SSH
- •Finding Your Firewall
- •Setting up a simple firewall in Mandrake Linux
- •Setting up a simple firewall in Fedora Linux
- •Setting up a simple firewall in SuSE Linux
- •Editing the Rules with Webmin
- •Starting a Webmin session
- •Reading the rules with Webmin
- •Changing the rules
- •Editing existing rules
- •Adding a new rule with Webmin
- •Sharing Desktops with VNC
- •Inviting Your Friends to Use Your Desktop
- •Serving Up a New Desktop with VNC Server
- •Using tsclient to View Remote Desktops from Linux
- •Using tsclient with a VNC server
- •Using tsclient with an RDP server
- •Creating New VNC Desktops on Demand
- •Switching display managers in SuSE Linux
- •Switching display managers in Mandrake Linux
- •Connecting gdm and VNC
- •Exploring Your Network with lsof
- •Running lsof
- •Interpreting the lsof output
- •Reading file types
- •Discovering Network Connections
- •Other Timesaving lsof Tricks
- •Packet Sniffing with the Ethereal Network Analyzer
- •Starting Ethereal
- •Capturing packets
- •Applying filters to screen packets
- •Peeking in packets
- •Color-coding packets coming from your network
- •Getting Up and Running with Nessus
- •Installing programs Nessus needs to run
- •Installing Nessus
- •Adding a user to Nessus
- •Generating a certificate
- •Starting the daemon and the interface
- •Reading the grim results
- •Keeping Your Plug-ins Up-to-Date
- •Chatting in the Fedora Chat Room
- •Looking for Answers in the SuSE Chat Room
- •Processing Processes with procps
- •Using ps to filter process status information
- •Viewing ps output the way you want to see it
- •Making parent-child relationships stand out in a ps listing
- •Climbing the family tree with pstree
- •Finding processes with pgrep
- •Killing Processes with pkill
- •Killing Processes with killall
- •Closing Windows with xkill
- •Managing Users and Groups with the Fedora/Mandrake User Manager
- •Adding new users
- •Modifying user accounts
- •Adding groups
- •Filtering users and groups
- •Managing Users and Groups with the SuSE User Administrator
- •Adding new users
- •Modifying user accounts
- •Adding groups
- •Filtering users and groups
- •Adding and deleting log files from the viewer
- •Setting up alerts and warnings
- •Viewing your log files from SuSE
- •Monitoring your log files from SuSE
- •Customizing Your Log Files
- •Keeping an Eye on Resources with KDE System Guard
- •Finding and killing runaway processes
- •Prioritizing processes to smooth a network bottleneck
- •Watching your system load
- •Creating a new worksheet
- •Creating system resource logs
- •Displaying network resources
- •Using Synaptic to download and install Apache
- •Installing Apache from disc
- •Starting the Apache Service
- •Building a Quick Web Page with OpenOffice.org
- •Taking Your Site Public with Dynamic DNS
- •Understanding how dynamic DNS works
- •Setting up dynamic DNS
- •Updating your IP address
- •Installing the Fedora HTTP Configuration tool
- •Putting the HTTP Configuration tool to work
- •Watching Your Web Server Traffic with apachetop
- •Installing apachetop
- •Running and exiting apachetop
- •Navigating apachetop
- •Switching among the log files (or watching several at once)
- •Changing the display time of apachetop statistics
- •Accessing MySQL Control Center features
- •Viewing, managing, and repairing a database with the Databases controls
- •Putting the Server Administration controls to work
- •Adding a new user
- •Watching Your MySQL Traffic with mtop
- •Gathering all the packages that mtop needs
- •Installing mtop
- •Monitoring traffic
- •Building a MySQL Server
- •Installing the necessary packages
- •Starting the MySQL server
- •Replicating MySQL Data
- •Configuring replication: The three topologies
- •Setting up replication for a single slave and master
- •Choosing a Method to Back Up MySQL Data
- •Backing Up and Restoring with mysqldump
- •mysqldump backup options
- •Backing up multiple databases
- •Compressing the archive
- •Restoring a mysqldump archive
- •Making a mysqlhotcopy of Your Database
- •Archiving a Replication Slave
- •Taking Care of Business with MySQL Administrator
- •Installing MySQL Administrator
- •Starting MySQL Administrator
- •Choosing an SSL Certificate
- •Creating a Certificate Signing Request
- •Creating a Signing Authority with openssl
- •Creating a certificate authority
- •Signing a CSR
- •Exploring Your Certificate Collection with Mozilla
- •Introducing hotway
- •Getting Started with hotway
- •Setting Up Evolution to Read HTTPMail Accounts with hotway
- •Ringing the Bells and Blowing the Whistles: Your Evolution Summary Page
- •Installing SpamAssassin
- •Installing from the distribution media
- •Installing from RPM downloads
- •Starting the service
- •Fine-Tuning SpamAssassin to Separate the Ham from the Spam
- •Customizing settings
- •Saving your settings
- •Adding a New Filter to Evolution
- •Serving Up a Big Bowl of the RulesDuJour
- •Registering Your Address
- •Taming a Sendmail Server
- •Tweaking Your Configuration Files with Webmin
- •Serving up mail for multiple domains
- •Relaying e-mail
- •Using aliases to simplify mail handling
- •Deciding What to Archive
- •Choosing Archive Media
- •Tape drives
- •Removable and external disk drives
- •Removable media
- •Optical media (CDs and DVDs)
- •Online storage
- •Choosing an Archive Scheme
- •Full backups
- •Differential backups
- •Incremental backups
- •Incremental versus differential backups
- •Choosing an Archive Program
- •Estimating Your Media Needs
- •Creating Data Archives with tar
- •Backing up files and directories
- •Backing up account information and passwords
- •Targeting bite-sized backups for speedier restores
- •Rolling whole file systems into a tarball
- •Starting an Incremental Backup Cycle
- •Restoring from Backup with tar
- •Backing Up to CD (Or DVD) with cdbackup
- •Creating the backup
- •Restoring from a CD or DVD backup
- •Restoring from a disc containing multiple archives
- •Combining the Power of tar with ssh for Quick Remote Backups
- •Testing the ssh connection to the remote host
- •Creating a tar archive over the ssh connection
- •Backing up to tape drives on remote machines
- •Backing Up to a Remote Computer with rdist and ssh
- •Testing the ssh connection to the remote host
- •Creating the distfile
- •Backing up
- •Getting Started with CVS
- •Checking whether CVS is installed
- •Discovering what to use CVS for
- •Creating a CVS Repository
- •Populating Your Repository with Files
- •Simplifying CVS with cervisia
- •Installing cervisia
- •Putting files in your sandbox
- •Adding more files to your repository
- •Committing your changes
- •Browsing your log files
- •Marking milestones with tags
- •Branching off with cervisia
- •Using the libcurl Library (C Programming)
- •Uploading a File with a Simple Program Using libcurl
- •Line 7: Defining functions and data types
- •Line 14: Calling the initialization function
- •Lines 18– 21: Defining the transfer
- •Line 23: Starting the transfer
- •Line 26: Finishing the upload
- •Installing the Ming Library
- •Building a Simple Flash Movie with Ming
- •Examining the program
- •Compiling the program
- •Running the program
- •Building Interactive Movies with Ming
- •Examining the program
- •Compiling the program
- •Running the program
- •Doing the curl E-shuffle with PHP
- •Combining PHP with curl and XML: An overview
- •Checking out the XML file
- •Downloading and displaying the XML file with a PHP script (and curl)
- •Sending E-Mail from PHP When Problems Occur
- •Debugging Perl Code with DDD
- •Installing and starting DDD
- •Examining the main window
- •Reviewing and stepping through source code
- •Making Stop Signs: Using Breakpoints to Watch Code
- •Setting a breakpoint
- •Modifying a breakpoint
- •Opening the data window
- •Adding a variable to the data window
- •Changing the display to a table
- •Using the Backtrace feature
- •Using the Help menu
- •Making Fedora Distribution CDs
- •Downloading the ISO images
- •Verifying the checksums
- •Burning an ISO File to Disc at the Command Line
- •Finding the identity of your drive
- •Running a test burn
- •Burning the distribution discs
- •Burning CDs without Making an ISO First
- •Finding setuid quickly and easily with kfind
- •Finding setuid and setgid programs at the command line
- •Deciding to Turn Off setuid or setgid
- •Changing the setuid or setgid Bit
- •Who Belongs in Jail?
- •Using UML to Jail Programs
- •Using lsof to Find Out Which Files Are Open
- •Debugging Your Environment with strace
- •Investigating Programs with ltrace
- •Handy strace and ltrace Options
- •Recording Program Errors with valgrind
- •Hardening Your Hat with Bastille
- •Downloading and installing Bastille and its dependencies
- •Welcome to the Bastille
- •Addressing file permission issues
- •Clamping down on SUID privileges
- •Moving on to account security
- •Making the boot process more secure
- •Securing connection broker
- •Limiting compiler access
- •Limiting access to hackers
- •Logging extra information
- •Keeping the daemons in check
- •Securing sendmail
- •Closing the gaps in Apache
- •Keeping temporary files safe
- •Building a better firewall
- •Port scanning with Bastille
- •Turning LIDS On and Off
- •Testing LIDS before Applying It to Your System
- •Controlling File Access with LIDS
- •Hiding Processes with LIDS
- •Running Down the Privilege List
- •Getting Graphical at the Command Line
- •Getting graphical in GNOME
- •Getting graphical with KDE
- •Staying desktop neutral
- •Index
Creating a Certificate Signing Request |
341 |
your identity. A passport contains your name, birth date, and birthplace. An SSL certificate contains your name, location (country, state/province, and city), organization name, and e-mail address.
Passports (and SSL certificates) also provide some method for ensuring that your identity is correct. Your passport contains a photograph that someone can compare with your face. An SSL certificate contains the public half of a public/private key pair.
A passport also contains safeguards against forgery: Every passport contains a watermark, and many governments will soon issue passports that contain holograms (which are very difficult to forge). Likewise, an SSL certificate is digitally signed with the issuer’s private key, and any tampering makes the digital signature invalid.
Passports and SSL certificates share another important characteristic: They’re both issued by trusted third parties. A border authority isn’t likely to trust a passport that you’ve issued to yourself. Instead, a passport office (the U.S. State Department, for example) verifies your identity and issues a passport. Foreign governments trust that the passport office has done a thorough job investigating your identity. SSL certificates work the same way.
Choosing an SSL Certificate
To obtain an SSL certificate, you send a request (called a certificate signing request, or CSR), along with proof of your identity, to a trusted authority. The trusted authority (also known as a certification authority, or CA) compares your request to the proof of identity that you provide, and if it’s satisfied that you are who you claim to be, it issues you a certificate. The certificate that you receive is signed with the issuer’s private key — you can verify the signature by using the issuer’s public key.
You can get three different types of SSL certificate, and each provides a different level of trust:
- A self-signed certificate is untrustworthy (but useful for testing).
- A certificate signed by a local CA (a CA that you create and manage yourself) can be trusted by your peers.
- A certificate signed by a well-known CA can be trusted by outside parties (that is, customers).
Obtaining a signed certificate costs money. The CA assumes the work of verifying your identity and maintaining a database of valid certificates. A number of companies are in the certification business, and two of the best known are VeriSign (www.verisign.com) and thawte (www.thawte.com). If you decide to go this route, see the following section, “Creating a Certificate Signing Request,” for details on how to get the certificate from a CA.
If you want to test out your Web site before you shell out a few bucks to a CA, you can create a self-signed certificate. A self-signed certificate looks and acts like a normal certificate except for one very important difference: You should never trust a self-signed certificate. Trusting a self-signed certificate is like trusting a self-issued passport. Anyone can create a self-signed certificate, and more importantly, anyone can forge a self-signed certificate. We explain how this is done in the “Creating a Self-Signed Certificate” section, later in this technique.
In some cases, you may want to act as a CA yourself. For instance, if you head up the IT department at a large company, you can issue certificates to in-house Web servers without having to pay a third-party CA for each one. You might use your in-house CA to distribute trusted software or deliver confidential content such as payroll information.
342 Technique 45: Safeguarding Your Apache Server with SSL Certificates
Creating a Certificate Signing Request
To request a signed certificate from a CA, you must first create a certificate signing request (or CSR). The CSR contains two important pieces of information: your identity and your public key.
In an SSL certificate, the identity is called the subject (and the CA is called the issuer). Every subject (and every issuer) is identified by the following information:
- Location (country, state/province, city)
- Organization (organization name and organizational unit)
- Common name (the name of your Web server, as seen by the outside world)
- E-mail address
If you’re a Fedora user, you can use the tools installed with Apache to generate a CSR (we show you how in a moment). If you’re not using Fedora, you have a bit more work to do: We suggest using Webmin and Webmin’s Certificate and Key Management module to generate a CSR. Technique 17 shows you how to install and use Webmin (the Certificate and Key Management module is an add-on that you’ll have to download separately from the www.webmin.com Web site).
Fedora makes it easy to create a CSR (and the public/private key pair that you need in order to sign the CSR):
1. Open a terminal window and give yourself superuser privileges with the su command.
2. Move to the directory /etc/httpd/conf:
# cd /etc/httpd/conf
3. Type make certreq and press Enter.
4. If you have an existing server key (it’s stored in /etc/httpd/conf/ssl.key/server.key), you’re prompted for the passphrase for that key. If you don’t have an existing server key, OpenSSL creates a new server key for you and asks for a passphrase that will protect your private server key from unauthorized use. In either case, type in the passphrase and press Enter.
The OpenSSL program now asks you a series of questions regarding your identity.
5. Enter the two-letter code for your country.
For example, type US for United States or CA for Canada.
6. Enter the full name (not the abbreviation) for your state or province.
7. Enter the name of your organization (a company name, for example).
8. Enter the name of your department within the organization. Or, if you’re requesting a certificate for your entire organization, just press Enter.
9. Enter the name of your Web server (for example, www.example.com). If you have (or plan to have) multiple Web servers at your site, use a * in place of the host name, like this: *.example.com (you still need to include your domain name).
It’s very important that you enter your real Web server name here. When the CA issues a certificate, it belongs to a specific Web site. If you try to use that certificate on a Web server with a different name, visitors to your Web site will be greeted with a scary message warning of certificate forgery.
10. Enter your e-mail address.
11. Next, you’re prompted for two extra pieces of information: a challenge password and an optional company name. Just press Enter twice to ignore those questions.
OpenSSL saves the resulting CSR (certificate signing request) in /etc/httpd/conf/ssl.csr/server.csr.
If you’d like to see what’s inside the CSR in human-readable form, use the following command:
$ openssl req -text -in ssl.csr/server.csr
You see a result similar to that shown in Listing 45-1.
LISTING 45-1: EXAMINING A CERTIFICATE SIGNING REQUEST
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Virginia, L=Anytown, O=TrixieWare, OU=Cosmology, CN=www.trixieware.com/emailAddress=newdoo@trixieware.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ac:fd:51:b4:b0:42:80:eb:cf:7f:53:54:64:1b:
                    8a:13:fe:45:81:9c:7b:d5:a4:58:23:68:3a:d1:84:
                    0e:51:77:57:21:27:b6:3a:5b:e1:50:ca:81:2e:5e:
                    e2:65:36:9e:64:ed:63:88:a7:d0:55:2f:58:a9:19:
                    39:2b:85:0a:c2:a2:3b:a6:ce:3e:a1:57:a8:99:72:
                    32:6d:40:70:32:86:10:a6:f0:09:ac:f9:66:e9:64:
                    c1:a0:d3:ca:7a:61:01:4a:b0:3f:5b:0d:15:1d:58:
                    6a:01:b9:ca:e2:c8:dd:ac:49:03:4e:e4:3e:1d:fb:
                    c3:ef:ca:30:c0:1e:6f:a9:39
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        04:61:e0:3d:4b:69:2b:92:27:fb:e7:f1:a1:e2:2a:21:3d:89:
        7f:ba:67:9a:34:9c:9e:73:00:f4:79:6c:0a:bf:57:99:6d:08:
        0e:ad:4d:a8:0c:5a:f3:fc:43:a2:4a:fc:5a:24:c7:4b:02:55:
        1d:be:d8:2a:12:49:91:d0:f1:c3:61:62:d8:73:95:62:c9:f8:
        ca:6a:c2:34:f7:67:02:34:5d:dc:b6:36:59:46:c7:9d:36:7a:
        29:8a:4d:de:5e:f6:b9:52:26:33:e5:8d:f2:fd:cf:da:4b:65:
        f6:4f:fa:12:cf:10:13:d7:bb:1b:f7:22:60:b9:9a:4d:20:49:
        81:80
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
You can see that the CSR contains all the information that you entered. The CSR is digitally signed with your private key; the CA verifies the signature by using the public key included in the CSR.
Send the CSR (/etc/httpd/conf/ssl.csr/server.csr) to the certification authority that you’ve selected, along with the proof-of-identity documents that it requires.
When you receive the final certificate, simply copy it to /etc/httpd/conf/ssl.crt/server.crt and restart your Apache server.
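The steps above let OpenSSL ask its questions interactively. As an added example that is not part of the book, the following script does the same job non-interactively with the openssl command-line tool, then performs the checks a CA applies to an incoming request (signature, common name, tamper detection), and finally signs the request with a local CA of the kind mentioned under “Choosing an SSL Certificate.” It assumes openssl is on your PATH; the scratch directory, file names, unencrypted key and subject fields are constructed sample values, not the book’s.

```shell
# Added example, not code from the book: scripted equivalent of make certreq,
# the checks a CA runs on the request, and a signature from a local CA.
# Assumes the openssl CLI is on PATH; all paths and subject fields are
# constructed sample values.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory standing in for /etc/httpd/conf
SUBJ_BASE="/C=US/ST=Virginia/L=Anytown/O=Example Org"

# Generate a fresh 2048-bit RSA key and a CSR in one step. -subj supplies the
# answers to the questions the interactive tool asks; -nodes leaves the key
# unencrypted, unlike make certreq, which protects it with a passphrase.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "$SUBJ_BASE/OU=Web/CN=$1/emailAddress=admin@example.com" >/dev/null 2>&1
}

# A CSR is signed with the private key whose public half it carries, so the
# signature can be checked with nothing but the CSR itself. Prints ok or bad.
csr_signature_status() {
    if openssl req -in "$1" -noout -verify >/dev/null 2>&1; then echo ok; else echo bad; fi
}

# Extract the common name so it can be compared with the host name the
# certificate will be served from; a mismatch is what triggers the browser
# warning mentioned in step 9.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Rotate every letter on the third line of the PEM body to simulate a request
# altered in transit: the embedded signature no longer verifies.
tamper_csr() {
    sed '3y/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz/BCDEFGHIJKLMNOPQRSTUVWXYZAbcdefghijklmnopqrstuvwxyza/' \
        "$1" > "$2"
}

# Stand up a local CA: a self-signed CA certificate (the default openssl.cnf
# marks it CA:TRUE) whose private key will sign server requests.
make_local_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "$SUBJ_BASE/CN=Example Local CA" >/dev/null 2>&1
}

# Sign the CSR with the CA's private key, which is what a commercial CA does
# once it has checked your identity documents.
sign_csr_with_ca() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/server.crt" >/dev/null 2>&1
}

# Verify the issued certificate against the CA's public key, as a peer who
# trusts the local CA would. Prints trusted or untrusted.
cert_chains_to_ca() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_csr www.example.com
echo "CSR signature: $(csr_signature_status "$WORK/server.csr")"             # ok
echo "CSR common name: $(csr_common_name "$WORK/server.csr")"                # www.example.com
tamper_csr "$WORK/server.csr" "$WORK/tampered.csr"
echo "tampered CSR signature: $(csr_signature_status "$WORK/tampered.csr")"  # bad
make_local_ca
sign_csr_with_ca
echo "certificate verified against local CA: $(cert_chains_to_ca)"          # trusted
```

The tampering step is the reason a CA can accept a CSR over an untrusted channel: any change to the request body breaks the self-signature, so the only thing the CA still has to establish out of band is that the person who holds the key really is the organization named in the subject.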
Creating a Self-Signed Certificate
Creating a self-signed certificate with Fedora is just as easy as creating a CSR, but you end up with a test certificate rather than a request that you send to a CA. Again, if you’re not using Fedora, we recommend that you generate SSL certificates with the help of Webmin’s Certificate and Key Management module (see Technique 17 for more details).
Here are the steps you need to follow to create a self-signed certificate with Fedora:
1. Open a terminal window and give yourself superuser privileges with the su command.
2. Move to the directory /etc/httpd/conf:
# cd /etc/httpd/conf
3. Type make testcert and press Enter.
4. You’re prompted for the password that protects your private server key. Type in the password and press Enter.
5. OpenSSL prompts you for the same information that you provide when creating a CSR (location, organization, e-mail address, and so on). Answer each question in turn.
After you’ve answered the last question (your e-mail address), OpenSSL creates a self-signed certificate and saves it in /etc/httpd/conf/ssl.crt/server.crt.
To view the certificate at the command line, use the following command:
# openssl x509 -in ssl.crt/server.crt -text
You’ll see that the issuer and subject are identical — that’s a self-signed certificate.
Fedora automatically saves the self-signed certificate where Apache expects to find it. To see your certificate in action, restart your Apache server:
# /sbin/service httpd restart
Stopping httpd: [OK]
Starting httpd:
Apache/2.0.47 mod_ssl/2.0.47 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server localhost.localdomain:443 (RSA)
Enter pass phrase:
Ok: Pass Phrase Dialog successful.
Notice that Apache now asks for the passphrase that protects your server’s private key.
Now, open a Web browser and connect to
https://127.0.0.1
Notice the preceding URL starts with https rather than http. That means it’s connecting to a secure server.
You’ve just created a self-signed certificate and installed it on your own Apache server.
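As an added example (not from the book), the script below reproduces what make testcert does with the openssl command-line tool and then shows concretely why a self-signed certificate is only good for testing: its issuer equals its subject, a verifier with no prior knowledge of it rejects it, and it is accepted only once you pin it as its own trust anchor, which is what a user does by clicking through the browser warning. The last function is the check Apache effectively performs when it prompts for the passphrase at startup. It assumes openssl is on your PATH; the scratch directory, file names, passphrase and subject fields are constructed sample values.

```shell
# Added example, not code from the book: scripted equivalent of make testcert
# plus the checks that show how a self-signed certificate behaves.
# Assumes the openssl CLI is on PATH; paths, passphrase and subject fields
# are constructed sample values.
set -eu

WORK="${WORK:-$(mktemp -d)}"                 # stands in for /etc/httpd/conf
PASS="${PASS:-constructed-sample-passphrase}" # stands in for the server key passphrase

# Create a passphrase-protected RSA key, as the Fedora tooling does; this is
# the passphrase Apache asks for in the Pass Phrase Dialog above.
make_server_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/server.key" 2048 >/dev/null 2>&1
}

# Issue a self-signed certificate from that key: -x509 makes openssl sign the
# request with the same key instead of writing a CSR for a CA.
make_self_signed_cert() {
    openssl req -x509 -new -key "$WORK/server.key" -passin "pass:$PASS" \
        -days 30 -out "$WORK/server.crt" \
        -subj "/C=US/ST=Virginia/L=Anytown/O=Example Org/CN=$1" >/dev/null 2>&1
}

# The tell-tale of a self-signed certificate: issuer and subject are identical.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$WORK/server.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$WORK/server.crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# What a browser does on first contact: validate against its trust store with
# no knowledge of this certificate. Prints trusted or untrusted.
cert_trust_status() {
    if openssl verify "$WORK/server.crt" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# What a user does when accepting the warning: pin this exact certificate as
# its own trust anchor. Only then does verification pass.
cert_trust_status_pinned() {
    if openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# The check Apache effectively performs when it prompts for the passphrase:
# can the private key be decrypted with what was typed? Prints yes or no.
key_unlocks_with() {
    if openssl rsa -in "$WORK/server.key" -passin "pass:$1" -noout -check >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

make_server_key
make_self_signed_cert www.example.com
echo "issuer equals subject: $(cert_is_self_signed)"            # yes
echo "trusted by default: $(cert_trust_status)"                  # untrusted
echo "trusted once pinned: $(cert_trust_status_pinned)"          # trusted
echo "key unlocks with right passphrase: $(key_unlocks_with "$PASS")"   # yes
echo "key unlocks with wrong passphrase: $(key_unlocks_with wrong-passphrase)"   # no
```

The difference between the two verify calls is the whole story of the browser warning: nothing about the certificate itself is broken, but no trusted third party vouches for it, so every client has to decide on its own whether to pin it.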
Because your users may receive a warning when they encounter this certificate, it’s a good idea to give them a little forewarning about what’s going on. See the sidebar, “When Mozilla encounters a self-signed certificate,” for details on how this works.
When Mozilla encounters a self-signed certificate
Self-signed certificates are not very trustworthy. When you visit a site with a self-signed certificate, you should receive a warning screen from Mozilla asking if you know this joker and if his certificate is good enough for you (see the following figure). From here, follow these steps to examine the certificate: