LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: September 8th, 2014
Linux Advisory Watch: September 5th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Using Certificates in Applications

Chapter 3. Using Certificates in Applications

3.1. Securing Internet Protocols.

3.1.1. Using a certificate with mod_ssl in apache

First never use your self-signed root CA Certificate with any application and especially with apache as it requires you to remove the passphrase on your private key.

First generate and sign a certificate request with the Common Name (CN) as www.mysite.com. Remove any extra information to keep only the ---CERTIFCATE --- part.

The key needs to be made insecure, so no password is required when reading the private key. Take the newreq.pem files that contains your private key and remove the passphrase from it.

openssl rsa -in newreq.pem -out wwwkeyunsecure.pem

Because the key (PRIVATE Key) is insecure, you must know what you are doing: check file permissions, etc... If someone gets its hand on it, your site is compromised (you have been warned). Now you can use the newcert and cakeyunsecure.pem for apache.

Copy wwwkeyunsecure.pem and newcert.pem in the directory /etc/httpd/conf/ssl/ as wwwkeyunsecure.pem and wwwcert.crt respectively.

Edit /etc/httpd/conf/ssl/ssl.default-vhost.conf.

---- 
# Server Certificate: 
# Point SSLCertificateFile at a PEM encoded certificate. If 
# the certificate is encrypted, then you will be prompted for a 
# pass phrase. Note that a kill -HUP will prompt again. A test 
# certificate can be generated with `make certificate' under 
# built time. 
#SSLCertificateFile conf/ssl/ca.crt 
SSLCertificateFile wwwcert.crt
# Server Private Key: 
# If the key is not combined with the certificate, use this 
# directive to point at the key file. 
#SSLCertificateKeyFile conf/ssl/ca.key.unsecure 
SSLCertificateKeyFile wwwkeyunsecure.pem 
----

Stop and start httpd (/etc/rc.d/init.d/httpd stop) ensure that all processes are dead (killall httpd) and start httpd (/etc/rc.d/init.d/httpd start)

3.1.2. Using a certificate with IMAPS

Read the paragraph on “Using a certificate with POPS”, for more information.

3.1.3. Using a certificate with POPS

A pem file for ipop3sd can be created by generating a certificate, unsecuring the private key and combining the two into /etc/ssl/imap/ipop3sd.pem. This is the location where the imap rpm on Mandrake 9.0 expects to find the file. A similar procedure can be used for imap and putting the file in /etc/ssl/imap/imapsd.pem.

The CN should be the name that the mail client connects to (e.g mail.xyz.org). In MS-Outlook, on the server tab, enter for the incoming mail server mail.xyz.org and on the Advanced tab check the “This server requires a secure connection (SSL)”, this will change the connection port to 995 (imaps). The trusted root CA must be installed in MS Internet Explorer to validate the certificate from mail.xyz.org.

3.1.6. Generate and Sign a key with Microsoft Key Manager

In Microsoft Key Manager, select the service you want to create a key for, for instance IMAP (or WWW). Use the wizard to generate a new key. Ensure that the distinguished name won't be identical to previous generated keys, for Instance for the Common Name (CN) use imap.mycompany.com. The wizard will place the request in the file C:\NewKeyRq.txt. Key Manager shows a Key with a strike to indicate the key is not signed.

Import this file in the OpenSSL /var/ssl directory, rename it to newreq.pem and sign the request as usual.

CA.pl -sign

The file newcert.pem is not yet suitable for key manager as it contains some text and the -CERTIFICATE- section. We have to remove the text, the easy way is to do:

openssl x509 -in newcert.pem -out newcertx509.pem

Using a text editor is also suitable to delete everything outside the -CERTIFICATE- section.

The newcertx509.pem file now contains only the -CERTIFICATE- section.

Export the file newcertx509.pem to the Computer running key Manager and while selecting the key icon in the Key Manager application, right click and click on Install the Key Certificate, select this file, enter the passphrase. The key is now fully functional.

    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Weekend Edition
Apache Warns of Tomcat Remote Code Execution Vulnerability
Cloud security: We're asking the wrong questions
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.