SSL Certificates

There is a great deal of documentation on cryptography, and specifically on SSL, an encryption system based on public and private keys.

Since the OpenSSL package is already installed from the previous steps, we only need to create the certificates that our web server will use.

We will save the certificate in /etc/apache2/ssl/gosa.pem:

#>FILE=/etc/apache2/ssl/gosa.pem
#>export RANDFILE=/dev/random
#>openssl req -new -x509 -nodes -out $FILE -keyout $FILE
#>chmod 600 $FILE
#>ln -sf $FILE /etc/apache2/ssl/`/usr/bin/openssl x509 -noout -hash < $FILE`.0


With this we have created a certificate that allows SSL access to our pages.

If we want a configuration in which not only is the traffic encrypted but the client also proves that it is a valid user, we must force the server to request a client certificate.

This requires a longer procedure. The first step is to create a CA certificate:

#>CAFILE=/etc/apache2/ssl/gosa.ca
#>CAKEY=/etc/apache2/ssl/gosa.cakey   # CA private key (file name assumed)
#>KEY=/etc/apache2/ssl/gosa.key
#>REQFILE=/etc/apache2/ssl/gosa.req
#>CERTFILE=/etc/apache2/ssl/gosa.cert
#>DAYS=365
#>export RANDFILE=/dev/random
#>openssl req -new -x509 -keyout $CAKEY -out $CAFILE -days $DAYS


After several questions we will have a CA. Now we create a certificate request to be signed by that CA:

#>openssl req -new -keyout $KEY -out $REQFILE


Sign the new certificate:

#>openssl ca -policy policy_anything -days $DAYS -cert $CAFILE -keyfile $CAKEY -out $CERTFILE -infiles $REQFILE


Finally, we create a PKCS#12 certificate to configure the clients:

#>openssl pkcs12 -export -inkey $KEY -in $CERTFILE -out certificado_cliente.pkcs12


This certificate is installed on the client. Once the web server is configured as explained in the following point, we can be sure that the clients connecting to the server are on a secure machine and that their communication is strictly confidential.
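The following is an added example, not part of the original documentation: it runs the CA, request, signing and PKCS#12 steps above in a scratch directory and then checks that the client certificate chains to the CA, that it matches its private key, and that the PKCS#12 file opens. The file names, subject names, the passphrase "example" and the minimal ca.cnf are assumptions made for the example.

```shell
# Constructed values: subject names, the passphrase "example", file names, ca.cnf.
# -subj, -nodes, -batch and -passout are used only so this runs unattended.
check_client_cert_flow() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        umask 077                                            # new key files are owner-only
        mkdir newcerts && : > index.txt && echo 01 > serial  # database used by `openssl ca`
        cat > ca.cnf <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./index.txt
serial = ./serial
new_certs_dir = ./newcerts
default_md = sha256
[ policy_anything ]
commonName = supplied
EOF
        # 1. CA, 2. client key + request, 3. signature, 4. PKCS#12 bundle
        openssl req -new -x509 -nodes -config ca.cnf -days 365 \
            -subj "/CN=Example CA" -keyout ca.key -out ca.pem || exit 1
        openssl req -new -nodes -config ca.cnf \
            -subj "/CN=example-client" -keyout client.key -out client.req || exit 1
        openssl ca -batch -notext -config ca.cnf -policy policy_anything -days 365 \
            -cert ca.pem -keyfile ca.key -out client.cert -infiles client.req || exit 1
        openssl pkcs12 -export -inkey client.key -in client.cert \
            -passout pass:example -out client.pkcs12 || exit 1
        # Check A: the client certificate chains to the CA
        openssl verify -CAfile ca.pem client.cert || exit 1
        # Check B: certificate and private key hold the same public key
        [ "$(openssl x509 -in client.cert -noout -pubkey | openssl sha256)" = \
          "$(openssl pkey -in client.key -pubout | openssl sha256)" ] || exit 1
        # Check C: the PKCS#12 file opens with its passphrase and its MAC verifies
        openssl pkcs12 -in client.pkcs12 -passin pass:example -noout || exit 1
    ) >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    [ "$rc" -eq 0 ] && echo "chain=ok key=ok pkcs12=ok"
    return "$rc"
}
```

The same three checks can be run against the real $CAFILE, $CERTFILE and $KEY before the PKCS#12 file is handed to a client.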

aescanero AT gmail.com