Complete the attached lab and upload the files to show that you did the work.
Log into Athena and then use PuTTY to connect to icarus.cs.weber.edu to complete the assignment. If you are running Linux or a Macintosh you may connect to Icarus via ssh. Follow the directions on the lab. Substitute your name (i.e. John Doe) where the lab uses www.yourname.com
Please submit the file as a .doc or .pdf attachment with your name (i.e. JohnDoe_CreatingCertificateLab.doc or JohnDoe_CreatingCertificateLab.pdf)
Creating an SSL Certificate
Please take screenshots of your work and explain what you did and what you have learned.
If you want to convert your website from HTTP to HTTPS, you need to get an SSL certificate from a recognized certificate authority (CA) such as Verisign or Thawte. You can also generate a self-signed SSL certificate for testing purposes.
In this article, let us review how to generate the private key file (server.key), the certificate signing request file (server.csr) and the webserver certificate file (server.crt) that can be used on an Apache server with mod_ssl.
Key, CSR and CRT File Naming Convention
I typically like to name the files with the domain name of the HTTPS URL that will be using this certificate. This makes it easier to identify and maintain.
Instead of server.key, use www.yourname.com.key
Instead of server.csr, use www.yourname.com.csr
Instead of server.crt, use www.yourname.com.crt
1. Generate Private Key on the Server Running Apache + mod_ssl
First, generate a private key on the Linux server that runs the Apache webserver using the openssl command as shown below.
openssl genrsa -des3 -out www.yourname.com.key 1024
(Note that www.yourname.com should be www.WaldoWildcat.com if your name was Waldo Wildcat)
-------------------------
Generating RSA private key, 1024 bit long modulus
.......................................++++++
...................................................++++++
e is 73547 (0x01001)
Enter pass phrase for www.yourname.com.key: (this would be a password that you chose to enter)
Verifying - Enter pass phrase for www.yourname.com.key:
Run the following command to make sure the file was generated (Note that the option is a lowercase L and not the number 1)
ls -ltr www.yourname.*
-rw-r--r-- 1 root root 963 Jun 13 20:26 www.yourname.com.key
To see what the generated private key looks like, run the following.
cat www.yourname.com.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,485B3C6371C9916E

ymehJu/RowzrclMcixAyxdbfzQphfUAk9oK9kK2
jadfoiyqthakLKNqw9z1MoaqkPyqeHevUm26no
AJKIETHKJADFS2BGb0n61/Ksk8isp7evLM4+QY
KAQETKjdiahteksMJOjXLq+vf5Ra299fZPON7yr
-----END RSA PRIVATE KEY-----
2. Generate a Certificate Signing Request (CSR)
Using the key generated above, generate a certificate signing request (CSR) file using openssl as shown below.
openssl req -new -key www.yourname.com.key -out www.yourname.com.csr
Enter pass phrase for www.yourname.com.key: (Pass phrase is any password you choose to use)
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Los Angeles
Organization Name (eg, company) [My Company Ltd]:The Geek Stuff
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []: yourname
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Run the following command to make sure the file was created
ls -ltr www.yourname.*
------------------------
-rw-r--r-- 1 root root 963 Jun 13 20:26 www.yourname.com.key
-rw-r--r-- 1 root root 664 Jun 13 20:35 www.yourname.com.csr
3. Generate a Self-Signed SSL Certificate
For testing purposes, you can generate a self-signed SSL certificate that is valid for 1 year using the openssl command as shown below.
openssl x509 -req -days 365 -in www.yourname.com.csr -signkey www.yourname.com.key -out www.yourname.com.crt
(Note this entire command is all on one line)
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=yourname/OU=IT/CN=www.yourname.com
Getting Private key
Enter pass phrase for www.yourname.com.key:
Run the following command to make sure the file was created
ls -l www.yourname.*
-rw-r--r-- 1 root root 963 Jun 13 20:26 www.yourname.com.key
-rw-r--r-- 1 root root 664 Jun 13 20:35 www.yourname.com.csr
-rw-r--r-- 1 root root 879 Jun 13 20:43 www.yourname.com.crt
Run the following command to see the contents of the certificate
cat www.yourname.com.crt
-----BEGIN CERTIFICATE-----
haidfshoaihsdfAKDJFAISHTEIHkjasdjadf9w0BAQUFADCB
kjadfijadfhWQIOUQERUNcMNasdkjfakljasdBgEFBQcDAQ
kjdghkjhfortoieriqqeurNZXCVMNCMN.MCNaGF3dGUuY29
-----END CERTIFICATE-----
You can use this method to generate Apache SSL key, CSR and CRT files on most Linux and Unix systems, including Ubuntu, Debian, CentOS, Fedora and Red Hat.
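Added example (not part of the original lab): the three files belong together because the CSR and the certificate both embed the public half of the key from step 1. The script below compares that public key across the .key, .csr and .crt files, reports whether the issuer equals the subject, and warns on RSA keys under 2048 bits. The file name check_bundle.sh, the function names and the demo subject www.example.test are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the lab. Demo paths and subject are constructed.

# SHA-256 of the public key inside a private key, CSR or certificate.
# A pass-phrase-protected key (as in the lab) makes openssl prompt for it.
pub_fingerprint() {
    case $1 in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1   # never hash empty output: it would "match"
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# RSA modulus size, in bits, of the key carried by a certificate.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Check <base>.key, <base>.csr and <base>.crt; return 0 only if all three
# carry the same public key.
check_bundle() {
    base=$1; rc=0
    k=$(pub_fingerprint key "$base.key") || { echo "FAIL cannot read $base.key"; return 1; }
    r=$(pub_fingerprint csr "$base.csr") || { echo "FAIL cannot read $base.csr"; return 1; }
    c=$(pub_fingerprint crt "$base.crt") || { echo "FAIL cannot read $base.crt"; return 1; }
    [ "$k" = "$r" ] || { echo "FAIL CSR was not created from this key"; rc=1; }
    [ "$k" = "$c" ] || { echo "FAIL certificate does not carry this key"; rc=1; }
    subj=$(openssl x509 -in "$base.crt" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$base.crt" -noout -issuer  | sed 's/^issuer= *//')
    if [ "$subj" = "$issr" ]; then echo "INFO issuer equals subject (self-signed)"; fi
    bits=$(key_bits "$base.crt")
    if [ "${bits:-0}" -lt 2048 ]; then echo "WARN ${bits:-?}-bit RSA key is below 2048 bits"; fi
    return $rc
}

# Constructed sample input: the lab's three steps, non-interactive, no pass phrase.
make_demo_bundle() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -key "$1.key" -subj "/CN=www.example.test" -out "$1.csr" &&
    openssl x509 -req -days 365 -in "$1.csr" -signkey "$1.key" -out "$1.crt" 2>/dev/null
}

# Usage: sh check_bundle.sh www.yourname.com
if [ $# -eq 1 ]; then check_bundle "$1"; fi
```

Run against the lab's own files, the script prints the 1024-bit warning and the self-signed notice but still exits 0, because all three files carry the same key.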
4. Explain what you learned by doing this lab. Why did you go through each of the steps? Why did one step's output feed into another step's input? What was the end result and how would this be used on a web server?
Original source found at: http://www.thegeekstuff.com/2009/07/linux-apache-mod-ssl-generate-key-csr-crt-file/