How to Establish the SSL port 443 with a Test CA (Certificate Authority)?
Introduction
SSL (Secure Sockets Layer) is a security protocol created to wrap normal traffic in a protected, encrypted wrapper. [1] We'll cover how to set up a self-signed SSL certificate for Apache2 on Raspbian.
Equipment
Operating system: Raspbian (NOOBS v1.3.10)
Web server version: apache2_2.4.10-8
SSL version: OpenSSL 1.0.1j 15 Oct 2014
Usage
1. Find the SSL modules in Apache2.
root@raspberrypi:/# cd /etc/apache2/mods-available
root@raspberrypi:/etc/apache2/mods-available# ls | grep ssl
ssl.conf
ssl.load
2. Create the key file.
The key file holds the private and public key pair. We seed the key generation with random data taken from a server log file (/var/log/messages). Which file to use depends on your operating system environment, so decide for yourself.
root@raspberrypi:/etc/apache2/mods-available# openssl genrsa -des3 -rand /var/log/messages -out server.key 1024
286169 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..............++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: ← (enter your pass phrase)
Verifying - Enter pass phrase for server.key: ← (enter your pass phrase again)
3. Create the CSR (Certificate Signing Request) from server.key. The CSR contains the server information, the public key and the organization information. Create your CSR as follows.
root@raspberrypi:/etc/apache2/mods-available# sudo openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Melbourne
Locality Name (eg, city) []:Melbourne
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mobile Company Ltd.
Organizational Unit Name (eg, section) []:design section
Common Name (e.g. server FQDN or YOUR name) []:secure.example.com
Email Address []:admin@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@raspberrypi:/etc/apache2/mods-available# ls | grep server
server.csr
server.key
root@raspberrypi:/etc/apache2/mods-available#
4. Once the CSR (Certificate Signing Request) is finished, you would normally send it to the VeriSign Company to have it verified and signed, which costs money. However, we are only experimenting, so you can sign it yourself.
root@raspberrypi:/etc/apache2/mods-available# sudo openssl x509 -req -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=AU/ST=Melbourne/L=Melbourne/O=Mobile Company Ltd./OU=design section/CN=secure.example.com/emailAddress=admin@example.com
Getting Private key
Enter pass phrase for server.key: ← (enter your pass phrase)
5. Move the files to /etc/apache2/ssl, enable the SSL module and restart Apache2.
root@raspberrypi:/etc/apache2# mkdir ssl
root@raspberrypi:/etc/apache2/mods-available# mv server.key /etc/apache2/ssl/
root@raspberrypi:/etc/apache2/mods-available# mv server.csr /etc/apache2/ssl/
root@raspberrypi:/etc/apache2/mods-available# mv server.crt /etc/apache2/ssl/
root@raspberrypi:/etc/apache2/ssl# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
root@raspberrypi:/etc/apache2/ssl# service apache2 restart
[....] Restarting web server: apache2AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Apache/2.4.10 mod_ssl (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Private key localhost:443:0 (/etc/apache2/ssl/server.key)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
. ok
6. Open your browser to check that SSL is enabled.
Enter the URL (https://127.0.1.1) and you will see the notice: 'The site's security certificate is not trusted!'. The browser shows this because the certificate is self-signed rather than issued by a CA it trusts, so the notice means you have established SSL on your website successfully.
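The files produced in steps 2 to 4 can be checked from the shell before Apache2 is restarted. The script below is an added example, not part of the original procedure; its function names and the 2048-bit threshold are choices made for this example.

```shell
#!/bin/sh
# Added example: checks on the server.key / server.crt pair from steps 2-4.
# Function names and the 2048-bit threshold are choices made for this example.

# RSA modulus of a private key; $2 is an openssl pass phrase source such as
# "pass:secret" or "file:/path" (an empty pass phrase is assumed if omitted).
key_modulus()  { openssl rsa -in "$1" -passin "${2:-pass:}" -noout -modulus 2>/dev/null; }
cert_modulus() { openssl x509 -in "$1" -noout -modulus 2>/dev/null; }

# Succeeds only if the certificate was issued for this private key.
key_matches_cert() {
    k=$(key_modulus "$1" "$3") && c=$(cert_modulus "$2") && [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if subject and issuer are identical, as in a self-signed certificate.
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Prints the public key size in bits, e.g. 1024 for the key made in step 2.
cert_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds if neither group nor others have any permission on the key file.
key_is_private() { [ "$(ls -ln "$1" | cut -c5-10)" = "------" ]; }

# Runs every check, prints one line per finding, returns non-zero on any failure.
check_pair() {  # usage: check_pair server.key server.crt [passin]
    rc=0
    key_matches_cert "$1" "$2" "$3" || { echo "FAIL: key and certificate differ"; rc=1; }
    key_is_private "$1" || { echo "FAIL: key accessible to group/others"; rc=1; }
    bits=$(cert_bits "$2")
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: ${bits:-?}-bit key, below 2048"; rc=1; }
    is_self_issued "$2" && echo "NOTE: self-signed, browsers will warn"
    return $rc
}

# Stand-alone use: sh thisfile /etc/apache2/ssl/server.key /etc/apache2/ssl/server.crt [passin]
if [ "$#" -ge 2 ]; then check_pair "$@"; fi
```

For the 1024-bit key generated in step 2, the script reports the key size as a failure. Prefer a `file:` pass phrase source over `pass:`, since command-line arguments are visible in the process list.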
Exception
If you see the notice 'This webpage is not available', SSL has not been established on your website. I suggest you run the command below.
# a2enmod ssl
Acknowledgement
Many thanks to Apache2, OpenSSL and Raspbian for these great tools.