
HTTPS: What is it?

HTTPS is the protocol that allows you to interact with a website securely, such as for doing your banking or purchasing items online.

To put it simply, HTTPS is merely "encrypted HTTP." The protocol is effectively identical to HTTP except that the connection is wrapped in TLS (Transport Layer Security, the successor to SSL, the Secure Sockets Layer; the old name is still in everyday use and is what Apache's directives are named after), which authenticates the site and encrypts the session, thus providing two critical advantages:

  1. you can be reasonably sure that the site you are connecting to is indeed the "real" site and not an impostor posing as that site, because the server must prove that it holds the private key matching a certificate issued for that name; and
  2. everything you enter and everything you see is encrypted, so onlookers who capture the packets that make up your session cannot read their contents, nor modify them without the tampering being detected.

In other words, your session is authenticated and private. (What remains visible to an onlooker is which server you are talking to and roughly how much data flows in each direction.)

How Does It Work?

The HTTPS protocol uses the same kind of technology for authenticating and encrypting sessions as SSH (Secure Shell): public-key cryptography, with a private key that never leaves the server and a public key that can be handed to anyone. If you are unfamiliar with this general mechanism, please refer to [** THIS TUTORIAL ON SSH (LINK HERE) **] for an overview.

When your Web browser is pointed to a link that starts with "https://" (port 443 instead of 80), the server presents it, during the TLS handshake, with a digital certificate: a signed document containing various pieces of information about this site, including its public key. The browser checks that the certificate was issued for the name it asked for and that the server can prove it holds the matching private key; the two sides then agree on a fresh symmetric session key, and that key, not the public key itself, is what encrypts the rest of the session. We will see later how you would set this up as the system administrator.

Among other things, this certificate carries the signature of an independent, trusted, third-party organization called a "Certificate Authority," commonly referred to as a "CA," which is prepared to vouch that the public key in the certificate really belongs to the site named in it, that is, that you are indeed who you claim to be.

The reason these fine folks are willing to do this for you is that you purchased the certificate from them (or, as we will see, obtained it from a CA that issues them for free). The certificate carries an expiry date and browsers stop accepting it after that date, at which point you must obtain a new one and, for a commercial CA, send them another cheque if you want your site to remain valid.

Can I Fake It?

You might think that you could generate your own certificate and have it point to yourself as the Certificate Authority, vouching for yourself and circumventing the whole third-party validation... but that wouldn't work, at least not without every visitor being shown a security warning.

The reason is that only a limited number of CAs are recognized as "trusted," and their root certificates (not merely their names) are shipped in a trust store bundled with your Web browser or operating system. Periodically, new CAs pass the browser vendors' audits and their roots are integrated into the next release of the browser; a CA that misbehaves is removed the same way, after which every certificate it ever issued stops being trusted.

Can I Obtain a Certificate for Free?

Yes, you can obtain a free certificate from some providers. When this page was written, a Web search for "free certificate authority" turned up a number of companies willing to provide this service for free, including cacert.org and startcom.org. Be aware that the CAcert root has never been included in the major browsers' trust stores, and that StartCom was distrusted by the browser vendors in 2016-2017 and has since shut down; today the usual free, browser-trusted choice is Let's Encrypt (letsencrypt.org).

Why should you pay for a certificate when you can get one for free? Honestly, I don't know. I see no particular reason to pay for something that's available for free. You just want to make sure that the company you are getting this certificate from is actually listed with the major Web browsers. If it isn't, the user will get a security warning which may deter them from accessing your site, so that might be a reason to pay money to obtain a certificate from a well-known Certificate Authority.

Let's Set Up an HTTPS Site

Enough theory; now, let's set up a site with https. There are only two steps required:

  1. obtain a certificate; and
  2. edit your Apache configuration file.

Obtaining a Certificate

To obtain a digital certificate from a CA (Certificate Authority), you submit a certificate signing request, or CSR, to it. The CSR includes some information about you or your organization, including the full domain name of your website and the public key that you wish to use for authenticating and encrypting your users' sessions; it is signed with the matching private key, which proves to the CA that you actually hold that key.

The CA will verify the information you have included in your request and may also contact you to satisfy themselves that you are indeed who you say you are. When they are satisfied, they will generate a digital certificate and "sign" it with their own private key before sending it to you.

Creating a Private Key

Before you can create a CSR, you need to generate a pair of authentication keys (one private and one public) that you intend to use for your https website. To create this pair of keys, make sure the OpenSSL package is installed on your system, then issue the following command:

openssl genrsa -des3 -out mykey.pem 2048

This particular example creates a 2048-bit RSA key in the file mykey.pem. (You can also create an ECDSA key, which is smaller and faster, using slightly different syntax; DSA keys are no longer accepted by today's browsers for TLS.) Note that this .pem file contains the private key and sufficient information to derive the public key from it. You can think of it as a container for both keys. If you wanted to obtain the public key from this container, you could use the following command:

openssl rsa -in mykey.pem -pubout -out public.pem

This would create the new file public.pem containing only the public key. However, for our purposes, we will not need this; the original file we created (mykey.pem) is all we need.

NOTE: The option "-des3" tells openssl that you want to protect the private key with a passphrase, and you will therefore be prompted to enter it. This makes your site more secure because if your key file is copied by an impostor, this impostor will not be able to use it unless he also knows the passphrase. However, this means you will be prompted to enter this passphrase every time you start your Apache server, including at boot-time. This may be impractical, especially if the server is rebooted unexpectedly (such as after a power outage). If you wish to leave the private key unprotected for greater convenience, simply omit the "-des3" option in the command above, but be sure to take proper precautions to ensure that your private key does not get copied by unauthorized persons: at a minimum, the file must be owned by root and readable by nobody else, and it should never be sent by e-mail or checked into a repository. Anyone who obtains the key can impersonate your site until the certificate is revoked or expires.

Creating the CSR

Now that we have generated an RSA key, we can use openssl again to create a CSR (Certificate Signing Request). The following command will take care of this:

openssl req -new -key mykey.pem -out mycert.csr

This will create the new file mycert.csr which you will send to the CA to have them generate a signed digital certificate.

The above command will prompt you for additional information; here is a sample session:

$ openssl req -new -key mykey.pem -out mycert.csr
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Nova Scotia
Locality Name (eg, city) []:Halifax
Organization Name (eg, company) []:CottageDATA Inc.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:www.example.com
Email Address []:me@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:••••••••••
An optional company name []:CottageDATA Inc.
$ _

IMPORTANT: When prompted for "Common Name," enter the name of the website exactly as users will type it (www.example.com, not example.com). Modern browsers actually match the name against the certificate's Subject Alternative Name (SAN) extension rather than the Common Name; a public CA will put the name(s) you request into the SAN for you, but for a self-signed certificate you must add the extension yourself. If the name in the certificate does not match exactly the name of the website that it is installed on, users will get a security warning.

Creating a Self-Signed Certificate

It is possible to sign your own certificate instead of using a trusted Certificate Authority. Of course, since you are not a trusted CA yourself, users will be given a security warning and will be asked whether they want to accept this certificate. If they accept it, the browser will function normally as if the certificate had been issued by a trusted CA; note, however, that they have no way of telling your self-signed certificate from an impostor's, which is precisely the attack a CA exists to prevent.

This strategy may be suitable for testing purposes or for a private website where users understand the situation and will accept the certificate. However, if your site is meant for the public at large, this strategy is inadvisable since most users will be reluctant (with good reason) to accept the untrusted certificate.

To create your own certificate, use the same command as we used earlier to create a CSR (Certificate Signing Request) but add the option "-x509" which will tell openssl to actually generate a certificate instead of just a request for one, and "-days 365" to indicate that the certificate should expire in one year.

Here is a sample command to generate a self-signed certificate named "server.crt" from the private key we generated earlier (mykey.pem):

openssl req -new -x509 -days 365 -key mykey.pem -out server.crt
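The three commands above (private key, CSR, self-signed certificate), as an added example that is not part of the original page: a script that runs them non-interactively and then checks the results the way you would before sending the CSR to a CA or handing the certificate to Apache. It assumes OpenSSL 1.1.1 or newer (for the -addext option), an unencrypted key (see the NOTE above), and takes the work directory and hostname as arguments; the organization details are the ones from the sample session, and the function names are mine. It also puts the hostname into a Subject Alternative Name, since browsers check that extension rather than the Common Name.

```shell
#!/bin/sh
# Added example (not from the original page): key, CSR and self-signed
# certificate generated without prompts, followed by sanity checks.
# Assumptions: OpenSSL >= 1.1.1 (-addext), work directory in $1, hostname in $2.
set -eu

umask 077   # every file we create starts out readable by its owner only

# 1. Private key. Unencrypted so Apache can start unattended (see the NOTE);
#    the umask plus an explicit chmod keep it readable by the owner only.
gen_key() {   # gen_key KEYFILE
    openssl genrsa -out "$1" 2048 2>/dev/null
    chmod 600 "$1"
}

# 2. CSR. -subj answers the interactive prompts from the sample session;
#    -addext puts the hostname in a Subject Alternative Name.
gen_csr() {   # gen_csr KEYFILE CSRFILE HOSTNAME
    openssl req -new -key "$1" -out "$2" \
        -subj "/C=CA/ST=Nova Scotia/L=Halifax/O=CottageDATA Inc./CN=$3" \
        -addext "subjectAltName=DNS:$3"
}

# 3. Self-signed certificate from the same key (testing or private use only).
gen_selfsigned() {   # gen_selfsigned KEYFILE CRTFILE HOSTNAME DAYS
    openssl req -new -x509 -days "$4" -key "$1" -out "$2" \
        -subj "/C=CA/ST=Nova Scotia/L=Halifax/O=CottageDATA Inc./CN=$3" \
        -addext "subjectAltName=DNS:$3"
    chmod 644 "$2"   # nothing secret in a certificate
}

# The CSR is signed with the private key; a CA rejects one that does not verify.
csr_is_valid() {   # csr_is_valid CSRFILE -> 0 if the self-signature verifies
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Apache refuses to start if key and certificate are not a pair; compare
# the RSA modulus of both, which is the usual quick check.
key_matches_cert() {   # key_matches_cert KEYFILE CRTFILE -> 0 if same modulus
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Browsers match the SAN, not the Common Name, so confirm the name is there.
cert_has_san() {   # cert_has_san CRTFILE HOSTNAME -> 0 if DNS:HOSTNAME is listed
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | grep -q "DNS:$2"
}

# Whole procedure: produces mykey.pem, mycert.csr and server.crt in WORKDIR
# and fails (set -e) if any of the checks above does not pass.
make_site_certs() {   # make_site_certs WORKDIR HOSTNAME
    mkdir -p "$1"
    gen_key        "$1/mykey.pem"
    gen_csr        "$1/mykey.pem" "$1/mycert.csr" "$2"
    gen_selfsigned "$1/mykey.pem" "$1/server.crt" "$2" 365
    csr_is_valid     "$1/mycert.csr"
    key_matches_cert "$1/mykey.pem" "$1/server.crt"
    cert_has_san     "$1/server.crt" "$2"
}

# Usage: sh make-certs.sh ./tls-demo www.example.com
if [ $# -eq 2 ]; then
    make_site_certs "$1" "$2"
fi
```

Send mycert.csr to the CA (or use server.crt directly for a test site); mykey.pem stays on the server. If you prefer the passphrase-protected key from the text, generate it with "-des3" as shown above instead of calling gen_key; the remaining functions work unchanged but will prompt for the passphrase.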

Submitting the Request

[** To Be Completed **]

Configuring Apache

There are a few distinct steps in configuring your Apache server for SSL:

First, enable the SSL module in Apache using the command a2enmod ssl ("a2enmod" stands for "Apache2 Enable Module"; this is the Debian and Ubuntu tool, other distributions load mod_ssl differently). This actually creates the appropriate symbolic link in /etc/apache2/mods-enabled, so the module stays enabled across system reboots and you do not need to re-issue this command.

Second, copy your private key (mykey.pem in our example) and server certificate (server.crt in our example) to the Apache "ssl" directory on your server (typically, /etc/apache2/ssl). If the ssl directory does not already exist, create it.

Be sure that your private key is owned by root and is not readable or writable by any other user (mode 600), and that the certificate is also owned by root but may be readable by all (mode 644), since it contains nothing secret. Apache reads the key as root when it starts, so nothing else on the system needs access to it.

Third, edit the appropriate file(s) in /etc/apache2/sites-available so that the virtual host listens on port 443 (https) instead of 80 (http), and add the following three directives to enable SSL and tell Apache where the private key and server certificate are located:

  <VirtualHost *:443>
      SSLEngine On
      SSLCertificateFile    /etc/apache2/ssl/server.crt
      SSLCertificateKeyFile /etc/apache2/ssl/mykey.pem

      # (Rest of the VirtualHost block remains unchanged)
  </VirtualHost>

Finally, when those two files have been copied and their permissions secured, tell Apache to reload its configuration (a graceful reload; a full restart is not needed) with this command:

service apache2 reload
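The four steps above as an added example, not code from the original page: a script that installs the key and certificate with the required ownership and modes, checks them, and validates the configuration before reloading Apache, which is the check that saves you from taking a live server down with a typo in the VirtualHost block. It assumes the Debian/Ubuntu tools named in the text (a2enmod, apache2ctl, service), GNU coreutils (install, stat), and the file names used in this tutorial; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page): copy, lock down, validate,
# reload. Assumptions: Debian/Ubuntu Apache layout and tools, GNU coreutils,
# and the mykey.pem / server.crt names used in the text.
set -eu

# Copy key and certificate into DESTDIR with the right modes: key readable
# by its owner only (600), certificate readable by everyone (644). When run
# as root the files are also chowned to root, as the text requires.
install_tls_files() {   # install_tls_files KEYSRC CRTSRC DESTDIR
    if [ "$(id -u)" -eq 0 ]; then own="-o root -g root"; else own=""; fi
    # $own is deliberately unquoted so that it expands to separate options
    install -d $own -m 755 "$3"
    install    $own -m 600 "$1" "$3/mykey.pem"
    install    $own -m 644 "$2" "$3/server.crt"
}

# Returns 0 only if KEYFILE is a regular file owned by OWNER (default root)
# with mode exactly 600, and CRTFILE is a regular file with mode 644.
# A key that is group- or world-readable is a finding, not a warning:
# whoever can read it can impersonate the site until the cert is revoked.
check_tls_perms() {   # check_tls_perms KEYFILE CRTFILE [OWNER]
    owner=${3:-root}
    [ -f "$1" ] && [ "$(stat -c %U "$1")" = "$owner" ] \
                && [ "$(stat -c %a "$1")" = "600" ] \
        && [ -f "$2" ] && [ "$(stat -c %a "$2")" = "644" ]
}

# Enable mod_ssl, then validate the configuration BEFORE reloading: with
# set -e, a failing configtest stops the script and the running server
# keeps serving its old (working) configuration.
enable_ssl_and_reload() {   # enable_ssl_and_reload
    a2enmod ssl >/dev/null
    apache2ctl configtest
    service apache2 reload
}

# Usage, as root, after creating mykey.pem and server.crt as shown above:
#   install_tls_files ./mykey.pem ./server.crt /etc/apache2/ssl
#   check_tls_perms /etc/apache2/ssl/mykey.pem /etc/apache2/ssl/server.crt
#   enable_ssl_and_reload
```

Run check_tls_perms again after any later maintenance (a restore from backup, or a certificate renewal) since those are the moments when a key silently ends up world-readable.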
