
Background

iFolder allows SSL, non-SSL, or BOTH to be configured during setup. However, this is a bit confusing, as ALL client authentications require a certificate. The following article provides instructions on generating and installing a certificate.

Generating an SSL Certificate

Creating a Self-Signed Certificate

Complete this section if you do NOT want to make a CA (Certificate Authority). If you want to make a CA use the steps outlined in the following section.

Generate a server key:

openssl genrsa -des3 -out server.key 4096 

Then create a certificate signing request with it. This command will prompt for a series of things (country, state or province, etc.). Make sure that "Common Name (eg, YOUR name)" matches the registered fully qualified domain name of your box (or your IP address if you don't have one). I also suggest not making a challenge password at this point, since it'll just mean more typing for you.

The default values for the questions ([AU], Internet Widgits Pty Ltd, etc.) are stored here: /etc/ssl/openssl.cnf. So if you've got a large number of certificate signing requests to process you probably want to carefully edit that file where appropriate. Otherwise, just execute the command below and type what needs to be typed:

openssl req -new -key server.key -out server.csr 

Now sign the certificate signing request. This example lasts 365 days:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt 

These files are quite sensitive, so guard their permissions very carefully. Chown them to root if you're not already sudo'd to root. I've found that you can even chmod 000 them: root always retains effective 600 (read) rights on everything regardless of the mode bits.

Creating Your Own CA

If you are signing multiple certificates from one server, you may consider creating a CA. To do so you will need OpenSSL.

Create the CA key

The Common Name (CN) of the CA and the Server certificates must NOT match or else a naming collision will occur and you'll get errors later on. In this step, you'll provide the CA entries. In a step below, you'll provide the Server entries. In this example, I just added "CA" to the CA's CN field, to distinguish it from the Server's CN field. Use whatever schema you want, just make sure the CA and Server entries are not identical.

CA:

  • Common Name (CN): www.somesite.edu CA
  • Organization (O): Somesite
  • Organizational Unit (OU): Development

Server:

  • Common Name (CN): www.somesite.edu
  • Organization (O): Somesite
  • Organizational Unit (OU): Development

If you don't have a fully qualified domain name, you should use the IP that you'll be using to access your SSL site for Common Name (CN). But, again, make sure that something differentiates the entry of the CA's CN from the Server's CN.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Create a Server Key and Request For Signing

This step creates a server key and a request (the .csr file) that you want signed by a Certificate Authority (the one you just created above).

Think carefully when entering the Common Name (CN) as you generate the .csr file below. It should match the DNS name, or the IP address, that you specify in your Apache configuration. If they don't match, client browsers will get a "domain mismatch" message when connecting to your web server. If you're doing this for home use and don't have a static IP or DNS name, you might not even want to worry about the message.

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr

Sign the Request with the CA

Note that 365 days is used here. After a year you'll need to do this again.

Note also that I set the serial number of the signed server certificate to "01". Each time you do this, especially if you do it before a previously signed certificate expires, you'll need to change the serial number to something else; otherwise everyone who has visited your site with a cached copy of your certificate will get a browser warning to the effect that your certificate signing authority has screwed up: it has signed a new key/request but kept the old serial number. There are a couple of ways to rectify that. A CRL (certificate revocation list) is one method, but it is beyond the scope of this document. Another is for every client that has stored the CA certificate to go into its settings and delete the old one manually. For the purposes of this document, we'll simply avoid the problem.

The command below does several things. It takes your signing request (.csr) and produces a signed server certificate (.crt) valid for one year. To do so we tell it which Certificate Authority (CA) certificate to use, which CA key to use, and which server request to sign. We set the serial number to 01 and write the signed certificate to the file named server.crt. If you do this again after people have visited your site and trusted your CA (storing it in their browser), use 02 for the next serial number, and so on. You might devise a scheme to make the serial number look more "official", but keep in mind that it is fully exposed to the public in their web browsers, so it offers no additional security in itself.

openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Convert to Correct Format

iFolder requires certificates in PEM format. To produce the PEM file, simply concatenate server.key and the .crt certificate file. In our examples that could be either server.crt or ca.crt.

cat server.key ca.crt > server.pem
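As an added example (not from the article), here is the CA procedure above, from CA key through signed server certificate and server.pem, as a non-interactive script with the check the article's commands do not include: it verifies that server.crt chains to ca.crt and that its CN is exactly the host name clients will use. The host name, passphrase, organization fields and output directory are assumptions; it concatenates server.key with server.crt, one of the two options given above.

```shell
#!/bin/sh
# Added example: the article's CA workflow run non-interactively.
# -subj replaces the interactive prompts, -passout/-passin replace the
# DES3 passphrase prompts. Names, passphrase and paths are assumptions.
set -eu

PASS="pass:example-passphrase"   # constructed; never keep a real one in a script

# make_chain DIR HOST SERIAL: writes ca.key, ca.crt, server.key, server.csr,
# server.crt and server.pem (key + server cert) under DIR.
make_chain() (
    dir=$1; host=$2; serial=$3; bits="${KEY_BITS:-4096}"
    mkdir -p "$dir"; cd "$dir"
    # CA key and self-signed CA certificate. The " CA" suffix keeps the
    # CA's CN distinct from the server's CN, as the text requires.
    openssl genrsa -des3 -passout "$PASS" -out ca.key "$bits" 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -passin "$PASS" \
        -subj "/CN=$host CA/O=Somesite/OU=Development" -out ca.crt
    # Server key and CSR. The CN must be the name clients connect to.
    openssl genrsa -des3 -passout "$PASS" -out server.key "$bits" 2>/dev/null
    openssl req -new -key server.key -passin "$PASS" \
        -subj "/CN=$host/O=Somesite/OU=Development" -out server.csr
    # Sign with the CA. Pass a new serial every time a cert is re-issued.
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -passin "$PASS" -set_serial "$serial" -out server.crt 2>/dev/null
    cat server.key server.crt > server.pem
    chmod 600 ca.key server.key server.pem
)

# check_chain DIR HOST: what a client checks before trusting the server:
# server.crt chains to ca.crt, and its CN is exactly HOST (not "HOST CA").
check_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/server.crt" -noout -subject |
        grep -qE "CN *= *$2(,|/|\$)"
}

# cert_serial DIR: prints the server certificate's serial in hex, e.g. 01.
cert_serial() {
    openssl x509 -in "$1/server.crt" -noout -serial | sed 's/^serial=//'
}

# Usage: sh make_chain.sh DIR HOST SERIAL
if [ $# -eq 3 ]; then
    make_chain "$1" "$2" "$3"
    check_chain "$1" "$2" && echo "chain OK, serial $(cert_serial "$1")"
fi
```

Set KEY_BITS=2048 in the environment to shorten key generation while experimenting.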

WrapUp

Here's what we have after all that work ...

  • server.crt: The self-signed server certificate.
  • server.csr: Server certificate signing request.
  • server.key: The private server key; it requires a password when starting Apache.
  • server.pem: Key in PEM format
  • server.der: Key in DER format

If you created a CA, you'll have two additional files:

  • ca.crt: The Certificate Authority's own certificate.
  • ca.key: The key which the CA uses to sign server signing requests.

The CA files are important to keep if you want to sign additional server certificates and preserve the same CA. You can reuse these so long as they remain secure, and haven't expired.

Installing Certificates

openSUSE 10.3 (maybe others)

  • Copy server.crt to /etc/apache2/ssl.crt
  • Copy server.key to /etc/apache2/ssl.key
  • Copy server.csr to /etc/apache2/ssl.csr
  • Copy /etc/apache2/vhosts.d/vhost-ssl.template to /etc/apache2/vhosts.d/vhost-ssl.conf
  • Configure Apache to load SSL module using...
a2enmod ssl

Starting Apache Without Password

Make a version of the server.key which doesn't need a password when starting Apache:

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key