Thursday, May 08, 2008

Apache + SSL + PSK on Ubuntu

This howto describes the process of using Apache and SSL with trusted clients, via Pre Shared Keys. Unlike the usual way of using SSL, this setup requires the server _and_ the client to have valid certificates. This means you need to create a client certificate and deliver it securely to the client.

1. Enable SSL.
sudo a2enmod ssl

2. Generate a private key without a passphrase,
openssl genrsa -out server.key 1024

or with a passphrase.
openssl genrsa -des3 -out server.key 1024

3. Create a certificate signing request.
openssl req -new -key server.key -out server.csr

4. Sign it yourself.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

5. Copy your new certificate and keys to the appropriate places.
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

6. Edit your apache site configuration, add these lines into a VirtualHost section.
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/ssl/certs/server.crt

7. Create a certificate which you can give to a client, or a group of clients.
openssl pkcs12 -export -out client_cert.pfx -in server.crt -inkey server.key\
-name 'Certificate Name'

8. Make sure the client gets the client_cert.pfx file, which they install into their browser.

9. To use the client_certificate.pfx in a python httplib or httplib2, it needs to be split into a key and certificate file.
openssl pkcs12 -clcerts -nokeys -in client_cert.pfx -out client_cert.pem
openssl pkcs12 -nocerts -in client_cert.pfx -out client_key.pem

10. Strip the pass phrase from client_key.pem so Python does not prompt for a pass phrase!
openssl rsa -in client_key.pem -out unsecured_client_key.pem


Anonymous said...

And then, 6 days later you need to do it all again :) :

Adem said...

To make it so Apache does not always ask for a password on restart, do the following in terminal:

(4a) openssl rsa -in server.key -out server.key.insecure

(4b) mv server.key

(4c) mv server.key.insecure server.key

Anonymous said...

This is NOT TLS-PSK (pre shared key)
as specified in RFC 4279,
but the usage of pre trusted client and server certificates.

PSK is something different.

Popular Posts