I.2. Generating the certificate authority and the certificates

The following shows the steps to create the certificate authority (CA) and the certificate the Apache server needs in order to serve pages over SSL:

Example I.1. Creating the certificate for the Apache server

# /usr/bin/dpkg-reconfigure libapache-mod-ssl
What type of certificate do you want to create?

  1. dummy     (dummy self-signed Snake Oil cert)
  2. test      (test cert signed by Snake Oil CA)
  3. custom    (custom cert signed by own CA)
  4. existing  (existing cert)


Use  dummy     when you are a vendor package maintainer,
     test      when you are an admin but want to do tests only,
     custom    when you are an admin willing to run a real server
     existing  when you are an admin who upgrades a server.

Normally you would choose 2.

your choice: 3
Which algorithm should be used to generate required key(s)?

  1. RSA
  2. DSA

Normally you would choose 1.

your choice: 1
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

Generating custom certificate signed by own CA [CUSTOM]
______________________________________________________________________

STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
2477870 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.....++++++
..........................................++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:PT
2. State or Province Name   (full name)     [Snake Desert]:Braganca
3. Locality Name            (eg, city)      [Snake Town]:Braganca
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:Companhia GSR
5. Organizational Unit Name (eg, section)   [Certificate Authority]:Servicos web
6. Common Name              (eg, CA name)   [Snake Oil CA]:gsr.pt
7. Email Address            (eg, [email protected]) [[email protected]]:[email protected]
8. Certificate Validity     (days)          [365]: [Enter]
______________________________________________________________________

STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]:3
Signature ok
subject=/C=PT/ST=Braganca/L=Braganca/O=Companhia GSR/OU=Servicos web/CN=gsr.pt/[email protected]
Getting Private key
Verify: matching certificate & key modulus
Verify: matching certificate signature
/etc/apache/ssl.crt/ca.crt: /C=PT/ST=Braganca/L=Braganca/O=Companhia GSR/OU=Servicos web/CN=gsr.pt/[email protected]
error 18 at 0 depth lookup:self signed certificate
OK
______________________________________________________________________

STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
2477870 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
........++++++
......++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:PT
2. State or Province Name   (full name)     [Snake Desert]:Braganca
3. Locality Name            (eg, city)      [Snake Town]:Braganca
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:GSR Web
5. Organizational Unit Name (eg, section)   [Webserver Team]:Aplicacoes web
6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:gsr.pt
7. Email Address            (eg, [email protected]) [[email protected]]:[email protected]
8. Certificate Validity     (days)          [365]:[Enter]
______________________________________________________________________

STEP 6: Generating X.509 certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]:3
Signature ok
subject=/C=PT/ST=Braganca/L=Braganca/O=GSR Web/OU=Aplicacoes web/CN=gsr.pt/[email protected]
Getting CA Private Key
Verify: matching certificate & key modulus
Verify: matching certificate signature
/etc/apache/ssl.crt/server.crt: OK
______________________________________________________________________

STEP 7: Enrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________

STEP 8: Enrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted RSA private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________

RESULT: CA and Server Certification Files

o  /etc/apache/ssl.key/ca.key
   The PEM-encoded RSA private key file of the CA which you can
   use to sign other servers or clients. KEEP THIS FILE PRIVATE!

o  /etc/apache/ssl.crt/ca.crt
   The PEM-encoded X.509 certificate file of the CA which you use to
   sign other servers or clients. When you sign clients with it (for
   SSL client authentication) you can configure this file with the
   'SSLCACertificateFile' directive.

o  /etc/apache/ssl.key/server.key
   The PEM-encoded RSA private key file of the server which you configure
   with the 'SSLCertificateKeyFile' directive (automatically done
   when you install via APACI). KEEP THIS FILE PRIVATE!

o  /etc/apache/ssl.crt/server.crt
   The PEM-encoded X.509 certificate file of the server which you configure
   with the 'SSLCertificateFile' directive (automatically done
   when you install via APACI).

o  /etc/apache/ssl.csr/server.csr
   The PEM-encoded X.509 certificate signing request of the server file which
   you can send to an official Certificate Authority (CA) in order
   to request a real server certificate (signed by this CA instead
   of our own CA) which later can replace the /etc/apache/ssl.crt/server.crt
   file.

Congratulations that you establish your server with real certificates.

./snakeoil-ca-rsa.crt ... e52d41d0.0
./ca-bundle.crt ... Skipped
./gsr-ca-rsa.crt ... c43c023d.0
./snakeoil-dsa.crt ... 5d8360e1.0
./snakeoil-rsa.crt ... 82ab5372.0
./ca.crt ... 458c23d7.0
./server.crt ... 6219a630.0
./snakeoil-ca-dsa.crt ... 0cf14d7d.0

Since this is a test machine, the generated keys were deliberately left unencrypted (the "n" answers at the two "Encrypt the private key now?" prompts): this avoids having to type the passphrase every time the Apache server is restarted. This is a serious security problem! Anyone who can read an unencrypted server.key can impersonate the server, and anyone who obtains ca.key can issue certificates for any name that clients trusting ca.crt will accept. On a production server the keys should be encrypted at these two steps, and the CA key should not be kept on the web server at all: it is only needed when signing, never when serving pages.
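As an added example (not from the original page nor from mkcert.sh), the same seven steps driven non-interactively with the openssl command line, so that the procedure can be repeated and checked by script. The directory, passphrase, FQDN and DN values are illustrative placeholders, and openssl 1.1.1 or newer is assumed. It departs from the transcript where current practice requires it: 2048-bit RSA keys and SHA-256 signatures instead of 1024-bit keys, AES-256 instead of 3DES for the CA key, explicit CA and end-entity extensions, and a subjectAltName on the server certificate, which browsers now require for hostname matching. The verify function reproduces the two "Verify:" checks mkcert.sh prints and adds a chain and hostname check; the last function shows what the hashed file names in the c_rehash output at the end of the transcript are.

```shell
#!/bin/sh
# Added example, not part of the original page nor of mkcert.sh.
# Assumptions: openssl 1.1.1+ in PATH; all paths, names and the
# passphrase are placeholders chosen for illustration.
set -eu

# Create ca.key/ca.crt and server.key/server.csr/server.crt under $1.
# $2 is the CA key passphrase, $3 the FQDN clients will connect to.
make_ca_and_server_cert() {
    dir=$1; ca_pass=$2; server_fqdn=$3
    mkdir -p "$dir"
    # Private openssl config so the result does not depend on the system openssl.cnf.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = PT
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$server_fqdn
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    (
    umask 077   # key files are created readable by the owner only
    # STEPS 1-3: CA key, encrypted with AES-256, and self-signed CA certificate (10 years).
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$dir/ca.key" 2048
    openssl req -new -x509 -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -extensions ca_ext \
        -key "$dir/ca.key" -passin "pass:$ca_pass" \
        -subj "/C=PT/ST=Braganca/L=Braganca/O=Companhia GSR/OU=Servicos web/CN=gsr.pt CA" \
        -out "$dir/ca.crt"
    # STEPS 4-5: server key, left unencrypted as on the page so Apache can restart
    # unattended, and its CSR.  -subj overrides the [dn] section of the config.
    openssl genrsa -out "$dir/server.key" 2048
    openssl req -new -sha256 -config "$dir/openssl.cnf" \
        -key "$dir/server.key" \
        -subj "/C=PT/ST=Braganca/L=Braganca/O=GSR Web/OU=Aplicacoes web/CN=$server_fqdn" \
        -out "$dir/server.csr"
    # STEP 6: sign the CSR with the CA key (1 year).  Extensions come from our
    # config, never from the CSR, so a requester cannot smuggle in CA:TRUE.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$ca_pass" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions server_ext \
        -out "$dir/server.crt"
    )
}

# The checks mkcert.sh prints as "Verify: ..." plus a chain and hostname check.
# Returns 0 only when every check passes.
verify_ca_and_server_cert() {
    dir=$1; ca_pass=$2; server_fqdn=$3
    # "matching certificate & key modulus": the public key in the certificate
    # must equal the public key derived from the private key.
    [ "$(openssl x509 -in "$dir/ca.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/ca.key" -passin "pass:$ca_pass" -pubout)" ] || return 1
    [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/server.key" -pubout)" ] || return 1
    # "matching certificate signature": server.crt must chain to ca.crt and be
    # valid for the name clients will type into the browser.
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$server_fqdn" \
        "$dir/server.crt" >/dev/null || return 1
    # The CA key must be encrypted on disk; the server key deliberately is not.
    grep -q ENCRYPTED "$dir/ca.key" || return 1
    ! grep -q ENCRYPTED "$dir/server.key"
}

# File name c_rehash gives a CA certificate in a hashed directory, as in the
# "./ca.crt ... 458c23d7.0" lines of the transcript: subject hash plus ".0".
# OpenSSL 0.9.x (the transcript's era) used an MD5-based hash; since 1.0.0 the
# hash is SHA-1 based and the old value is printed by -subject_hash_old.
ca_hash_link() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash)"
}

# Usage: sh make-certs.sh /tmp/ssl-test 'ca passphrase' www.gsr.pt
if [ $# -eq 3 ]; then
    make_ca_and_server_cert "$1" "$2" "$3"
    verify_ca_and_server_cert "$1" "$2" "$3"
    echo "OK: $1/server.crt chains to $1/ca.crt (hash link $(ca_hash_link "$1/ca.crt"))"
fi
```

server.key and server.crt go where SSLCertificateKeyFile and SSLCertificateFile point; ca.crt is what clients must trust (and what SSLCACertificateFile needs for client authentication); ca.key stays off the web server and is only brought out to sign the next CSR. Because the server key is unencrypted, the file permissions set by the umask are the only thing protecting it, exactly as on the page.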