From Fedora Project Wiki

Revision as of 22:57, 31 August 2014 by Javiertury (talk | contribs) (Created page with "Your webserver is only as secure as you make it but security isn't only about protecting your server against attackers, it is also about protecting your clients from Man In Th...")

Your webserver is only as secure as you make it, but security isn't only about protecting your server against attackers; it is also about protecting your clients from Man In The Middle (MITM) attacks. Securing your connections with the TLS protocol (the successor of SSL) is strongly recommended if your website allows user registration, handles economic transactions or requests private information; otherwise plain-text passwords, credit card numbers or confidential data could easily be stolen by a MITM attacker.

There are many cryptographic libraries to choose from. While NSS is recommended, OpenSSL is still dominant.

OpenSSL

First generate the private key. In this example we will use a 2048-bit RSA key:

# openssl genrsa -out myhost.com.key 2048

Create a Certificate Signing Request (CSR). The Common Name field must be your server's hostname:

# openssl req -new -key myhost.com.key -out myhost.com.csr -sha512

A message digest algorithm from the SHA-2 family or stronger is recommended. It matters more for the certificate than for the request, and in any case it is your CA that decides which message digest is used when signing the certificate.

Now give your CSR to your Certificate Authority (CA) so they can sign the request and issue you a certificate. Alternatively you can self-sign it, but bear in mind the security issues this poses and that browsers will warn users about it:

# openssl x509 -req -days 365 -in myhost.com.csr -signkey myhost.com.key -out myhost.com.crt -sha512

Once your CA has signed it they will give you the certificate (.crt file). Now move the private key and the certificate to their respective directories:

# cp myhost.com.crt /etc/pki/tls/certs/
# cp myhost.com.key /etc/pki/tls/private/myhost.com.key

The Certificate Signing Request (CSR) can be deleted, as it is no longer needed once you have obtained your certificate. Alternatively, keep it alongside your private key:

# cp myhost.com.csr /etc/pki/tls/private/myhost.com.csr

Set the correct context of these files for SELinux:

# restorecon -RvF /etc/pki

The last step is to configure the webserver on your host to use the TLS protocol with the key and certificate files you have just created.
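The whole procedure above, scripted non-interactively together with the consistency checks worth running before the files are installed (key, CSR and certificate must belong together, the certificate must carry the right Common Name, and the key must not be readable by other users). This is an added example, not part of the wiki page; `myhost.com`, the working directory and the function names are placeholders and assumptions.

```shell
# Added example: runs the OpenSSL steps from the page non-interactively and
# verifies the results before they are copied into /etc/pki. HOST and WORKDIR
# are placeholders; set HOST to your server's real hostname.
set -eu
HOST="${HOST:-myhost.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. Private key: umask 077 so the key file is created mode 0600 and is never
#    readable by other users, not even before it reaches /etc/pki/tls/private.
gen_key() {
  (umask 077 && openssl genrsa -out "$WORKDIR/$HOST.key" 2048 2>/dev/null)
}
# 2. CSR with the Common Name set to the hostname (what the CA will sign).
gen_csr() {
  openssl req -new -key "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.csr" \
    -sha512 -subj "/CN=$HOST"
}
# 3. Self-signed certificate for testing only; browsers will warn about it.
self_sign() {
  openssl x509 -req -days 365 -in "$WORKDIR/$HOST.csr" \
    -signkey "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.crt" -sha512 2>/dev/null
}

# Key, CSR and certificate must share one RSA modulus; otherwise the
# certificate was issued for a different key and the web server cannot use it.
modulus_of() { # $1: rsa|req|x509  $2: file
  openssl "$1" -noout -modulus -in "$2" | openssl sha256
}
artifacts_match() {
  k="$(modulus_of rsa "$WORKDIR/$HOST.key")"
  [ "$k" = "$(modulus_of req "$WORKDIR/$HOST.csr")" ] &&
  [ "$k" = "$(modulus_of x509 "$WORKDIR/$HOST.crt")" ]
}
# The certificate must carry CN=<hostname>, or clients will reject it.
cert_cn_ok() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORKDIR/$HOST.crt" |
    grep -q "CN=$HOST"
}
# The private key must be readable only by its owner (mode 0600).
key_is_private() {
  [ "$(stat -c %a "$WORKDIR/$HOST.key")" = "600" ]
}

# 4. Install into the Fedora PKI tree and restore SELinux labels (needs root).
install_files() {
  cp "$WORKDIR/$HOST.crt" /etc/pki/tls/certs/
  cp "$WORKDIR/$HOST.key" "$WORKDIR/$HOST.csr" /etc/pki/tls/private/
  restorecon -RvF /etc/pki
}
```

Run `gen_key; gen_csr; self_sign` (or send the CSR to your CA instead of self-signing), then `artifacts_match && cert_cn_ok && key_is_private && install_files`; if any check fails, the wrong key or hostname was used and nothing is installed.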