Adding HTTPS support to Apache 2.2 on FreeBSD 6.2

I. Set Defaults for openssl

 
amin@freebsd:/home/amin> su
     Password:
root@freebsd:/home/mikey# vi /etc/ssl/openssl.cnf
     dir = /root/sslCA                 # Where everything is kept ([ CA_default ] section)
     default_days = 3650               # how long to certify for
     countryName_default = CA          # DN defaults ([ req_distinguished_name ] section)
     stateOrProvinceName_default = ONTARIO
     0.organizationName_default = sao

II. Create a Script to Generate the Certificate Authority

root@freebsd:/home/mikey# cd ~
root@freebsd:/root# vi createCA.sh
     #!/bin/sh
     ##############################################
     # CA Creator
     # http://www.freebsdmadeeasy.com/
     #
     # This script creates a certificate authority
     # using OpenSSL. It was written and tested on
     # FreeBSD 6.1-RELEASE. Use at your own risk.
     ##############################################

     # Every file created from here on is readable by root only,
     # so the CA key never exists with a permissive mode.
     umask 077

     echo Setting up the directories
     mkdir -p ~/sslCA
     echo sslCA
     mkdir -p ~/sslCA/certs
     echo sslCA/certs
     mkdir -p ~/sslCA/private
     echo sslCA/private
     mkdir -p ~/sslCA/newcerts
     echo sslCA/newcerts
     cd ~/sslCA
     # serial is hexadecimal; index.txt is the (initially empty) database
     # of issued certificates that "openssl ca" maintains
     echo 1000 > serial
     touch index.txt

     echo Setting the permission to 700 on sslCA
     chmod -R 700 ~/sslCA

     echo Creating the CA
     echo Use a strong password and keep it safe!
     # -x509 writes a self-signed certificate instead of a request;
     # the v3_ca extension section comes from openssl.cnf
     openssl req -new -x509 -days 3650 -extensions v3_ca \
         -keyout private/cakey.pem -out cacert.pem \
         -config /etc/ssl/openssl.cnf

     # Show the CA certificate; the private key is never paged into
     # the terminal (scrollback and logs outlive the session)
     more ~/sslCA/cacert.pem

     echo sslCA/cacert.pem
     echo sslCA/private/cakey.pem

     echo All Done!

III. Create the Certificate Authority

root@freebsd:/root# sh createCA.sh
     Setting up the directories
     sslCA
     sslCA/certs
     sslCA/private
     sslCA/newcerts
     Setting the permission to 700 on sslCA
     Creating the CA
     Use a strong password and keep it safe!
     Generating a 1024 bit RSA private key
     ..++++++
     .......++++++
     writing new private key to private/cakey.pem
     Enter PEM pass phrase:
     ...
     sslCA/cacert.pem
     sslCA/private/cakey.pem
     All Done!

Note the key size: 1024-bit RSA, with MD5 or SHA-1 as the signature digest, is what the openssl.cnf of this era defaults to. Current browsers and TLS libraries reject both, so on any system you build today set default_bits = 2048 in the [ req ] section and default_md = sha256 in the [ req ] and [ CA_default ] sections of /etc/ssl/openssl.cnf (or pass -newkey rsa:2048 -sha256 on the command line) before creating the CA and the server key below.

For the next step, enter *.aminonline.com for the Common Name so the same certificate also covers the subdomains. A wildcard matches exactly one label, so it does not cover the bare aminonline.com, and the name must match the ServerName of the virtual host, or the browser will warn about a name mismatch on top of the untrusted-issuer warning. The -nodes flag is what leaves the server key unencrypted, so Apache can start without prompting for a passphrase; the "challenge password" the request asks for is only an attribute stored inside the CSR, is not used anywhere here, and can be left blank.

 
root@freebsd:/root# cd ~root/sslCA
root@freebsd:/root/sslCA# openssl req -new -nodes -out NoobTechDev-req.pem \
    -keyout private/NoobTechDev-key.pem -config /etc/ssl/openssl.cnf
     Generating a 1024 bit RSA private key
     ...............++++++
     .++++++
     writing new private key to private/NoobTechDev-key.pem
     -----
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     -----
     Country Name (2 letter code) [CA]:
     State or Province Name (full name) [ONTARIO]:
     Locality Name (eg, city) []:
     Organization Name (eg, company) [NoobTech]:
     Organizational Unit Name (eg, section) []:
     Common Name (eg, YOUR name) []:*.aminonline.com
     Email Address []:

     Please enter the following extra attributes
     to be sent with your certificate request
     A challenge password []:           (leave blank; it is only stored in the request)
     An optional company name []:
root@freebsd:/root/sslCA# openssl ca -days 3650 -config /etc/ssl/openssl.cnf \
    -out NoobTechDev-cert.pem -infiles NoobTechDev-req.pem
     Using configuration from /etc/ssl/openssl.cnf
     Enter pass phrase for /root/sslCA/private/cakey.pem:   (the CA password from step III)
     Check that the request matches the signature
     Signature ok
     Certificate Details:
         Serial Number: 4096 (0x1000)
         Validity
             Not Before: Apr 12 13:58:15 2007 GMT
             Not After : Apr  9 13:58:15 2017 GMT
         Subject:
             countryName               = CA
             stateOrProvinceName       = ONTARIO
             organizationName          = sao
             commonName                = *.aminonline.com
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 66:28:06:78:DC:91:7E:7B:D1:B1:88:21:41:11:1B:10:74:31:18:AA
             X509v3 Authority Key Identifier:
                 keyid:7A:EC:BB:DF:CF:0A:6B:8A:7B:C1:A0:ED:7D:BC:6F:61:32:EB:C1:74
                 DirName:/C=CA/ST=ONTARIO/O=NoobTech
                 serial:D1:CD:8D:62:59:1B:2F:2D

     Certificate is to be certified until Apr  9 13:58:15 2017 GMT (3650 days)
     Sign the certificate? [y/n]:y

     1 out of 1 certificate requests certified, commit? [y/n]y
     Write out database with 1 new entries
     Data Base Updated

IV. Configure HTTPS Virtual Hosts with the Generated Certificate

Copy the server certificate and key we generated earlier to where Apache will read them. The certificate is public; the key is not. Keep /etc/ssl/key (or at least the key file) readable by root only: Apache opens the key as root at startup, before it drops privileges to the www user, so the web server processes never need read access to it.

root@freebsd:/root/sslCA# mkdir /etc/ssl/crt
root@freebsd:/root/sslCA# mkdir /etc/ssl/key
root@freebsd:/root/sslCA# cp ~/sslCA/NoobTechDev-cert.pem /etc/ssl/crt
root@freebsd:/root/sslCA# cp ~/sslCA/private/NoobTechDev-key.pem /etc/ssl/key

 

Uncomment the following Include line in httpd.conf

root@freebsd:/root/sslCA# cd /usr/local/etc/apache22
root@freebsd:/usr/local/etc/apache22# vi httpd.conf
     # Secure (SSL/TLS) connections
     Include etc/apache22/extra/httpd-ssl.conf

For the next part, I deleted the whole <VirtualHost> section and left the rest of the file intact. Then I added the following at the end of the file. Keep the global directives that httpd-ssl.conf sets above the virtual hosts (SSLCipherSuite, SSLSessionCache and so on); they apply to every SSL vhost. One thing to be aware of with name-based virtual hosts on port 443: the server has to present a certificate before it has seen the Host header, so without SNI (Apache 2.2.12 or later built against an OpenSSL with TLS extensions, 0.9.8f or later) every host on the port is answered with the first vhost's certificate. Using the one wildcard certificate in every vhost is what makes that harmless here.

root@freebsd:/usr/local/etc/apache22# vi extra/httpd-ssl.conf
     # This must be added, or you will get a warning when you try to host
     # more than one VirtualHost on port 443:
     # [warn] _default_ VirtualHost overlap on port 443, the first has precedence
     NameVirtualHost *:443

     <VirtualHost *:443>
         ServerName phpmyadmin.noobtechdev.com
         SSLEngine on
         SSLCertificateFile /etc/ssl/crt/NoobTechDev-cert.pem
         SSLCertificateKeyFile /etc/ssl/key/NoobTechDev-key.pem

         DocumentRoot /usr/local/www/phpmyadmin.noobtechdev.com
         CustomLog /usr/local/www/logs/phpmyadmin.noobtechdev.com.ssl.access.log combined
         ErrorLog /usr/local/www/logs/phpmyadmin.noobtechdev.com.ssl.error.log
         <Directory /usr/local/www/phpmyadmin.noobtechdev.com>
             Order Deny,Allow
             Allow from all
             DirectoryIndex index.php index.html index.htm
         </Directory>
     </VirtualHost>

Now I'm going to create a directory for this new virtual host, and a test page for testing purposes.

root@freebsd:/usr/local/etc/apache22# mkdir /usr/local/www/phpmyadmin.noobtechdev.com
root@freebsd:/usr/local/etc/apache22# echo Hello World from SSL site > \
    /usr/local/www/phpmyadmin.noobtechdev.com/index.html
root@freebsd:/usr/local/etc/apache22# apachectl restart
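The procedure of sections II through IV, as an added example that is not part of the original tutorial: a POSIX sh script that builds the CA and signs a wildcard server certificate with the same `openssl ca` workflow, but with 2048-bit keys, SHA-256 and a subjectAltName, and then runs the checks worth doing on the resulting files before `apachectl restart`: that the certificate chains to the CA, that it matches the private key, that it is valid for the vhost's ServerName, and that the key file is readable by root only. The CA directory and domain are given as arguments and are assumptions, as are the section names, key sizes and validity periods chosen here; the script writes its own openssl.cnf inside the CA directory and does not touch /etc/ssl.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the `openssl ca` workflow
# of sections II and III with a 2048-bit key, SHA-256 and a subjectAltName,
# plus the checks to run on the files before `apachectl restart`.
# Assumed arguments: $1 = CA directory, $2 = domain (e.g. noobtechdev.com).
set -eu

# Minimal openssl.cnf for CA directory $1 and domain $2.
write_cnf() {
cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $1
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_days  = 825
default_md    = sha256
policy        = policy_loose

[ policy_loose ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]
# empty on purpose: subjects are passed with -subj

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
# Browsers match names against SAN, not CN; a wildcard covers one label
# only, so the bare domain is listed as well.
subjectAltName         = DNS:$2, DNS:*.$2
EOF
}

# Create the CA in $1 and sign one wildcard server certificate for domain $2.
make_ca_and_cert() {
    umask 077                               # everything created here is root-only
    mkdir -p "$1/certs" "$1/private" "$1/newcerts"
    echo 1000 > "$1/serial"                 # hex serial, as in the tutorial
    : > "$1/index.txt"                      # empty issued-certificate database
    write_cnf "$1" "$2"
    # CA key left unencrypted so this runs unattended; for a real CA use
    # `genrsa -aes256` so that signing requires the passphrase.
    openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -extensions v3_ca \
        -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -subj "/C=CA/ST=ONTARIO/O=sao/CN=sao private CA" -out "$1/cacert.pem"
    # The server key stays unencrypted (the tutorial's -nodes) so Apache
    # starts unattended; that is why its file mode is checked below.
    openssl genrsa -out "$1/private/server-key.pem" 2048 2>/dev/null
    openssl req -new -key "$1/private/server-key.pem" -config "$1/openssl.cnf" \
        -subj "/C=CA/ST=ONTARIO/O=sao/CN=*.$2" -out "$1/server-req.pem"
    openssl ca -batch -notext -config "$1/openssl.cnf" -extensions v3_server \
        -in "$1/server-req.pem" -out "$1/server-cert.pem" 2>/dev/null
}

# 0 if server-cert.pem chains to cacert.pem and matches server-key.pem.
check_pair() {
    openssl verify -CAfile "$1/cacert.pem" "$1/server-cert.pem" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1/server-cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/private/server-key.pem" -pubout 2>/dev/null)" ]
}

# 0 if the certificate in $1 is valid for host name $2 (the browser's check).
hostname_ok() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
        "$1/server-cert.pem" >/dev/null 2>&1
}

# 0 if file $1 is readable by its owner only. ls -l is used because stat's
# flags differ between FreeBSD and GNU.
key_private() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
        *)                     return 1 ;;
    esac
}
```

Run it as `sh make-ca.sh /root/sslCA noobtechdev.com` after adding a call such as `make_ca_and_cert "$1" "$2" && check_pair "$1" && hostname_ok "$1" "phpmyadmin.$2" && key_private "$1/private/server-key.pem"` at the bottom, then copy `server-cert.pem` and `private/server-key.pem` into /etc/ssl/crt and /etc/ssl/key as in section IV. `-verify_hostname` applies the same rules a browser does, so `hostname_ok` fails for `a.b.noobtechdev.com` (a wildcard covers one label) and for any host outside the domain; that is the mismatch to catch before restarting Apache rather than after. Once Apache is up, `openssl s_client -connect phpmyadmin.noobtechdev.com:443 -CAfile /root/sslCA/cacert.pem` should end with `Verify return code: 0 (ok)`.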
 

Now navigate to https://phpmyadmin.noobtechdev.com/ and the browser will warn that the certificate was issued by an authority it does not trust. That is expected for a private CA: the connection is encrypted either way, but the browser cannot tell this certificate from one an attacker made up, so rather than clicking through the warning every time, import sslCA/cacert.pem (the certificate only, never the key) into the browser's or operating system's trusted root store. From then on the browser validates the chain and the host name exactly as it does for any public site. After you accept or import the certificate you see the "Hello World from SSL site" message.
After this you should have a working Apache22 with PHP5 and SSL, and you should be able to create your own virtual hosts. It took me quite a while to get all this working together, mostly because somehow I had Apache13 installed, and when I built my PHP5 it was built for Apache13, which was the source of most of my problems. After I discovered that, deinstalled Apache13 and installed Apache22, I started to have problems with PHP not working with it, so I ended up having to deinstall and distclean the php port and reinstall it. Since then everything went pretty smoothly following this tutorial:

http://www.freebsdmadeeasy.com/tutorials/web-server/install-php-5-for-web-hosting.php
One thing to note is that I've added a <Directory> section to the VirtualHost. Without it I kept getting access-denied errors in my logs like:
"... client denied by server configuration: /usr/local/www/ ..."
and when I tried to go to the website I got "Restricted: Access denied".
The reason is that the stock Apache 2.2 httpd.conf starts with a <Directory /> block containing "Deny from all", so every DocumentRoot outside the default htdocs needs its own <Directory> block that allows access.

 
 
 
 
