Hello everyone, in this article our aim is to create two websites that are secured with SSL certificates. For this we need two computers: one plays the client role and the other acts as a web server running the Ubuntu operating system.
Before reading this article you need some technical background. Brief descriptions of the topics you should know follow, but they are not enough on their own; you should look these things up and learn more about them.
Apache: Apache is a free, open source web server program.
SSL (Secure Sockets Layer): SSL is the process of encrypting data during server and client communication. SSL was developed by Netscape in 1994.
TLS (Transport Layer Security): TLS is a protocol that encrypts data while it is transmitted over the Internet.
SNI (Server Name Indication): SNI allows you to publish multiple certified websites on a single IP address; the client sends the host name it wants at the start of the TLS handshake, so the server can present the right certificate for each site.
Virtual Host: A virtual host allows multiple sites to be served from a single machine.
Server: A server is hardware or software that distributes data over different networks to
Client: The client is the hardware or software that receives data from the server on
OpenSSL: OpenSSL is an open source toolkit. The certificate authority is created with it.
des3 (Triple DES, Data Encryption Standard): DES is an encryption algorithm developed by IBM in 1978. Triple DES applies DES three times in succession. In the openssl commands below, -des3 is the cipher used to encrypt the private key file with a passphrase.
X.509: A widely used standard describing the format of digital certificates.
The first step is to turn one computer into a web server. Apache is the most widely used web server software, so we install Apache on Ubuntu with the command below (make sure you have root permissions; if not, type sudo su to become root):
apt-get -y install apache2
After installing Apache successfully we can create our websites. First, let's prepare the directory structure:
mkdir /var/www/html/site1 /var/www/html/site2
vi /var/www/html/site1/index.html
vi /var/www/html/site2/index.html
The commands above create two directories named site1 and site2 under /var/www/html and an index.html file in each of them. After creating the index.html files we open them and type "Hello site1" and "Hello site2" respectively. These strings, displayed in the browser, let us tell which site we are on.
Normally Apache serves only a single default host. In this case we have created two websites, so we need one host for each of them. To do this we use VirtualHost and add some configuration. (Attention! The same configuration steps were done for both websites, so there is no need to write the same things again and again. This report shows the configuration steps for one site only; a person of normal intelligence can do the same for the other website.)
On Ubuntu, Apache keeps its configuration files under /etc/apache2/sites-available and enables them through symbolic links in /etc/apache2/sites-enabled. We entered this directory and created our configuration file named "site1.conf", then typed the necessary directives below:
The directives above say: listen on port 80, and if a request comes in for site1.com, serve the client the index file under /var/www/html/site1.
Because these domain names have no global DNS records, we need to add the corresponding IP addresses to our hosts file. Then, when we type "site1.com" into the browser, our computer first looks in this hosts file, takes the IP address and sends the request to that address. We added the lines below to our hosts file, /etc/hosts.
After this we can enable our custom configuration file ("site1.conf") with the enable command and restart Apache to check that our websites run correctly:
service apache2 restart
So far we have created two websites and can access them successfully through a web browser. The next step is to secure each website with SSL certificates. For this we first create a certificate authority (CA), then create certificate signing requests for both websites, and finally sign these requests with our CA. The first step is to create the file structure for the certificates:
mkdir newcerts certs crl private requests
echo '01' > serial
Next we need to tell OpenSSL where we keep our certificate authority files. The main OpenSSL configuration file is /usr/lib/ssl/openssl.cnf, so we need to change the lines below in it:
dir = /root/ca # Where everything is kept
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
After configuring OpenSSL we can generate the CA:
openssl genrsa -des3 -out private/cakey.pem 4096
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
The first command (run inside the CA directory) generates the CA key, 4096 bits in size and encrypted with des3 (you are asked for a passphrase), and places it under the private folder. The second command creates our CA certificate using the key we just created; it asks for the certificate's subject information while creating it. After filling in these fields we can create the certificate signing requests for the websites. The first step is again to create a private key:
openssl genrsa -des3 -out site1key.pem 2048
openssl req -new -key site1key.pem -out site1cert.csr -days 3650
openssl ca -in site1cert.csr -out /var/www/html/certs/site1cert.pem
The commands above create a private key, then a certificate signing request using that key, and finally sign this request with our CA and place the resulting certificate under /var/www/html/certs.
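The CA and signing flow described above (directory setup, CA key and certificate, site key, CSR and signing), written as shell functions. This is an added example, not the article's own commands, and it deviates from them in the following assumed ways: it writes a private openssl.cnf into the CA directory and passes it with -config instead of editing /usr/lib/ssl/openssl.cnf; it creates index.txt, the certificate database that `openssl ca` requires and that the mkdir/echo lines above do not create; it passes passphrases and subjects on the command line (-passout/-passin, -subj) so nothing prompts; it adds a subjectAltName with -addext (OpenSSL 1.1.1 or newer) because current browsers match the host name against the SAN, not the CN; and the certificate lifetime is set with -days on `openssl ca`, since -days on a CSR has no effect. The country code XX, the passphrases and the subjects are placeholders; note that with policy_match the CSR's country must equal the CA's.

```shell
#!/bin/sh
# Added example, not the article's own code: the CA and site-certificate flow
# as shell functions. Assumed deviations from the article: a private
# openssl.cnf inside the CA directory (passed with -config), index.txt is
# created, passphrases/subjects come from the command line, and the CSR gets
# a subjectAltName via -addext (needs OpenSSL 1.1.1+).
set -u

# Directory layout from the article, plus the index.txt database and the config.
setup_ca_dir() {
    ca_dir=$1
    mkdir -p "$ca_dir/newcerts" "$ca_dir/certs" "$ca_dir/crl" \
             "$ca_dir/private" "$ca_dir/requests"
    chmod 700 "$ca_dir/private"        # the CA key lives here; keep it root-only
    echo '01' > "$ca_dir/serial"
    : > "$ca_dir/index.txt"            # empty database; openssl ca fails without it
    # "dir" and [ policy_match ] mirror the article's openssl.cnf edits.
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $ca_dir
certs           = \$dir/certs
crl_dir         = \$dir/crl
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
copy_extensions = copy
x509_extensions = server_cert

[ policy_match ]
countryName             = match
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# CA key (des3-encrypted, 4096 bit, as in the article) and self-signed CA cert.
create_ca() {
    ca_dir=$1; pass=$2; subj=$3
    openssl genrsa -des3 -passout "pass:$pass" \
        -out "$ca_dir/private/cakey.pem" 4096 2>/dev/null
    openssl req -new -x509 -config "$ca_dir/openssl.cnf" \
        -key "$ca_dir/private/cakey.pem" -passin "pass:$pass" \
        -subj "$subj" -days 3650 -out "$ca_dir/cacert.pem"
}

# Site key, CSR carrying subjectAltName=DNS:<name>.com, signed by the CA.
issue_site_cert() {
    ca_dir=$1; name=$2; out=$3; ca_pass=$4; key_pass=$5; country=$6
    mkdir -p "$out"
    openssl genrsa -des3 -passout "pass:$key_pass" \
        -out "$out/${name}key.pem" 2048 2>/dev/null
    openssl req -new -config "$ca_dir/openssl.cnf" \
        -key "$out/${name}key.pem" -passin "pass:$key_pass" \
        -subj "/C=$country/CN=$name.com" \
        -addext "subjectAltName=DNS:$name.com" \
        -out "$ca_dir/requests/${name}cert.csr"
    # -batch answers the "sign/commit?" prompts; validity is decided here, not on the CSR
    openssl ca -config "$ca_dir/openssl.cnf" -batch -notext \
        -passin "pass:$ca_pass" -days 365 \
        -in "$ca_dir/requests/${name}cert.csr" -out "$out/${name}cert.pem"
}

# Check that a certificate chains to our CA and is valid for the given host name.
verify_site_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp -d)
    setup_ca_dir "$demo/ca"
    create_ca "$demo/ca" capass "/C=XX/O=Demo/CN=Demo Root CA"
    issue_site_cert "$demo/ca" site1 "$demo/site1" capass sitepass XX
    verify_site_cert "$demo/ca" "$demo/site1/site1cert.pem" site1.com && echo "site1cert.pem verifies for site1.com"
fi
```

Run it as `sh ca-demo.sh demo`; the second site is issued with the same `issue_site_cert` call and `site2` as the name. The `verify_site_cert` check is the same test a browser performs after the CA certificate has been imported: chain to a trusted root and host name present in the certificate's subjectAltName.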
The last server-side step is to tell Apache where the certificate and private key files are. For this we append the lines below to the website's configuration file, /etc/apache2/sites-available/site1.conf.
These lines make Apache listen on port 443 (HTTPS) and give the paths of the certificate and private key files. With these options the server presents site1's certificate and proves possession of site1key during the TLS handshake; the client, which trusts our CA, verifies the certificate, and the requested files are then sent over the encrypted connection.
We have done all the steps on the server side, so the next thing to do is import our CA certificate into the client's browser and append the lines below to the client computer's hosts file. Thus the client can access our web server without visiting any DNS server.
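The site configuration described above (the port-80 virtual host from the earlier section together with the port-443 lines added here), as an added example that is not the article's own configuration. It generates a site's .conf file and checks one thing the article does not: that the private key path is not under the DocumentRoot, because a key placed in the web root (the article writes its certificates to /var/www/html/certs) would be served to anyone who asks for it. The /etc/ssl paths and the address 192.0.2.10 are placeholders. mod_ssl must be enabled (a2enmod ssl); Listen 443 is deliberately not repeated in the site file because Ubuntu's ports.conf already declares it once ssl_module is loaded, and a second Listen on the same port makes Apache fail to start.

```shell
#!/bin/sh
# Added example, not the article's configuration: writes the :80 and :443
# VirtualHost blocks for one site and refuses a private key inside the web root.
# Assumptions: Apache 2.4 on Ubuntu, mod_ssl enabled, cert/key paths are placeholders.
set -u

# Emit <name>.conf: a plain host on :80 and a TLS host on :443 for the same
# ServerName and DocumentRoot. Apache picks the :443 host by the SNI name the
# browser sends, which is what lets two certified sites share one IP address.
write_site_vhosts() {
    name=$1; docroot=$2; cert=$3; key=$4; outfile=$5
    cat > "$outfile" <<EOF
<VirtualHost *:80>
    ServerName $name.com
    DocumentRoot $docroot
</VirtualHost>

<VirtualHost *:443>
    ServerName $name.com
    DocumentRoot $docroot
    SSLEngine on
    SSLCertificateFile $cert
    SSLCertificateKeyFile $key
</VirtualHost>
EOF
}

# The certificate is public, the key is not: return 1 (refuse) when the key
# path lies under the DocumentRoot, since Apache would serve it like any file.
key_outside_docroot() {
    key=$1; docroot=$2
    case "$key" in
        "$docroot"/*) return 1 ;;
        *)            return 0 ;;
    esac
}

# One /etc/hosts line so <name>.com resolves without DNS; the client machine
# needs the same line, as the article says.
hosts_entry() {
    printf '%s\t%s\n' "$1" "$2.com"
}

if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    for site in site1 site2; do
        cert=/etc/ssl/certs/${site}cert.pem          # placeholder locations, outside the web root
        key=/etc/ssl/private/${site}key.pem
        key_outside_docroot "$key" "/var/www/html/$site" || { echo "refusing: $key is web-accessible"; exit 1; }
        write_site_vhosts "$site" "/var/www/html/$site" "$cert" "$key" "$out/$site.conf"
        hosts_entry 192.0.2.10 "$site"                # placeholder server address
    done
    echo "configs written to $out"
fi
```

Copy the generated files to /etc/apache2/sites-available/, enable them with a2ensite, run apachectl configtest, then restart Apache as the article does. The hosts lines printed by `hosts_entry` go into /etc/hosts on the server and on the client.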