Thursday, August 16, 2012

Setup SSL on Apache (Mac)


Reference:
Tested on Mac Lion.
STEP 1. CREATING A CERTIFICATE AUTHORITY

Open up Terminal and enter the following commands (don't type the $, that's the prompt):
$ cd ~/Documents
This changes to your Documents folder in your Home directory; next, enter:
$ mkdir certs
This creates a new directory called certs; you can name it whatever makes sense to you, although names without spaces are best.
$ /System/Library/OpenSSL/misc/CA.pl -newca
This runs the CA.pl script that ships with the system to create a new Certificate Authority in the certs directory. You will get the following output in the Terminal:
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++.................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: (enter a new secure password)
Verifying - Enter PEM pass phrase: (reenter the same password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Enter the information as prompted; the more meaningful you make it, the easier it is for people visiting your site to know that they aren't getting a bad connection:
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: sslthis.dyndns.org
Email Address []:
Once this step is completed, you will have a series of folders inside ~/Documents/certs that make up the necessary structure for a functioning Certificate Authority. Files/directories created so far are:
~/Documents/certs
~/Documents/certs/demoCA
~/Documents/certs/demoCA/cacert.pem
~/Documents/certs/demoCA/certs
~/Documents/certs/demoCA/crl
~/Documents/certs/demoCA/index.txt
~/Documents/certs/demoCA/newcerts
~/Documents/certs/demoCA/private
~/Documents/certs/demoCA/serial
STEP 2. GENERATE A PRIVATE KEY FOR THE WEBSERVER

The next step is to generate a private key for your webserver. In the ~/Documents/certs directory, enter the following in Terminal:
$ openssl genrsa -des3 -out webserver.key 1024
This will generate an encrypted private key called webserver.key; use a meaningful name with no spaces. The output will be:
Generating RSA private key, 1024 bit long modulus
....................................++++++
.....................++++++
e is 65537 (0x10001)
Enter pass phrase for webserver.key: (enter a new secure password)
Verifying - Enter pass phrase for webserver.key: (reenter the same password)
Next, you will have to generate a copy of the key without a pass phrase, so that Apache can start up without prompting for it.
$ openssl rsa -in webserver.key -out webserver.nopass.key
This will generate a non-password protected copy of the private key you just generated.
Enter pass phrase for webserver.key: (enter the secure password created in step 2)
writing RSA key
Files generated at this point:
~/Documents/certs/webserver.key
~/Documents/certs/webserver.nopass.key
STEP 3. GENERATE A CERTIFICATE REQUEST

The next step will be to generate a certificate request for your webserver based on the private key generated in step two, in a format that can be signed by the Certificate Authority created in step one. In the ~/Documents/certs directory, enter the following in Terminal (Return key after each entry):
$ openssl req -config /System/Library/OpenSSL/openssl.cnf -new -key webserver.key -out newreq.pem -days 3650 
This tells the system to generate a new certificate request, newreq.pem, using the default openssl.cnf configuration file and webserver.key, for a validity period of 10 years.
Enter pass phrase for webserver.key: (enter the secure password created in step 2)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: sslthis.dyndns.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (leave blank)
An optional company name []: (leave blank)
Files generated at this point:
~/Documents/certs/newreq.pem
STEP 4. SIGNING THE CERTIFICATE REQUEST

The next step will be to sign the certificate request newreq.pem with the Certificate Authority created in step one. In the ~/Documents/certs directory, enter the following in Terminal (Return key after each entry):
$ /System/Library/OpenSSL/misc/CA.pl -signreq 
This will tell the system to sign the 'newreq.pem' file created in step three.
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: (enter the secure password created in step 1)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 29 04:00:05 2004 GMT
            Not After : Nov 27 04:00:05 2014 GMT
        Subject:
            countryName               = as entered
            stateOrProvinceName       = as entered
            localityName              = as entered
            organizationName          = as entered
            commonName                = sslthis.dyndns.org
            emailAddress              = as entered
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D8:C4:76:37:6F:8C:FA:8E:62:95:2C:A3:2E:E9:CC:5C:24:E2:5B:DB
            X509v3 Authority Key Identifier:
                keyid:DB:12:B4:DB:77:03:D1:64:DA:87:8A:61:79:AA:38:17:E4:7E:6B:ED
                DirName: emailAddress=
                serial:00
Certificate is to be certified until Nov 27 04:00:05 2014 GMT (3650 days)
Sign the certificate? [y/n]: (type y to confirm)
1 out of 1 certificate requests certified, commit? [y/n] (type y to confirm)
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Files generated at this point:
~/Documents/certs/newcert.pem 
After this is done, I moved all the files created (webserver.key, webserver.nopass.key, newreq.pem, newcert.pem) into a new subdirectory, sslthis.dyndns.org, for keeping things nice and neat.
~/Documents/certs/sslthis.dyndns.org
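The four steps above scripted end to end, as an added example that is not part of the original post and does not use CA.pl: plain openssl subcommands create the CA, the server key and its pass-phrase-free copy, the request and the signed certificate, and three checks then confirm that the certificate chains to the CA, that the key really belongs to the certificate, and that a subjectAltName is present. Current browsers require the SAN and ignore the Common Name; the certificate signed above has none, as its extension list shows. Assumptions: openssl 1.1.1 or later is on PATH; HOST, the pass phrases and the CA name are constructed placeholders; keys are 2048-bit rather than the 1024-bit used above. The validity period is decided when the CA signs (the -days passed to openssl req only applies to self-signed certificates).

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-4 run non-interactively with
# plain openssl subcommands in place of CA.pl, followed by the checks worth running
# before Apache is pointed at the files. Assumptions: openssl 1.1.1+ on PATH; HOST,
# the pass phrases and the CA name are constructed placeholders; 2048-bit keys.
# Every function takes one argument: the working directory (e.g. ~/Documents/certs).

HOST="sslthis.dyndns.org"            # the post's example host; used as CN and SAN
CA_PASS="change-me-ca-passphrase"    # constructed placeholder
KEY_PASS="change-me-key-passphrase"  # constructed placeholder

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
# ca_ext marks the CA certificate as a CA; server_ext is applied at signing time
# and carries the subjectAltName that browsers require.
write_config() {
  cat > "$1/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
}

# Step 1: CA key and self-signed CA certificate (what 'CA.pl -newca' produces).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -sha256 -days 3650 \
    -config "$1/openssl.cnf" -extensions ca_ext \
    -subj "/O=Example Test CA/CN=Example Test CA Root" \
    -keyout "$1/demoCA/private/cakey.pem" -passout "pass:$CA_PASS" \
    -out "$1/demoCA/cacert.pem" 2>/dev/null
}

# Step 2: encrypted server key, plus the pass-phrase-free copy Apache reads at start-up.
make_server_key() {
  openssl genrsa -des3 -passout "pass:$KEY_PASS" -out "$1/webserver.key" 2048 2>/dev/null &&
  openssl rsa -in "$1/webserver.key" -passin "pass:$KEY_PASS" \
    -out "$1/webserver.nopass.key" 2>/dev/null &&
  chmod 600 "$1/webserver.nopass.key"   # anyone who can read this file can impersonate the site
}

# Step 3: certificate request for the server key.
make_request() {
  openssl req -new -sha256 -config "$1/openssl.cnf" \
    -key "$1/webserver.key" -passin "pass:$KEY_PASS" \
    -subj "/CN=$HOST" -out "$1/newreq.pem" 2>/dev/null
}

# Step 4: sign the request with the CA; the validity period is set here, not in the request.
sign_request() {
  openssl x509 -req -sha256 -days 3650 -in "$1/newreq.pem" \
    -CA "$1/demoCA/cacert.pem" -CAkey "$1/demoCA/private/cakey.pem" \
    -passin "pass:$CA_PASS" -CAcreateserial \
    -extfile "$1/openssl.cnf" -extensions server_ext \
    -out "$1/newcert.pem" 2>/dev/null
}

run_all() {
  mkdir -p "$1/demoCA/private" && write_config "$1" &&
  make_ca "$1" && make_server_key "$1" && make_request "$1" && sign_request "$1"
}

# Check 1: the signed certificate chains to the CA certificate.
verify_chain() {
  openssl verify -CAfile "$1/demoCA/cacert.pem" "$1/newcert.pem" >/dev/null 2>&1
}

# Check 2: SSLCertificateKeyFile must hold the key for SSLCertificateFile;
# compare the public key inside the certificate with the one derived from the key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1/newcert.pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$1/webserver.nopass.key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check 3: the SAN for HOST made it into the signed certificate.
cert_has_san() {
  openssl x509 -in "$1/newcert.pem" -noout -text 2>/dev/null | grep -q "DNS:$HOST"
}

# Expiry date of the signed certificate, for a calendar reminder.
cert_not_after() {
  openssl x509 -in "$1/newcert.pem" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}
```

Call run_all on a scratch directory (or ~/Documents/certs), then verify_chain, key_matches_cert and cert_has_san on the same directory; each returns 0 on success, so they chain with &&. The three checks are the ones to rerun whenever a key or certificate is replaced, before restarting Apache.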
STEP 5. BASIC SSL CONFIGURATION FILE
 
  • Edit /private/etc/apache2/httpd.conf, and uncomment the following line (it's line 473 in my installation):
    Include /private/etc/apache2/extra/httpd-ssl.conf
  • Edit /private/etc/apache2/extra/httpd-ssl.conf, and make sure that:
    • SSLCertificateFile points to newcert.pem
    • SSLCertificateKeyFile points to webserver.nopass.key
    • SSLCACertificateFile points to demoCA/cacert.pem
    • SSLCARevocationPath points to demoCA/crl
    Be sure to include the full pathnames for each entry. Optionally, you can edit DocumentRoot to your liking. I point it to /Library/WebServer/Documents-SSL, so I have two roots, one for http and one for https.
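A pre-flight check for the four SSL* entries, added here as an example and not part of the original post: it reads each directive's value out of httpd-ssl.conf, confirms it is a full pathname to something that exists, and flags a pass-phrase-free key that other users can read. It is a hypothetical helper script and assumes one directive per line, as in the stock httpd-ssl.conf.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the SSL* paths in
# httpd-ssl.conf before running apachectl configtest. Hypothetical helper;
# assumes one directive per line, as in the stock file.

# Print the value of the first uncommented occurrence of directive $2 in file $1,
# with surrounding double quotes removed (prints nothing if the directive is absent).
# A commented line has "#SSLCertificateFile" as its first field, so it never matches.
conf_value() {
  awk -v d="$2" '$1 == d { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}

# Check one directive: $1 conf file, $2 directive name, $3 "f" (must be a file) or
# "d" (must be a directory). Prints a message and returns 1 on any problem.
check_path() {
  v=$(conf_value "$1" "$2")
  if [ -z "$v" ]; then
    echo "$2: not set in $1"; return 1
  elif [ "${v#/}" = "$v" ]; then
    echo "$2: must be a full pathname, got '$v'"; return 1
  elif ! test "-$3" "$v"; then      # "-$3" becomes -f or -d
    echo "$2: does not exist: $v"; return 1
  fi
  return 0
}

# Returns 0 when all four directives are usable and the key is not world-readable.
check_ssl_paths() {
  rc=0
  check_path "$1" SSLCertificateFile f    || rc=1
  check_path "$1" SSLCertificateKeyFile f || rc=1
  check_path "$1" SSLCACertificateFile f  || rc=1
  check_path "$1" SSLCARevocationPath d   || rc=1
  key=$(conf_value "$1" SSLCertificateKeyFile)
  # webserver.nopass.key has no pass phrase: anyone who can read it can impersonate the site.
  if [ -f "$key" ] && [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
    echo "SSLCertificateKeyFile: $key is world-readable; chmod 600 it"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "SSL paths look good; run apachectl configtest next"
  return "$rc"
}
```

Run check_ssl_paths /private/etc/apache2/extra/httpd-ssl.conf as the same user Apache starts under (root, via su as noted below), since the existence tests only tell you what that user can see.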
============================================

Points to note:
  • Use su to perform the setup.
  • Define the port 80 virtual host in httpd.conf only; don't set port 443 in httpd.conf.
  • Define virtual host port 443 on httpd-ssl.conf.
  • Use ">apachectl configtest" to check if the syntax is OK.
  • Location of conf files:
    • /private/etc/apache2/httpd.conf
    • /private/etc/apache2/extra/httpd-ssl.conf
============================================

The "Passenger" Ruby gem (installing it as your own user is fine, but you have to be su to edit httpd.conf):
> gem install passenger
> passenger-install-apache2-module

Edit /private/etc/apache2/httpd.conf
Add lines like the ones below, as instructed by the output of passenger-install-apache2-module:

   LoadModule passenger_module /Users/xxx/.rvm/gems/ree-1.8.7-2012.02@xxxxxx/gems/passenger-3.0.19/ext/apache2/mod_passenger.so
   PassengerRoot /Users/xxx/.rvm/gems/ree-1.8.7-2012.02@xxxxxx/gems/passenger-3.0.19
   PassengerRuby /Users/xxx/.rvm/wrappers/ree-1.8.7-2012.02@xxxxxx/ruby


Note that Rails runs in the "production" environment when it is served by Apache.
============================================
E.g. in httpd-ssl.conf:
<VirtualHost _default_:443>

#   General setup for the virtual host
#DocumentRoot "/Library/WebServer/Documents"
DocumentRoot "/Users/yourname/project/project_name/public"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog "/private/var/log/apache2/error_log"
TransferLog "/private/var/log/apache2/access_log"

#   SSL Engine Switch and the files from steps 1-4, with full pathnames (see step 5)
SSLEngine on
SSLCertificateFile "/Users/yourname/Documents/certs/sslthis.dyndns.org/newcert.pem"
SSLCertificateKeyFile "/Users/yourname/Documents/certs/sslthis.dyndns.org/webserver.nopass.key"
SSLCACertificateFile "/Users/yourname/Documents/certs/demoCA/cacert.pem"
SSLCARevocationPath "/Users/yourname/Documents/certs/demoCA/crl"
</VirtualHost>
============================================
Common commands:
$> apachectl stop
$> apachectl graceful
$> apachectl start
$> apachectl configtest
