Setting up a Secure Server

Introduction

This document gives instructions for ourshack members on setting up a secure server.

I created 2 certificate authorities, ourshack.org and andywardley.com. You can't sign a server certificate with a CA from the same domain, hence I used andywardley.com CA to sign the ourshack.org server certificate, and vice versa.

The ourshack.org CA is now the default. You can do this to create a new server certificate signing request:

$ cd ~apache
$ bin/mkcsr

It will prompt you to enter the pass phrase for the ourshack.org Certificate Authority. Ask abw for this. When it prompts you for the Common Name, put your domain, e.g. template-toolkit.org.

This creates a server.key and server.csr in ~apache/ssl

Then:

$ cd ~apache/ssl
$ sh sign.sh server.csr

This creates a server.crt which is certificate signed by the ourshack.org Certificate Authority. Now you need to install the certificate and server key into the right place in the apache configuration directory. You should give them names appropriate to the domain, e.g.

$ sudo cp server.crt ~apache/stable/conf/ssl.crt/template-toolkit.crt
$ sudo cp server.key ~apache/stable/conf/ssl.key/template-toolkit.key

You also need to rebuild the certificate index like so:

$ cd ~apache/stable/conf/ssl.crt    
$ sudo make

Then you need to modify your vhosts file to include an HTTPS configuration for your domain. For example:

<IfDefine SSL>

  #-- https://template-toolkit.org --
  <VirtualHost 212.74.28.150:443>
    ServerName   template-toolkit.org
    ServerAlias  www.template-toolkit.org
    ServerAdmin  abw@andywardley.com
    DocumentRoot /usr/www/www.template-toolkit.org/

	# ...plus any other config values...

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /home/apache/stable/conf/ssl.crt/template-toolkit.crt
    SSLCertificateKeyFile /home/apache/stable/conf/ssl.key/template-toolkit.key
    SSLCACertificatePath /home/apache/stable/conf/ssl.crt
    SSLCACertificateFile /home/apache/stable/conf/ssl.crt/ca-bundle.crt

    CustomLog /home/apache/stable/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  </VirtualHost>
</IfDefine>

NOTE: the value for ServerName must match the Common Name you specified when you created the CSR, above.

You now need to restart the server:

$ cd ~apache/stable/bin
$ sudo ./apachectl configtest
Syntax OK
$ sudo ./apachectl stop
$ sudo ./apachectl startssl

Check everything is looking good:

$ tail -f ~apache/stable/logs/error_log