Posted to users@httpd.apache.org by ri...@hushmail.com on 2017/02/02 16:54:20 UTC

[users@httpd] How to enable 443 on apache2 using provided key files

Hello,

There is a freshly installed (from Ubuntu 16.04 package) apache server running in a large institution that needs to have port 443 traffic enabled.  I am helping a friend of mine configure this server and, at the same time, writing a document for reproducing the installation procedure that will be published online.  The server has its own subdomain and the system administrator generated encryption keys to be used for this server.  The administrator is talented, but seems to be inexperienced in open-source solutions, so outside help is needed.  As a courtesy to my friend, whom I'm helping set this up, I've anonymized the TLD from the filename, but the files are as follows:
 
_.example.com.p12
Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt
SSL Certificate - .example.com.txt

I personally do not have easy access to these files, but I can request actions to be performed on them.  I had not previously been acquainted with P12 files until now.  I found a website that seems to be able to help me export data from the P12 file into a data format that apache can readily use:

http://wiki.i.gov.ph/iwiki/bin/view/PNPKI/How+to+install+SSL+certificate+in+apache+ubuntu+server

After reading through this website, I proposed these steps:

# pass-phrase-protected private key (prompts for the P12 import password, then for a new PEM pass phrase)
sudo openssl pkcs12 -in /vault/_.example.com.p12 -nocerts -out /vault/private.pem
# the same key with the pass phrase removed, so Apache can start unattended
sudo openssl rsa -in /vault/private.pem -out /vault/key.pem
# the server (leaf) certificate only
sudo openssl pkcs12 -in /vault/_.example.com.p12 -clcerts -nokeys -out /vault/cert.pem
# the intermediate/root CA certificates bundled in the P12
sudo openssl pkcs12 -in /vault/_.example.com.p12 -nokeys -cacerts -out /vault/CAchain.pem

And then modify ./sites-available/site-443.conf with the lines:

SSLCertificateFile /vault/cert.pem
SSLCertificateKeyFile /vault/key.pem
SSLCertificateChainFile /vault/CAchain.pem
SSLCACertificateFile /vault/Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt


We tried some of the openssl commands in that document, but we don't have the password.  The file named "SSL Certificate - .example.com.txt" is unused, and that does concern me that I'm either neglecting a critical file or needlessly duplicating it.  Before asking the administrator for a password, we have questioned whether we are making this needlessly difficult and were curious if there is a solution where these files can be used directly by apache.

As you can guess, I'm no expert at encryption.  Getting keys for the purpose of self-education is very expensive.  The extent of my experience is limited to creating self-signed certificates back in the good old days before the web-browser people decided that was to be forbidden practice, and more recently, letsencrypt.org, which operates in a magical smoke-and-mirrors method.  I would like to know if this would be the best practice for my friend encrypting his server's traffic.  I am very grateful for any feedback.

Thank you very much!

Rich


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
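The extraction and configuration steps proposed above, run end to end as an added example (this is not code from the thread, from the linked wiki or from the Apache project). Because the real _.example.com.p12 and its password are not on the page, the script first generates a throwaway root -> intermediate -> leaf hierarchy and packs it into a PKCS#12 file itself; the hostnames, the password "changeit", the temporary directory and the fullchain.pem layout are all assumptions introduced here. With the administrator's bundle you would skip make_test_p12 and point extract_p12 at that file. Two points the original proposal gets wrong are built into the check and the vhost snippet: the key that comes out must match the certificate (a mismatch is the most common reason Apache refuses to start after a P12 conversion), and SSLCACertificateFile is not where the intermediate belongs; it names the CAs used to verify *client* certificates and is only relevant with SSLVerifyClient. On Apache 2.4.8 and later (Ubuntu 16.04 ships 2.4.18) the chain can simply follow the leaf in SSLCertificateFile, which makes SSLCertificateChainFile unnecessary.

```shell
#!/bin/sh
# Added example, not code from the original thread. It exercises the four
# "openssl pkcs12"/"openssl rsa" steps proposed in the post end to end and
# then checks the pieces before they go anywhere near an Apache config.
# Assumptions (not in the original): the CA hierarchy, hostnames, password
# and directory below are generated here so the script runs offline.
set -eu

# make_test_p12 DIR PASS: builds a throwaway root -> intermediate -> leaf
# hierarchy and packs leaf key, leaf cert and both CA certs into DIR/site.p12,
# protected by PASS (stands in for the administrator's _.example.com.p12).
make_test_p12() {
  dir=$1; pass=$2
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
  openssl req -new -key "$dir/root.key" -subj "/CN=Test Root" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 30 -out "$dir/leaf.crt" 2>/dev/null
  cat "$dir/int.crt" "$dir/root.crt" > "$dir/chain.pem"
  openssl pkcs12 -export -in "$dir/leaf.crt" -inkey "$dir/leaf.key" \
    -certfile "$dir/chain.pem" -passout "pass:$pass" -out "$dir/site.p12"
}

# extract_p12 DIR PASS: the steps from the post, made non-interactive with
# -passin/-passout. The first step writes a pass-phrase-protected key; the
# "openssl rsa" step strips that pass phrase so Apache can start unattended.
extract_p12() {
  dir=$1; pass=$2; p12=$dir/site.p12
  openssl pkcs12 -in "$p12" -nocerts -passin "pass:$pass" -passout "pass:$pass" \
    -out "$dir/private.pem"
  openssl rsa -in "$dir/private.pem" -passin "pass:$pass" -out "$dir/key.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" -out "$dir/cert.raw"
  openssl pkcs12 -in "$p12" -cacerts -nokeys -passin "pass:$pass" -out "$dir/cacerts.raw"
  # drop the "Bag Attributes" headers so the files hold nothing but PEM blocks
  sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$dir/cert.raw" > "$dir/cert.pem"
  sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$dir/cacerts.raw" > "$dir/CAchain.pem"
  # Apache 2.4.8+ reads the chain from SSLCertificateFile, so one combined
  # file replaces the deprecated SSLCertificateChainFile
  cat "$dir/cert.pem" "$dir/CAchain.pem" > "$dir/fullchain.pem"
  # the unencrypted key is the crown jewel: nobody but root should read it
  chmod 600 "$dir/private.pem" "$dir/key.pem"
}

# check_extracted DIR: prints "ok" only if the key and certificate belong
# together and the leaf verifies through the extracted CA certificates.
check_extracted() {
  dir=$1
  key_mod=$(openssl rsa -noout -modulus -in "$dir/key.pem" 2>/dev/null | openssl sha256)
  cert_mod=$(openssl x509 -noout -modulus -in "$dir/cert.pem" | openssl sha256)
  if [ "$key_mod" != "$cert_mod" ]; then
    echo "key does not match certificate"; return 1
  fi
  if ! openssl verify -CAfile "$dir/CAchain.pem" "$dir/cert.pem" >/dev/null 2>&1; then
    echo "certificate does not chain to the extracted CA certificates"; return 1
  fi
  echo ok
}

# apache_vhost DIR: the mod_ssl lines for the extracted files. Note that
# SSLCACertificateFile is deliberately absent: it lists CAs for verifying
# client certificates and is only needed together with SSLVerifyClient.
apache_vhost() {
  dir=$1
  cat <<EOF
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    $dir/fullchain.pem
    SSLCertificateKeyFile $dir/key.pem
</VirtualHost>
EOF
}

work=$(mktemp -d)
make_test_p12 "$work" changeit
extract_p12 "$work" changeit
check_extracted "$work"
apache_vhost "$work"
# on the real server, follow with: apache2ctl configtest && systemctl reload apache2
```

The modulus comparison is the check to run every time a key is converted: a P12 that was exported from a different keystore than the one the certificate was issued for extracts cleanly and still leaves Apache unable to start. On the filename-with-spaces problem reported later in the thread, renaming the file is the simplest fix; httpd also accepts a double-quoted path as a directive argument.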


Re: [users@httpd] How to enable 443 on apache2 using provided key files

Posted by ri...@hushmail.com.
It turns out the approach I described did in fact work.  The password was requested from the administrator and the site behaved well.

The only deviation I had to make was that the SSLCACertificateFile parameter interpreted a space in the filename as delimiting a second invalid parameter.  The file was renamed to eliminate all whitespace and the SSLCACertificateFile parameter was adjusted to the new filename.  The server appears to be running fine.

Thanks



Re: [users@httpd] How to enable 443 on apache2 using provided key files

Posted by ri...@hushmail.com.

On 2/2/2017 at 1:27 PM, "Erik Dobák" <er...@gmail.com> wrote:
>
>Well, I am still unsure about the full encryption. I don't like that. If
>there is a problem the overheads grow to analyze the situation. What about
>just signing the messages? I mean, if you have messages for all, why do you
>want to hide them?
>

Because the site has a user authentication portal.  The owner of the server does not want user passwords being sent in plaintext.  Some portions of the site are not open to the public.  There is computational overhead, but they have invested in hardware sufficient for managing that.  The problem I am faced with is a software/compatibility/standards issue.

I wholeheartedly believe in the open internet model though and my own personal sites are available on our favorite port 80, as well as port 443 (via letsencrypt.org) for the paranoid who think the gov't can't see it.

>E


Re: [users@httpd] How to enable 443 on apache2 using provided key files

Posted by Erik Dobák <er...@gmail.com>.
Well, I am still unsure about the full encryption. I don't like that. If
there is a problem the overheads grow to analyze the situation. What about
just signing the messages? I mean, if you have messages for all, why do you
want to hide them?

E
