Jump to: navigation, search

SRT210 Lab 7

3,029 bytes added, 22 March
= Objectives =
* Understand the basics of public key encryption from a practical point of view.* Set up a Certificate Authority.* Create certificate+key pairs for servers, signed by your own CA.* Set up Apache to serve pages over HTTPS.
# Acting as the '''CA''': sign the request.<br />[[File:TinyCASignCSR.png]]
# Again acting as the '''CA''': export the certificate and key (i.e. the public key and the private key) as .pem files. The extension .pem doesn't imply what the contents are, it's just a format that is typically used to store keys. You want to export the key without a passphrase, unless you want to type in a password every time your server reboots:<br />[[File:TinyCAExportCert.png]]<br /><br />[[File:TinyCAExportKey.png]]
# That key pair (private + public key) is what you'll need to use to set up your servers. These specific ones you generated here aren't particularly useful because they're for the server yourusername.ops, and you don't have a server with that hostname. But the process is identical for every keypair you'll need to generate in this lab.
# You don't normally need to configure your web browsers because they come with a collection of tusted CAs but since we created our own, we'll need to save the CA certificate also, so that later we can manually add it to Firefox:<br />[[File:TinyCAExportCACert.png]]
In one of the labs we've set up the Apache web server on lin1. In another lab we've set up simple authentication for our simple webpage, and we intercepted the username and password that was sent from a web browser to the web server.
In this lab we're going to upgrade the same web server to serve pages using encrypted HTTPS instead of the plain-text HTTP.
* Use the steps in the previous section to create a certificate and key for lin1.yourusername.ops.
* By default Apache on CentOS doesn't come with the SSL modules installed, so you'll have to install mod_ssl using yum.
* After installing that package you'll have a new configuration file on your system: <code>/etc/httpd/conf.d/ssl.conf</code>
* Edit that file and look for two lines: <code>SSLCertificateFile</code> and <code>SSLCertificateKeyFile</code>. Those are the two files that you generated. Make sure the filenames are correct.
* In the same file, uncomment the <code>ServerName</code> setting and set it to lin1.yourusername.ops
* Copy the two files to lin1 into the appropriate directories.
* Restart Apache and check in /var/log/httpd/ssl_error_log that there are no errors related to your changes.
* Use nmap on lin1 and on c7host to confirm that the port used for HTTPS is open.
* If all of the above worked, use Firefox on c7host to go to https://lin1.yourusername.ops. You should see a security warning. Do not click through it, we'll fix it in another way.
* Go to the Firefox Preferences, and add a root authority certificate, like so:
[[File:FirefoxAddCA.png ]]
* Now you should be able to go to https://lin1.yourusername.ops without any warnings. Furthermore, if you had more web servers: you could use your new CA to create keys for many of your own servers, and you could use those keys not just for web servers but for mail servers, LDAP servers, etc.
* Go through the exercise again of sniffing the traffic between <code>alice</code> and <code>lin1</code> using tcpdump while you log in to your webpage in Firefox.
* Open the resulting file in Wireshark and see if you can still find your password there.
= Lab completion =

Navigation menu