In the interest of better data security when sharing data from my home computer, I thought it would be a good idea to enable a secure HTTPS connection from my visitors. I looked for an easy-to-understand walkthrough which could get me up and running in a matter of minutes. Not finding one, I decided to create my own.
Requirements for this walkthrough:
STEP 1. CREATING A CERTIFICATE AUTHORITY
Open up Terminal and enter the following commands (don't type the $, that's the prompt):
$ cd ~/Documents
This changes to your Documents folder in your Home directory; next, enter:
$ mkdir certs
This creates a new directory called certs; you can name it whatever makes sense to you, although names without spaces are best. Change into it before running the next command, because CA.pl builds the CA beneath the current directory and the listing below assumes it lives under ~/Documents/certs:
$ cd certs
$ /System/Library/OpenSSL/misc/CA.pl -newca
This runs the CA.pl script that ships with the system to create a new Certificate Authority in the certs directory. You will see the following output in the Terminal:
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++.................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: (enter a new secure password)
Verifying - Enter PEM pass phrase: (reenter the same password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request. What you are about to enter is what is
called a Distinguished Name or a DN. There are quite a few fields but
you can leave some blank. For some fields there will be a default value,
If you enter '.', the field will be left blank.
Enter the information requested at each prompt; the more meaningful you make it, the easier it is for people visiting your site to recognise that they are connected to the right place and not getting a bad connection:
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: sslthis.dyndns.org
Email Address []:
Once this step is completed, you will have a series of folders inside ~/Documents/certs that make up the necessary structure for a functioning Certificate Authority. Files/directories created so far are:
~/Documents/certs
~/Documents/certs/demoCA
~/Documents/certs/demoCA/cacert.pem
~/Documents/certs/demoCA/certs
~/Documents/certs/demoCA/crl
~/Documents/certs/demoCA/index.txt
~/Documents/certs/demoCA/newcerts
~/Documents/certs/demoCA/private
~/Documents/certs/demoCA/serial
STEP 2. GENERATE A PRIVATE KEY FOR THE WEBSERVER
$ openssl genrsa -des3 -out webserver.key 1024
This generates a private key called webserver.key, encrypted under a pass phrase; use a meaningful name with no spaces. The output will be:
Generating RSA private key, 1024 bit long modulus
....................................++++++
.....................++++++
e is 65537 (0x10001)
Enter pass phrase for webserver.key: (enter a new secure password)
Verifying - Enter pass phrase for webserver.key: (reenter the same password)
Next, you will have to generate a copy of the key without the pass phrase for Apache, so that it can start up without errors.
$ openssl rsa -in webserver.key -out webserver.nopass.key
This will generate a non-password protected copy of the private key you just generated.
Enter pass phrase for webserver.key: (enter the secure password created in step 2)
writing RSA key
Files generated at this point:
~/Documents/certs/webserver.key
~/Documents/certs/webserver.nopass.key
STEP 3. GENERATE A CERTIFICATE REQUEST
$ openssl req -config /System/Library/OpenSSL/openssl.cnf \
    -new -key webserver.key -out newreq.pem -days 3650
This generates a new certificate request, newreq.pem, using the default openssl.cnf configuration file and the webserver.key private key, for a validity period of 10 years.
Enter pass phrase for webserver.key: (enter the secure password created in step 2)
You are about to be asked to enter information that will be incorporated
into your certificate request. What you are about to enter is what is
called a Distinguished Name or a DN. There are quite a few fields but
you can leave some blank. For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: sslthis.dyndns.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: leave blank
An optional company name []: leave blank
Files generated at this point:
~/Documents/certs/newreq.pem
STEP 4. SIGNING THE CERTIFICATE REQUEST
$ /System/Library/OpenSSL/misc/CA.pl -signreq
This signs the newreq.pem request created in step 3 with the Certificate Authority created in step 1.
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: (enter the secure password created in step 1)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 29 04:00:05 2004 GMT
Not After : Nov 27 04:00:05 2014 GMT
Subject:
countryName = as entered
stateOrProvinceName = as entered
localityName = as entered
organizationName = as entered
commonName = sslthis.dyndns.org
emailAddress = as entered
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D8:C4:76:37:6F:8C:FA:8E:62:95:2C:A3:2E:E9:CC:5C:24:E2:5B:DB
X509v3 Authority Key Identifier:
keyid:DB:12:B4:DB:77:03:D1:64:DA:87:8A:61:79:AA:38:17:E4:7E:6B:ED
DirName:
emailAddress=
serial:00
Certificate is to be certified until Nov 27 04:00:05 2014 GMT (3650 days)
Sign the certificate? [y/n]: (type y to confirm)
1 out of 1 certificate requests certified, commit? [y/n] (type y to confirm)
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Files generated at this point:
~/Documents/certs/newcert.pem
After this is done, I moved all the files created (webserver.key, webserver.nopass.key, newreq.pem, newcert.pem) into a new subdirectory, sslthis.dyndns.org, for keeping things nice and neat.
Files are now in:
~/Documents/certs/sslthis.dyndns.org
STEP 5. BASIC SSL CONFIGURATION FILE
$ sudo vi ssl.conf
Use any Terminal editor you prefer in place of vi, and enter the following (correct the file paths as needed):
<IfModule mod_ssl.c>
    Listen 80
    Listen 443
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    <VirtualHost _default_:443>
        SSLEngine on
        ServerName sslthis.dyndns.org
        ServerAdmin youremailaddress
        ErrorLog /var/log/httpd/error_log
        # As written, this suite string also admits SSLv2, export-grade, LOW and
        # unencrypted (eNULL) ciphers; tighten it for anything beyond a test setup.
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /Users/YOURNAME/Documents/certs/sslthis.dyndns.org/newcert.pem
        SSLCertificateKeyFile /Users/YOURNAME/Documents/certs/sslthis.dyndns.org/webserver.nopass.key
        SSLCACertificateFile /Users/YOURNAME/Documents/certs/demoCA/cacert.pem
        SSLCARevocationPath /Users/YOURNAME/Documents/certs/demoCA/crl
    </VirtualHost>
</IfModule>
You will also have to edit /etc/httpd/httpd.conf (don't forget to make a backup) by typing:
$ sudo vi /etc/httpd/httpd.conf
and uncommenting the following lines:
LoadModule ssl_module libexec/httpd/libssl.so
AddModule mod_ssl.c
before restarting the webserver.
Once this is done, stop and start your webserver (from Terminal or System Preferences) and you should be good to go. Don't forget to enable port forwarding for 443 TCP through your router and your OS X firewall (if enabled) for incoming connections.
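Steps 1 to 4 as one script, added here as an example and not part of the original hint: the same CA, server key, request and signing flow done with the openssl CLI instead of the interactive CA.pl, using 2048-bit keys and a subjectAltName as current browsers expect, and ending with the checks worth running before Apache is pointed at the files. It assumes the openssl CLI (1.1.1 or newer) is on PATH and works in a temporary directory; sslthis.dyndns.org is the hostname from the hint.

```shell
# Added example, not from the original hint: steps 1-4 (CA, server key, CSR,
# signing) done with the openssl CLI instead of the interactive CA.pl, then the
# checks worth running before Apache is pointed at the files.
# Assumes the openssl CLI is on PATH; all files go to a temporary directory.
set -eu
HOST=sslthis.dyndns.org                   # hostname used throughout the hint
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

make_ca() {    # step 1 equivalent: self-signed CA certificate and key
  # -nodes keeps the CA key unencrypted so this runs unattended; CA.pl instead
  # asks for the pass phrase that protects cakey.pem. Default openssl.cnf
  # extensions (v3_ca) mark the certificate as a CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1825 \
    -subj "/CN=Home CA (example)" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}
make_csr() {   # steps 2-3 equivalent: server key plus certificate request
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/webserver.key" -out "$WORK/newreq.pem" 2>/dev/null
}
sign_csr() {   # step 4 equivalent; the CA sets the leaf's extensions, as
               # CA.pl does from openssl.cnf; the SAN is what browsers match
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$HOST" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 397 \
    -extfile "$WORK/leaf.ext" -out "$WORK/newcert.pem" 2>/dev/null
}

# Checks: each returns 0 on success, so they can be chained or used in an if.
verify_chain() {     # does SSLCACertificateFile really vouch for the leaf?
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1
}
key_matches_cert() { # SSLCertificateKeyFile must be the key of SSLCertificateFile
  k=$(openssl pkey -in "$WORK/webserver.key" -pubout 2>/dev/null | openssl md5)
  c=$(openssl x509 -in "$WORK/newcert.pem" -pubkey -noout | openssl md5)
  [ "$k" = "$c" ]
}
has_san() {          # the hostname must be a DNS SAN, not only the CN
  openssl x509 -in "$WORK/newcert.pem" -noout -text | grep -q "DNS:$HOST"
}
leaf_key_bits() {    # prints the RSA modulus size of the issued certificate
  openssl x509 -in "$WORK/newcert.pem" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

make_ca; make_csr; sign_csr
for check in verify_chain key_matches_cert has_san; do
  "$check" || { echo "FAILED: $check" >&2; exit 1; }
done
echo "OK: $HOST certificate, $(leaf_key_bits)-bit key, issued by $WORK/cacert.pem"
```

Point the same three checks at your own newcert.pem, webserver.nopass.key and demoCA/cacert.pem before editing ssl.conf; a mismatch between certificate and key is the usual reason Apache refuses to start after step 5.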
Mac OS X Hints
http://hints.macworld.com/article.php?story=20041129143420344