E. Create CA, CSR, SSL certificate
- Install OpenSSL
- Configuring a Certificate Authority (CA)
- Configuring Apache HTTP Server to use SSL Certificates
User teacher must connect with an ssh key.
(User's public key was provided)
$ useradd teacher
$ passwd teacher
$ mkdir /home/teacher/.ssh
$ vi /home/teacher/.ssh/authorized_keys
$ chown -R teacher:teacher /home/teacher/.ssh
Give read permission for user "teacher" everywhere in /home and /root (folders, subfolders, and files), and no write permissions in /home (folder, subfolders, and files).
$ cd ..
$ ls -l
$ chmod -R o+rx /home
$ chmod -R o+rx /root
$ ls -l
Install and configure all necessary services for the server to function as a web-server with Apache.
$ yum install httpd
$ systemctl start httpd
$ systemctl status httpd
$ systemctl status sshd
Add the necessary inbound rules to the CentOS FirewallD service, so that http and https are accessible from everywhere. Restrict access with ssh only through AUEB VPN.
$ firewall-cmd --permanent --add-service=http
$ firewall-cmd --permanent --add-service=https
$ firewall-cmd --reload
Note:
<ip_a> : Teacher's IP using AUEB VPN
<ip_b> : My IP using AUEB VPN
$ iptables -A INPUT -p tcp -s <ip_a>,<ip_b> --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Also added:
$ firewall-cmd --zone=internal --add-service=ssh --permanent
$ firewall-cmd --zone=internal --add-source=<ip_a> --permanent
$ firewall-cmd --zone=internal --add-source=<ip_b> --permanent
$ firewall-cmd --zone=public --remove-service=ssh --permanent
$ firewall-cmd --reload
$ vi /etc/ssh/sshd_config
PasswordAuthentication no
Match User root
PasswordAuthentication yes
$ systemctl restart sshd
Using OpenSSL generate a Certificate Authority (CA), CSR and an SSL certificate.
$ yum install -y openssl
For public-key encryption we first need a private key, which is then used to generate the CA certificate:
$ cd /etc/pki/CA/private/
$ openssl genrsa -aes128 -out ourCA.key 2048
$ openssl req -new -x509 -days 1825 -key /etc/pki/CA/private/ourCA.key -out /etc/pki/CA/certs/ourCA.crt
Country Name (2 letter code) [XX]:GR
State or Province Name (full name) []:.
Locality Name (eg, city) [Default City]:Athens
Organization Name (eg, company) [Default Company Ltd]:Witch Certificate Authority
Organizational Unit Name (eg, section) []:<my_AM>
Common Name (eg, your name or your server's hostname) []:<server_hostname>
Email Address []:.
$ yum install -y mod_ssl
$ openssl genrsa -out /etc/pki/tls/private/<server_name>.key 1024
$ openssl req -new -key /etc/pki/tls/private/<server_name>.key -out /etc/pki/tls/<server_name>.csr
Country Name (2 letter code) [XX]:GR
State or Province Name (full name) []:.
Locality Name (eg, city) [Default City]:Athena
Organization Name (eg, company) [Default Company Ltd]:Strawberry Frog
Organizational Unit Name (eg, section) []:<my_AM>
Common Name (eg, your name or your server's hostname) []:<server_hostname>
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<chall_password>
An optional company name []:.
$ scp /etc/pki/tls/<server_name>.csr root@<server_name>:~/<server_name>.csr
$ openssl x509 -req -in <server_name>.csr -CA /etc/pki/CA/certs/ourCA.crt -CAkey /etc/pki/CA/private/ourCA.key -CAcreateserial -out <server_name>.crt -days 365
Our CSR has been digitally signed by our Certificate Authority (CA).
$ scp <server_name>.crt root@<server_name>:/etc/pki/tls/certs/<server_name>.crt
Connect using ssh as the root user.
Now, we have a digitally signed SSL certificate.
$ vi /etc/httpd/conf.d/<server_hostname>.conf
<VirtualHost *:443>
ServerName <server_hostname>
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/<server_name>.crt
SSLCertificateKeyFile /etc/pki/tls/private/<server_name>.key
</VirtualHost>
$ systemctl restart httpd.service
Configure Apache to serve your certificate over https and redirect http to https. Make sure the entire SSL certificate chain is displayed correctly.
$ vi /etc/httpd/conf.d/non-ssl.conf
Inside, create a VirtualHost block to match requests on port 80. Inside, use the ServerName directive to again match your domain name or IP address. Then, use Redirect to match any requests and send them to the SSL VirtualHost. Make sure to include the trailing slash:
<VirtualHost *:80>
ServerName <server_hostname>
Redirect "/" "https://<server_hostname>/"
</VirtualHost>
$ apachectl configtest
$ systemctl restart httpd.service
Open your web browser and type https:// followed by your server’s domain name or IP into the address bar:
https://<server_hostname>
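The CA / CSR / signing steps above, followed by the checks that tell you whether the chain and the key pair are actually consistent before Apache is restarted. This is an added example and not part of the original write-up; it uses unencrypted keys and -subj instead of the interactive prompts so it runs unattended, and "example.test" is a constructed hostname.

```shell
#!/bin/bash
# Added example, not part of the original write-up: builds a throwaway CA, a
# server CSR and a CA-signed certificate, then checks the result the way a
# browser (and Apache at start-up) would. Keys are unencrypted and -subj
# replaces the prompts so it runs unattended; "example.test" is constructed.
set -eu

make_chain() {                       # $1 = work dir, $2 = server hostname
    dir="$1"; host="$2"
    # 1. CA key and self-signed CA certificate. The write-up's "req -new -x509"
    #    one-liner does the same, taking CA:true from the default openssl.cnf;
    #    here the extension is stated explicitly so it works with any config.
    openssl genrsa -out "$dir/ourCA.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ourCA.key" -out "$dir/ourCA.csr" \
        -subj "/C=GR/L=Athens/O=Witch Certificate Authority/CN=Witch CA"
    printf 'basicConstraints=critical,CA:true\nkeyUsage=keyCertSign,cRLSign\n' >"$dir/ca_ext.cnf"
    openssl x509 -req -in "$dir/ourCA.csr" -signkey "$dir/ourCA.key" -days 1825 \
        -extfile "$dir/ca_ext.cnf" -out "$dir/ourCA.crt" 2>/dev/null
    # 2. Server key (2048 bits; the write-up's 1024 is below today's minimum) and CSR
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=GR/L=Athens/O=Strawberry Frog/CN=$host"
    # 3. Sign with the CA. The extfile adds the subjectAltName browsers require
    #    for hostname matching; a CN alone is no longer enough.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" >"$dir/ext.cnf"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ourCA.crt" -CAkey "$dir/ourCA.key" \
        -CAcreateserial -days 365 -extfile "$dir/ext.cnf" -out "$dir/$host.crt" 2>/dev/null
    # 4. Chain file for Apache, leaf first: SSLCertificateChainFile on httpd < 2.4.8
    #    (CentOS 7), or appended to SSLCertificateFile on 2.4.8 and later.
    cat "$dir/$host.crt" "$dir/ourCA.crt" >"$dir/$host.fullchain.crt"
}

# Exit 0 when the certificate chains to our CA AND carries the expected hostname;
# a wrong CA file or a CN/SAN typo is exactly what surfaces as a browser warning.
verify_chain() {                     # $1 = work dir, $2 = cert basename, $3 = hostname
    openssl verify -CAfile "$1/ourCA.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Exit 0 when the private key belongs to the certificate; a mismatch between
# SSLCertificateFile and SSLCertificateKeyFile makes httpd refuse to start.
key_matches_cert() {                 # $1 = work dir, $2 = cert/key basename
    [ "$(openssl x509 -in "$1/$2.crt" -noout -pubkey)" = "$(openssl pkey -in "$1/$2.key" -pubout)" ]
}

# Usage: bash mkchain.sh <server_hostname>
if [ -n "${1-}" ]; then
    work=$(mktemp -d)
    make_chain "$work" "$1"
    verify_chain "$work" "$1" "$1" && key_matches_cert "$work" "$1" && echo "chain OK: $work"
fi
```

Once the files are copied into /etc/pki/tls, `openssl s_client -connect <server_hostname>:443 -showcerts` against the running httpd shows whether the CA certificate is actually being sent along with the server certificate.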
Create a simple website with just a text field with name="username" and a submit button. If your AM is submitted it should display a success message, while in any other case a failure message (containing the words "success" and "fail" respectively).
You can use any technology.
As DocumentRoot use: /var/www/html
Note: AM is a student's registration number.
$ vi /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"
So /var/www/html will be the location of the pages.
(it was already set up this way)
$ cd /var/www/html
$ vi index.html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Login page</title>
<script>
function checkSubmit() {
    // Runs from the form's onsubmit, so the browser has already enforced "required"
    var username = document.forms["form"]["username"];
    if (username.value === "<my_AM>") {
        alert("Success! :D");
    } else {
        alert("Fail! :(");
    }
    // Stay on the page: the check is purely client-side, there is nothing to POST
    return false;
}
</script>
</head>
<body>
<form method="post" id="form" onsubmit="return checkSubmit();">
<label for="username"><b>Username</b></label> <br>
<input type="text" placeholder="Enter Username" name="username" id="username" required>
<button type="submit">Login</button>
</form>
</body>
</html>