
CS469/569 - Linux and Unix Administration and Networking

Spring 2022


CS469 HW #10	10+ Points

Time to create a certificate authority and sign some certificates:

Create a certificate authority setup, as was done in class.  Use your username
as your OU in the CA issuer information.  Using your newly created CA perform
the following:

1) (1pt) Copy /etc/ssl/openssl.cnf to your h10 directory and modify it for your
   certificate authority.  Make the directories and files for your CA as
   needed.  Make sure to create a serial file containing a random serial number
   (at least 2 digits in length).

2) (1pt) Create a 2048-bit RSA private key named: root-ca.key

3) (1pt) Create a self-signed root CA certificate for your CA named:
   root-ca.crt

4) (2pts) Sign the certificate request h10.csr with your CA, and name the
   resulting certificate h10.crt

5) (2pts) Create your own certificate request and get someone else to sign it.
   Call the request <username>.csr (where <username> is your CS469 account
   name), the signed certificate <username>.crt, and your private key
   <username>.key.  Make sure that the CN is u##.indstate.edu (the hostname of
   your VM) and the OU is your CS469 username.

   Remember that your OU for both the CA and your certificate request should be
   your CS469 username.

   Note: you probably want to change the rules in openssl.cnf so that
   countryName is "supplied" rather than "match", and similarly with other
   fields that are "match" in the default file.  This allows you to sign
   requests for different organizations than your own.

   Note: you can check that your certificate is properly signed by running
     openssl verify -CAfile WHATEVER_CA_FILE_SIGNED_IT.crt cs469##.crt
   (openssl verify takes the signed .crt, not the .csr).  The person doing the
   signing and the person getting signed should both do this.
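   As an added example (not one of the course's files), here is the CA side of
   steps 1 through 5 as a POSIX shell script driving openssl.  The OU cs469xx,
   the hostname u11.indstate.edu, and the directory layout are assumptions; the
   openssl.cnf it writes is a minimal stand-in for the copied
   /etc/ssl/openssl.cnf with the "match" policy fields already changed to
   "supplied".

```shell
# Added example, not one of the course's files: the CA side of steps 1-5 above.
# Assumes OpenSSL is installed; "cs469xx" and "u11.indstate.edu" are placeholders
# for your CS469 username (the OU) and your VM's hostname (the CN).
set -eu
# Steps 1-3: CA layout, random serial, an openssl.cnf whose policy uses "supplied"
# instead of "match", a 2048-bit RSA key and a self-signed root marked CA:TRUE.
build_ca() {                  # $1 = CA directory, $2 = OU (your username)
    mkdir -p "$1/newcerts" && : > "$1/index.txt"
    openssl rand -hex 8 > "$1/serial"     # even number of hex digits, as openssl ca expects
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $1
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/root-ca.crt
private_key   = \$dir/root-ca.key
default_md    = sha256
default_days  = 365
policy        = policy_supplied
[ policy_supplied ]
countryName            = supplied
stateOrProvinceName    = supplied
organizationName       = supplied
organizationalUnitName = supplied
commonName             = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl genrsa -out "$1/root-ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -config "$1/openssl.cnf" -key "$1/root-ca.key" \
        -out "$1/root-ca.crt" -subj "/C=US/ST=Indiana/O=ISU/OU=$2/CN=$2 Root CA"
}

# Step 5, requester side: a key and a CSR whose CN is the VM hostname, OU the username.
make_csr() {                  # $1 = dir holding openssl.cnf, $2 = username, $3 = hostname
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=US/ST=Indiana/O=ISU/OU=$2/CN=$3"
}

# Step 4, signer side, then the check both parties run (exit status 0 means the chain is valid).
sign_csr() { openssl ca -batch -notext -config "$1/openssl.cnf" -in "$2" -out "$3" 2>/dev/null; }
verify_cert() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
```

   Running build_ca, make_csr, sign_csr and then verify_cert in that order
   reproduces the hand-in; verify_cert fails on the .csr and on a certificate
   signed by a different CA, which is the check step 5 asks for.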

6) (3pts) Enable SSL on your web server.  Use the certificate that you had
   someone else sign (the <username>.crt they emailed you back, and the private
   .key file that went with it) and their public CA certificate (the root-ca.crt
   they emailed you) for your web server's certificates.  You will need to
   edit both /etc/httpd/httpd.conf and /etc/httpd/extra/httpd-ssl.conf.

   Things to search for in httpd-ssl.conf to either comment or uncomment, or
   edit:
     SSLRandomSeed, Required modules (make sure they are loaded in httpd.conf),
     VirtualHost (update DocumentRoot, other fields), SSLCertificateFile,
     SSLCertificateKeyFile, SSLCertificateChainFile

   Once your .crt and .key files are in place and you have edited the .conf
   files, restart httpd: /etc/rc.d/rc.httpd restart

   You can check if it is working by using Firefox and browsing to
     https://effie.indstate.edu:44311
   but put in your u## rather than 11.  Try the above to see how it works though.
   + Note that we are using https on port 443## rather than 469##.
     The settings on effie are set so that 443## properly routes to your
     u## machine's 443 port, as is set in your .conf file.
   + Note that Firefox will give you a warning of a potential
     security risk - this is because our certificates are not signed by an
     actual trusted certificate authority.  You can have it load the page anyway
     by clicking Advanced and then Accept the Risk and Continue.
   + Note that in Chrome you don't get the option to accept the risk - it
     just blocks it.  I haven't tried in other browsers, but we can definitely
     do this in Firefox.
   

XC) Your CA is a license to print bonus points: one half bonus point will be
   awarded for each certificate request that you sign.  Small print: this does
   not apply to requests you make yourself and sign, limit one request per
   person who attends CS469.  You must take all reasonable steps to verify the
   identity of the person whose request you are signing.