CS469 HW #10 10+ Points

Time to create a certificate authority and sign some certificates: Create a certificate authority setup, as was done in class. Use your username as your OU in the CA issuer information. Using your newly created CA, perform the following:

1) (1pt) Copy /etc/ssl/openssl.cnf to your h10 directory and modify it for your certificate authority. Make the directories and files for your CA as needed. Make sure to create a serial file containing a random serial number (at least 2 digits in length).

2) (1pt) Create a 2048 bit RSA private key named: root-ca.key

3) (1pt) Create a self-signed root CA certificate for your CA named: root-ca.crt

4) (2pts) Sign the certificate request h10.csr against your CA; name the resulting certificate h10.crt

5) (2pts) Create your own certificate request and get someone else to sign it. Call the request: .csr (where is your CS469 account name) and the signed certificate .crt. Call your private key .key. Make sure that the CN is u##.indstate.edu (the hostname of your VM) and the OU is your CS469 username. Remember that your OU for both the CA and your certificate request should be your CS469 username.

Note: you probably want to change the rules in openssl.cnf so that countryName is "supplied" rather than "match", and similarly with the other fields that are "match" in the default file. This allows you to sign requests for different organizations than your own.

Note: you can check that your certificate is properly signed by running

openssl verify -CAfile WHATEVER_CA_FILE_SIGNED_IT.crt cs469##.crt

(openssl verify checks the signed certificate, not the .csr request). The person doing the signing and the person getting signed should both do this.

6) (3pts) Enable SSL on your web server. Use the certificate that you had someone else sign (the .crt that they emailed you back, and your private .key file that went with it) and their public CA certificate (their root-ca.crt that they emailed you) for your web server's certificates.
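Steps 1 through 5 and the two notes above, as an added example that is not part of the assignment or its files: a script that builds a throwaway CA whose policy says "supplied" rather than "match", makes a request, signs it non-interactively with openssl ca, and verifies the result against the root. The working directory, the usernames cs469xx and cs469yy, and the hostname u11.indstate.edu are placeholders.

```shell
#!/bin/sh
# Added example, not the course's files: a throwaway CA whose policy says
# "supplied" rather than "match", so it can sign other people's requests.
# Names (cs469xx, u11.indstate.edu, the DIR argument) are placeholders.
set -e
make_ca() {   # make_ca DIR OU -> DIR/private/root-ca.key and DIR/root-ca.crt
  mkdir -p "$1/newcerts" "$1/private"
  : > "$1/index.txt"
  openssl rand -hex 8 > "$1/serial"   # random starting serial number
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/root-ca.crt
private_key = \$dir/private/root-ca.key
default_md = sha256
default_days = 365
policy = policy_supplied
[ policy_supplied ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl genrsa -out "$1/private/root-ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/private/root-ca.key" -config "$1/ca.cnf" -extensions ca_ext \
    -subj "/C=US/ST=Indiana/O=ISU/OU=$2/CN=$2 root CA" -days 365 -out "$1/root-ca.crt"
}
make_request() {   # make_request DIR NAME CN OU -> DIR/NAME.key and DIR/NAME.csr
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -config "$1/ca.cnf" -subj "/C=US/ST=Indiana/O=ISU/OU=$4/CN=$3" -out "$1/$2.csr"
}
sign_request() {   # sign_request DIR CSR CRT: openssl ca, non-interactive (-batch)
  openssl ca -batch -config "$1/ca.cnf" -notext -in "$2" -out "$3"
}
verify_cert() {    # verify_cert DIR CRT: exit 0 only if CRT chains to DIR/root-ca.crt
  openssl verify -CAfile "$1/root-ca.crt" "$2"
}
```

Run it as `make_ca DIR cs469xx`, then `make_request DIR h10 u11.indstate.edu cs469yy`, `sign_request DIR DIR/h10.csr DIR/h10.crt` and `verify_cert DIR DIR/h10.crt`; the same verify command fails against a root that did not sign the certificate.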
You will need to edit both /etc/httpd/httpd.conf and /etc/httpd/extra/httpd-ssl.conf. Things to search for in httpd-ssl.conf to either comment or uncomment, or edit: SSLRandomSeed, required modules (make sure they are loaded in httpd.conf), VirtualHost (update DocumentRoot and other fields), SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile.

Once you have your .crt and .key files in place and have edited the .conf files, you need to restart httpd:

/etc/rc.d/rc.httpd restart

You can check if it is working by using Firefox and browsing to https://effie.indstate.edu:44311 but put in your u## rather than 11. Try the above to see how it works though.

+ Note that we are using https and using port 443## rather than 469##. The settings on effie are set so that 443## properly routes to your u## machine's 443 port, as is set in your .conf file.

+ Note that Firefox will give you a warning of a potential security risk - this is because our certificates are not signed by an actual trusted certificate authority. You can have it load the page anyway by clicking Advanced and then Accept the Risk and Continue.

+ Note that in Chrome you don't get the option to accept the risk - it just blocks it. I haven't tried in other browsers, but we can definitely do this in Firefox.

XC) Your CA is a license to print bonus points: one half bonus point will be awarded for each certificate request that you sign. Small print: This does not apply to requests you make yourself and sign; limit one request per person who attends CS469. You must take all reasonable steps to verify the identity of the person whose request you are signing.