This procedure outlines how to customize SSL to LAMPP's default configuration.
It's very much inspired on http://www.vanemery.com/Linux/Apache/apache-SSL.html. Check out this site for steps 2 => 5, esp. with regards to all the chmod and chown suggested. They won't appear below
Here's my small contribution to this wonderful project (XAMPP) . Thanks again to this team.
By the way, I'm no security expert at all. This procedure just shows how I did it. It's not a recommendation or anything like that.
-------------------------
My goal is to secure all internet connections to my extranet at http://www.mysite.dyndns.org/secure, actually to force the users to go through "https".
However, this remains a small extranet, and I don't want to purchase any certificates. In this case, I'll be my own certificate authority, issuing my own "self-certified" certificates.
I used a Fedora4 server, with xampp-1.5.5a installed and working properly. All unix commands are preceded by "[root@mysite ssl.crt]> " , all comments by "#"
1/ [root@mysite ssl.crt]> vi /etc/hosts
*add the appropriate IP / DNS resolution details*: x.y.z.t www.mysite.dyndns.org # added by ME
2/ [root@mysite ssl.crt]> mkdir /tmp/CA # create a sandbox for all certificates
3/[root@mysite ssl.crt]> openssl genrsa -des3 -out my-ca.key 2048 # create Certificate Authority key - fill in the relevant information
4/[root@mysite ssl.crt]> openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt # create Certificate Authority certificate - fill in the relevant information * vanemery says you'll need to put in the real FQDN of your server when prompted for the "Common Name", in this case www.mysite.dyndns.org check step 1. I trust him
*
4/ [root@mysite ssl.crt]> openssl genrsa -des3 -out mysite-server.key 1024 # create a key for Mysite - fill in the relevant information
5/ [root@mysite ssl.crt]> openssl x509 -req -in mysite-server.csr -out mysite-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650 # create a 10-year certificate for Mysite, sign it with the Certificate Authority key - fill in the relevant information
6/ copy the certificates
[root@mysite ssl.crt]> cp /tmp/CA/mysite-server.crt /opt/lampp/etc/ssl.crt/ # Copy Mysite certificate to the appropriate location
[root@mysite ssl.crt]> cp /tmp/CA/mysite-server.key /opt/lampp/etc/ssl.key/ # Copy Mysite key to the appropriate location
[root@mysite ssl.crt]> cp /tmp/CA/my-ca.crt /opt/lampp/etc/ssl.crt/ # Copy the Certificate Authority key to the appropriate location
7/ When the LAMPP server starts, you'll maybe get this error:[error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]. Thanks to http://ceylonlinux.com/pdf/apache_ssl.pdf for the hint on how to solve this problem: this error occurs because the server expects a passphrase authentication => convert mysite's key to RSA to prevent this.
[root@mysite ssl.key]> cp mysite-server.key mysite-server.key.new
[root@mysite ssl.key]> openssl rsa -in mysite-server.key.new -out mysite-server.key
8/ [root@mysite logs]> vi /opt/lampp/etc/extra/httpd-ssl.conf # this file is where all security is handled (check /opt/lampp/etc/httpd.conf)
ServerName www.mysite.dyndns.org:443
ServerAdmin admin@mysite.dyndns.org
Server Certificate:
#SSLCertificateFile /opt/lampp/etc/ssl.crt/server.crt
SSLCertificateFile /opt/lampp/etc/ssl.crt/mysite-server.crt
Server key:
#SSLCertificateKeyFile /opt/lampp/etc/ssl.key/server.key
SSLCertificateKeyFile /opt/lampp/etc/ssl.key/mysite-server.key
Certificate Authority
#SSLCACertificatePath /opt/lampp/etc/ssl.crt
#SSLCACertificateFile /opt/lampp/etc/ssl.crt/ca-bundle.crt
SSLCACertificatePath /opt/lampp/etc/ssl.crt
SSLCACertificateFile /opt/lampp/etc/ssl.crt/my-ca.crt
9/ I want all communication with https://www.mysite.dyndns.org/secure to be encrypted =>:
[root@mysite ssl.key]> vi /opt/lampp/htdocs/secure/.htaccess
# Force SSL connection
SSLRequireSSL
10/ Start LAMPP.
Check it out by trying NO security http://www.mysite.dyndns.org. you should get a "forbidden" error message
Check it out by trying WITH security https://www.mysite.dyndns.org . you should go through
11/ IMPORTANT NOTE: When each user will connect, he'll be prompted with the "not so professionnal" windows message telling the user he's being hacked
. That's because the Certificate Authority isn't publically known (=> that's because you just created it ).
One way to avoid this is to issue the ca certificate in a file and by asking the users to install it seperately, on the computer they'll be using most. This small procedure is one way to do it with IE7. You might need to adapt it
10a/ To generate the file: connect once to the site, then click in the certificate area and say "show certificate". check out the "certificate path". You'll have one root (the certificate authority) and one branch (the site certificate).
10b/ 2-click on the root certificate , click details then "copy to a file" select some handy destination like your desktop, and name the certificate mysite-ca.crt
10c/ make the file available to your users. Ask them to 2-click on mysite-ca.crt then "next-next-yes-finish".
10d/ The certificate is installed, try a https connection. Hopefully, you won't get the ugly navigator messages anymore.
Good luck