Unlike Windows, Linux has no crypto API usable by user-mode applications; it only has the kernel-level Crypto API (crypto.h), which is accessible to kernel-mode code. As a result, applications store certificates in application-specific locations, and we end up with multiple copies of the same certificate. One workaround is to designate a single directory for certificate storage and create symbolic links to it from the locations each application requires.
The Linux Kernel Cryptographic API overview: https://thesweeheng.files.wordpress.com/2007/11/6451.pdf
Generate CSR using a new key pair:
openssl req -nodes -newkey rsa:1024 -keyout serverName.key -out serverName.csr
Generate CSR using an existing key pair:
openssl req -new -key serverName.key -out serverName.csr
Once the request is signed, the certificate and key pair must be copied to the relevant location. Most Linux applications require a Base64 encoded certificate with a .PEM extension, but this varies: Apache, for example, requires a Base64 encoded certificate with a .CRT extension.
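The CSR procedure above, as an added example that is not part of the original post: it generates the key pair and CSR unattended, then checks that the CSR's self-signature verifies and that its public key really belongs to the .key file next to it, which is the check worth doing before the request goes to the CA. It assumes only the openssl command-line tool; rsa:2048 is used instead of the post's rsa:1024 because 1024-bit RSA keys are no longer considered adequate, and the encoding_of helper is this example's own, showing that the .PEM/.CRT naming the post mentions is convention only.

```shell
#!/bin/sh
# Added example, not from the original post: generate a key pair and CSR, then
# check the CSR is consistent with the key before sending it to the CA.
# Assumes only the openssl command-line tool. rsa:2048 is used instead of the
# post's rsa:1024 because 1024-bit RSA keys are no longer considered adequate.
set -eu

# Generate a new private key and CSR for host $2 in directory $1.
# -subj supplies the subject so the command runs unattended (the post's
# interactive form prompts for it); -nodes leaves the key unencrypted, as in the post.
make_csr() {
    dir=$1; host=$2
    openssl req -nodes -newkey rsa:2048 -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
}

# Return 0 if the CSR's self-signature verifies and the public key inside it is
# the one derived from the private key; a stale or mismatched .key file fails here.
check_csr() {
    key=$1; csr=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    # Both commands print the SubjectPublicKeyInfo as PEM, so the text can be compared directly.
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    c=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print PEM or DER for a certificate, CSR or key file. The extension alone does
# not say which encoding is inside; the content decides how an application loads it.
encoding_of() {
    if grep -q -- '-----BEGIN' "$1"; then echo PEM; else echo DER; fi
}

# Usage:
#   make_csr /tmp/certs serverName
#   check_csr /tmp/certs/serverName.key /tmp/certs/serverName.csr && echo "CSR ok"
```

The public-key comparison is what catches the common mistake of regenerating a key with the first command while re-submitting an old CSR: the CA would issue a certificate that the server can never use with the key on disk.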
Sample storage locations:
Cisco AnyConnect:
User certs:
~/.cisco/certificates/ca Root CA
~/.cisco/certificates/client User certificate
~/.cisco/certificates/client/private Private keys
Computer certs:
/opt/.cisco/certificates/ca Root CA
/opt/.cisco/certificates/client Client certificates
/opt/.cisco/certificates/client/private Private keys
Nessus:
/opt/nessus/com/nessus/CA/servercert.pem
/opt/nessus/var/nessus/CA/serverkey.pem
Apache:
The locations of the certificate and private key are specified per virtual host in the config file (sample config below). Sample locations:
/etc/httpd/conf/ssl.crt/serverName.crt
/etc/httpd/conf/ssl.key/serverName.key
Enabling SSL in Apache:
Enable mod_ssl:
# a2enmod ssl
Configure Virtual Host:
This is configured in httpd.conf or apache2.conf (which by default includes httpd.conf):
<VirtualHost _default_:443>
    DocumentRoot /var/www/
    ServerName 10.0.0.20
    SSLEngine on
    SSLCertificateFile /etc/apache2/conf/ssl.crt/10.0.0.20.crt
    SSLCertificateKeyFile /etc/apache2/conf/ssl.key/10.0.0.20.key
</VirtualHost>
Restart service:
# service httpd restart
or
# apachectl restart
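A pre-restart check for the virtual host configuration above, as an added example that is not part of the original post: it reads SSLCertificateFile and SSLCertificateKeyFile out of the config, confirms both files are readable, that the private key is not readable by group or others, that the key matches the certificate, and that the certificate is not about to expire, so a restart does not take the site down on a typo or a stale key. It assumes only the openssl CLI; the directive and check_vhost helpers and the safe_restart wrapper are this example's own, and the paths in the config it reads are whatever the real vhost uses.

```shell
#!/bin/sh
# Added example, not from the original post: check the certificate and key an
# Apache SSL virtual host points at before restarting the service.
# Assumes only the openssl CLI; the helper names below are this example's own.
set -eu

# Print the value of directive $2 from config file $1 (first occurrence).
directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Validate the SSL material referenced by config $1. Checks, in order: both
# files are readable, the key is not readable by group/others, the key and
# certificate share a public key, and the certificate stays valid for at
# least $2 seconds (default 30 days). Prints one line per finding and
# returns non-zero if anything failed.
check_vhost() {
    conf=$1; within=${2:-2592000}; rc=0
    crt=$(directive "$conf" SSLCertificateFile)
    key=$(directive "$conf" SSLCertificateKeyFile)
    for f in "$crt" "$key"; do
        [ -n "$f" ] && [ -r "$f" ] || { echo "missing or unreadable: '$f'"; rc=1; }
    done
    [ $rc -eq 0 ] || return $rc
    # Columns 5-10 of ls -l are the group and other permission bits.
    gobits=$(ls -l "$key" | cut -c5-10)
    case $gobits in
        *r*) echo "private key readable by group/others ($gobits): $key"; rc=1 ;;
    esac
    # Both commands print the public key as PEM, so the text can be compared directly.
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "private key does not match certificate"; rc=1; }
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend "$within" >/dev/null 2>&1 \
        || { echo "certificate expires within $within seconds"; rc=1; }
    return $rc
}

# Restart only once the material checks out and Apache itself accepts the
# configuration (apachectl configtest). Not exercised here; apachectl is the
# post's own command and is assumed to be on PATH.
safe_restart() {
    check_vhost "$1" && apachectl configtest && apachectl restart
}

# Usage: safe_restart /etc/apache2/sites-enabled/ssl.conf
```

The permission check matters because the post's locations put the key under /etc, where a file created with a default umask is world-readable; the key-to-certificate comparison catches the case where a certificate was re-issued for a new CSR but the old .key file was left in place.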