Configuring Web Server in HTTPS Mode
From ServersCheck Wiki
About SSL & Requirements
By default the ServersCheck web server runs in HTTP mode and does not encrypt communications between browser and server. To protect the data exchanged between a client and the ServersCheck web server, SSL support is available. With SSL, all communication between client and web server is encrypted, including the passwords the browser sends to the server.
In order to run the ServersCheck web server in HTTPS (SSL) mode, you need the following items:
- ServersCheck Monitoring Software 7.5 or higher
- OpenSSL installed
The ServersCheck Monitoring Software ships with a default certificate and server key already installed. Because that default key is the same on every installation, it is highly recommended to create your own key and certificate.
Installing OpenSSL
The easiest way to obtain OpenSSL is to download the Windows GUI installer from Shining Light Productions. The download page is available here:
http://www.slproweb.com/products/Win32OpenSSL.html
The "Light" version is acceptable for our purposes. The direct link to download the installer is here:
http://www.slproweb.com/download/Win32OpenSSL_Light-0_9_8e.exe
You will need to add OpenSSL to the PATH environment variable. Open a Windows command prompt and type the following command (adjust the path if you installed OpenSSL elsewhere):
set PATH=c:\OpenSSL\bin;%PATH%
Creating a Private Key
Go to the /certs subdirectory of the ServersCheck Monitoring Software, back up all files in there and then empty the directory. Type the following command to create a new server private key:
openssl genrsa -des3 -out server.key 4096
You will be prompted to enter a password for the key. Enter a strong password and press Enter, verify the password and then press Enter again. Do not forget this password.
Create a Certificate Signing Request (CSR)
The server certificate must be signed by a Certificate Authority (CA). We do not, however, want to reveal our private key to _anyone_, so instead we create a certificate signing request (CSR). The CSR contains only the public key and your identity information; the CA uses it to issue a certificate that vouches you are who you claim to be, without ever seeing the private key.
openssl req -new -key server.key -out server.csr
You will first be prompted for the password you entered when you created the private key. This is required so OpenSSL can access your key to create the CSR. Type it in and hit enter.
You will then be prompted to enter information that will be incorporated into your certificate request. This is your certificate identity and cannot be changed later so if you make any typos, press CTRL-C and start over.
Example information. Replace with your data:
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Brabant
Locality Name (eg, city) []:Leuven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ServersCheck
Organizational Unit Name (eg, section) []:Web Division
Common Name (eg, YOUR name) []:serverscheck.mycompany.com
Email Address []:email@mycompany.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
It is important that the Common Name exactly match the fully-qualified domain name for your website. If this does not match, visitors to your SSL-enabled website will receive a security warning and must click OK to accept the certificate.
Leave the challenge password and optional company name fields blank.
If you issue a dir /w command, you will see a new file named server.csr in the directory.
What Next?
At this point, you can either create your own Certificate Authority and then self-sign the Certificate Signing Request or you can send the CSR to a well-known Certificate Authority such as Verisign.
If you self-sign the certificate, visitors to your site will receive a warning indicating that the Certificate Authority is unknown. They can choose to reject the certificate, accept it for the current session, or accept it permanently.
Even with this warning message, it is good to know how to self-sign for testing or if you do not want to incur the expense of obtaining a "real" certificate. If you will be sending the certificate to an authority such as Verisign, you can skip the next 2 steps.
Create Your Own Certificate Authority
Generate a private key for your Certificate Authority (CA):
openssl genrsa -des3 -out ca.key 4096
You will be prompted to enter and verify a password for this private key.
Then create a certificate from that private key:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You will first be prompted to enter the password to access the private key. Then you will need to enter information that will be incorporated into the Certificate Authority signing certificate.
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Brabant
Locality Name (eg, city) []:Leuven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ServersCheck
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []:ssl.mycompany.com Certificate Authority
Email Address []:email@mycompany.com
This is all just like you did before for your website certificate but here the Common Name (CN) can be set to anything you want.
Self-sign the Certificate Signing Request
Now we sign the website CSR with the Certificate Authority we just created:
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Note: above command should all be entered on one line
Obtaining a Signed Certificate from Verisign or Others
Please visit the website of your chosen Certificate Authority for more information. Verisign is one of the more expensive options; it is worth shopping around, as SSL certificates can be found for as little as $19.99 per year.
http://www.verisign.com/ssl/buy-ssl-certificates/secure-site-ssl-certificates/index.html
IMPORTANT: Removing the Password from the Server Key
This step must be done when the ServersCheck web server runs as a service. If the key still has a password, the service cannot read it and the web server will not start!
Keep in mind that once the password is removed, anyone who can read the private key can decrypt all of your encrypted communications. Restrict the permissions on this file so that it cannot be downloaded or otherwise accessed by third parties.
openssl rsa -in server.key -out server.key.insecure
move server.key server.key.secure
move server.key.insecure server.key
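The whole procedure above, from creating the server key through stripping its password, as an added example that is not from the ServersCheck wiki: a POSIX shell script that runs the same openssl commands non-interactively (-subj and -passin/-passout replace the prompts) in a scratch directory, then performs the checks a practitioner would run before restarting the service. The hostname, the passphrase, and the use of mv/chmod in place of Windows move and NTFS permissions are assumptions.

```shell
#!/bin/sh
# Added example, not from the ServersCheck wiki. Runs the key/CSR/CA/sign/strip
# procedure non-interactively in a scratch directory and then checks the result.
set -e
WORK="$(mktemp -d)"                 # scratch dir; on the real server this is /certs
CN="serverscheck.mycompany.com"    # constructed hostname, must equal the site's FQDN
PASS="pass:changeit"               # constructed passphrase for the encrypted keys
cd "$WORK"

make_certs() {
  # 1. Passphrase-protected server key (the wiki uses -des3; -aes256 is the same step)
  openssl genrsa -aes256 -passout "$PASS" -out server.key 4096 2>/dev/null
  # 2. CSR; -subj supplies the answers the interactive prompts would ask for
  openssl req -new -key server.key -passin "$PASS" -out server.csr \
    -subj "/C=BE/ST=Brabant/L=Leuven/O=ServersCheck/OU=Web Division/CN=$CN"
  # 3. Own CA: private key plus self-signed CA certificate
  openssl genrsa -aes256 -passout "$PASS" -out ca.key 4096 2>/dev/null
  openssl req -new -x509 -days 365 -key ca.key -passin "$PASS" -out ca.crt \
    -subj "/C=BE/ST=Brabant/L=Leuven/O=ServersCheck/OU=Certificate Authority/CN=$CN CA"
  # 4. Sign the CSR with the CA
  openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
    -passin "$PASS" -set_serial 01 -out server.crt 2>/dev/null
  # 5. Strip the passphrase so the key loads when the server runs as a service
  #    (OpenSSL 3 writes PKCS#8; add -traditional if the server needs BEGIN RSA PRIVATE KEY)
  openssl rsa -in server.key -passin "$PASS" -out server.key.insecure 2>/dev/null
  mv server.key server.key.secure                 # cmd.exe equivalent: move
  mv server.key.insecure server.key
  chmod 600 server.key server.key.secure ca.key   # on Windows: restrict the NTFS ACL
}

# Checks worth running before restarting the service; returns 1 on the first failure.
verify_chain() {
  # server.crt must chain to ca.crt
  openssl verify -CAfile ca.crt server.crt >/dev/null || return 1
  # the stripped key must be the one the certificate was issued for (same modulus)
  [ "$(openssl x509 -noout -modulus -in server.crt)" = \
    "$(openssl rsa -noout -modulus -in server.key)" ] || return 1
  # the certificate's CN must be the hostname browsers will connect to
  openssl x509 -noout -subject -in server.crt | grep -q "CN *= *$CN" || return 1
  # server.key must now load without a passphrase; the backup must still need one
  grep -q ENCRYPTED server.key.secure || return 1
  ! grep -q ENCRYPTED server.key
}

make_certs
verify_chain
echo "certificates in $WORK verified"
```

Copy server.key and server.crt into the /certs directory only after verify_chain succeeds; the ca.key stays off the web server.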
IMPORTANT: Install the ssl.conf File
You will need to download and install the ssl.conf file to tell the web server that it should run in SSL mode. You can download the file from the following location:
http://files.serverscheck.net/conf/ssl.conf
The file should be installed in the /conf subdirectory of your main ServersCheck directory.
Verify your Configuration
Make sure that the ServersCheck Configuration service is not running. Go to the command prompt and type the following command:
s-server
It will generate an output similar to the following:
C:\Program Files\ServersCheck_Monitoring>s-server
#
# ServersCheck Configuration Server
# STANDARD Edition
#
# Installed on
#
# Loading language file:
# version 7.5.0
#
#
# (c) Copyright 2003-2007 - ServersCheck BVBA
# www.serverscheck.com
#
#
#
# Sun Jul 1 12:38:19 2007 Reading conf file completed
# Env:C:\WINDOWS
# Enabling HTTPS (SSL) Server
# Configuration server ready, serving on port "1272"...
#
#
If you see the message "Enabling HTTPS (SSL) Server", SSL mode is active. From now on the web server accepts HTTPS connections only; plain http:// URLs will no longer work. The new URL will be https://localhost:1272