-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathStep2a-Prep.html
126 lines (126 loc) · 9.04 KB
/
Step2a-Prep.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
<!doctype html>
<html lang="en" prefix="og: http://ogp.me/ns#">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="description" content="Securing Apache - Fedora/RedHat Step2a - Creating and Securing the Apache Key/Certificate Store">
<meta name="keywords" content="Apache, Security, SSL, TLS, Certificate, Fedora, RedHat, SUSE, CentOS, Elliptical Curves, RSA, Encryption, Key, Certificate Authority, CA, Diffie-Helman, DH, Perfect Forward Secrecy, PFS">
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<meta name="author" content="Kevin Dziekonski" />
<meta name="generator" content="The Dead's Script O' Rama" />
<meta name="application-name" content="Zombie Security" />
<meta http-equiv="Content-Type" content="text/html" />
<meta name="robots" content="index, follow" />
<meta name="googlebot" content="index, follow" />
<meta name="copyright" content="Zombie materials are subject to copyrights" />
<meta property="og:title" content="Free Best Practice Security Guides" />
<meta property="og:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:secure_url" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:type" content="image/jpg" />
<meta property="og:image:alt" content="Zombie Security – Free Best Practice Security Guides" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://zombiesecured.com" />
<meta property="og:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="og:site_name" content="Zombie Secured" />
<meta property="twitter:card" content="summary" />
<meta property="twitter:site" content="https://zombiesecured.com " />
<meta property="twitter:site.id" content="@zombiesecured" />
<meta property="twitter:creator" content="@kevindziekonski" />
<meta property="twitter:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="twitter:title" content="Zombiesecured Free Educational Best Practices Security Guides" />
<meta property="twitter:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="twitter:image.alt" content="Free security education and best practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
<meta name="msapplication-TileColor" content="#D83434" />
<meta name="msapplication-TileImage" content="https://zombiesecured.com/images/favicon.jpg" />
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-touch-fullscreen" content="yes">
<link rel="apple-touch-icon" href="https://zombiesecured.com/images/favicon.png" />
<link rel="canonical" href="https://zombiesecured.com/" />
<title>Step 2a - Create & Secure Apache Key/Cert Store (Fedora/Redhat)</title>
</head>
<body>
<div class="container-fluid">
<!-- Add the common header to display the main menu. -->
<div id="header"></div>
<div class="row">
<!-- This section is the side menu section -->
<div class="col-md-2">
<div id="apacheFedoraSideMenu"></div>
</div>
<!-- This section is the content section -->
<div class="col-md-10">
<div class="card border-dark mb-3 mt-3">
<div class="card-header d-flex align-items-center justify-content-center">
<!-- This is the content header start. Add text here for the content banner text. -->
<h4>Securing Apache - Fedora/CentOS/SUSE/RedHat</h4>
</div>
<div class="card-body">
<!-- This section is the content section. Add the bulk HTML here -->
<h3>Step 2a - Creating and Securing the Apache Key/Certificate Store</h3>
<h4 class="mt-3">Change to the Apache Directory</h4>
<pre>cd /etc/httpd/</pre>
<h4>Create the SSL Directory</h4>
<pre>mkdir ssl </pre>
<h4>Change permissions on the SSL Directory</h4>
<pre>chmod 644 ssl/</pre>
<h4>Copy the Keys to the SSL directory</h4>
<pre>cp /etc/pki/tls/private/*.key /etc/httpd/ssl</pre>
<h4>Change permissions on the Keys</h4>
<pre>chmod 640 ssl/*.key </pre>
<h4>Copy the Certificates to the SSL directory</h4>
<p class="card-text orange">Do not forget to move the www_EXAMPLE_com.crt & EXAMPLE_com_CA.crt to the directory if you have a CA Signed Certificate</p>
<pre>cp /etc/pki/tls/private/*.crt /etc/httpd/ssl</pre>
<h4>Change permissions on the Certificates</h4>
<pre>chmod 644 ssl/*.crt </pre>
<h4>Generating Diffie-Hellman (DH) and Elliptic Curve Parameters</h4>
<p>With Forward Secrecy, if an attacker gets a hold of the server's private key, it will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a Man in the Middle attack (MiTM). <br>
<br>
<span class="orange"><em>BTW - This procedure will take some time. Generating the DH Parameters puts a HUGE load on the server, so keep this in mind!</em></span></p>
<h4>Change to the Apache SSL directory</h4>
<pre>cd /etc/httpd/ssl</pre>
<h4>Generate the DH Params file<span class="red"> (Mandatory Step - Takes a long time to generate)</span></h4>
<p class="card-text orange">If you have time, we recommend using 8192 instead of 4096 bit in the command below.</p>
<pre>openssl dhparam -out dhparam.pem 4096</pre>
<h4>Set permissions on the DH PEM file<span class="red"> (Mandatory Step)</span></h4>
<pre>chmod 640 *.pem</pre>
<h4>Change to the OpenSSL Directory</h4>
<pre>cd /etc/pki/tls/certs</pre>
<h4>Generate the EC Params file<span class="green"> (Recommended - EC generation is quick)</span></h4>
<p>You can generate a file for each curve if you like or just the ones that are being used</p>
<pre>openssl ecparam -name prime256v1 -out prime256v1.pem</pre>
<h4>
Check the EC Param file
</h4>
<pre>openssl ecparam -in prime256v1.pem -check</pre>
<h4>Creating a private key w/ the EC Parameters file</h4>
<pre>openssl ecparam -in prime256v1.pem -genkey -noout -out prime256v1.key</pre>
<h4>Creating a private key w/o the EC Parameters file</h4>
<pre>openssl ecparam -name (prime256v1 or secp384r1 or secp521r1) -noout -out ec_key.pem -genkey</pre>
<h4>Set permissions of the EC Pem file</h4>
<pre>chmod 640 *.pem</pre>
<h4>To print out the EC Parameters to standard output</h4>
<pre>openssl ecparam -in prime256v1.pem -noout -text</pre>
<h4>List available EC Curves in OpenSSL</h4>
<pre>openssl ecparam -list_curves</pre>
<h4>Add the Params files to the SSL config </h4>
<p>You can append the DHparams you generated earlier to the end of your certificate file. The documentation for that is <a href="https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile" title="SSLCertificateFile Directive" class="link" target="_blank">here </a></p>
</div>
<!-- This is the end of the bulk content section. -->
<div class="card-footer text-secondary">
<!-- This is the card footer where the next/previous links and arrows go. The links will need to be updated for every page. -->
<a class="text-secondary float-left" href="Step2-Prep.html"><i class="fa fa-arrow-left fa-2x"></i> PREVIOUS </a> <a class="text-secondary float-right" href="Step2b-Prep.html"> NEXT <i class="fa fa-arrow-right fa-2x"></i></a> </div>
</div>
</div>
</div>
</div>
<!-- Add the common footer. -->
<div id="footer"></div>
<!-- Optional JavaScript -->
<!-- jQuery first, then Popper.js, then Bootstrap JS -->
<script src="https://code.jquery.com/jquery-3.3.1.min.js" integrity="sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" crossorigin="anonymous"></script>
<script src="/js/zombie.js"></script>
</body>
</html>