Join Sean Colins for an in-depth discussion in this video Testing your secure website, part of Understanding Secure Sockets Layer.
- In the first part of this chapter, we configured your certificate authority and a certificate, we had that certificate signed. We've done all of that work. Now let's see it in action. To get started, I want to make sure that our computer is named the way we said it would be named whenever we created it originally inside of those certificates. So let's do that with scutil. We're going to use set and the HostName parameter, and we're going to make it certs.groundswell.com. And if we type hostname, there we can see certs.groundswell.com.
So, fantastic, there we are. Again, that works because we're in a sudo session, that's S U D O, bash -s, in order to get to where you can do stuff like that. So that's been done now, and all we have to do now is configure the Apache files appropriately. So let's cd into /etc/apache2/, and let's see what we have in there. So here in the apache2 directory, you can see we have our httpd.conf file. We also have an extra folder. We're going to work with both of those, but, to begin, httpd.conf. So let's get there. I'm going to use nano.
And now that we're inside of nano, I just need to check on a couple of things. Ctrl + V in order to go down through our pages quickly. Not too much we need to worry about here. Remember, we're doing SSL. So you may be tempted to put Listen 443 in here. Don't; there's a reason. I'll show you in a moment. We want to make sure that LoadModule is loading the module for SSL, that's important. And we can see that right here. And if we can't find it right away, we can always just type SSL in here. And there's our LoadModule SSL.
If we keep hitting Ctrl + W, you can see "secure SSL and TLS connections" right here. But the Include statement's been commented out for the httpd-ssl.conf file. We need that to work, so we have to delete that comment. Very important. So we're going to hit Ctrl + O, Return, which writes that out. Ctrl + X exits. Next, we're going to cd into the extra directory, and, if we ls in there, you can see that's where all of those are. So now we're going to type nano again, and httpd-ssl.conf.
And that takes us into the httpd-ssl configuration file. This is where we're going to say Listen on 443; that's why we didn't do it in the other file. And we're not going to mess around with a lot of this stuff. In fact, I highly recommend not changing anything unless you're absolutely certain that you know why you're changing it and what the effect will be. Otherwise, you're likely to kill something. Anyway, we're looking here for the SSL certificate file, because this is the pathway to the certificate that we created, all right? So this is the certificate file, and then right below it, you can see the reference to the server's private key.
We'll need both of those in there. Now ours, right now, is located in the directory that we put it in, so I'm going to delete this pathway. And we're not using a ... well, I'm just going to type it in here. So it's /System/Library/OpenSSL, and, unfortunately, tab autocomplete inside of a command line text editor doesn't work, so I've got to be absolutely certain that I've got this pathway correct. So I will go back and forth to the Finder, just because I can.
Or I could always ... Here, let's do that. And I can just double-check my pathway there. Also, I could also do this. I could go into a different command line window. This is kind of nifty. I could cd into where I think it is, get my command tabbing, which, the tabbing through is really, really neat because it gives you the autocomplete feature. Saves you typing, but it also saves you from making typos, which is really my bigger thing because I make mistakes on typing all the time, and it really can bite you. So there's the OpenSSL portion, and groundswell portion, and, what are we doing here? Search, that's right.
So I'm going to type out that; terrific. So there's my cd. And if I do pwd, that's my working directory. I can just copy and paste this. This is really cool. So Cmd + C here. And if I come back over here, I can just come right back and Cmd + V, and there's the whole thing typed out. Much, much easier. And safer, really, when you really think about it. If I come in here and I type ls, oh, there's groundswell.pem. And that's what that is called, so that is what we're going to put in there, /groundswell.pem.
So now I have a high degree of certainty that that pathway and the name are going to be spelled and typed correctly. I really like that method for getting that accomplished. Going to do the same thing down here on the key file. We're going to cd, or actually, let's just ls, that's that, right? So we're going to cd .. in order to get back. ls again, there's that. If I cd into private, because that's where that is, and ls, there is my CA key and my groundswell key.
So here we are in our directory. If I just pwd again, I can copy and paste once again. This makes this just so much better. Slash there, and then I can just grab the name of the file that I need. It's your .key file that you're looking for. And paste it in. And even though it wraps, you see that's an awkward kind of wrap there, but that's fine. That's just the behavior of the command line text editor. It's there, it's fine. One of the reasons why the copy and paste functionality is so useful. So I just hit Ctrl + O, that writes that out, Return, and it tells you it wrote 255 lines.
Great, and we can exit. Okay; so now we've got httpd configured, both for functioning ... It knows where everything is supposed to be pointed, SSL is functioning properly, all we need to do now is start Apache. So we type apachectl start. Okay, I'm going to just type stop, and then start again, so we get a nice fresh start off of that. And we already have something in the web root. If I just show you here, we can go cd, and our web root is in the /Library/WebServer/Documents folder.
And if we ls, you can see there's just some stuff that's thrown in here by the manufacturer, this stuff, a couple of GIFs, and an index.html file, which should work. So let's just open up Safari and see if it does. I'm going to switch into here. Let's go to the Applications folder and open up Safari. Here's Safari, just a pretty standard web browser. All I need to do here is go to localhost, and okay, great. So that means that Apache's working. That's fantastic. But you don't see any locks, you don't see any evidence of SSL at all, until I type https:// and then I type localhost and SSL.
Oh, my goodness! It's working. But it's kind of not working, right, because it says, "Well, you've gone to this website with the identity localhost. Geez, this looks kind of invalid to us. Let's show the certificate." This tells us a couple of things. First thing is, we have a certificate. Yay, team, right? Awesome. So let's say what we're going to do here. It's asking us if we want to always trust certs.groundswell.com ... that looks familiar ... when connecting to localhost, right? And if we pull this down even further, we can see the details of our certificate, which is all where it's supposed to be, and that's fantastic.
And we can see our trust is, you know, using the system defaults, which is, hey, if the names don't match, don't trust, right? So this is what I was telling you before. This looks like a failure, but technically, this is a success, because here's why: certs.groundswell.com is the host name of this computer. But I have to go to localhost because DNS is not configured on this network for this to be certs.groundswell.com, right? So if I were to go to certs.groundswell.com, this would not get this signature, or this name, mismatch error, which is so common.
And here you can see it's telling us exactly that. Host name mismatch; that's all that is. But the certificate is there, the certificate is functional, and if I say, "Trust that," and hit Continue, it asks me if I want to put that certificate into my Keychain, which means it's going to be installing the certificate now. And, by the way, this is a great way to install the certificate on a master system. If you're creating a master system and you need to install a self-signed certificate on that master system before creating an image of it, in order to push that image out, this is not a bad way to get that certificate installed: by going to your server, which doesn't have to be on the same system; in fact, it's much, much better if it's on a separate system, and running it this way.
So if we just say Update Settings, there it goes. So, what do we have? We have an https with a little lock up here, which is exactly what we should be looking for. It is using an encrypted connection to localhost, we can show the certificate. Because we manually set that trust setting and you just saw me do it, we're now showing it as trusted. Here are the details of our certificate, just as we created it, with our RSA encryption and the whole nine yards. And that worked. So I'm very pleased to have been able to walk you through this, and I think that, if you follow all of these steps exactly, you'll have the same results on your systems in your environment.
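The edits walked through above (uncommenting the mod_ssl LoadModule and the httpd-ssl.conf Include in httpd.conf, keeping Listen 443 only in the SSL file, and pointing SSLCertificateFile and SSLCertificateKeyFile at the certificate and key from the CA chapter), as an added shell example that is not part of the course or of Apple's Apache package. It works on a constructed, cut-down copy of the two config files in a scratch directory, never on /etc/apache2 itself, and then checks the result the way apachectl would complain about it; the config text, the certs.groundswell.com name and the groundswell.pem/groundswell.key paths are assumptions carried over from the video.

```shell
#!/bin/sh
# Added example (not from the course): scripted version of the nano edits in
# the video, run on a constructed copy of httpd.conf and extra/httpd-ssl.conf.
# Config text, host name and certificate/key paths are assumptions.
set -eu

# write_stock_config DIR: constructed stand-ins for the stock files, holding
# only the directives that matter here. mod_ssl and the SSL include start out
# commented, which is exactly the state the video corrects.
write_stock_config() {
    mkdir -p "$1/extra" "$1/certs" "$1/private"
    cat > "$1/httpd.conf" <<'EOF'
Listen 80
#LoadModule ssl_module libexec/apache2/mod_ssl.so
LoadModule dir_module libexec/apache2/mod_dir.so
# Secure (SSL/TLS) connections
#Include /private/etc/apache2/extra/httpd-ssl.conf
EOF
    cat > "$1/extra/httpd-ssl.conf" <<'EOF'
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile "/private/etc/apache2/server.crt"
SSLCertificateKeyFile "/private/etc/apache2/server.key"
</VirtualHost>
EOF
    # empty stand-ins for the signed certificate and its private key
    : > "$1/certs/groundswell.pem"
    : > "$1/private/groundswell.key"
}

# enable_ssl_modules HTTPD_CONF: uncomment the mod_ssl LoadModule and the
# httpd-ssl.conf Include; every other line (Listen 80 included) is left alone.
enable_ssl_modules() {
    sed -e 's|^#\(LoadModule ssl_module \)|\1|' \
        -e 's|^#\(Include .*httpd-ssl\.conf\)|\1|' "$1" > "$1.new" && mv "$1.new" "$1"
}

# point_ssl_at SSL_CONF CERT KEY: rewrite the certificate and key directives
# to the files the CA chapter produced (paths are passed in, never retyped).
point_ssl_at() {
    sed -e "s|^SSLCertificateFile .*|SSLCertificateFile \"$2\"|" \
        -e "s|^SSLCertificateKeyFile .*|SSLCertificateKeyFile \"$3\"|" "$1" > "$1.new" && mv "$1.new" "$1"
}

# check_ssl_config HTTPD_CONF SSL_CONF: succeed only when mod_ssl is loaded,
# the SSL include is active, Listen 443 lives in the SSL file and is not
# repeated in httpd.conf (a duplicate Listen stops httpd from starting), and
# the certificate and key files exist. Each failure is printed.
check_ssl_config() {
    ok=0
    grep -q '^LoadModule ssl_module' "$1" || { echo "mod_ssl is not loaded"; ok=1; }
    grep -q '^Include .*httpd-ssl\.conf' "$1" || { echo "httpd-ssl.conf is not included"; ok=1; }
    grep -q '^Listen 443' "$2" || { echo "no Listen 443 in $2"; ok=1; }
    if grep -q '^Listen 443' "$1"; then echo "Listen 443 duplicated in $1"; ok=1; fi
    cert=$(sed -n 's/^SSLCertificateFile *"*\([^"]*\)"* *$/\1/p' "$2")
    key=$(sed -n 's/^SSLCertificateKeyFile *"*\([^"]*\)"* *$/\1/p' "$2")
    [ -n "$cert" ] && [ -f "$cert" ] || { echo "certificate file missing: $cert"; ok=1; }
    [ -n "$key" ] && [ -f "$key" ] || { echo "key file missing: $key"; ok=1; }
    return $ok
}

# name_matches CERT_NAME HOST: the comparison behind Safari's "host name
# mismatch". Case-insensitive; a leading "*." covers exactly one label.
name_matches() {
    n=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    h=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$n" in
        '*.'*)
            suffix=${n#\*.}
            case "$h" in
                *.$suffix) left=${h%.$suffix}
                           case "$left" in *.*) return 1 ;; *) return 0 ;; esac ;;
                *) return 1 ;;
            esac ;;
        *) [ "$n" = "$h" ] ;;
    esac
}

# Walk-through on a scratch copy, in the same order as the video.
WORK=$(mktemp -d)
write_stock_config "$WORK"
if check_ssl_config "$WORK/httpd.conf" "$WORK/extra/httpd-ssl.conf"; then
    echo "SSL already enabled"
else
    enable_ssl_modules "$WORK/httpd.conf"
    point_ssl_at "$WORK/extra/httpd-ssl.conf" "$WORK/certs/groundswell.pem" "$WORK/private/groundswell.key"
    check_ssl_config "$WORK/httpd.conf" "$WORK/extra/httpd-ssl.conf" && echo "SSL config OK under $WORK"
fi
# The certificate names certs.groundswell.com, so browsing to localhost is a
# name mismatch even though the TLS handshake itself succeeds.
name_matches certs.groundswell.com localhost || echo "host name mismatch: certificate is for certs.groundswell.com, not localhost"
```

On a real machine the same functions would be pointed at /etc/apache2/httpd.conf and /etc/apache2/extra/httpd-ssl.conf (after backing them up), followed by apachectl configtest; the name_matches check is why the video's https://localhost visit produces a warning while https://certs.groundswell.com, once DNS resolves it, would not.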
- SSL communications
- Certificate authorities
- Public key infrastructures
- Symmetric and asymmetric key pairs
- Cryptographic hash functions
- Encryption algorithms
Start now, and by the end of this course you'll have the knowledge to create SSL certificates, as well as revoke and renew them, from the command line.