Thursday, February 23, 2012

Using a certificate issued by an Active Directory Certificate Authority to secure Apache on Linux

Getting Linux servers to inter-operate with Microsoft's Active Directory can sometimes be challenging.  Finding documentation for getting those two operating systems to talk to each other can be equally challenging.  Sometimes the information that I've found has been out of date or the sources contained little typos which caused commands to fail on one system or another. 

Last weekend I was working on setting up a Linux virtual machine to serve up a Mediawiki site that will act as a knowledge base where I work.  I chose to install a Linux based Mediawiki server  because it does what I want and nothing more and it does it well.  In my case I decided to set up a CentOS 6.2 server to run Apache for me.  Secondly, by not installing another Windows server I've just saved the company I work for about $700 in licensing fees.  So why CentOS you ask?  Well I started out playing with Red Hat Linux when you could still choose "Red Neck" as your installation language and years later got my first IT job working for a local ISP that was running a mix of Red Hat and SunOS servers.  So I like to use CentOS because I know my way around it better than the other Linux distributions out there and it is maintained on an enterprise lifecycle like its upstream counterpart.  My Windows Active Directory environment is running on Windows Server 2008 R2 at the 2008 R2 forest and domain functional levels and my Certificate Authority is running on 2008 R2 as well.

Next you might ask, why do you need to use SSL for a server on your own LAN?  If you are asking people to enter a username and password on a website, then you should secure the communication between the browser and the server no matter how secure you think the network is.  It's just the right thing to do.

After putting together little bits and pieces of information from a variety of websites and a little bit of trial and error, I came up with the procedure detailed below.  While working on this, like my other projects, I kept notes on what worked and what didn't and I thought that I'd share this so that perhaps somebody else will have an easier time setting up something similar.  Let me also say that this is not the only way to accomplish this task.  There are other ways of generating your certificate request and there are other ways of generating the certificate, but these seemed the most straightforward provided that you have root access to your Linux server and Domain Administrator privileges on your Windows CA.

On the Linux server

First you need to use OpenSSL to create the keys that are used to secure traffic to your site. You will want to do this where you are going to store your private keys. On a Red Hat based system it will be '/etc/pki/tls/private'.  Once you are working in that directory type:

openssl genrsa -out site.domain.local.key 2048

This will create a 2048 bit private key and put it in the file site.domain.local.key. This private key is not encrypted so be sure to keep it in a secure location. Keeping it in '/etc/pki/tls/private' should keep it secure. Next you will need to create a certificate request file to submit to the AD CA so that it can generate your certificate.  Generate the certificate request using:

openssl req -new -key site.domain.local.key -out site.domain.local.req

This command will prompt you for information that is used by the CA when it creates the certificate.  If you've ever requested an SSL certificate before this information will be familiar to you. The most important one is the common name (CN), which is the fully qualified domain name of your site. When that command has finished you need to copy your certificate request file to a location where you can access it from the Windows Certificate Authority.

On the Windows server 

The Windows CA will not take the request as it was generated by your Linux server. It will be expecting a special certificate attribute that tells it what certificate template to use when creating the certificate. In this case we want to use the "WebServer" template, which the Windows CA will use to determine the "Key Usage" attributes that it writes to the certificate. Using that template it will write "Digital Signature" and "Key Encipherment (a0)", which is the intended use of this certificate.  If you haven't already, you will need to add "Web Server" to the list of certificate templates that your CA uses to issue certificates, using the Certification Authority MMC. With the certificate request file available, you will need to open an elevated command prompt to make the certificate request. At the command prompt type:

certreq -attrib "CertificateTemplate:WebServer" site.domain.local.req

When prompted, save the certificate as 'site.domain.local.crt'. You can now copy that certificate back to your Linux server and place it in '/etc/pki/tls/certs' or the appropriate location for your Linux distribution.
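
The Linux-side steps above as a script, with two checks worth running before Apache is pointed at the files: that the unencrypted key is readable only by its owner, and that the certificate that came back carries the public key of your private key. This is an added example, not part of the original post; the function names are made up for illustration, the certificate is assumed to be PEM (Base64) encoded, and a self-signed certificate stands in for the one issued by the Windows CA so that the script runs offline.

```sh
#!/bin/sh
# Added example, not from the original post. "site.domain.local" follows the
# post's naming; the function names here are made up for illustration.

# Create the key and CSR in <dir> for <fqdn>. The subshell body keeps the
# umask change local; umask 077 makes the key owner-only from creation.
make_key_and_csr() (
    umask 077
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null || exit 1
    # -subj answers the interactive prompts; CN is the site's FQDN.
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.req"
)

# Succeed only if group and others have no access to the key file.
key_is_private() (
    mode=$(stat -c '%a' "$1") || exit 1
    [ "$((0$mode & 077))" -eq 0 ]
)

# Succeed only if the certificate (PEM) carries the public key of <key>.
cert_matches_key() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$2" -pubout) || exit 1
    [ "$cert_pub" = "$key_pub" ]
)

# Demo in a scratch directory. The self-signed certificate is only a stand-in
# for the one the Windows CA returns, so the check can run offline.
demo_dir=$(mktemp -d)
fqdn=site.domain.local
make_key_and_csr "$demo_dir" "$fqdn"
openssl x509 -req -in "$demo_dir/$fqdn.req" -signkey "$demo_dir/$fqdn.key" \
    -days 1 -out "$demo_dir/$fqdn.crt" 2>/dev/null
key_is_private "$demo_dir/$fqdn.key" && echo "key permissions OK"
cert_matches_key "$demo_dir/$fqdn.crt" "$demo_dir/$fqdn.key" && echo "certificate matches key"
```

On the real server, call the two check functions with the paths under '/etc/pki/tls/private' and '/etc/pki/tls/certs' instead of the scratch directory.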

Now that you have your certificate, you can go back to your Linux server and configure Apache to use SSL and to authenticate your users using Active Directory, but that is a subject for another post.

