Thursday, 25 June 2015

LINUX (Ubuntu 14.04) Selfsign CA

This post does the same job as the earlier "MS Window Selfsign CA" post, this time on Linux:

I would like to set up my own internal Certification Authority (CA) on Ubuntu 14.04, so that certificates signed by this CA can be used by Windows IIS web sites.

First, create the directories that will hold the CA certificate and its related files:

mkdir /etc/ssl/CA
mkdir /etc/ssl/newcerts

The CA needs a few additional files to operate: one to keep track of the last serial number used by the CA (each certificate must have a unique serial number) and another to record which certificates have been issued:

sh -c "echo '01' > /etc/ssl/CA/serial"
touch /etc/ssl/CA/index.txt

Edit /etc/ssl/openssl.cnf and, in the [ CA_default ] section, point the paths at the files created above: dir = /etc/ssl, database = $dir/CA/index.txt, serial = $dir/CA/serial, new_certs_dir = $dir/newcerts, certificate = $dir/certs/cacert.pem and private_key = $dir/private/cakey.pem (the last two are the locations the root certificate and key are installed to below).

Next, create the self-signed root certificate:

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650



Now install (copy) the root certificate and key:

mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/


You are now ready to start signing certificates.
First, generate the private key that will be used for the Certificate Signing Request (CSR) by running the following commands from a terminal prompt:

openssl genrsa -des3 -out pk.key 2048
openssl rsa -in pk.key -out pubk.key


Here pk.key is the private key protected by a passphrase, and pubk.key is the same private key with the passphrase removed (despite its name it is still a private key, not a public key, so protect it accordingly).

Then create the CSR by running the following command at a terminal prompt:

openssl req -new -key pubk.key -out web.csr
Your CSR will be created and it will be stored in the web.csr file.

You can now submit this CSR file to a CA for processing; the CA will use it to issue the certificate. Alternatively, you can sign this CSR yourself with the CA created above.

Please NOTE: the "Organization Name" in the CSR must match the one in the CA certificate; otherwise the signing command below fails with an error, because the default openssl.cnf policy requires that field to match.

Once you have a CSR, enter the following to generate a certificate signed by the CA:

openssl ca -in web.csr -config /etc/ssl/openssl.cnf
After entering the password for the CA key, you will be prompted to sign the certificate, and again to commit the new certificate. You should then see a fairly large amount of output related to the certificate creation. The output looked like this:


A new file /etc/ssl/newcerts/01.pem should now have been created automatically (if we re-run the signing command for further CSR files, the new .pem files are also created automatically in /etc/ssl/newcerts/, named in sequence 02.pem, 03.pem, 04.pem, ...).
Open the /etc/ssl/newcerts/01.pem file, then copy everything beginning with the line:
-----BEGIN CERTIFICATE-----

and continuing through the line:

-----END CERTIFICATE-----

to a new file named nhut.crt (an easy name to remember). The nhut.crt file would then look like this:

-----BEGIN CERTIFICATE-----

<base64-encoded certificate body>

-----END CERTIFICATE-----
We now have the certificate nhut.crt, but our purpose is to use it on a Windows IIS web site. The next step is to convert this certificate to the Windows (PKCS#12) format, which needs three files:
=> The private key : pk.key
=> The certificate file need to be converted: nhut.crt
=> The certificate file of CA: /etc/ssl/certs/cacert.pem

openssl pkcs12 -export -out window_cert.pfx -inkey pk.key -in nhut.crt -certfile cacert.pem
Alternatively, copy /etc/ssl/certs/cacert.pem to cacert.crt for further use.

(In the picture above, s.key is the same file as pk.key, and cacert.crt is the same as cacert.pem.)
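As an added example (not from the original post or the Ubuntu guide), the script below rehearses the whole procedure above non-interactively in a scratch directory: the CA layout, the [ CA_default ] paths, the root certificate, a CSR signed with openssl ca, the chain check and the PKCS#12 export. The organization "Nhut Lab", the host names and the passphrases are assumptions; policy_match in the config is what enforces the Organization Name rule noted above.

```shell
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/CA" "$WORK/newcerts" "$WORK/private" "$WORK/certs"
echo '01' > "$WORK/CA/serial"; : > "$WORK/CA/index.txt"
# Minimal openssl.cnf with the [ CA_default ] paths the post edits; policy_match forces the CSR's Organization Name to equal the CA's.
cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $WORK
database = \$dir/CA/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/CA/serial
certificate = \$dir/certs/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Self-signed root as in the post, with an assumed subject and passphrase.
openssl req -new -x509 -config "$WORK/openssl.cnf" -extensions v3_ca -days 3650 \
  -subj "/O=Nhut Lab/CN=Nhut Lab Root CA" -passout pass:ca-secret \
  -keyout "$WORK/private/cakey.pem" -out "$WORK/certs/cacert.pem" 2>/dev/null
# issue_cert ORG CN: key + CSR for CN under organization ORG, signed with "openssl ca"; succeeds only if a certificate was written.
issue_cert() {
  openssl genrsa -out "$WORK/$2.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/$2.key" \
    -subj "/O=$1/CN=$2" -out "$WORK/$2.csr"
  openssl ca -batch -config "$WORK/openssl.cnf" -passin pass:ca-secret \
    -in "$WORK/$2.csr" -out "$WORK/$2.crt" 2>/dev/null
  [ -s "$WORK/$2.crt" ]
}
# verify_and_export CN: chain check, then the post's PKCS#12 export for IIS.
verify_and_export() {
  openssl verify -CAfile "$WORK/certs/cacert.pem" "$WORK/$1.crt" >/dev/null &&
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -certfile "$WORK/certs/cacert.pem" -passout pass:export -out "$WORK/$1.pfx"
}
issue_cert "Nhut Lab" www.nhut.com
```

A CSR whose Organization Name differs from the CA's makes issue_cert return non-zero, while the accepted certificate lands in newcerts/01.pem and the serial file advances to 02.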

Enter an export password, copy window_cert.pfx to the Windows server, and import it into the computer's certificate store ("My computer").
Configure IIS for using this certificate:



The result (the host name here may be www.nhut.com or www.nhutnb.com, depending on whether the "Common Name" entered earlier was *.nhut.com or *.nhutnb.com):



Source: https://help.ubuntu.com/lts/serverguide/certificates-and-security.html

Friday, 19 June 2015

MS Window Selfsign CA

Step 1: Install the Certification Authority on the Windows server. This task is assumed to be already done.



Step 2: Request a certificate for the web server (5 pictures below)

#Request a certificate
#Advanced...
#Create and submit a request to this CA
#Fill in the information. But NOTE:

The Name field must contain the correct domain or host name if you want the site to be reached without certificate name mismatch errors.

For example, if the site that will use this certificate is accessed as www.nhutnb.com or web.nhutnb.com, put *.nhutnb.com in the Name field.
Type of Certificate Needed should be: Server Authentication...
After the CA administrator has issued the certificate, you can download it and install it on the web server.
Then check whether the installed certificate is in the correct location:




If the certificate is not in the correct location (it should be under Local Computer rather than the user account), just copy and paste it there (or use the export and then import functionality).

If the location is correct, copy *.nhutnb.com from the Personal folder to the Trusted Root Certification Authorities folder (again just copy and paste).

Now open IIS and check Server Certificates:

There it is.
Now do one more task so that the host name in the "binding" dialog becomes editable:
Reopen the MMC console, navigate to the certificate => click Properties => then fill in the "Friendly name" field as in the picture:
Once this is done, you can change the "host name" when editing the binding configuration in IIS.
Otherwise, you will get this:

Now, create the website:
Then check the result


If the client browser does not trust this certificate, it may show a warning, because the certificate is only for local use. If you do not want this warning, install the certificate on the client computer (in both the Personal and the Trusted Root Certification Authorities folders).

Friday, 1 May 2015

VSFTP Basic Configuration - More Fast-Food coming-up

Summary task: Configure VSFTPD for virtual users

Install

sudo apt-get install vsftpd


Step 1: Basic Configuration


Edit your /etc/vsftpd.conf configuration file and change the parameter:

sudo vi /etc/vsftpd.conf

# No anonymous login
anonymous_enable=NO
# Let local users login 
# If you connect from the internet with local users, you should enable TLS/SSL/FTPS 
local_enable=YES
# Write permissions 
write_enable=YES
chroot_local_user=YES
# Set to YES if the users listed in /etc/vsftpd.chroot_list should be allowed
# to move around the whole server instead of being confined to their home directory
chroot_list_enable=NO
# Useful to not write over hidden files:
force_dot_files=YES

# Hide the info about the owner (user and group) of the files.
hide_ids=YES

# Connection limit for each IP:
max_per_ip=2

# Maximum number of clients:
max_clients=20

Step 2: Create the virtual user database

Create the directory /etc/vsftpd and the user list file:

# mkdir -p /etc/vsftpd
# cd /etc/vsftpd
# sudo vi user.txt

The file user.txt has this format:

Username
password
Username
password
....
Username
password

Create the actual database file (the db_load command below is provided by the db-util package, which may need to be installed):

# cd /etc/vsftpd

# db_load -T -t hash -f user.txt vsftpd-virtual-user.db 
# chmod 600 vsftpd-virtual-user.db
# rm user.txt

Please note: we could instead create a password file with htpasswd and configure PAM to use it via the "pwdfile" module in the /etc/pam.d/vsftpd PAM file (this requires the libpam-pwdfile package). This post uses a different user/password mechanism.

Edit /etc/vsftpd.conf and add the following parameters so that virtual users can be used:

# If enabled, virtual users get the same privileges as local users, which
# grants them write access. By default virtual users get the same privileges
# as anonymous users, which tends to be more restrictive (especially in terms
# of write access).
virtual_use_local_privs=YES
write_enable=YES

# Set the name of the PAM service vsftpd will use
pam_service_name=vsftpd.virtual

# Activates virtual users
guest_enable=YES

# Automatically generate a home directory for each virtual user, based on a template.
# For example, if the home directory of the real user specified via guest_username is
# /home/virtual/$USER, and user_sub_token is set to $USER, then when virtual user vivek
# logs in, he will end up (usually chroot()'ed) in the directory /home/virtual/vivek.
# This option also takes effect if local_root contains user_sub_token.
user_sub_token=$USER

# Usually this is mapped to Apache virtual hosting docroot, so that
# Users can upload files
local_root=/home/vftp/$USER

# Chroot user and lock down to their home dirs
chroot_local_user=YES

# Hide ids from user
hide_ids=YES

Add these lines to control which users are allowed to log in over FTP:

userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.allowed_users
allow_writeable_chroot=YES

Save and close the file.

Step 3: Create a PAM File Which Uses Your New Database

The following PAM configuration authenticates users against the new database. Create /etc/pam.d/vsftpd.virtual:

# sudo vi /etc/pam.d/vsftpd.virtual

And append the following:

#%PAM-1.0
auth       required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
account    required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
session    required     pam_loginuid.so

Now create the home directories for the users as well:

# mkdir -p /home/vftp/{nhutnb,nhutnhieu}
# chown -R ftp:ftp /home/vftp

Now create /etc/vsftpd.allowed_users listing the users allowed to log in:
# sudo vi /etc/vsftpd.allowed_users

with the following content:
nhutnb
nhutnhieu

After this step, each FTP account can log in to the folder /home/vftp/<your username>. If you want an account to land in a different directory instead, run:

mount --bind /var/www/<webdir>/ /home/vftp/nhutnb/

Then, when you log in to the FTP account, the home directory points at /var/www/<webdir>; of course, set the appropriate permissions on that directory as well.
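An added example (not from the post or the vsftpd project): a shell function that turns a user.txt in the format above into the pieces the rest of this procedure needs, and rejects lists that would produce a broken database. The sample users, the scratch directories and the function name are assumptions; on a real server the database and allow list live in /etc/vsftpd and the per-user directories under /home/vftp.

```shell
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Constructed sample in the user.txt layout: odd lines are usernames, even lines passwords.
printf '%s\n' nhutnb 'pass-one' nhutnhieu 'pass-two' > "$WORK/user.txt"
# prepare_virtual_users LIST HOMEROOT CONFDIR: rejects a malformed list; otherwise creates
# HOMEROOT/<user> (what local_root=/home/vftp/$USER resolves to), writes the userlist_file
# CONFDIR/vsftpd.allowed_users so every database user is also allowed to log in, and builds
# the Berkeley DB that pam_userdb reads when db_load (package db-util) is installed.
prepare_virtual_users() {
  list=$1; homeroot=$2; confdir=$3
  # Every username needs a password line, and no line may be blank.
  n=$(grep -c '' "$list")
  [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ] || return 1
  grep -q '^$' "$list" && return 1
  users=$(awk 'NR % 2 == 1' "$list")
  # A duplicate username would silently overwrite the earlier entry in the hash database.
  [ "$(printf '%s\n' "$users" | sort | uniq -d | grep -c '')" -eq 0 ] || return 1
  mkdir -p "$homeroot" "$confdir"
  printf '%s\n' "$users" > "$confdir/vsftpd.allowed_users"
  for u in $users; do mkdir -p "$homeroot/$u"; done
  if command -v db_load >/dev/null 2>&1; then
    db_load -T -t hash -f "$list" "$confdir/vsftpd-virtual-user.db"
    chmod 600 "$confdir/vsftpd-virtual-user.db"
  fi
}
prepare_virtual_users "$WORK/user.txt" "$WORK/home/vftp" "$WORK/etc/vsftpd"
```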

Source:
https://help.ubuntu.com/community/vsftpd