Configuring A HTTPS Connection Using OpenSSL

In this tutorial, I will discuss the creation of a certification authority and the configuration of an HTTPS connection on a webserver using OpenSSL.

Prerequisites:

  1. I will use VirtualBox on Windows 10 to run the Kali Linux virtual machine.
  2. It is recommended to run an updated version of the VirtualBox software to avoid any difficulties while following the tutorial. It can be downloaded from here.

A. Creating a Certificate Authority (CA):

Fig. 01: Location of “openssl.cnf” in ssl folder in our machine

2. “openssl.cnf” is copied into the home folder of my machine as shown in Fig. 02.

Fig. 02: Copied “openssl.cnf” file in the home directory of my machine

3. I ran the following command to generate the self-signed certificate for the CA:

$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Fig. 03: Generating self-signed certificate and private key for my root CA.

4. Then I entered relevant information for the creation of root CA as shown in Fig. 04.

Fig. 04: Filling out information about my root CA

5. “ca.crt” is the public key certificate of the root CA and “ca.key” is the private key of the CA, as shown in Fig. 05. Both were created in the previous step.

Fig. 05: Certificate and private key for my CA is created named as “ca.crt” & “ca.key” respectively

B. Creating a certificate for a webserver

  1. I created a public-private key pair for my web server by executing the command given below. The key pair was stored in the “server.key” file.
$ openssl genrsa -out server.key 2048
Fig. 06: Generating key pair for my webserver stored in file “server.key”

Step 2: Generating a Certificate Signing Request (CSR):

  1. After creating the RSA key pair for my webserver, I created a Certificate Signing Request on behalf of the webserver for the already created root CA by executing the following command:
$ openssl req -new -key server.key -out server.csr -config openssl.cnf

The credentials for the root CA requested in this step should match the credentials entered while creating the root CA, or else the certificate for the webserver will not be generated. For the Common Name I give the name of my webserver, which is ‘MZJserver.com’ in my case. The command also asks for a challenge password and an optional company name, which are sent along with the CSR to the CA.

Fig. 07: Generating a Certificate Signing Request on behalf of my webserver

2. We can see that the server.csr file was successfully created, as shown in Fig. 08, as a result of executing the command mentioned in the previous step.

Fig. 08: “server.csr” is the generated CSR for my webserver

Step 3: Generating the certificate for the webserver

  1. To generate the certificate for the webserver from the already created root CA, I executed the command given below:
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

As Fig. 09 shows, when the certificate for my webserver is being created, the command asks whether the CA should sign the certificate. Once the certificate is signed by the CA, it asks whether to commit the changes; on answering yes to the commit request, the certificate database is updated.

Fig. 09: Generating the certificate for my webserver from the already created root CA

2. Fig. 10 shows the ‘server.crt’ created by the root CA for my webserver.

Fig. 10: Successfully generated certificate for my webserver named as “server.crt”

C. Configuring HTTPS on the webserver

For configuring HTTPS on my webserver by using the generated certificate I will follow the following steps:

  1. I first entered my webserver, i.e. “MZJserver.com”, in the “hosts” file of my machine, since I am hosting it on the localhost. I added the following entry to the /etc/hosts file:
127.0.0.1 MZJserver.com
Fig. 11: Adding my web server “MZJserver.com” to the hosts file of my machine

2. Next, I launched my webserver with the certificate generated in the previous step. I executed the commands given below one by one, so that the webserver is launched via the openssl s_server command as shown in Fig. 12.

$ cp server.key server.pem
$ cat server.crt >> server.pem # Combine the secret key and certificate into one file
$ openssl s_server -cert server.pem -www # Launch the webserver using server.pem
Fig. 12: Launching my webserver through openssl s_server command

3. Now I opened the Firefox browser in my Kali Linux machine and loaded my webserver’s address “https://MZJserver.com:4433/”. I was shown an error, as shown in Fig. 13, indicating that the certificate for my webserver is not from a trusted CA, as the CA’s certificate is not present in the browser’s list of trusted CA certificates.

Fig. 13: Opened my webserver through Firefox browser

4. Now I will add the certificate for my root CA in my browser’s list of accepted certificates.

5. I will go into Edit -> Preferences -> Privacy & Security -> View Certificates in my Firefox browser, as shown in Fig. 14 to Fig. 16.

Fig. 14: Selecting “Preferences” from the edit drop down menu
Fig. 15: Accessing Certificates section in Privacy & Security Menu in the Preferences tab

6. Clicking the “View Certificates…” button shown in Fig. 15 opens the “Certificate Manager” window, as shown in Fig. 16, which has different options. I will use the “Import…” button to import the certificate of my root CA into the list of accepted certificates of my browser. While importing the certificate of my root CA, I checked the option “Trust this CA to identify websites”.

Fig. 16: Clicking Import button in Certificate Manager Window after clicking View Certificates button
Fig. 17: Uploading “ca.crt” certificate of my root CA into my browser’s list of trusted certificates

7. After uploading the certificate of my CA into the Firefox browser, I viewed it via the “Certificate Manager” window, as shown in Fig. 18. The organization name and common name of the root CA are shown in Fig. 18.

Fig. 18: Certificate of my root CA is present in Certificate Manager Window with CA’s Organization & common name

8. I clicked on the common name of my root CA, i.e. “Zaeem”, as shown in Fig. 18, to view the certificate. Details of the certificate can be seen in Fig. 19 and Fig. 20.

Fig. 19: Contents of certificate of my root CA shown in the Firefox browser
Fig. 20: Contents of certificate of my root CA shown in the Firefox browser

9. I reloaded the webserver “https://MZJserver.com:4433/” in my Firefox browser. Now a clear lock sign can be seen before the web address, as shown in Fig. 21, indicating a trusted HTTPS connection. So the certificate of my root CA is now trusted by the browser. Clicking the lock sign placed before the address of my webserver also shows the organization of my root CA, as shown in Fig. 21.

Fig. 21: HTTPS connection details for my web server as shown in Firefox web browser

10. Now I can see the contents of my webserver, as shown in Fig. 22 to 24, while connected to the webserver through a trusted HTTPS connection via my Firefox browser.

Fig. 22: Contents of my web server as shown in Firefox browser
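
Sections A to C as one non-interactive script (an added example, not the author's commands): it builds a CA and a certificate for MZJserver.com, then repeats from the command line the two checks the browser makes, chain to a trusted CA and hostname match. The file lab.cnf, the function names and every subject value other than MZJserver.com are assumptions; signing uses "openssl x509 -req" in place of the tutorial's "openssl ca" so that no CA database directory is needed, and a subjectAltName entry is added that the tutorial's certificate does not set.

```shell
#!/bin/sh
# Added example. lab.cnf, the function names and the subject values are
# constructed for illustration; only MZJserver.com comes from the tutorial.

write_config() {            # $1 = working directory
    cat > "$1/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Lab CA
CN = Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
[server_ext]
subjectAltName = DNS:MZJserver.com
EOF
}

make_ca() {                 # $1 = directory, $2 = CA file prefix
    # Section A. -nodes leaves the CA key unencrypted: throwaway lab CA only.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 -config "$1/lab.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue_server_cert() {       # $1 = directory, $2 = prefix of the signing CA
    # Section B: server key pair, CSR, then signing by the CA.
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -config "$1/lab.cnf" \
        -subj "/O=Lab CA/CN=MZJserver.com" -out "$1/server.csr" &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$1/lab.cnf" \
        -extensions server_ext -out "$1/server.crt" 2>/dev/null
}

trusted_by() {              # $1 = CA certificate, $2 = server certificate, $3 = hostname
    # Section C: succeeds only if $2 chains to $1 and is valid for $3.
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

key_matches_cert() {        # $1 = private key, $2 = certificate
    # Compare the public key derived from the key file with the one in the certificate.
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Usage: d=$(mktemp -d); write_config "$d"; make_ca "$d" ca; issue_server_cert "$d" ca
#        trusted_by "$d/ca.crt" "$d/server.crt" MZJserver.com && echo trusted
```

Verifying against a CA certificate that did not sign server.crt fails in the same way the browser does in Fig. 13, and succeeds once the signing CA is the one supplied, which is what the import in steps 4 to 6 achieves.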

Conclusion:

I am a student of MS-IS (Information Security). I like to read books on life and I like writing technical documents.