Sunday, May 10, 2015

Configuring TLS/SSL on OpenBSD 5.7's httpd

This isn't so difficult - the relayd-based httpd server is not just a step in the right direction, it's a leap.  It contains 99% of the features you need with 1% of the bloat, and it "just works".  Here's a quick primer on how to get TLS/SSL operational with your own self-signed certificate.

Edit /etc/httpd.conf:

ext_addr="*"
server "default" {
        listen on $ext_addr port 80
        listen on $ext_addr tls port 443
        root "/htdocs"
        tls {
                certificate "/etc/ssl/server.crt"
                key "/etc/ssl/private/server.key"
        }
}

Then generate your own key and certificate...

# openssl genrsa -out /etc/ssl/private/server.key
Generating RSA private key, 2048 bit long modulus
.......+++
.........+++
e is 65537 (0x10001)

# openssl req -new -x509 -key /etc/ssl/private/server.key -out /etc/ssl/server.crt -days 3650

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:198.18.18.198
Email Address []:

Finally, restart httpd...

# /etc/rc.d/httpd -f restart
httpd(ok)
httpd(ok)

Naturally, your certificate won't be trusted because it was self-signed.  You can also generate a certificate signing request and send it off to your certificate authority, at which point (once you pay), they'll return a cert.  But, you get the idea!
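The three steps above (config, key and certificate, restart) as one script, added here as an example and not code from the original post. It keeps the post's file paths and self-signed setup, but also locks the private key down to its owner, checks that the certificate really was issued for that key before httpd is restarted, and validates httpd.conf with httpd -n first. The CN, certificate lifetime and the --run switch are constructed defaults, not from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: the post's key/cert steps as
# a script, with the private key locked down and the pair checked before the
# restart. Paths follow the post's httpd.conf; CN and lifetime are defaults.
set -eu

KEY="${KEY:-/etc/ssl/private/server.key}"
CRT="${CRT:-/etc/ssl/server.crt}"
CN="${CN:-198.18.18.198}"
DAYS="${DAYS:-3650}"

# Generate an RSA key and a self-signed certificate for it, non-interactively.
# The umask subshell keeps the key from ever being created world-readable.
gen_pair() {
    key="$1"; crt="$2"; cn="$3"; days="$4"
    (umask 077; openssl genrsa -out "$key" 2048 2>/dev/null)
    openssl req -new -x509 -key "$key" -out "$crt" -days "$days" \
        -subj "/CN=$cn" 2>/dev/null
    chmod 600 "$key"
    chmod 644 "$crt"
}

# Return 0 only if the certificate was issued for this private key: the PEM
# SubjectPublicKeyInfo derived from each side must be identical.
pair_matches() {
    key="$1"; crt="$2"
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Return 0 only if the key is readable by its owner alone (mode 0600 or 0400).
# GNU stat(1) takes -c, OpenBSD's stat(1) takes -f; try both.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Config-test httpd.conf (httpd -n) and restart, only where httpd(8) exists.
restart_httpd() {
    command -v httpd >/dev/null 2>&1 || {
        echo "httpd not found; skipping restart" >&2; return 1; }
    httpd -n && /etc/rc.d/httpd -f restart
}

main() {
    gen_pair "$KEY" "$CRT" "$CN" "$DAYS"
    pair_matches "$KEY" "$CRT" || { echo "certificate does not match key" >&2; exit 1; }
    key_is_private "$KEY" || { echo "key is readable by others" >&2; exit 1; }
    restart_httpd
}

# Only touch the real paths when invoked with --run, so the functions can be
# sourced or exercised against temporary files.
if [ "${1:-}" = "--run" ]; then main; fi
```

The permission check matters because httpd reads the key as root before dropping privileges, so nothing else on the box needs to read it. Note that the post puts an IP address in the Common Name; current browsers match the host against the certificate's subjectAltName rather than the CN, so a certificate meant for a real hostname should carry a SAN as well.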
