Archive for the ‘Certificate Authority’ Category
System Security Expert Job Description Template
The following hiring guide is from Toptal. Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.
System Security professionals are experts on preventing and mitigating security breaches that may arise from vulnerabilities in computer systems. This field covers a range of areas of expertise, including information security, network security, and mobile security. System Security professionals must “think like a hacker” in order to anticipate the main vectors of likely attack by malicious outsiders. They should have a keen eye for the most minute details, plus a well-rounded and in-depth knowledge of computer systems and the tools of the trade.
There is a shortage of formal training available to those who wish to go into the security field. While a formal education in computer systems is desirable, many of the best security experts are self-taught hobbyists when it comes to their familiarity with “hacking” and the techniques and vulnerabilities exploited by attackers. Since your security expert will be intimately aware of all of your system’s weakest points, it is critical that you can trust him or her.
This article provides a sample System Security Expert job description that will help you write the perfect job ad, and ensure that you find and hire the person that matches your specific criteria.
System Security Expert – Job Description and Ad Template
Company Introduction
{{Write a short and catchy paragraph about your company. Provide information about the company’s culture, perks, and benefits. Mention office hours, remote working possibilities, and anything else that makes your company interesting.}}
Job Description
We are looking for a Systems Security Expert with emphasis on {{WLAN/networks/web applications/penetration testing}}. You must be passionate about security and staying ahead of all possible threats to the system. You will be working with our development team to ensure that our network and technology stack is watertight. You will become thoroughly familiar with our architecture, helping to direct its development. You will provide regular reports of potential vulnerabilities and risk profiles. Good communication skills are critical to efficiently coordinate with our team and build a secure end product.
Responsibilities
- Actively look for security vulnerabilities in our application and network, reporting issues and describing possible solutions.
- Design and maintain our security infrastructure.
- Stay up to date with security news, keeping an eye out for the latest vulnerabilities and remedies emerging in the field.
- Actively liaise with the development team to ensure a secure architecture.
- Actively liaise with the development team to ensure thorough automated testing of all source code (e.g., via Test-Driven Development).
- Provide regular reports auditing our current services and latest changes, as well as our internal practices.
- Monitor our server traffic, ticketing and reporting unusual packets.
- {{Add other responsibilities here that are relevant.}}
Skills and Qualifications
- {{Relevant education in Computer Science or Computer Engineering.}}
- {{Relevant certification, such as CCNA or OWSE.}}
- Thorough understanding of potential attack vectors such as XSS, injection, hijacking, social engineering, and so on.
- Thorough understanding of cryptographic primitives and their underlying principles.
- Sound command of {{your application’s environment}} and the command line.
- Thorough understanding of networking protocols, such as TCP/IP.
- Thorough understanding of HTTP and HTTPS, as well as their underlying implementations.
- Thorough understanding of Content Delivery Networks and their integration into applications.
- Basic programming proficiency, sufficient to write and execute scripts from the command line.
- Active in the security community. Regularly attends meetups or conferences.
- Contributes to open source projects, or creates purpose built tools for security work.
- Working understanding of Agile Development processes.
- Excellent communication skills. Ability to translate complex ideas into simple solutions on paper.
- {{Include any framework, library, or any other technology related to your development stack.}}
Hardening guide for Tomcat 8 on RedHat 6.5 (64bit edition)
This document explains the process of installation, configuration and hardening of Tomcat 8.x server, based on RedHat 6.5 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the BEAST attack and the CRIME attack.
Some of the features explained in this document are supported by only some of the Internet browsers:
- TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (disabled by default, must be enabled manually), Firefox 24.0 (disabled by default, must be enabled manually), Chrome 30, Opera 17, Safari 5.0
- Installation phase
- Login to the server using Root account.
- Create a new account:
groupadd tomcat
useradd -g tomcat -d /home/tomcat -s /bin/sh tomcat
- Download the latest JDK8 for Linux from:
http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
- Upgrade to the latest build of Oracle JDK:
rpm -Uvh /tmp/jdk-8u45-linux-x64.rpm
- Delete the JDK8 source files:
rm -rf /tmp/jdk-8u45-linux-x64.rpm
rm -rf /usr/java/jdk1.8.0_45/src.zip
- Download the latest Tomcat 8 source files:
cd /opt
wget http://apache.spd.co.il/tomcat/tomcat-8/v8.0.21/bin/apache-tomcat-8.0.21.tar.gz
- Extract Tomcat source files:
tar zxf /opt/apache-tomcat-8.0.21.tar.gz -C /opt
- Rename the Tomcat folder:
mv /opt/apache-tomcat-8.0.21 /opt/tomcat
- Remove default content:
rm -rf /opt/apache-tomcat-8.0.21.tar.gz
rm -rf /opt/tomcat/webapps/docs
rm -rf /opt/tomcat/webapps/examples
rm -rf /opt/tomcat/webapps/ROOT/RELEASE-NOTES.txt
rm -rf /opt/tomcat/webapps/host-manager
rm -rf /opt/tomcat/webapps/manager
rm -rf /opt/tomcat/work/Catalina/localhost/docs
rm -rf /opt/tomcat/work/Catalina/localhost/examples
rm -rf /opt/tomcat/work/Catalina/localhost/host-manager
rm -rf /opt/tomcat/work/Catalina/localhost/manager
- Change folder ownership and permissions:
chown -R tomcat.tomcat /opt/tomcat
chmod g-w,o-rwx /opt/tomcat
chmod g-w,o-rwx /opt/tomcat/conf
chmod o-rwx /opt/tomcat/logs
chmod o-rwx /opt/tomcat/temp
chmod g-w,o-rwx /opt/tomcat/bin
chmod g-w,o-rwx /opt/tomcat/webapps
chmod 770 /opt/tomcat/conf/catalina.policy
chmod g-w,o-rwx /opt/tomcat/conf/catalina.properties
chmod g-w,o-rwx /opt/tomcat/conf/context.xml
chmod g-w,o-rwx /opt/tomcat/conf/logging.properties
chmod g-w,o-rwx /opt/tomcat/conf/server.xml
chmod g-w,o-rwx /opt/tomcat/conf/tomcat-users.xml
chmod g-w,o-rwx /opt/tomcat/conf/web.xml
- Move to the folder /opt/tomcat/lib
cd /opt/tomcat/lib
- Extract the file catalina.jar
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
- Edit using VI, the file /opt/tomcat/lib/org/apache/catalina/util/ServerInfo.properties
Replace the string below from:
server.info=Apache Tomcat/8.0.21
To:
server.info=Secure Web server
Replace the string below from:
server.number=8.0.21.0
To:
server.number=1.0.0.0
Replace the string below from:
server.built=Mar 23 2015 14:11:21 UTC
To:
server.built=Jan 01 2000 00:00:00 UTC
- Move to the folder /opt/tomcat/lib
cd /opt/tomcat/lib
- Repackage the file catalina.jar
jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
- Remove the folder below:
rm -rf /opt/tomcat/lib/org
- Edit using VI, the file /opt/tomcat/conf/server.xml and make the following changes:
Replace the:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
To:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
xpoweredBy="false"
allowTrace="false"
redirectPort="8443" />
Replace the:
<Server port="8005" shutdown="SHUTDOWN">
To:
<Server port="-1" shutdown="SHUTDOWN">
Replace the:
autoDeploy="true"
To:
autoDeploy="false"
- Create using VI, the file error.jsp inside the application directory (example: /opt/tomcat/webapps/ROOT/error.jsp) with the following content:
<html>
<head>
<title>404-Page Not Found</title>
</head>
<body> The requested URL was not found on this server. </body>
</html>
- Edit using VI, the file /opt/tomcat/conf/web.xml and add the following sections, before the end of the “web-app” tag:
<error-page>
<error-code>400</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>401</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>405</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>408</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>410</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>411</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>412</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>413</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/error.jsp</location>
</error-page>
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HTMLManager and Manager command</web-resource-name>
<url-pattern>/jmxproxy/*</url-pattern>
<url-pattern>/html/*</url-pattern>
<url-pattern>/list</url-pattern>
<url-pattern>/sessions</url-pattern>
<url-pattern>/start</url-pattern>
<url-pattern>/stop</url-pattern>
<url-pattern>/install</url-pattern>
<url-pattern>/remove</url-pattern>
<url-pattern>/deploy</url-pattern>
<url-pattern>/undeploy</url-pattern>
<url-pattern>/reload</url-pattern>
<url-pattern>/save</url-pattern>
<url-pattern>/serverinfo</url-pattern>
<url-pattern>/status/*</url-pattern>
<url-pattern>/roles</url-pattern>
<url-pattern>/resources</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
- Create using VI, the file /etc/init.d/tomcat, with the following content:
#!/bin/bash
# description: Tomcat Start Stop Restart
# processname: tomcat
# chkconfig: 234 20 80
# Update JAVA_HOME according to the installed JDK build.
JAVA_HOME=/usr/java/jdk1.8.0_45
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
# Directory holding Tomcat's startup.sh and shutdown.sh scripts
CATALINA_BIN=/opt/tomcat/bin
# Run the scripts as the unprivileged tomcat user; JAVA_HOME is inherited
case "$1" in
start)
/bin/su tomcat -c "$CATALINA_BIN/startup.sh"
;;
stop)
/bin/su tomcat -c "$CATALINA_BIN/shutdown.sh"
;;
restart)
/bin/su tomcat -c "$CATALINA_BIN/shutdown.sh"
/bin/su tomcat -c "$CATALINA_BIN/startup.sh"
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
exit 0
Note: Update the “JAVA_HOME” path according to the installed JDK build.
- Change the permission on the tomcat script:
chmod 755 /etc/init.d/tomcat
- To start Tomcat service at server start-up, run the command:
chkconfig tomcat on
- To manually start the Tomcat service, use the command:
service tomcat start
- Configure IPTables:
service iptables stop
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- Allow SSH access from the internal segment (e.g., 10.0.0.0/8):
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
Note: Replace 10.0.0.0/8 with the internal segment and subnet mask.
- Allow HTTP (Port 8080TCP) access from the Internet on the public interface (e.g., eth0):
iptables -A INPUT -m state --state NEW -p tcp --dport 8080 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
- Save the IPTables settings:
service iptables save
- SSL Configuration Phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /opt/tomcat/ssl
chown -R tomcat:tomcat /opt/tomcat/ssl
chmod -R 755 /opt/tomcat/ssl
- Run the command below to generate a key store:
/usr/java/jdk1.8.0_45/bin/keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -validity 1095 -alias "FQDN_Name"
Note 1: The command above should be written as one line.
Note 2: Replace ComplexPassword with your own complex password.
Note 3: Replace “FQDN_Name” with the server DNS name.
- Run the command below to generate a CSR (certificate request):
/usr/java/jdk1.8.0_45/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -alias "FQDN_Name"
Note 1: The command above should be written as one line.
Note 2: Replace ComplexPassword with your own complex password.
Note 3: Replace “FQDN_Name” with the server DNS name.
- Send the file /tmp/tomcat.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (include those two lines) into notepad, and save the file as “server.crt”
- Copy the file “server.crt” using SCP into /opt/tomcat/ssl
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /opt/tomcat/ssl
- Run the command below to import the trusted root CA chain into the key store (under its own alias, separate from the server key pair):
/usr/java/jdk1.8.0_45/bin/keytool -import -alias root -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/ca-bundle.crt
Note 1: The command above should be written as one line.
Note 2: Replace ComplexPassword with your own complex password.
Note 3: The alias must differ from the one used for the key pair; keytool treats an import under an existing key-pair alias as a certificate reply for that key, and a CA chain imported that way fails.
- Run the command below to import the signed certificate into the key store, under the same alias as the key pair, so that keytool installs it as the certificate reply for that key:
/usr/java/jdk1.8.0_45/bin/keytool -import -alias "FQDN_Name" -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/server.crt
Note 1: The command above should be written as one line.
Note 2: Replace ComplexPassword with your own complex password.
Note 3: Replace “FQDN_Name” with the server DNS name (the alias used when the key store was generated).
- Stop the Tomcat service:
service tomcat stop
- Edit using VI, the file /opt/tomcat/conf/server.xml and add the section below:
<Connector port="8443"
protocol="HTTP/1.1"
maxThreads="150"
xpoweredBy="false"
allowTrace="false"
SSLEnabled="true"
scheme="https"
secure="true"
keystoreFile="/opt/tomcat/ssl/server.key"
keystorePass="ComplexPassword"
keyAlias="FQDN_Name"
clientAuth="false"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
Note 1: Replace ComplexPassword with your own complex password.
Note 2: Replace “FQDN_Name” with the server DNS name.
- Edit using VI, the file /opt/tomcat/conf/web.xml and add the following section, before the end of the “web-app” tag:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<description>
Constrain the user data transport for the whole application
</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Note: A user-data-constraint element is only valid inside a security-constraint; the /* pattern applies the CONFIDENTIAL guarantee (HTTPS) to every URL of the application.
- Edit using VI, the file /opt/tomcat/conf/context.xml and add the following attribute inside the Context tag (attribute names are case-sensitive):
useHttpOnly="true"
- Allow HTTPS (Port 8443TCP) access from the Internet on the public interface (e.g., eth0):
iptables -A INPUT -m state --state NEW -p tcp --dport 8443 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
- Save the IPTables settings:
service iptables save
- To manually start the Tomcat service, use the command:
service tomcat start
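As a check on the server.xml edits made in the installation and SSL phases above, the following Python audit script (added here, not part of the original guide) parses a server.xml and reports which of the guide's settings are missing: the shutdown port, autoDeploy, xpoweredBy, allowTrace, and the protocol and cipher list of the HTTPS connector. The two embedded server.xml samples are constructed, one in the stock Tomcat 8 layout and one after the guide's edits.

```python
"""Audit a Tomcat server.xml for the hardening settings applied in this guide."""
import xml.etree.ElementTree as ET

# Constructed sample: the stock Tomcat 8 layout before any of the edits above.
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>"""

# Constructed sample: the same file after the installation and SSL phases.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               xpoweredBy="false"
               allowTrace="false"
               redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" maxThreads="150"
               xpoweredBy="false" allowTrace="false"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/tomcat/ssl/server.key"
               keystorePass="ComplexPassword" keyAlias="FQDN_Name"
               clientAuth="false"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>
</Server>"""

# Cipher-suite name fragments that should never appear in a hardened list
# ("_DES_" matches single DES but not the 3DES suites the guide keeps).
WEAK_SUITE_MARKERS = ("NULL", "RC4", "EXPORT", "anon", "_MD5", "_DES_")


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every setting is in place."""
    findings = []
    server = ET.fromstring(xml_text)
    # The shutdown listener accepts a plaintext SHUTDOWN command on its port;
    # port="-1" disables it, which is what the guide sets.
    if server.get("port") != "-1":
        findings.append("Server: shutdown listener on port %s is enabled"
                        % server.get("port"))
    for conn in server.iter("Connector"):
        label = "Connector %s" % conn.get("port")
        # Both attributes default to false in Tomcat 8; the guide pins them anyway,
        # so only an explicit "true" is a finding.
        if conn.get("xpoweredBy", "false").lower() != "false":
            findings.append(label + ": X-Powered-By header enabled")
        if conn.get("allowTrace", "false").lower() != "false":
            findings.append(label + ": HTTP TRACE method allowed")
        if conn.get("SSLEnabled", "false").lower() == "true":
            findings.extend(_audit_tls(label, conn))
    for host in server.iter("Host"):
        # autoDeploy (default true) lets anything dropped into webapps/ go live.
        if host.get("autoDeploy", "true").lower() != "false":
            findings.append("Host %s: autoDeploy enabled" % host.get("name"))
    return findings


def _audit_tls(label, conn):
    """Check the protocol list and cipher list of one HTTPS connector."""
    findings = []
    protocols = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")
                 if p.strip()]
    for proto in protocols:
        if proto.upper().startswith("SSL"):
            findings.append("%s: legacy protocol %s enabled" % (label, proto))
    if "TLSv1.2" not in protocols:
        findings.append(label + ": TLSv1.2 not enabled")
    if not conn.get("ciphers"):
        findings.append(label + ": no explicit cipher list (JVM defaults apply)")
    for suite in conn.get("ciphers", "").split(","):
        if any(marker in suite for marker in WEAK_SUITE_MARKERS):
            findings.append("%s: weak cipher suite %s" % (label, suite.strip()))
    return findings


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        result = audit_server_xml(text)
        print("%s: %s" % (name, "OK" if not result else "; ".join(result)))
```

Run it against /opt/tomcat/conf/server.xml by reading the file and passing its contents to audit_server_xml(); the sample run prints two findings for the stock file and OK for the hardened one.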
Windows 2012 R2 Certification Authority installation guide
This step-by-step guide explains how to install and configure public key infrastructure, based on:
- Windows 2012 R2 Server core – offline Root CA
- Windows 2012 R2 domain controller
- Windows 2012 R2 standard edition – Subordinate Enterprise CA server
Offline Root CA – OS installation phase
- Boot the server using Windows 2012 R2 bootable DVD.
- From the installation option, choose “Windows Server 2012 R2 Standard (Server Core Installation)” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom: Install Windows Only (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To login to the server for the first time, press CTRL+ALT+DELETE
- Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “2” to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
- Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> Choose “A” to download and install all updates -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
sconfig.cmd
- In-case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> Press OK.
- Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
- Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK
- Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
powershell
- Run the commands below to enable remote management of the Root CA:
Enable-NetFirewallRule -DisplayGroup "Remote Service Management"
Note: The above command should be written in single line.
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Offline Root CA – Certificate Authority server installation phase
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
powershell
- Run the command below to create CA policy file:
notepad c:\windows\capolicy.inf
- Specify the following data inside the capolicy.inf file:
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
[PolicyStatementExtension]
Policies=LegalPolicy
[LegalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://www/CertEnroll/cps.asp
- Run the commands below to install Certification Authority using Powershell:
Import-Module ServerManager
Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Note: The above command should be written in single line.
- Run the command below to install the Root CA:
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -KeyLength 4096 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 20 -CACommonName <CA_Server_Name> -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"
Note 1: The above command should be written in single line.
Note 2: Replace “CA_Server_Name” with the Root CA NetBIOS name.
- Run the command below to remove all default CRL Distribution Point (CDP):
$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
Note: The above command should be written in single line.
- Run the commands below to configure new CRL Distribution Point (CDP):
Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl -PublishToServer -Force
Note: The above command should be written in single line.
Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8.crl -AddToCertificateCDP -Force
Note: The above command should be written in single line.
- Run the command below to remove all default Authority Information Access (AIA):
$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};
Note: The above command should be written in single line.
- Run the command below to configure new Authority Information Access (AIA):
Add-CAAuthorityInformationAccess -AddToCertificateAia -uri http://www/CertEnroll/%1_%3.crt
Note: The above command should be written in single line.
- Run the commands below to configure the Root CA settings:
certutil.exe -setreg CA\CRLPeriodUnits 26
certutil.exe -setreg CA\CRLPeriod "Weeks"
certutil.exe -setreg CA\CRLDeltaPeriodUnits 0
certutil.exe -setreg CA\CRLDeltaPeriod "Days"
certutil.exe -setreg CA\CRLOverlapPeriodUnits 12
certutil.exe -setreg CA\CRLOverlapPeriod "Hours"
certutil.exe -setreg CA\ValidityPeriodUnits 20
certutil.exe -setreg CA\ValidityPeriod "Years"
certutil.exe -setreg CA\KeySize 4096
certutil.exe -setreg CA\AuditFilter 127
- Run the commands below from the command line, to configure the Offline Root CA to publish in the Active Directory:
certutil.exe -setreg ca\DSConfigDN "CN=Configuration, DC=mycompany,DC=com"
Note 1: The above command should be written in single line.
Note 2: Replace “DC=mycompany,DC=com” according to your domain name.
certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
Note: Replace “DC=mycompany,DC=com” according to your domain name.
- Run the command below to restart the CertSvc service so that the new settings take effect:
Restart-Service certsvc
- Run the command below to publish new CRL’s:
certutil.exe -CRL
Enterprise Subordinate CA – OS installation phase
Prerequisites:
- Active Directory (Forest functional level – Windows 2012 R2)
- Add “A” record for the Root CA to the Active Directory DNS.
- Boot the server using Windows 2012 R2 bootable DVD.
- From the installation option, choose “Windows Server 2012 R2 Standard (Server with a GUI)” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom: Install Windows Only (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To login to the server for the first time, press CTRL+ALT+DELETE
- Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
- From the “Welcome to Server Manager”, click on “Configure this local server” -> replace the “Computer name” -> restart the server.
- From the “Welcome to Server Manager”, click on “Configure this local server” -> click on Ethernet -> right click on the network interface -> properties -> configure static IP address.
- Enable “Remote Desktop”
- From the command prompt window, run the command below:
powershell
- Run the command below to enable remote management of the Subordinate CA:
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Enterprise Subordinate CA – Certificate Authority server installation phase
Prerequisites:
- DNS CNAME record named “www” for the Enterprise Subordinate CA.
- Make sure the clocks of the Offline Root CA and the Subordinate CA are synchronized.
- To login to the server, press CTRL+ALT+DELETE -> specify the credentials of an account that is a member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
- Copy the files below from the Offline Root CA server to a temporary folder on the subordinate CA:
C:\Windows\System32\CertSrv\CertEnroll\*.crt
C:\Windows\System32\CertSrv\CertEnroll\*.crl
- Run the command below to publish the Root CA in the Active Directory:
certutil.exe -dspublish -f "<CACertFileName.crt>" RootCA
Note: Replace “CACertFileName” with the actual CRT file.
- Run the commands below to add the Root CA certificate and CRL to the subordinate CA certificate store:
certutil.exe -addstore -f root "<CACertFileName.crt>"
certutil.exe -addstore -f root "<CACertFileName.crl>"
Note: Replace “CACertFileName” with the actual CRT and CRL file names.
- From the command prompt window, run the command below:
powershell
- Run the command below to create CA policy file:
notepad c:\windows\capolicy.inf
- Specify the following data inside the capolicy.inf file:
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
- Run the commands below to install Certification Authority using Powershell:
Import-Module ServerManager
Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Note: The above command should be written in single line.
Add-WindowsFeature Web-Mgmt-Console
Add-WindowsFeature Adcs-Web-Enrollment
- Open Server Manager -> From the “Welcome to Server Manager”, click on notification icon -> click on “Configure Active Directory Certificate Services on the destination server”
- Specify credentials and click on Next.
- Select both “Certification Authority” and “Certification Authority Web Enrollment” roles and click on Next.
- Select “Enterprise CA” -> click on Next.
- Select “Subordinate CA” -> click on Next.
- Select “Create a new private key” -> click on Next.
- Cryptography:
Cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider
Key length: 2048
Hash algorithm: SHA256
- CA Name:
Common name: specify here the subordinate server NetBIOS name
Distinguished name suffix: leave the default domain settings
- Select “Save a certificate request to file on the target machine” -> click Next
- Specify the database location and click Next.
- Click on Configure -> wait until the process completes and click on Close.
Note: If asked, choose not to configure additional role services.
- Copy the request file (*.req) to the Offline Root CA.
- Login to the Offline Root CA using an administrative account.
- Run the command below to submit the subordinate CA certificate request:
certreq -submit "<CACertFileName>.req"
Note: Replace “CACertFileName” with the actual request file.
- Run the command below to approve the subordinate CA request:
certutil -resubmit 2
Note: Replace “2” with the request ID.
- Run the command below to download the new certificate:
certreq -retrieve 2 "C:\<CACertFileName>.cer"
Note 1: Replace “CACertFileName” with the actual CER file.
Note 2: Replace “2” with the request ID.
- Log off the Root CA and power it off for up to 179 days (for CRL update).
- Return to the Subordinate CA.
- Copy the file “c:\<CACertFileName>.cer” from the Offline Root CA to the Subordinate CA.
Note: Replace “CACertFileName” with the actual CER file.
- Run the commands below to complete the Subordinate CA installation process:
powershell
Certutil -installcert "<CACertFileName>.cer"
Note: Replace “CACertFileName” with the actual CER file.
- Run the command below to start the CA service:
start-service certsvc
- Run the command below to remove all default CRL Distribution Point (CDP):
$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
Note: The above command should be written in single line.
- Run the commands below to configure new CRL Distribution Point (CDP):
Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
Note: The above command should be written in single line.
Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8%9.crl -AddToCertificateCDP -Force
Note: The above command should be written in single line.
Add-CACRLDistributionPoint -Uri file://\\<SubordinateCA_DNS_Name>\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
Note 1: The above command should be written in single line.
Note 2: Replace “<SubordinateCA_DNS_Name>” with the actual Subordinate CA DNS name.
- Run the command below to remove all default Authority Information Access (AIA):
$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};
Note: The above command should be written in single line.
- Run the commands below to configure new Authority Information Access (AIA):
Add-CAAuthorityInformationAccess -AddToCertificateAia http://www/CertEnroll/%1_%3%4.crt -Force
Note: The above command should be written in single line.
Add-CAAuthorityInformationAccess -AddToCertificateAia "ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
Note: The above command should be written in single line.
Add-CAAuthorityInformationAccess -AddToCertificateOcsp http://www/ocsp -Force
Note: The above command should be written in single line.
- Run the commands below to configure the Subordinate CA settings:
Certutil -setreg CA\CRLPeriodUnits 2
Certutil -setreg CA\CRLPeriod "Weeks"
Certutil -setreg CA\CRLDeltaPeriodUnits 1
Certutil -setreg CA\CRLDeltaPeriod "Days"
Certutil -setreg CA\CRLOverlapPeriodUnits 12
Certutil -setreg CA\CRLOverlapPeriod "Hours"
Certutil -setreg CA\ValidityPeriodUnits 5
Certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\AuditFilter 127
certutil -setreg CA\EncryptionCSP\CNGEncryptionAlgorithm AES
certutil -setreg CA\EncryptionCSP\SymmetricKeySize 256
certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Note 1: Each of the above commands should be written in single line.
Note 2: EDITF_ATTRIBUTESUBJECTALTNAME2 lets any requester add an arbitrary Subject Alternative Name to a request, so anyone allowed to enroll for a template can obtain a certificate in another identity's name. Set it only if your applications need it, and restrict the Enroll permission on every template accordingly.
- Run the command below to restart the CertSvc service so that the new settings take effect:
Restart-Service certsvc
- Run the command below to publish new CRL’s:
certutil.exe -CRL
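The %1, %3, %4, %6, %7, %8, %9 and %11 tokens in the CDP and AIA commands above (both the Root CA and the Subordinate CA steps) are AD CS substitution variables that the CA expands when it writes CRL files and encodes extension URLs. The following Python helper, added here and not part of the original guide or of any Microsoft tool, expands a template the same way, so you can see in advance which file names the CA will publish and what the extensions in issued certificates will contain. The CA names, host names and domain are constructed, and the helper assumes a CA name short and plain enough that CATruncatedName (%7) equals CaName (%3).

```python
"""Expand the %n placeholders used in AD CS CDP/AIA URL templates.

Hypothetical helper written for this page. It mirrors the substitution
variables AD CS documents for CDP/AIA extension URLs; the CA name is assumed
short and without special characters so that %7 equals %3.
"""
import re
from dataclasses import dataclass


@dataclass
class CAIdentity:
    server_dns: str       # %1 ServerDNSName
    ca_name: str          # %3 CaName
    config_dn: str        # %6 ConfigurationContainer (CN=Configuration,DC=...)
    cert_index: int = 0   # grows on every CA certificate renewal (%4)
    key_index: int = 0    # grows only when a renewal used a new key (%8)

    @property
    def server_short(self):
        """%2 ServerShortName: the host name without the DNS suffix."""
        return self.server_dns.split(".")[0]


def _suffix(index):
    """AD CS appends nothing for index 0 and "(n)" after the n-th renewal."""
    return "" if index == 0 else "(%d)" % index


def expand(template, ca, delta=False):
    """Substitute the %n variables of one CDP or AIA URL template.

    delta=True yields the name used for the delta CRL (%9 becomes "+").
    """
    values = {
        "1": ca.server_dns,
        "2": ca.server_short,
        "3": ca.ca_name,
        "4": _suffix(ca.cert_index),        # CertificateName
        "6": ca.config_dn,                  # ConfigurationContainer
        "7": ca.ca_name,                    # CATruncatedName (assumed equal to %3)
        "8": _suffix(ca.key_index),         # CRLNameSuffix
        "9": "+" if delta else "",          # DeltaCRLAllowed
        "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
        "11": "?cACertificate?base?objectClass=certificationAuthority",
    }

    def repl(match):
        number = match.group(1)
        if number not in values:
            raise ValueError("unsupported variable %%%s in %r" % (number, template))
        return values[number]

    # Digits are taken greedily, so %10 and %11 are not confused with %1.
    return re.sub(r"%(\d+)", repl, template)


def published_crl_names(template, ca, delta_enabled):
    """File names the CA writes for a CDP template with -PublishToServer."""
    names = [expand(template, ca)]
    if delta_enabled:
        names.append(expand(template, ca, delta=True))
    return names


if __name__ == "__main__":
    # Constructed identities matching the guide's layout: an offline root and
    # an enterprise subordinate publishing through the "www" alias.
    root = CAIdentity("rootca.mycompany.com", "MyRootCA",
                      "CN=Configuration,DC=mycompany,DC=com")
    sub = CAIdentity("subca.mycompany.com", "MySubCA",
                     "CN=Configuration,DC=mycompany,DC=com")
    print(published_crl_names("http://www/CertEnroll/%3%8.crl", root, False))
    print(published_crl_names("http://www/CertEnroll/%3%8%9.crl", sub, True))
    print(expand("http://www/CertEnroll/%1_%3%4.crt", sub))
    print(expand("ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11", sub))
```

The Root CA template has no %9 because CRLDeltaPeriodUnits is 0 there, while the Subordinate CA publishes both MySubCA.crl and MySubCA+.crl; after a renewal with a new key both %4 and %8 become "(1)", which is why the templates carry them.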
- Copy the files below from the Root CA to the subordinate CA (same location):
C:\Windows\System32\CertSrv\CertEnroll\*.crl
C:\Windows\System32\CertSrv\CertEnroll\*.crt
- Create CPS (Certificate Practice Statement), save it as “cps.asp” inside the subordinate CA under the folder below:
C:\Windows\System32\CertSrv\CertEnroll
Note: For more information about Certificate Practice Statement, see:
http://technet.microsoft.com/en-us/library/cc780454(v=ws.10).aspx - Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins.
- Open Server Manager -> Tools -> Active Directory Users and Computers.
- From the left pane, expand the domain name -> choose an OU and create the following groups:
Group name: CA Admins
Group description/purpose: Manage CA server
Group name: CA Issuers
Group description/purpose: Issue certificates
- Logoff the domain controller.
- Login to the Subordinate CA using an administrative account that is also a member of the “CA Admins” group.
- Open Server Manager -> Tools -> Certification Authority.
- From the left pane, right click on the CA server name -> Properties -> Security tab -> Add -> add the “CA Admins” group -> grant the permissions “Issue and Manage Certificates” and “Manage CA” and remove all other permissions -> click on OK.
Note: As a best practice, it is recommended to remove the default permissions of “Domain Admins” and “Enterprise Admins”.
- From the left pane, expand the CA server name -> right click on Certificate Templates -> Manage -> from the main pane, right click on the “User” certificate template -> Duplicate Template -> General tab -> rename the template to “Custom User Certificate” -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permissions “Read”, “Enroll” and “Autoenroll” -> click on OK.
- From the main pane, right click on “Web Server” certificate -> Duplicate Template -> General tab -> rename the template to “Custom Web Server Certificate” -> Request Handling tab -> select “Allow private key to be exported” -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permission “Read” and “Enroll” -> remove the permissions for the built-in Administrator account -> click on OK.
Note: All computer accounts requesting the “Custom Web Server Certificate” certificate must be members of the “CA Issuers” group.
- From the main pane, right click on the “OCSP Response Signing” certificate template -> Duplicate Template -> General tab -> rename the template to “Custom OCSP Response Signing” -> Security tab -> add the subordinate CA computer account -> grant “Read”, “Enroll” and “Autoenroll” -> click OK.
- From the main pane, right click on “Web Server” certificate -> Properties -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permission “Read” and “Enroll” -> click OK
- Close the Certificate Templates Console.
- From the Certification Authority console left pane, right click on Certificate Templates -> New -> Certificate Template to issue -> select the following certificate templates:
“Web Server”
“Custom User Certificate”
“Custom Web Server Certificate”
“Custom OCSP Response Signing”
- Click OK.
- Close the Certification Authority console.
- Open Server Manager -> Manage -> Add Roles and Features -> click Next 3 times -> expand “Active Directory Certificate Services” -> select “Online Responder” -> click on Add Features -> click Next twice -> click on Install -> click on Close
- From the upper pane, click on notification icon -> click on “Configure Active Directory Certificate Services on the destination server”
- Specify credentials and click on Next.
- Select “Online Responder” -> click Next -> click on Configure -> click Close.
- From the left pane, right click on “Online Responder” -> Responder Properties -> Audit tab -> select “Changes to the Online Responder configuration”, “Changes to the Online Responder security settings” and “Requests submitted to the Online Responder” -> click OK -> close the “Online Responder Configuration” console.
- Open Server Manager -> Tools -> Local Security Policy -> from the left pane, expand “Advanced Audit Policies” -> expand “System Audit Policies – Local Group Policy Object” -> click on Object Access -> from the main pane, double click on “Audit Certification Services” -> select “Configure the following audit events” -> select both Success and Failure -> click OK -> close the Local Security policy console.
- Run from command line:
certutil -CRL
- Run from command line:
certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK
Note: The above command should be written in a single line.
- Run the commands below to restart the CertSvc service:
powershell
Restart-Service certsvc
- Open Server Manager -> Tools -> Online Responder Management.
- From the left pane, right click on “Revocation Configuration” -> Add revocation configuration -> click Next -> on the name field, specify “Custom Revocation Configuration” -> click Next -> select “Select a certificate for an Existing enterprise CA” -> click Next -> click Browse -> select the subordinate CA -> click OK -> Automatically select a signing certificate -> click Next -> click Finish
- Close the Online Responder Management console
- Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins.
- Copy the files below from the subordinate CA server to a temporary folder on the domain controller:
C:\Windows\System32\CertSrv\CertEnroll\*.crt
Note: Copy the newest files.
- Open Server Manager -> Tools -> Group Policy Management.
- From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA server -> click Open -> click Next twice -> click Finish -> click OK.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Subordinate CA server -> click Open -> click Next twice -> click Finish -> click OK.
- From the main pane, right click on the certificate name -> Properties -> OCSP tab -> inside the empty “Add URL” field, specify:
http://www/ocsp
Click on Add URL -> Click OK.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> click on “Public Key Policies” -> from the main pane, right click on “Certificate Services Client – Certificate Enrollment Policy” -> Properties -> change the “Configuration Model” to “Enabled” and click OK.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> click on “Public Key Policies” -> from the main pane, right click on “Certificate Services Client – Auto-Enrollment” -> Properties -> change the “Configuration Model” to “Enabled” -> select “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates” -> click OK.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Administrative Templates” -> expand “Windows Components” -> expand “Internet Explorer” -> expand “Internet Control Panel” -> expand “Security Page” -> double click on “Site to zone assignment list” -> click on “Enabled” -> under Options, click on “Show” -> inside “Value name”, specify the Subordinate CA DNS name -> inside “Value”, specify 2 -> click OK twice.
- Close the “Group Policy Management”.
- Logoff the domain controller.
- Login to the Subordinate CA using administrative account.
- Open Server Manager -> Tools -> Internet Information Services (IIS) Manager.
- From the left pane, expand the server name -> expand Sites -> click on “Default Web Site” -> from the right pane, click on “Bindings” -> click on Add -> from the Type, select HTTPS -> under “SSL Certificate”, select the Subordinate CA certificate -> click OK -> click on Close.
- From the left pane, expand “Default Web Site” -> click on “CertSrv” -> from the main pane, double click on “Request Filtering” -> click Edit Feature Settings -> select “Allow Double Escaping” -> click OK
- From the main pane, double click on “SSL Settings” -> select “Require SSL” -> click on Apply.
- Close the Internet Information Services (IIS) Manager console.
- Run PKIVIEW.msc to make sure the entire PKI structure is fully functional.
- Logoff the Subordinate CA.
Hardening guide for NGINX 1.5.8 on RedHat 6.4 (64bit edition)
This document explains the process of installing, configuring and hardening an NGINX server from source files, based on a CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the BEAST and CRIME attacks.
Some of the features explained in this document are supported by only some Internet browsers:
- X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
- TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (disabled by default, must be enabled manually), Firefox 24.0 (disabled by default, must be enabled manually), Chrome 30, Opera 17, Safari 5.0
- Installation Phase
- Login to the server using Root account
- Install pre-requirement packages:
yum install policycoreutils-python-* -y
yum install setools-libs-* -y
yum install libcgroup-* -y
yum install audit-libs-python-* -y
yum install libsemanage-python-* -y
yum install setools-libs-python-* -y
yum install gcc* -y
- Create a new account:
groupadd nginx
useradd -g nginx -d /dev/null -s /sbin/nologin nginx
- Upgrade the OpenSSL build:
rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
yum --enablerepo=axivo update openssl -y
- Download the OpenSSL source files:
cd /opt
wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
- Extract the OpenSSL source files:
tar zxvf /opt/openssl-1.0.1e.tar.gz -C /opt
- Remove Openssl source file:
rm -rf /opt/openssl-1.0.1e.tar.gz
- Download PCRE source file into /tmp, from:
http://sourceforge.net/projects/pcre/files/pcre/
- Compile PCRE from source file:
tar zxvf /tmp/pcre-8.34.tar.gz -C /tmp
mv /tmp/pcre-8.34 /usr/local/pcre
cd /usr/local/pcre
./configure --prefix=/usr/local/pcre
make
make install
- Remove the PCRE package:
rm -rf /tmp/pcre-8.34.tar.gz
- Download Nginx 1.5.8:
cd /tmp
wget http://nginx.org/download/nginx-1.5.8.tar.gz
- Extract the nginx-1.5.8.tar.gz file:
tar -zxvf /tmp/nginx-1.5.8.tar.gz -C /tmp
- Move to the Nginx source folder:
cd /tmp/nginx-1.5.8
- Edit using VI the file /tmp/nginx-1.5.8/src/http/ngx_http_header_filter_module.c and replace the following section, from:
static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
To:
static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
static char ngx_http_server_full_string[] = "Server: Secure Web Server" NGINX_VER CRLF;
- Run the commands below to compile the Nginx environment:
./configure --with-openssl=/opt/openssl-1.0.1e --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module --with-pcre=/usr/local/pcre
Note: The command above should be written as one line.
make
make install
- Remove the Nginx source files:
cd /
rm -rf /tmp/nginx-1.5.8
rm -f /tmp/nginx-1.5.8.tar.gz
- Remove the default content:
rm -rf /usr/local/nginx/html
- Update ownership and permissions on the Nginx folders:
chown -R root:root /usr/local/nginx
chmod 750 /usr/local/nginx/sbin/nginx
chmod -R 640 /usr/local/nginx/conf
chmod -R 770 /usr/local/nginx/logs
- Create a folder for the web content:
mkdir -p /www
- Update ownership and permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
- Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
From:
#user nobody;
To:
user nginx nginx;
From:
#error_log logs/error.log notice;
To:
error_log logs/error.log notice;
From:
server_name localhost;
To:
server_name Server_FQDN;
Note: Replace Server_FQDN with the actual server DNS name.
From:
root html;
To:
root /www;
- Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file (before the last “}” character):
## turn off nginx version number ##
server_tokens off;
## Size Limits & Buffer Overflows ##
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 2k;
## Timeouts ##
client_body_timeout 10;
client_header_timeout 10;
send_timeout 10;
- Create using VI the file /etc/init.d/nginx with the following content:
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
#              proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /usr/local/nginx/conf/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /var/run/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/local/nginx/sbin/nginx"
prog=$(basename $nginx)

NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

lockfile=/var/lock/subsys/nginx

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    configtest || return $?
    stop
    sleep 1
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    retval=$?
    echo
    return $retval
}

force_reload() {
    restart
}

configtest() {
    $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        # Only restart when the service is already running.
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac
- Change the permissions of the file /etc/init.d/nginx:
chmod +x /etc/init.d/nginx
- To start Nginx service at server start-up, run the command:
chkconfig nginx on
- To manually start the Nginx service, use the command:
/etc/init.d/nginx start
- Configure IPTables:
service iptables stop
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
Note: Replace 10.0.0.0/8 with the internal segment and subnet mask.
- Allow HTTP access from the Internet on the public interface (i.e. eth0):
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
- Save the IPTables settings:
service iptables save
- SSL Configuration Phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /usr/local/nginx/ssl
chmod 600 /usr/local/nginx/ssl
- Run the command below to generate a key pair:
/usr/bin/openssl genrsa -aes256 -out /usr/local/nginx/ssl/server-sec.key 2048
Note: Specify a complex passphrase for the private key (and document it).
- Run the command below to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -days 1095 -key /usr/local/nginx/ssl/server-sec.key -out /tmp/server.csr
Note: The command above should be written as one line.
- Send the file /tmp/server.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt”
- Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
- Combine the server certificate (server.crt) and the Root CA chain (ca-bundle.crt) into one file, server certificate first, which is the order nginx expects in ssl_certificate:
cat /usr/local/nginx/ssl/server.crt /usr/local/nginx/ssl/ca-bundle.crt > /usr/local/nginx/ssl/server.pem
Note: The command above should be written as one line.
- Remove the passphrase from the private key:
/usr/bin/openssl rsa -in /usr/local/nginx/ssl/server-sec.key -out /usr/local/nginx/ssl/server.key
Note: The command above should be written as one line.
- Remove the original “server.crt”, “server.csr” and “ca-bundle.crt” files:
rm -f /tmp/server.csr
rm -f /usr/local/nginx/ssl/server.crt
rm -f /usr/local/nginx/ssl/ca-bundle.crt
- Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section below, from:
# HTTPS server
#
#server {
#    listen 443 ssl;
#    server_name localhost;
#    ssl_certificate cert.pem;
#    ssl_certificate_key cert.key;
#    ssl_session_cache shared:SSL:1m;
#    ssl_session_timeout 5m;
#    ssl_ciphers HIGH:!aNULL:!MD5;
#    ssl_prefer_server_ciphers on;
#    location / {
#        root html;
#        index index.html index.htm;
#    }
#}
To:
# HTTPS server
#
server {
    listen 443;
    server_name Server_FQDN;
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/server.pem;
    ssl_certificate_key /usr/local/nginx/ssl/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    ssl_prefer_server_ciphers on;
    # HTTP Strict Transport Security #
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # X-Frame-Options header #
    add_header X-Frame-Options SAMEORIGIN;
    location / {
        root /www;
        index index.html index.htm;
    }
}
Note: Replace Server_FQDN with the actual server DNS name.
- Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0):
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
- Remove HTTP access from the Internet on the public interface (i.e. eth0):
iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
- Save the IPTables settings:
service iptables save
- Restart nginx:
service nginx restart
Hardening guide for Apache 2.4.6 on CentOS 6.4 (64bit edition)
This document explains the process of installing, configuring and hardening an Apache server from source files, based on a CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the BEAST and CRIME attacks.
Some of the features explained in this document are supported by only some Internet browsers:
- X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
- TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (disabled by default, must be enabled manually), Firefox 24.0 (disabled by default, must be enabled manually), Chrome 30, Opera 17, Safari 5.0
- Pre-Requirements
- policycoreutils-python-* package installed
- setools-libs-* package installed
- libcgroup-* package installed
- audit-libs-python-* package installed
- libsemanage-python-* package installed
- setools-libs-python-* package installed
- gcc* package installed
- gcc-c++* package installed
- autoconf* package installed
- automake* package installed
- Installation Phase
- Login to the server using Root account
- Upgrade the OpenSSL build:
rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
yum --enablerepo=axivo update openssl -y
- Download the Apache source file into /tmp, from:
http://httpd.apache.org/download.cgi
- Download the APR and APR-Util source files into /tmp, from:
https://apr.apache.org/download.cgi
- Download the PCRE source file into /tmp, from:
http://sourceforge.net/projects/pcre/files/pcre/
- Compile PCRE from the source file:
tar zxvf /tmp/pcre-8.33.tar.gz -C /tmp
mv /tmp/pcre-8.33 /usr/local/pcre
cd /usr/local/pcre
./configure --prefix=/usr/local/pcre
make
make install
- Extract Apache source files:
cd /tmp
tar zxvf httpd-2.4.6.tar.gz
cd httpd-2.4.6/srclib/
tar zxvf ../../apr-1.4.8.tar.gz
ln -s apr-1.4.8/ apr
tar zxvf ../../apr-util-1.5.2.tar.gz
ln -s apr-util-1.5.2/ apr-util
- Compile the Apache from source files:
cd /tmp/httpd-2.4.6
./configure --prefix=/opt/httpd --with-included-apr --enable-so --enable-ssl --with-ssl=/opt/openssl-1.0.1e --enable-ssl-staticlib-deps --enable-mods-static=ssl --with-pcre=/usr/local/pcre
make
make install
- Remove the source files:
rm -rf /tmp/apr-1.4.8.tar.gz
rm -rf /tmp/apr-util-1.5.2.tar.gz
rm -rf /tmp/httpd-2.4.6.tar.gz
rm -rf /tmp/httpd-2.4.6
rm -rf /tmp/pcre-8.33.tar.gz
- Remove Default Content:
rm -rf /opt/httpd/cgi-bin
rm -rf /opt/httpd/htdocs
rm -rf /opt/httpd/icons
rm -rf /opt/httpd/man
rm -rf /opt/httpd/manual
rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf
rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf.in
rm -rf /opt/httpd/conf/extra/httpd-dav.conf
rm -rf /opt/httpd/conf/extra/httpd-dav.conf.in
rm -rf /opt/httpd/conf/extra/httpd-default.conf
rm -rf /opt/httpd/conf/extra/httpd-default.conf.in
rm -rf /opt/httpd/conf/extra/httpd-info.conf
rm -rf /opt/httpd/conf/extra/httpd-info.conf.in
rm -rf /opt/httpd/conf/extra/httpd-languages.conf
rm -rf /opt/httpd/conf/extra/httpd-languages.conf.in
rm -rf /opt/httpd/conf/extra/httpd-manual.conf
rm -rf /opt/httpd/conf/extra/httpd-manual.conf.in
rm -rf /opt/httpd/conf/extra/httpd-mpm.conf
rm -rf /opt/httpd/conf/extra/httpd-mpm.conf.in
rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf
rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf.in
rm -rf /opt/httpd/conf/extra/httpd-userdir.conf
rm -rf /opt/httpd/conf/extra/httpd-userdir.conf.in
rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf
rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf.in
rm -rf /opt/httpd/conf/extra/proxy-html.conf
rm -rf /opt/httpd/conf/extra/proxy-html.conf.in
rm -rf /opt/httpd/conf/original
- Update ownership and permissions on the Apache folders:
chown root:root /opt/httpd/bin/apachectl
chown root:root /opt/httpd/bin/httpd
chmod 770 /opt/httpd/bin/apachectl
chmod 770 /opt/httpd/bin/httpd
chown -R root:root /opt/httpd
chmod -R go-r /opt/httpd
chown -R root:root /opt/httpd/logs
chmod -R 700 /opt/httpd/logs
- Create folder for the web content:
mkdir -p /www
- Update ownership and permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
- Fix the SELinux security context on the new web folder:
semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
restorecon -F -R -v /www
- Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
From:
LogLevel warn
To:
LogLevel notice
From:
DocumentRoot "/opt/httpd/htdocs"
To:
DocumentRoot "/www"
From:
Listen 80
To:
Listen Server_FQDN:80
Note: Replace Server_FQDN with the actual DNS name.
From:
ServerAdmin root@localhost
To:
ServerAdmin webmaster@mycompany.com
Note: Replace mycompany.com with the actual company DNS name.
From:
#ServerName www.example.com:80
To:
ServerName Server_FQDN
Note: Replace Server_FQDN with the actual DNS name.
From:
ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"
To:
# ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"
From:
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
To:
<Directory />
    Options None
    AllowOverride None
    Require all denied
    Order deny,allow
    deny from all
    <LimitExcept GET POST>
        deny from all
    </LimitExcept>
</Directory>
From:
<Directory "/opt/httpd/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
To:
<Directory "/www">
    Options None
    AllowOverride None
    Require all granted
    Order allow,deny
    Allow from all
    <LimitExcept GET POST>
        deny from all
    </LimitExcept>
</Directory>
- Comment out all lines inside the /opt/httpd/conf/httpd.conf file beginning with:
ScriptAlias
IndexOptions
AddIconByEncoding
AddIconByType
AddIcon
DefaultIcon
ReadmeName
HeaderName
IndexIgnore
LanguagePriority
ForceLanguagePriority
- Comment out the lines inside the /opt/httpd/conf/httpd.conf file below to disable default modules:
LoadModule cgi_module modules/mod_cgi.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule include_module modules/mod_include.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule env_module modules/mod_env.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule actions_module modules/mod_actions.so
- Comment out the entire <Directory “/opt/httpd/cgi-bin”> section inside the /opt/httpd/conf/httpd.conf file.
- Add the following sections to the end of the /opt/httpd/conf/httpd.conf file:
# Configure custom error message:
ErrorDocument 400 "The requested URL was not found on this server."
ErrorDocument 401 "The requested URL was not found on this server."
ErrorDocument 403 "The requested URL was not found on this server."
ErrorDocument 404 "The requested URL was not found on this server."
ErrorDocument 405 "The requested URL was not found on this server."
ErrorDocument 408 "The requested URL was not found on this server."
ErrorDocument 410 "The requested URL was not found on this server."
ErrorDocument 411 "The requested URL was not found on this server."
ErrorDocument 412 "The requested URL was not found on this server."
ErrorDocument 413 "The requested URL was not found on this server."
ErrorDocument 414 "The requested URL was not found on this server."
ErrorDocument 415 "The requested URL was not found on this server."
ErrorDocument 500 "The requested URL was not found on this server."
# Configure Server Tokens
ServerTokens Prod
# Disable Server Signature
ServerSignature Off
# Disable Tracing
TraceEnable Off
# Maximum size of the request body.
LimitRequestBody 25000
# Maximum number of request headers in a request.
LimitRequestFields 40
# Maximum size of request header lines.
LimitRequestFieldSize 4000
# Maximum size of the request line.
LimitRequestLine 4000
MaxRequestsPerChild 10000
# Configure clickjacking protection
Header always append X-Frame-Options SAMEORIGIN
- Edit using VI the file /opt/httpd/include/ap_release.h and replace the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"
From:
#define AP_SERVER_BASEPROJECT "Apache HTTP Server"
To:
#define AP_SERVER_BASEPROJECT "Secure Web Server"
From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
- Download the Apache boot script into /tmp from:
http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20131023.tar.bz2
- Extract and install the Apache boot script:
cd /tmp/
tar xvjf blfs-bootscripts-20131023.tar.bz2
cd /tmp/blfs-bootscripts-20131023
make install-httpd
- Edit using VI, the file /etc/init.d/httpd, and replace the strings below:
From:
/usr/sbin/apachectl
To:
/opt/httpd/bin/apachectl
From:
log_info_msg
To:
echo
From:
evaluate_retval
To:
#evaluate_retval
- Configure the Apache to start automatically:
chkconfig httpd on
- Configure IPTables:
service iptables stop
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
Note: Replace 10.0.0.0/8 with the internal segment and subnet mask.
- Allow HTTP access from the Internet on the public interface (i.e. eth0):
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
- Save the IPTables settings:
service iptables save
- Start the Apache daemon:
service httpd start
- SSL Configuration Phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /opt/httpd/conf/ssl
chmod 600 /opt/httpd/conf/ssl
- Run the command below to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /opt/httpd/conf/ssl/server.key 2048
Note: Specify a complex passphrase for the private key (and document it).
- Run the command below to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout /opt/httpd/conf/ssl/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
- Send the file /tmp/apache.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as /opt/httpd/conf/ssl/server.crt
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as /opt/httpd/conf/ssl/server-ca.crt (Note: The file must be PEM (base64) encoded).
- Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
From:
Listen Server_FQDN:80
To:
Listen Server_FQDN:443
Note: Replace Server_FQDN with the actual DNS name.
From:
ServerName Server_FQDN
To:
ServerName Server_FQDN:443
Note: Replace Server_FQDN with the actual DNS name.
From:
#Include conf/extra/httpd-ssl.conf
To:
Include conf/extra/httpd-ssl.conf
From:
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
To:
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
- Edit using VI the file /opt/httpd/conf/extra/httpd-ssl.conf and change the following strings:
From:
SSLCertificateFile "/opt/httpd/conf/server.crt"
To:
SSLCertificateFile /opt/httpd/conf/ssl/server.crt
From:
SSLCertificateKeyFile "/opt/httpd/conf/server.key"
To:
SSLCertificateKeyFile /opt/httpd/conf/ssl/server.key
From:
#SSLCertificateChainFile "/opt/httpd/conf/server-ca.crt"
To:
SSLCertificateChainFile /opt/httpd/conf/ssl/server-ca.crt
From:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
To:
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
From:
#SSLHonorCipherOrder on
To:
SSLHonorCipherOrder On
From:
Listen @@SSLPort@@
To:
Listen Server_FQDN:443
Note: Replace Server_FQDN with the actual DNS name.
From:
DocumentRoot "/opt/httpd/htdocs"
To:
DocumentRoot "/www"
From:
ServerName www.example.com:@@SSLPort@@
To:
#ServerName www.example.com:@@SSLPort@@
From:
ServerAdmin [email protected]
To:
ServerAdmin webmaster@mycompany.com
Note: Replace mycompany.com with the actual company DNS name.
From:
<VirtualHost _default_:@@SSLPort@@>
To:
<VirtualHost _default_:443>
- Add the following sections to the end of the /opt/httpd/conf/extra/httpd-ssl.conf file:
# Disable SSLv2
SSLProtocol ALL -SSLv2 +TLSv1 +TLSv1.1 +TLSv1.2
# Disable SSL Compression
SSLCompression Off
- Comment out the entire <Directory “/opt/httpd/cgi-bin”> section inside the /opt/httpd/conf/extra/httpd-ssl.conf file.
- Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
- Remove HTTP access from the Internet on the public interface (i.e. eth0):
iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
- Save the IPTables settings:
service iptables save
- Restart the Apache service:
service httpd restart
How to implement SSL on Resin 4.0.8
Pre-installation notes
The guide below is based on the previous guide Hardening guide for Resin Professional 4.0.8 on RHEL 5.4
- Log in to the server using the root account.
- Change permissions on the keys folder (750 rather than 640: a directory needs the execute bit before anything inside it can be opened):
chmod 750 /usr/local/resin/keys
- Run the command below to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/resin/keys/server.key 2048
Note: Specify a complex pass phrase for the private key (and document it). 1024-bit RSA keys are no longer accepted by public CAs; use 2048 bits or more.
- Run the command below to generate the CSR from that key. Use -key, not -newkey: “-newkey rsa:... -nodes -keyout server.key” would overwrite the key just created with a fresh, unencrypted one, and the pass phrase Resin is given below would then protect nothing:
/usr/bin/openssl req -new -key /usr/local/resin/keys/server.key -out /tmp/resin.csr
- Send the file /tmp/resin.csr to a Certificate Authority server.
- As soon as you receive the signed certificate from the CA via email, copy all lines from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” (including those two lines) into a text editor, and save the file as “server.crt”.
- Copy the file “server.crt” using SCP into /usr/local/resin/keys/
- Follow the link in the email from the CA to obtain the CA chain (intermediate and root certificates), and save it as “ca-bundle.crt” (Note: the file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /usr/local/resin/keys/
- Edit using VI the file /usr/local/resin/conf/resin.xml and replace the section below from:
<!-- SSL port configuration: -->
<http address="*" port="8443">
  <jsse-ssl self-signed-certificate-name="resin@localhost"/>
</http>
To:
<http address="Server_DNS_Name" port="443">
  <openssl>
    <certificate-key-file>/usr/local/resin/keys/server.key</certificate-key-file>
    <certificate-file>/usr/local/resin/keys/server.crt</certificate-file>
    <certificate-chain-file>/usr/local/resin/keys/ca-bundle.crt</certificate-chain-file>
    <password>my-password</password>
  </openssl>
</http>
Note: Replace “my-password” with the pass phrase of the “server.key” file and Server_DNS_Name with the DNS name written on the certificate. resin.xml now holds the pass phrase in clear text, so restrict it to the account Resin runs as (mode 600) and do not let it end up in backups that are less protected than the key itself.
- Restart the Resin service:
/etc/init.d/resin restart
- Back up the file /usr/local/resin/keys/server.key (it is encrypted with the pass phrase; back up the pass phrase separately).
Windows 2008 R2 Certification Authority installation guide
This step-by-step guide explains how to install and configure public key infrastructure, based on:
- Windows 2008 R2 Server core – offline Root CA
- Windows 2008 R2 domain controller
- Windows 2008 R2 enterprise edition – Subordinate Enterprise CA server
Offline Root CA – OS installation phase
- Boot the server using Windows 2008 R2 bootable DVD.
- Specify the product ID -> click Next.
- From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To log in to the server for the first time, press CTRL+ALT+DELETE.
- Choose the “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “2” to replace the computer name -> specify the new computer name -> click “Yes” to restart the server.
- To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
- Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> choose “A” to download and install all updates -> click “Yes” to restart the server.
- To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
sconfig.cmd
- In case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> press OK.
- Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
- Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK
- Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
Offline Root CA – Certificate Authority server installation phase
- To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- Install Certificate Services:
start /w ocsetup.exe CertificateServices /norestart /quiet
- To check that the installation completed, run the command:
oclist | find /i "CertificateServices"
- Download the file “setupca.vbs” from:
http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
to:
C:\Windows\System32
- Run the command below (as one line) to configure the Root CA:
cscript /nologo C:\Windows\System32\setupca.vbs /is /sn <ca_server_name> /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256
- To verify that the installation completed successfully, open with Notepad the file “_SetupCA.log” in the current working directory and make sure the last line is:
Install complete! Passed
- Run the command below to enable remote management of the Root CA:
netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
- Run the command below to stop the CertSvc service:
net stop CertSvc
- Run the command below (as one line) to limit the validity period of certificates the Root CA issues to 5 years (the unit, ValidityPeriod, defaults to Years):
reg add HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<rootca_netbios_name> /v ValidityPeriodUnits /t REG_DWORD /d 5 /f
Note: The key under Configuration\ is named after the CA common name given with /sn above, which in this guide is the server name.
- Run the command below to start the CertSvc service:
net start CertSvc
Enterprise Subordinate CA – OS installation phase
Pre-requirements:
- Active Directory (Forest functional level – Windows 2008 R2)
- Add “A” record for the Root CA to the Active Directory DNS.
- Boot the server using Windows 2008 R2 Enterprise Edition bootable DVD.
- Specify the product ID -> click Next.
- From the installation option, choose “Windows Server 2008 R2 Enterprise Edition Full installation” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To log in to the server for the first time, press CTRL+ALT+DELETE.
- Choose the “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
- From the “Initial Configuration Tasks” window, configure the following settings:
- Set time zone
- Configure networking – specify static IP address, netmask, gateway, DNS
- Provide computer name and domain – add the server to the domain
- Enable Remote Desktop
- In order to be able to remotely manage the Root CA from this server, run the command below (as one line):
cmdkey /add:<RootCA_Hostname> /user:Administrator /pass:<RootCA_Admin_Password>
Note: This stores the Root CA administrator password in the subordinate CA’s credential store. Remove it once the Root CA is taken offline: cmdkey /delete:<RootCA_Hostname>
Enterprise Subordinate CA – Certificate Authority server installation phase
Pre-requirements:
- DNS CNAME record named “wwwca” for the Enterprise Subordinate CA.
- To log in to the server, press CTRL+ALT+DELETE -> specify the credentials of an account that is a member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
- Start -> Administrative Tools -> Server Manager.
- From the left pane, right click on Roles -> Add Roles -> Next -> select “Web Server (IIS)” -> click Next twice -> select the following role services:
- Web Server
- Common HTTP Features
- Static Content
- Default Document
- Directory Browsing
- HTTP Errors
- HTTP Redirection
- Application Development
- .NET Extensibility
- ASP
- ISAPI Extensions
- Health and Diagnostics
- HTTP Logging
- Logging Tools
- Tracing
- Request Monitor
- Security
- Windows Authentication
- Client Certificate Mapping Authentication
- IIS Client Certificate Mapping Authentication
- Request Filtering
- Performance
- Static Content Compression
- Management Tools
- IIS Management Console
- IIS Management Scripts and Tools
- IIS 6 Management Compatibility
- IIS 6 Metabase Compatibility
- Click Next -> click Install -> click Close.
- From the left pane, right click on Features -> Add Features -> Next -> expand “Windows Process Activation Service” -> select “.NET Environment” and “Configuration APIs” -> select the feature “.NET Framework 3.5.1 Features” -> click Next -> click Install -> click Close.
- From the left pane, right click on Roles -> Add Roles -> Next -> select “Active Directory Certificate Services” -> click Next twice -> select the following role services:
- Certification Authority
- Certification Authority Web Enrollment
- Certificate Enrollment Policy Web Service
- Click Next.
- Configure the following settings:
- Specify Setup Type: Enterprise
- CA Type: Subordinate CA
- Private Key: Create a new private key
- Cryptography:
Cryptographic service provider (CSP): RSA#Microsoft software Key Storage Provider
Key length: 2048
Hash algorithm: SHA256
- CA Name:
Common name: specify here the subordinate server NetBIOS name
Distinguished name suffix: leave the default domain settings
- Certificate Request: Save a certificate request to file and manually send it later
- Certificate Database: leave the default settings
- Authentication Type: Windows Integrated Authentication
- Server Authentication Certificate: Choose and assign a certificate for SSL later
- Click Next twice -> click Install -> click Close.
- Close the Server Manager.
- Start -> Administrative Tools -> Certification Authority
- From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
- Right click on the RootCA server name -> Properties -> -> Extensions tab -> extension type: CRL Distribution Point (CDP):
- Uncheck “Publish Delta CRLs to this location”.
- Mark the line that begins with “LDAP”, and click Remove.
- Mark the line that begins with “HTTP”, and click Remove.
- Mark the line that begins with “file”, and click Remove.
- Click on Add -> on the location, put:
http://wwwca/CertEnroll/<RootCA_Server_Name>.crl
- Click on the line that begins with “HTTP”, and make sure the only option checked is: “Include in the CDP extension of issued certificates”.
- Click on the line that begins with “C:\Windows”, and make sure the only option checked is: “Publish CRLs to this location”.
- Extensions tab -> extension type: Authority Information Access (AIA):
- Mark the line that begins with “LDAP”, and click Remove.
- Mark the line that begins with “HTTP”, and click Remove.
- Mark the line that begins with “file”, and click Remove.
- Click on Add -> on the location, put:
http://wwwca/CertEnroll/<RootCA_Server_Name>.crt
Note: The CDP and AIA locations are plain HTTP on purpose: clients fetch them while validating a certificate, and an HTTPS location would require validating yet another certificate first. The file names must match the files actually present in the CertEnroll folder published by wwwca (the CA writes its own certificate as <ServerDNSName>_<CAName>.crt, the form the subordinate CA example below uses); otherwise clients can neither build nor revocation-check the chain.
- Click OK and allow the CA server to restart its services.
- From the “Certification Authority” left pane, right click on “Revoked certificates”-> Properties:
- CRL publication interval: 180 days
- Make sure “Publish Delta CRLs” is not checked
- Click OK
- Right click on the CA name -> All tasks -> Stop service
- Right click on the CA name -> All tasks -> Start service
- Run the commands below from the command line, to configure the Offline Root CA to publish in Active Directory:
certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=com"
certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
Note: Replace “DC=mycompany,DC=com” according to your domain name. certutil -setreg without -config changes the CA on the local machine; to change the Root CA from the subordinate server, add -config <RootCA_Hostname>\<RootCA_Name> before -setreg, or run the two commands on the Root CA itself.
- From the “Certification Authority” left pane, right click on “Revoked certificates” -> All tasks -> Publish -> click OK.
- Close the “Certification Authority” snap-in and logoff the subordinate CA server.
- Log in to a domain controller in the forest root domain, with an account that is a member of Domain Admins and Enterprise Admins.
- Copy the file below from the Offline Root CA server to a temporary folder on the domain controller:
C:\Windows\System32\CertSrv\CertEnroll\*.crt
- Start -> Administrative Tools -> Group Policy Management.
- From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA -> click Open -> click Next twice -> click Finish -> click OK.
- Logoff the domain controller.
- Return to the subordinate enterprise CA server.
- Start -> Administrative Tools -> Certification Authority.
- From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
- Right click on the RootCA server name -> All Tasks -> Submit new request -> locate the subordinate CA request file (.req) -> Open.
- Expand the RootCA server name -> right click on “Pending Requests” -> locate the subordinate CA request ID according to the date -> right click on the request -> All Tasks -> Issue.
- From the left pane, click on “Issued Certificates” -> locate the subordinate CA request ID -> right click on the request -> All Tasks -> “Export Binary Data” -> choose “Binary Certificate” -> click “Save binary data to a file” -> click OK -> specify the location and the file name <subordinate_ca_server_name_signed_certificate>.p7b -> click Save.
- Run the command below from the command line to avoid offline CRL errors:
certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
Note: This flag lets the subordinate CA start even when the Root CA’s CRL cannot be retrieved, i.e. it suppresses a revocation check rather than fixing it. Use it only until the Root CA CRL is reachable at the CDP URL configured above, then confirm the chain with certutil -verify -urlfetch against the subordinate CA certificate and consider removing the flag (certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE).
- From the left pane, right click on “Certification Authority” -> “Retarget Certification Authority” -> choose “Local computer” -> click Finish.
- Right click on the subordinate CA server name -> All Tasks -> “Install CA Certificate” -> locate the file <Subordinate_CA_Server_Name_Signed_Certificate>.p7b -> click Open.
- Right click on the subordinate CA server name -> All Tasks -> Start Service.
- Right click on the subordinate CA server name -> Properties -> -> Extensions tab -> extension type: CRL Distribution Point (CDP):
- Mark the line that begins with “HTTP” -> click Remove -> click Yes.
- Mark the line that begins with “file” -> click Remove -> click Yes.
- Click on Add -> on the location, put:
http://wwwca/CertEnroll/<subordinate_CA_Server_Name>.crl
- Click on the line that begins with “HTTP”, and make sure the following options are checked: “Include in CRLs” and “Include in the CDP extension of issued certificates”.
- Extensions tab -> extension type: Authority Information Access (AIA):
- Mark the line that begins with “HTTP” -> click Remove -> click Yes.
- Mark the line that begins with “file” -> click Remove -> click Yes.
- Click on Add -> on the location, put:
http://wwwca/CertEnroll/<Subordinate_CA_FQDN>_<Subordinate_CA_Name>.crt
- Click on the line that begins with “HTTP”, and make sure the following option is checked: “Include in the AIA extension of issued certificates”.
Example: http://wwwca/CertEnroll/MyCA.mydomain.com_MyCA.crt
- Click OK and allow the CA server to restart its services.
- From the “Certification Authority” left pane, right click on “Revoked certificates”-> All tasks -> Publish -> click OK.
- Close the “Certification Authority” snap-in
- Copy the files below from the Root CA to the subordinate CA (same location), so that wwwca serves them at the CDP and AIA URLs configured above:
C:\Windows\System32\CertSrv\CertEnroll\*.crl
C:\Windows\System32\CertSrv\CertEnroll\*.crt
Note: The Root CA is meant to stay offline. Once its CRL and certificate have been copied, disconnect it from the network and bring it back only to issue or revoke subordinate CA certificates and to publish a new CRL before the current one expires (every 180 days with the interval set above); an expired root CRL breaks revocation checking for the whole hierarchy.
- Log off the subordinate CA server.
- Log in to a domain controller in the forest root domain, with an account that is a member of Domain Admins and Enterprise Admins.
- Copy the newest .crt file below from the subordinate CA server to a temporary folder on the domain controller:
C:\Windows\System32\CertSrv\CertEnroll\*.crt
- Start -> Administrative Tools -> Group Policy Management.
- From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the subordinate CA server -> click Open -> click Next twice -> click Finish -> click OK.
- Log off the domain controller.
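Before restarting any of the web servers above, or trusting the two-tier Windows hierarchy just built, it is worth proving that the pieces fit together. The script below is an added example written for this page, not commands from the guides: key_matches_cert confirms that server.key and server.crt belong together (and that a combined bundle starts with the server certificate), chain_ok performs the validation a browser does against ca-bundle.crt and a trusted root, and crl_status runs a full revocation check and reports the missing-CRL condition that CRLF_REVCHECK_IGNORE_OFFLINE would otherwise hide on the subordinate CA. To run offline it builds its own throw-away root CA, issuing CA and server certificate with openssl; the names Demo Root CA, Demo Issuing CA and www.example.com, the 2048-bit keys, the 180-day CRL lifetime and the file layout under mktemp are constructed for the demo.

```bash
#!/bin/bash
# Added pre-flight checks, written for this page (not commands from the guides).
# The three functions take the files the guides produce: the server key and
# certificate, the CA bundle, and (for the Windows PKI) the CA certificates and
# CRLs from CertEnroll. The demo section builds a throw-away root CA, issuing CA
# and server certificate with openssl so that the script runs offline; all
# names, keys (2048 bits) and paths under mktemp are constructed for the demo.

# key_matches_cert KEY CERT -> prints "match" or "mismatch"
# Compares the public key derived from KEY with the FIRST certificate in CERT,
# so it also catches a bundle whose first entry is not the server certificate.
key_matches_cert() {
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || { echo mismatch; return 1; }
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || { echo mismatch; return 1; }
  if [ "$key_pub" = "$cert_pub" ]; then echo match; else echo mismatch; fi
}

# chain_ok TRUSTED_ROOT INTERMEDIATES CERT -> prints "ok" or "fail"
# What a browser does: CERT must chain to a trusted self-signed root through
# the intermediates (the guides' ca-bundle.crt). A missing root fails, which is
# what clients see before the root certificate is imported by group policy.
chain_ok() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# crl_status TRUSTED_ROOT INTERMEDIATES CRLS CERT -> "ok", "revoked", "no-crl" or "fail"
# Revocation check for every certificate in the chain. "no-crl" (a CA's CRL is
# not available) is exactly the condition CRLF_REVCHECK_IGNORE_OFFLINE tells the
# Windows subordinate CA to ignore; here it is reported instead.
crl_status() {
  local out
  out=$(openssl verify -crl_check_all -CAfile "$1" -untrusted "$2" -CRLfile "$3" "$4" 2>&1) || true
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *": OK"*)                          echo ok ;;
    *)                                 echo fail ;;
  esac
}

# ---- constructed demo hierarchy: root CA -> issuing CA -> server -----------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$DEMO/ca.ext"

new_key_and_csr() {   # NAME CN (demo keys are unencrypted; real ones get a pass phrase)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$DEMO/$1.key" -out "$DEMO/$1.csr" 2>/dev/null
}
new_key_and_csr root   "Demo Root CA"
new_key_and_csr sub    "Demo Issuing CA"
new_key_and_csr server "www.example.com"

openssl x509 -req -in "$DEMO/root.csr" -signkey "$DEMO/root.key" -sha256 -days 3650 \
  -extfile "$DEMO/ca.ext" -out "$DEMO/root.crt" 2>/dev/null            # self-signed root
openssl x509 -req -in "$DEMO/sub.csr" -CA "$DEMO/root.crt" -CAkey "$DEMO/root.key" \
  -CAcreateserial -sha256 -days 1825 -extfile "$DEMO/ca.ext" -out "$DEMO/sub.crt" 2>/dev/null
openssl x509 -req -in "$DEMO/server.csr" -CA "$DEMO/sub.crt" -CAkey "$DEMO/sub.key" \
  -CAcreateserial -sha256 -days 365 -out "$DEMO/server.crt" 2>/dev/null

# gen_crl NAME : publish NAME's CRL, valid 180 days like the interval set above.
# openssl ca needs a config file and an index database; both are created here.
gen_crl() {
  [ -f "$DEMO/$1.index" ] || : > "$DEMO/$1.index"
  printf '[ca]\ndefault_ca = demo\n[demo]\ndatabase = %s\ndefault_md = sha256\n' \
    "$DEMO/$1.index" > "$DEMO/$1.cnf"
  openssl ca -config "$DEMO/$1.cnf" -keyfile "$DEMO/$1.key" -cert "$DEMO/$1.crt" \
    -gencrl -crldays 180 -out "$DEMO/$1.crl" 2>/dev/null
}
all_crls() { cat "$DEMO/root.crl" "$DEMO/sub.crl" > "$DEMO/all.crl"; echo "$DEMO/all.crl"; }
# revoke_server : the issuing CA revokes the server certificate and republishes its CRL
revoke_server() {
  openssl ca -config "$DEMO/sub.cnf" -keyfile "$DEMO/sub.key" -cert "$DEMO/sub.crt" \
    -revoke "$DEMO/server.crt" 2>/dev/null && gen_crl sub
}

gen_crl root
gen_crl sub

# The checks, in the order you would run them before "service httpd restart":
key_matches_cert "$DEMO/server.key" "$DEMO/server.crt"                            # match
chain_ok "$DEMO/root.crt" "$DEMO/sub.crt" "$DEMO/server.crt"                       # ok
crl_status "$DEMO/root.crt" "$DEMO/sub.crt" "$DEMO/root.crl" "$DEMO/server.crt"    # no-crl (issuing CA CRL not published)
crl_status "$DEMO/root.crt" "$DEMO/sub.crt" "$(all_crls)"    "$DEMO/server.crt"    # ok
revoke_server
crl_status "$DEMO/root.crt" "$DEMO/sub.crt" "$(all_crls)"    "$DEMO/server.crt"    # revoked
```

For the Windows hierarchy, point the functions at the .crt and .crl files from CertEnroll after converting them from DER (openssl x509 -inform DER -in file.crt -out file.pem and openssl crl -inform DER -in file.crl -out file.pem). Against a live server, openssl s_client -connect Server_FQDN:443 -showcerts shows the chain it actually sends, which is the quickest way to notice a missing intermediate or a bundle in the wrong order.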
How to implement SSL on Nginx 0.7.65
Pre-installation notes
The guide below is based on the previous guide Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)
SSL implementation phase
- Log in to the server using the root account.
- Create a folder for the SSL certificate files (700 rather than 600: a directory needs the execute bit before anything inside it can be opened):
mkdir -p /usr/local/nginx/ssl
chmod 700 /usr/local/nginx/ssl
- Run the command below to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/nginx/ssl/server.key 2048
Note: Specify a complex pass phrase for the private key (and document it). 1024-bit RSA keys are no longer accepted by public CAs; use 2048 bits or more. nginx will ask for this pass phrase every time it starts (this version has no ssl_password_file), so restarts cannot be unattended; if that is a problem, keep an unencrypted copy of the key at mode 600, root only, for nginx and the encrypted file as the backup.
- Run the command below to generate the CSR from that key. Use -key, not -newkey: “-newkey rsa:... -nodes -keyout server.key” would overwrite the key just created with a fresh, unencrypted one:
/usr/bin/openssl req -new -key /usr/local/nginx/ssl/server.key -out /tmp/nginx.csr
- Send the file /tmp/nginx.csr to a Certificate Authority server.
- As soon as you receive the signed certificate from the CA via email, copy all lines from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” (including those two lines) into a text editor, and save the file as “server.crt”.
- Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
- Follow the link in the email from the CA to obtain the CA chain (intermediate and root certificates), and save it as “ca-bundle.crt” (Note: the file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
- Combine the server certificate (server.crt) and the CA chain (ca-bundle.crt) into one file. The order matters: nginx expects the server certificate first and the intermediates after it, and refuses to start with a “key values mismatch” error when the chain comes first:
cat /usr/local/nginx/ssl/server.crt /usr/local/nginx/ssl/ca-bundle.crt > /usr/local/nginx/ssl/server.pem
- Remove the original server.crt and ca-bundle.crt files:
rm -f /usr/local/nginx/ssl/server.crt
rm -f /usr/local/nginx/ssl/ca-bundle.crt
- Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section below from:
    # HTTPS server
    #
    #server {
    #    listen       443;
    #    server_name  localhost;
    #
    #    ssl                  on;
    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;
    #
    #    ssl_session_timeout  5m;
    #
    #    ssl_protocols  SSLv2 SSLv3 TLSv1;
    #    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    #    ssl_prefer_server_ciphers   on;
    #
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
To:
    server {
        listen       443;
        server_name  Server_FQDN;
        ssl                  on;
        ssl_certificate      /usr/local/nginx/ssl/server.pem;
        ssl_certificate_key  /usr/local/nginx/ssl/server.key;
        ssl_session_timeout  5m;
        ssl_protocols  TLSv1;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        location / {
            root   /www;
            index  index.html index.htm;
        }
    }
Note: Replace Server_FQDN with the server DNS name (as written on the certificate). The original value “ssl_protocols SSLv3;” switched TLS off altogether and left only SSLv3, which is broken (POODLE) and must not be offered; TLSv1 is the newest protocol nginx 0.7.65 knows, and on a current nginx the line should read “ssl_protocols TLSv1.2 TLSv1.3;”. “!aNULL” replaces “!ADH” because it removes every anonymous key exchange, not just anonymous DH.
- Restart the Nginx service:
/etc/init.d/nginx restart
How to implement SSL on Lighttpd 1.4.26
Pre-installation notes
The guide below is based on the previous guide Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)
SSL implementation phase
- Log in to the server using the root account.
- Create a folder for the SSL certificate files (700 rather than 600: a directory needs the execute bit before anything inside it can be opened):
mkdir -p /etc/lighttpd/ssl
chmod 700 /etc/lighttpd/ssl
- Run the command below to generate a key pair:
/usr/bin/openssl genrsa -out /etc/lighttpd/ssl/server.key 2048
Note: The key is deliberately created without a pass phrase: lighttpd has no setting for one and cannot prompt for it when it starts, so the key is protected by file permissions instead (hence the root-only folder). 1024-bit RSA keys are no longer accepted by public CAs; use 2048 bits or more.
- Run the command below to generate the CSR from that key (use -key, not -newkey, which would generate a second key over the first):
/usr/bin/openssl req -new -key /etc/lighttpd/ssl/server.key -out /tmp/lighttpd.csr
- Send the file /tmp/lighttpd.csr to a Certificate Authority server.
- As soon as you receive the signed certificate from the CA via email, copy all lines from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” (including those two lines) into a text editor, and save the file as “server.crt”.
- Copy the file “server.crt” using SCP into /etc/lighttpd/ssl/
- Combine the private key (server.key) and the certificate (server.crt) into one file, which lighttpd reads as ssl.pemfile; it contains the private key, so keep it readable by root only (mode 600):
cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pem
- Remove the original server.crt file:
rm -f /etc/lighttpd/ssl/server.crt
- Follow the link in the email from the CA to obtain the CA chain (intermediate and root certificates), and save it as “ca-bundle.crt” (Note: the file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /etc/lighttpd/ssl
- Edit using VI the file /etc/lighttpd/lighttpd.conf and add the following lines:
$SERVER["socket"] == "Server_FQDN:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle.crt"
    server.name = "Server_FQDN"
    server.document-root = "/www"
    server.errorlog = "/var/log/lighttpd/serror.log"
    accesslog.filename = "/var/log/lighttpd/saccess.log"
    ssl.use-sslv2 = "disable"
    ssl.cipher-list = "HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
}
Note: Replace Server_FQDN with the server DNS name (as written on the certificate). ssl.ca-file is what makes lighttpd send the intermediate certificates to clients. Newer 1.4.x releases also understand ssl.use-sslv3 = "disable"; set it wherever the option exists, since SSLv3 is broken (POODLE).
- Restart the Lighttpd service.
How to implement SSL on Apache 2.2.15
Pre-installation notes
The guide below is based on the previous guide
SSL implementation phase
- Log in to the server using the root account.
- Create a folder for the SSL certificate files (700 rather than 600: a directory needs the execute bit before anything inside it can be opened):
mkdir -p /usr/local/apache2/ssl
chmod 700 /usr/local/apache2/ssl
- Run the command below to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/apache2/ssl/server.key 2048
Note: Specify a complex pass phrase for the private key (and document it). 1024-bit RSA keys are no longer accepted by public CAs; use 2048 bits or more. Apache will ask for this pass phrase every time it starts (SSLPassPhraseDialog builtin), so unattended restarts need either an SSLPassPhraseDialog program or an unencrypted copy of the key kept at mode 600, with the encrypted file as the backup.
- Run the command below to generate the CSR from that key. Use -key, not -newkey: “-newkey rsa:... -nodes -keyout server.key” would overwrite the key just created with a fresh, unencrypted one:
/usr/bin/openssl req -new -key /usr/local/apache2/ssl/server.key -out /tmp/apache.csr
- Send the file /tmp/apache.csr to a Certificate Authority server.
- As soon as you receive the signed certificate from the CA via email, copy all lines from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” (including those two lines) into a text editor, and save the file as “server.crt”.
- Copy the file “server.crt” using SCP into /usr/local/apache2/ssl/
- Follow the link in the email from the CA to obtain the CA chain (intermediate and root certificates), and save it as “ca-bundle.crt” (Note: the file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /usr/local/apache2/ssl/
- Edit using VI the file /usr/local/apache2/conf/httpd.conf and add the following lines:
Listen Server_FQDN:443
<VirtualHost Server_FQDN:443>
    ServerName Server_FQDN
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!EXP:!LOW
    SSLHonorCipherOrder on
    SSLCertificateKeyFile /usr/local/apache2/ssl/server.key
    SSLCertificateFile /usr/local/apache2/ssl/server.crt
    SSLCertificateChainFile /usr/local/apache2/ssl/ca-bundle.crt
</VirtualHost>
Note: Replace Server_FQDN with the server DNS name (as written on the certificate). Three corrections to the original lines: SSLEngine on belongs inside the port-443 virtual host, because at the top level of httpd.conf it also applies to the existing Listen 80 and breaks plain HTTP; SSLCertificateChainFile, not SSLCACertificateFile, is the directive that sends the intermediate certificates to browsers (SSLCACertificateFile names the CAs trusted for client certificates); and the cipher string ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP removed nothing, since in an OpenSSL cipher string “-” only moves a cipher to the end of the list while “!” deletes it, so anonymous DH and export ciphers stayed available.
- Restart the Apache service:
/usr/local/apache2/bin/apachectl restart
- Back up the file /usr/local/apache2/ssl/server.key (it is encrypted with the pass phrase; back up the pass phrase separately).
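The key and CSR steps in the Resin, Nginx, Lighttpd and Apache guides above all share one mistake as originally written: the CSR command used -newkey with -nodes and -keyout pointing at the key just generated, which silently replaced the pass-phrase-protected key with a new, unencrypted one. The script below is an added example written for this page (not the guides' own commands) that runs both sequences side by side and checks the results the way the CA will: is the key encrypted, how large is it, does the CSR carry this key's public half, and what subject will the CA see. It also produces the unencrypted deployment copy needed by servers that cannot prompt for a pass phrase. The directory layout, the CN www.example.com and the pass phrase are constructed for the demo; in production the pass phrase is typed at the openssl prompt rather than read from a file.

```bash
#!/bin/bash
# Added example for the key and CSR steps of the Resin, Nginx, Lighttpd and
# Apache guides above (written for this page, not taken from the guides). Paths,
# the CN and the pass phrase are constructed for the demo; a production pass
# phrase is typed at the prompt, not stored in a file on the web server.

# make_key_and_csr DIR CN PASSFILE : the intended sequence. One 2048-bit key,
# encrypted with the pass phrase, and a CSR derived from that same key (-key).
make_key_and_csr() {
  local dir=$1 cn=$2 passfile=$3
  ( umask 077   # key and CSR readable by their owner only
    openssl genrsa -aes256 -passout "file:$passfile" -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -passin "file:$passfile" \
      -subj "/CN=$cn" -out "$dir/server.csr" 2>/dev/null )
}

# guides_sequence DIR CN PASSFILE : the guides' original two commands. The second
# one (-newkey ... -nodes -keyout server.key) generates ANOTHER key over the
# first, so the file ends up unencrypted and the documented pass phrase is moot.
guides_sequence() {
  local dir=$1 cn=$2 passfile=$3
  openssl genrsa -des3 -passout "file:$passfile" -out "$dir/server.key" 2048 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -subj "/CN=$cn" -out "$dir/server.csr" 2>/dev/null
}

# deployable_copy KEY PASSFILE OUT : unencrypted copy, mode 600, for a server
# that cannot ask for the pass phrase at start-up (lighttpd, unattended restarts)
deployable_copy() {
  ( umask 077; openssl rsa -in "$1" -passin "file:$2" -out "$3" 2>/dev/null )
}

# ---- checks to run before the CSR goes to the CA ----------------------------
key_is_encrypted() { if grep -q ENCRYPTED "$1"; then echo yes; else echo no; fi; }

# key_bits KEY PASSFILE : modulus size; catches a 1024-bit key before the CA does
key_bits() {
  openssl rsa -in "$1" -passin "file:$2" -noout -text 2>/dev/null |
    sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# csr_matches_key CSR KEY PASSFILE : the CSR must carry the public half of KEY
csr_matches_key() {
  local a b
  a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || a=
  b=$(openssl pkey -in "$2" -passin "file:$3" -pubout 2>/dev/null) || b=
  if [ -n "$a" ] && [ "$a" = "$b" ]; then echo match; else echo mismatch; fi
}

# csr_subject CSR : the subject exactly as the CA will see it (RFC 2253 form)
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//'
}

# ---- demo --------------------------------------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/good" "$DEMO/bad"
printf 'correct horse battery staple\n' > "$DEMO/pass.txt"   # constructed pass phrase

make_key_and_csr "$DEMO/good" www.example.com "$DEMO/pass.txt"
guides_sequence  "$DEMO/bad"  www.example.com "$DEMO/pass.txt"
deployable_copy  "$DEMO/good/server.key" "$DEMO/pass.txt" "$DEMO/good/server.nopass.key"

echo "intended sequence: encrypted=$(key_is_encrypted "$DEMO/good/server.key")" \
     "bits=$(key_bits "$DEMO/good/server.key" "$DEMO/pass.txt")" \
     "csr=$(csr_subject "$DEMO/good/server.csr")" \
     "csr_matches_key=$(csr_matches_key "$DEMO/good/server.csr" "$DEMO/good/server.key" "$DEMO/pass.txt")"
echo "guides' sequence:  encrypted=$(key_is_encrypted "$DEMO/bad/server.key")"
echo "deployable copy:   encrypted=$(key_is_encrypted "$DEMO/good/server.nopass.key")"
```

Run the checks on the real server.key and the CSR before sending it to the CA; a CSR whose public key does not match the key on disk is the usual reason a freshly issued certificate is rejected at start-up with a key mismatch error, and catching it here avoids paying for a second certificate.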