EFA Self Certification w/High Security
Mindwatering Incorporated
Tripp W Black on 10/21/2014 at 02:45 PM


Category: Linux Configuration

Task:
Recertify the E.F.A. anti-spam appliance's self-signed certificate and key. In addition, update the Apache SSL configuration so that only stronger protocols and encryption ciphers are allowed.

Solution:
1. Copy the current keys:
# sudo su -
# cp /etc/pki/tls/private/localhost.key /etc/pki/tls/private/localhost.old
# cp /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.old

2. Create the new self-signed certificate:
(Note: This will prompt you for the location information. Abbreviate the country as US. Spell out the State and City. Use the server's FQDN when you get to the Common Name / server's name.)
# openssl req -new -newkey rsa:2048 -sha256 -x509 -key /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
(Because -key names the existing localhost.key, this command issues a new certificate for that same key; OpenSSL only generates a key for -newkey when no -key is given. To generate a fresh key as well, use -keyout instead of -key. Without -days the certificate is only valid for 30 days, so add -days if you want it to last longer.)

If you want to create a signing request (CSR) instead, you can generate a new key and the request in one command (-nodes writes the key without a passphrase, which httpd needs in order to start unattended):
# openssl req -new -nodes -newkey rsa:2048 -sha256 -keyout myserver.mindwatering.com.key -out myserver.mindwatering.com.csr

3. Restart Apache (httpd) and confirm the new certificate is working:
# service httpd restart
(Open Firefox / Chrome / Safari and view the certificate details behind the browser's lock icon.)

4. Update Apache's ssl.conf with additional options:
# vi /etc/httpd/conf.d/ssl.conf

4a. Update the SSL protocol support lines:
(Add -SSLv3 and the cipher-order line below it.)
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

4b. Update the SSL cipher suites supported:
(Comment out the old SSLCipherSuite entries and add a specific list like the one below.)
# SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
(RC4 was still part of the commonly recommended lists in 2014. It has since been prohibited for TLS by RFC 7465 and current browsers refuse it, so drop the two RC4 entries, EECDH+aRSA+RC4 and RC4, when applying this list today.)

4c. Save the updated file:
<esc> --> :wq

5. Restart Apache again and check in the various web browsers which cipher the connection negotiated (shown alongside the certificate details).
# service httpd restart
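Before restarting httpd it is worth checking the edited lines for the things this note is trying to remove (SSLv3, RC4, LOW, anonymous ciphers, client-chosen cipher order). The script below is an added example, not part of the original article or the E.F.A. project: a small linter that parses the SSLProtocol, SSLHonorCipherOrder and SSLCipherSuite directives from an ssl.conf fragment and reports weak settings. It works on the directive text only (it does not expand the cipher string through OpenSSL), so an unqualified ALL is reported as a finding in its own right. The three sample configurations are constructed: the stock lines, the lines as edited in this article, and the same list with the RC4 entries removed.

```python
"""Lint Apache mod_ssl protocol and cipher directives for weak settings.

Added example (not from the original article or the EFA project). Inspects
the directive text only; it does not expand cipher strings via OpenSSL.
"""

# Protocol names mod_ssl understands; 'all' expands to this set.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Cipher-string components that enable a weak or broken algorithm unless the
# component is negated with '!'. RC4 is prohibited for TLS by RFC 7465.
WEAK_TOKENS = {"RC4", "3DES", "DES", "MD5", "EXP", "EXPORT", "LOW",
               "aNULL", "eNULL", "ADH", "SSLv2"}


def parse_directives(conf_text):
    """Yield (directive, value) pairs, skipping blank and '#' comment lines and
    removing the optional quotes Apache allows around an argument."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        yield parts[0], value


def audit_protocols(value):
    """Apply mod_ssl's [+|-]name syntax and report SSLv2/SSLv3 if still enabled."""
    enabled = set()
    for token in value.split():
        sign, name = ("+", token) if token[0] not in "+-" else (token[0], token[1:])
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= names
        else:
            enabled |= names
    return [f"{p} enabled by SSLProtocol" for p in ("SSLv2", "SSLv3") if p in enabled]


def audit_cipher_suite(value):
    """Report weak components that are enabled, i.e. neither '!'-killed nor '-'-removed."""
    findings = []
    specs = [s.strip() for s in value.split(":") if s.strip()]
    for spec in specs:
        if spec[0] in "!-":
            continue  # '!' permanently disables, '-' removes from the list
        body = spec.lstrip("+")  # a leading '+' only moves the ciphers to the end
        if body.upper() in ("ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"):
            findings.append(f"broad token {body!r} enabled; exclude each weak family with '!'")
            continue
        for component in body.split("+"):  # 'EECDH+aRSA+RC4' is an AND of components
            if component in WEAK_TOKENS:
                findings.append(f"weak cipher token {component!r} enabled via {spec!r}")
    if "!aNULL" not in specs:
        findings.append("anonymous key exchange (aNULL) not excluded")
    return findings


def audit_ssl_conf(conf_text):
    """Combine the checks for one ssl.conf (or VirtualHost) fragment; last directive wins."""
    seen = {d.lower(): v for d, v in parse_directives(conf_text)}
    findings = []
    if "sslprotocol" in seen:
        findings += audit_protocols(seen["sslprotocol"])
    else:
        findings.append("SSLProtocol not set; relying on the mod_ssl default")
    if seen.get("sslhonorcipherorder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not 'on'; the client's preference wins")
    if "sslciphersuite" in seen:
        findings += audit_cipher_suite(seen["sslciphersuite"])
    else:
        findings.append("SSLCipherSuite not set; relying on the mod_ssl default")
    return findings


# Constructed samples: the stock lines, the lines as edited in the article (2014),
# and the same list with the two RC4 entries removed.
OLD_CONF = """\
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
"""
PAGE_CONF = """\
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
"""
CLEAN_CONF = """\
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
"""

if __name__ == "__main__":
    for label, conf in (("stock", OLD_CONF), ("article", PAGE_CONF), ("no RC4", CLEAN_CONF)):
        print(f"== {label} ==")
        for finding in audit_ssl_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Run it against a copy of your own ssl.conf by reading the file into audit_ssl_conf(); an empty list means the three directives match what this note recommends. The stock lines produce findings for SSLv3, RC4, LOW, the unqualified ALL and the missing cipher order; the list from this article passes everything except the two RC4 entries.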
