This document summarizes a presentation on TLS/SSL certificates validation with Apache httpd. It covers TLS basics, client and server certificates signed by a CA like Let's Encrypt, mod_md for automating certificate renewal, OCSP stapling for revocation checking, and demos of httpd configuration for certificates. It also discusses TLS 1.3 changes, Let's Encrypt, and upcoming support for ACME v2 in mod_md and httpd.
Apache httpd and TLS/SSL certificates validation
1. APACHECON North America Sept. 9-12, 2019
Apache httpd and TLS/SSL certificates validation
Jean-Frederic Clere
2. What I will cover
● TLS and certificates/keys (clients and servers)
● Basics
● Client certificates: OCSP responder or CRL
● Server certificates
● Signed by a CA, Let’s Encrypt for example
● mod_md to automate renewal
● mod_md 2 and OCSP stapling
● Demos
● Questions?
3. Who I am
Jean-Frederic Clere
Red Hat
Years writing Java code and server software
Tomcat committer since 2001
Doing open source since 1999
Cyclist/runner, etc.
Lived 15 years in Spain (Barcelona)
Now in Neuchâtel (CH)
4. Key and Certificate
– A pair:
  ● You keep the key secret
  ● You “publish” the certificate
  ● You identify yourself in the certificate
Certificate authority
Let’s Encrypt
– How it works.
15. Let’s Encrypt!
● See Let’s Encrypt:
  – Signed certificates valid for 90 days.
  – Challenge to prove you own the host/domain:
    ● HTTP/DNS/TLS-SNI/TLS-ALPN
  – Renewal: certbot renew
  – Renewal: mod_md
  – OCSP stapling
16. Certbot config
<VirtualHost _default_:443>
    ServerName jfclere.noip.me:443
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/jfclere.noip.me/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jfclere.noip.me/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
18. mod_md
<VirtualHost _default_:443>
    ServerName jfclere.noip.me:443
    SSLEngine on
</VirtualHost>
ServerAdmin jfclere@gmail.com
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDomain jfclere.noip.me
– Note that you have to restart the server the first time; httpd logs:
The Managed Domain jfclere.noip.me has been setup and changes will be activated on next (graceful) server restart.
– SELinux: setsebool -P httpd_can_network_connect 1
19. Stapling
MDMustStaple (mod_md):
    MDMustStaple On
SSLUseStapling (mod_ssl in ssl.conf):
    SSLStaplingCache shmcb:/run/httpd/sslstapingcache(512000)
    <VirtualHost _default_:443>
        SSLUseStapling On
        ...
Check the stapled response from a client:
openssl s_client -connect jfclere.noip.me:443 -status
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Sep 3 14:28:00 2019 GMT
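The `openssl s_client -status` check from this slide, turned into a small monitoring check, as an added example that is not part of the slides or of mod_md: it classifies the stapled OCSP response so a cron job can alert when stapling stops working or the certificate shows as revoked. The sample outputs are constructed in the format openssl prints; the host name is a parameter.

```sh
#!/bin/sh
# Added example: classify the OCSP stapling status that `openssl s_client -status`
# prints, so a monitoring job can alert when stapling silently stops working.
# Verdict on stdout and exit status:
#   stapled-good (0), no-staple (1), stapled-revoked (1), stapled-error (1)
check_stapling() {
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*) echo no-staple; return 1 ;;
  esac
  case "$out" in
    *"OCSP Response Status: successful"*) ;;
    *) echo stapled-error; return 1 ;;     # e.g. tryLater, or no OCSP block at all
  esac
  case "$out" in
    *"Cert Status: good"*)    echo stapled-good; return 0 ;;
    *"Cert Status: revoked"*) echo stapled-revoked; return 1 ;;
    *)                        echo stapled-error; return 1 ;;
  esac
}

# Probe a live server. -servername sends SNI so the intended vhost answers;
# stdin is closed so s_client exits right after the handshake.
probe_stapling() {
  host=$1
  openssl s_client -connect "$host:443" -servername "$host" -status \
    </dev/null 2>/dev/null | check_stapling
}

# Constructed sample (not a real capture) in the layout openssl prints.
sample_good() {
  cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Cert Status: good
    Next Update: Sep 10 14:00:00 2019 GMT
EOF
}

# Constructed sample: TLS handshake succeeded but no stapled response was sent.
sample_none() {
  echo "OCSP response: no response sent"
}

# Usage: sh check_stapling.sh jfclere.noip.me
if [ $# -gt 0 ]; then probe_stapling "$1"; fi
```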
20. ACME V2
Not backward compatible with V1
Requires mod_md 2.x (mod_md v2.1.5, beta)
Let’s Encrypt V2 services [Test for V2 clients.]
Soon in httpd
V1 will be sunset “at some point in the future”.
21. Questions?
Thank you!
● jfclere@gmail.com
● users@httpd.apache.org
● dev@httpd.apache.org
● https://github.com/apache/httpd
● https://github.com/jfclere/AC2014scripts/blob/master/httpdssl.txt: commands for demos.