Contents
1.SSL certificate creation
1.1.1 Advance preparation for CA construction
①Pass PATH to SSL commands
It is useful to do this so that CA.sh can be used
|
1 |
# export PATH=/etc/pki/tls/misc:$PATH |
②Edit openssl.cnf
|
1 2 3 4 5 |
# vi /etc/pki/tls/openssl.cnf Find and uncomment the following # nsCertType = server → nsCertType = server # nsCertType = sslCA, emailCA → nsCertType = sslCA, emailCA |
①Create a self-signed CA certificate (cacert.pem) and a private key for the CA certificate (cakey.pem)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
# /etc/pki/CA/certs/CA -newca CA certificate filename (or enter to create) <Enter> ・・・・・・・・・・・・・・・・・・・・・・ You will be asked for your CA password. Enter PEM pass phrase: ?????? Verifying - Enter PEM pass phrase: ?????? ・・・・・・・・・・・・・・・・・・・・・・ You will be asked for certificate information. Country Name(2 letter code) [XX]: JP State or Province Name(full name) []: Kanagawa (Optional) Locality Name(eg, city) [Default City]: yokohama (Optional) Organization Name(eg, company) [Default Company Ltd]: (Optional) Organizational Unit Name(eg, section) []: (Optional) Common Name(eg, your name or your server's hostname): (Optional) Email Address: (Optional) ・・・・・・・・・・・・・・・・・・・・・・ You will be asked for the PEM pass phrase again. Enter pass phrase for /etc/pki/CA/private/./cakey.pem:?????? When it finishes, the next file will be created. /etc/pki/CA/certs/cacert.pem : Self-signed CA certificate /etc/pki/CA/certs/private/cakey.pem : Private key for CA certificate |
②The private key (cakey.pem) must never be seen by anyone else.
|
1 2 |
# chmod 600 /etc/pki/CA/certs//private/cakey.pem # chmod 700 /etc/pki/CA/certs//private/ |
③Create a ca.der file to import the CA certificate into your browser
If you do not do this, you will get a warning every time you access the site. Use the following command to encode the file into a DER format that can be imported into the browser.
|
1 |
# openssl x509 -inform PEM -outform DER -in /etc/pki/CA/cacert.pem -out /etc/pki/CA/ca.der |
Use the self-certified CA you created to issue a certificate for the desired site itself.
1.2.1 Create a private key for the server (newkey.pem)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
# /etc/pki/CA/certs/CA -newreq CA certificate filename (or enter to create) <Enter> ・・・・・・・・・・・・・・・・・・・・・・ You will be asked for the password for the server certificate. Enter PEM pass phrase: $$$$$ Verifying - Enter PEM pass phrase: $$$$$ ・・・・・・・・・・・・・・・・・・・・・・ You will be asked for certificate information. Country Name(2 letter code) [XX]: JP State or Province Name(full name) []: Kanagawa (Optional) Locality Name(eg, city) [Default City]: yokohama (Optional) Organization Name(eg, company) [Internet Widgits Pty Ltd]:(Optional) Organizational Unit Name(eg, section) []: (Optional) Common Name(eg, YOUR name) []: (Server IP address) Email Address: (Optional) ・・・・・・・・・・・・・・・・・・・・・・ When it finishes, the next file will be created. /etc/pki/CA/certs/newkey.pem |
1.2.2 Remove the password for the server private key
If you leave this password set, you will have to enter it every time you start SSL, which is a hassle, so remove it.
|
1 2 |
# openssl rsa -in /etc/pki/CA/certs/newkey.pem -out /etc/pki/CA/certs/newkey.pem Enter pass phrase for newkey.pem:$$$$$ |
1.2.3 Create a certificate for the server (newcert.pem/server.crt)
①Create newcert.pem
|
1 2 |
# /etc/pki/CA/certs/CA -sign Enter pass phrase for ./demoCA/private/cakey.pem:????? Password for CA |
②Create server.crt
|
1 |
# openssl x509 -in newcert.pem -out server.crt |
2.Install an FTP server.
We will try to install the traditional proftpd instead of the standard vsftpd on CentOS7.
2.1 Download proftpd
There are many download sites, but here are some examples
|
1 |
# wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.6.tar.gz |
2.2 Install proftpd
|
1 |
# tar zxvf proftpd-1.3.6.tar.gz |
|
1 2 3 4 5 6 |
proftpd-1.3.6]# ./configure \ --prefix=/usr/local/proftpd \ Installation directory (optional) --with-modules=mod_tls \ SSL,tls use --with-includes=/usr/include/openssl openSSL Usage Compilation and installation # make && make nstall |
2.3 Post-installation settings
①Create user groups
|
1 |
# groupadd nogroup |
②Edit the proFTPD configuration file (proftpd.conf)
The following is an example of a configuration file based on the CA settings on this page
<Limit SITE_CHMOD>
AllowAll
</Limit>
・・・・・・・・・・・
Make it impossible for Anonymous to log in.
Comment out all lines from "<Anonymous ~ftp>" to "</Anonymous>".
# <Anonymous ~ftp>
# User ftp
# Group ftp
#
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Limit WRITE>
# DenyAll
# </Limit>
#</Anonymous>
・・・・・・・・・・・・・・・・・・・・・・
FTP over SSL
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd.log
TLSProtocol SSLv23
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
TLSRequired off
TLSVerifyClient off
TLSRSACertificateFile /etc/pki/CA/certs/server.crt
TLSRSACertificateKeyFile /etc/pki/CA/certs/newkey.pem
TLSVerifyClient off
</IfModule>
