To secure our Debian box, we are going to use a firewall and an intrusion detection system called OSSEC.
We are also going to create server certificates, which we will later use to secure communication coming to and from our server (emails, passwords, ...).
First, we are going to create a private key.
root@atlantis:~#openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.............................................++++++
.............................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Now that we have a private key, we are going to create what is called a Certificate Signing Request.
root@atlantis:~#openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HR
State or Province Name (full name) [Some-State]:Grad Zagreb
Locality Name (eg, city) []:Zagreb
Organization Name (eg, company) [Internet Widgits Pty Ltd]:N/A
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:atlantis.example.com
Email Address []:email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Make sure that the Common Name matches your fully qualified domain name.
Now we need to remove the passphrase from the key. If we do not do this, the server will ask you for the passphrase every time you restart the service (Apache, Postfix or Courier).
root@atlantis:~#cp server.key server.key.org
root@atlantis:~#openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
server.key now does not contain a passphrase.
Now, we are going to create a self-signed certificate. You can change the validity period from 365 days if you like.
root@atlantis:~#openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=HR/ST=Grad Zagreb/L=Zagreb/O=N/A/CN=atlantis.example.com/emailAddress=firstname.lastname@example.org
Getting Private key
server.crt is the name of the self-signed certificate. To create a server.pem file you need to
cat server.crt server.key > server.pem
Since server.pem contains a private server key without a passphrase, you have to make sure regular users on your server cannot access these files.
You can store all of the files in one directory (here /etc/ssl/self-signed/); we will need them later.
root@atlantis:~#mv server.* /etc/ssl/self-signed/
root@atlantis:~#chown -R root:root /etc/ssl/self-signed/
root@atlantis:~#chmod 700 /etc/ssl/self-signed/
root@atlantis:~#chmod 600 /etc/ssl/self-signed/server.*
Do not use 644 here: it would leave the unencrypted key readable by every user, and applied recursively it also strips the execute bit a directory needs to be entered.
If you want to understand a little more about the whole process, take a look here.
Since we moved the keys to the /etc folder, we should commit the changes.
etckeeper commit "Added server keys"
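The whole procedure above as one non-interactive script, added here as an example and not taken from the original article: it runs the same four openssl steps (key, CSR, passphrase removal, self-signed certificate), builds server.pem, applies root-only modes, and then checks the properties the text requires (CN equals the FQDN, key really has no passphrase, certificate and key match, nothing world-readable). It assumes openssl is in PATH; the FQDN, subject fields, output directory and the choice of aes256/2048 bits instead of des3/1024 are this example's own.

```shell
#!/bin/sh
# Added example, not the article's own commands. Assumes openssl is on PATH.
# FQDN, subject fields and directory are hypothetical values passed in by the caller.
set -eu

# Run the article's four steps non-interactively, then build server.pem and lock down modes.
make_self_signed() {
    fqdn=$1; dir=$2; days=${3:-365}
    pass=$(openssl rand -hex 16)          # throw-away passphrase for step 1, stripped in step 3
    mkdir -p "$dir"
    chmod 700 "$dir"                      # only the owner (root in practice) may enter the directory
    # 1. encrypted private key (the article uses -des3 and 1024 bits; aes256/2048 here)
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key.org" 2048 2>/dev/null
    # 2. certificate signing request; CN must be the host's fully qualified domain name
    openssl req -new -key "$dir/server.key.org" -passin "pass:$pass" \
        -subj "/C=HR/ST=Grad Zagreb/L=Zagreb/O=Example/CN=$fqdn" \
        -out "$dir/server.csr" 2>/dev/null
    # 3. strip the passphrase so Apache/Postfix/Courier can start unattended
    openssl rsa -in "$dir/server.key.org" -passin "pass:$pass" -out "$dir/server.key" 2>/dev/null
    # 4. self-signed certificate, then the combined pem some daemons want
    openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" 2>/dev/null
    cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
    chmod 600 "$dir"/server.*             # unencrypted key material: owner only, never 644
}

# Print the certificate's Common Name so it can be compared with the FQDN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds only if the key loads with an empty passphrase, i.e. it was really stripped.
key_unencrypted() {
    openssl rsa -in "$1" -noout -passin pass: </dev/null >/dev/null 2>&1
}

# Certificate and key belong together if their public keys are identical.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)" ]
}

# No regular file in the directory may be readable, writable or executable by group/others.
no_world_readable() {
    [ -z "$(find "$1" -type f -perm /077)" ]
}
```

Run it as `make_self_signed atlantis.example.com /etc/ssl/self-signed 365` and then call the four check functions on the resulting files.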