Here we will see how to set up a X.509 certificate signed by CAcert on lighttpd web server

TLS/SSL

[[!wikipedia Transport_Layer_Security]] best known as TLS/SSL is a cryptographic protocol use on Internet to encrypt communications. It using both asymmetric encryption for key exchange and symmetric encryption for the rest of the communication. Therefore, one server private key and the corresponding server certificate are needed.

The confidentiality of the exchanges is mainly based on the certificate. To be sure that we get the server certificate from the correct server it is be signed by some [[!wikipedia Certificate_Authority]]. The [[!wikipedia Certificate_Authority]] is often a third party that is recognize by the two actors. The most known are [[!wikipedia VeriSign]], [[!wikipedia GoDaddy]] and [[!wikipedia Comodo]]. However, they are quite expensives.

Get a signed certificate by CAcert

CAcert is a community driven, Certificate Authority that issues certificates to the public for free. To get a signed certificate just register on the web site.

You will need to install the ssl-cert and ca-certificates to be able to generate the server private key and a certificate signing request (CSR). To generate CAcert provide a small shell script csr. After downloading it just run it and answer the questions:

$ csr.sh
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org

Short Hostname (ie. imap big_srv www): www
FQDN/CommonName (ie. www.example.com) : *.example.com
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:*.example.com
SubjectAltName: DNS:
Running OpenSSL...
Generating a 2048 bit RSA private key
......+++
...............................................................+++
writing new private key to '/home/user/www_privatekey.pem'
-----
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like www_server.pem

-----BEGIN CERTIFICATE REQUEST-----
MIIBzTCCATYCAQAwgYwxCzAJBgNVBAYTAmdiMQ8wDQYDVQQIEwZMb25kb24xDzAN
BgNVBAcTBkxvbmRvbjEZMBcGA1UEChMQU3BhY2VTdXJmZXIgTHRkLjEZMBcGA1UE
AxMQd3d3LnNwYWNlcmVnLmNvbTElMCMGCSqGSIb3DQEJARYWd2VibWFzdGVyQHNw
YWNlcmVnLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAywfuXnd348ot
iAcZ4RHFc509ImCTagKaNkiQ4xyijbPYP7H0UQ5iXqvojSIcbUOVhExqwqyqjCPm
7ZpON3IXktIcKAwPFvoqKkHuqTa8KMnZTSY8P7QILYHFd2Sd1l1arCrWv8HWb+qM
RHVTlviBaLAHQxnz28qKkYN09K0fw5cCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB
AFMgp2KkHQXMC1JbZf3AkIz7mrl4X21cRusTfd8ec3RuMZexGy76jMGFyPWVM69R
Fvpfiic8h28HrHube7pEPFpdUSj2cR4OZCAg5uqzN/ESwc4CtLzej7pWoDPpc/kv
hiJ/eGOxINKd39kCuzIS6zrvb2ihJth7jcmokezmrwjQ
-----END CERTIFICATE REQUEST-----

The Certificate request is also available in /home/user/www_csr.pem
The Private Key is stored in /home/user/www_privatekey.pem

Submit your CSR to CAcert web site and save the resulting signed private key in a file in the /etc/ssl/private folder: server_certificate.pem

-----BEGIN CERTIFICATE-----
MIIErjCCApagAwIBAgIDC65yMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv
b3QgQ0ExHjAcBdHA6Ly93d3cuY2FjZXgNVBAsTFWh0J0Lm9yZzEiMCAGA1UEAxMZ
Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
dEBjYWNlcnQub3JnM5MMDUwMTEXDTEyMTAyODE5TcxOFoB4XDTEyMTcxOFowFjEU
MBIGA1UEAxQLKi50YmxlaW4uZXUwggEiMwAwggEKA0GCSqGSIb3DQEBAQUAA4IBD
Ip4P+pzo1lvNbCCorGUozI3Bh9f/hshftTb2P6Y0KAlja81jtK3fXz2am86NJ037
AoIBAQDDVCgRg/nWoZmE990WD5AxC0NvVQgOmCvuP84JSoDgzIgGbNiCspkNm3uB
gYw+B0JD7d0luyvrXu4nf5UG3lBeB0NUoYKNTfMYsBrwugNyukEegq7VMmzLo21t
FoDnUn/Dg6lEE08g5MXzTNqSQzL/60jrI7/A2mYdtOb3Pg20+GONN326kbeKK6EA
kaaN8R3tPVY1PNTG9HPAe8scIF3V3FXkqj6E2GuLcQZmfK9OmFdPzy9VvZ5RFGoA
abTFXA6xCT6Apfrpd04e0Fh18Dq+SvdmWS8Y6sBXUxL50GHTSBSMAggSgIDWujxi
OE2OdPEQjCUR9TOSVGBVT6JFzRkLXZ+8GJWELyQisUZDtcXN8Msy2wpdovSLf2QL
rTx0rBgl3DhoRmfPab4Vq8OZb+zlGf9armskX4JFWNejF9ZcIt65myv7P8yfucjT
tcbZRuw0DINpAxqDdK4B25RE6GF7AgMBAAGjgaEwgZ4wDAYDVR0TAQH/BAIwADA0
BgkqhkiG9w0BAQUFAAOCAgEAn3X9Xj4D+hNY0Gla5Q5fMtOOXhT253VtjubpdEcs
BgNVHSUELTArBggrBgEFBQcDAgYIKwYBBQUHAwEGCWCGSAGG+EIEAQYKKwYBBAGC
NwoDAzALBgNVHQ8EBAMCBaAwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdo
dHRwOi8vb2NzcC5jYWNlcnQub3JnLzAWBgNVHREEDzANggsqLnRibGVpbi5ldTAN
8ZBJBLxzNi5ipDDNRvJQKkd09tZ1JHqE+AdKLBpqi29exQp9AMEgZGw+ljibK3UD
ZV8oBRW1icLVNXunG2jY6hTWmP11baaAnTnELyknCtDYgH5t2KPDwpiLBQS5UNuc
+tFldPrs9kIUhCy/t//vKrlKiqg7JZuoEFhVgmjPpoQbHRwyHuiSW6IKqmwKWdA5
Kp0mVUUqfFDU+C+RjvKpeEtS3j7r3MDAo083KzJerI0YsOFxqJRZ3++mzOqY7Teu
uulk4GvV6re2GsuWWXKMPhK8Sz5jGEVYK7Wf7iGWTgwDJuicyRkjBHWFkfYlrL7V
/KZnak4lLEAOXYhwNnqHfrUiaDtvWhZXkYfrC4tRMSHRhKg9Kub1x3cGnhb/+Duq
GZI0M17BoQZZmPUGqpxm2NLyizwlH+hKyomKpBcX35kxeQLk3ilHuyb58zc4AWgg
NOI=
-----END CERTIFICATE-----

To check its validity run openssl command with the action verify on it:

$ openssl verify server_certificat.pem
server_certificat.pem: OK

You should get OK.

Inclusion of the certificate to be handle by lighttpd

To be able to encrypt data with lighttpd the server certificate, the server private key and the certificate authority certificate should be given to lighttpd. The private key and the server certificate should be combined in one file with a command like the following:

# cat /etc/ssl/private/server_privatekey.pem /etc/ssl/certs/server_certificate.pem \
   > /etc/ssl/private/lighttpd.pem

Then change the access right of this file to readable only by the owner and the group owner and writable by the owner. This very important to set it up like this since anybody who have access to this file will be able to decrypt all the encrypt traffic of the server.

# chgrp www-data /etc/ssl/private/lighttpd.pem
# chmod 640 /etc/ssl/private/lighttpd.pem

Then you need to configure lighttpd for example in /etc/lighttpd/conf-enabled/10-ssl.conf on Debian to take into account the certificate:

$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.ca-file = "/usr/share/ca-certificates/cacert.org/cacert.org.crt"
    ssl.pemfile = "/etc/ssl/private/lighttpd.pem"
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    ssl.honor-cipher-order = "enable"
}

The ssl.ca-file entry specify the certificate authority certificate and ssl.pemfile the server privat key and certificate file.

You just need to restart lighttpd and your certificate should be available.

# /etc/init.d/lighttpd restart