I'm going to demonstrate setting up the Apache web server inside some Linux machines on VirtualBox, including setting up HTTPS and the use of digital certificates. So currently I have three Linux machines running in VirtualBox: a client, a router and a server. I'm going to install Apache on the server and then use the client to test web browsing on that. There are many different instructions online. We're using Ubuntu 16.04; one set of instructions for setting up Apache on Ubuntu, from DigitalOcean, has some basic instructions, so you can browse through there to see the steps. They are quite simple to set up Apache. It's a little bit more complicated to set up the digital certificates. So let's go through it. I have my window for my server here, a basic Ubuntu install. The first thing we're going to do is install Apache using apt. It's actually Apache version 2, so sudo apt install apache2. I enter my password and it asks me do I really want to continue. There's a bunch of software that's going to be installed, and yes, I'm going to continue, and it will download and install Apache and set it up, and in fact the web server will be up and running once this completes. I'll bring up my client, and my client is connected to the server via the router. For that we're going to use a text-based web browser, so I'll actually just install links. Links is a simple text-based web browser and it's useful for quick testing when we only have the command line. So we can run links and specify the URL, and in this case we're going to use the IP address of the server. In my internal network the IP address is 192.168.2.22, so that's the address I'll connect to, and it brings me to the Apache 2 default or Ubuntu default page. This is the page served by Apache by default. If you want to set up a website you need to change this index.html file and set up all your files in the appropriate directory. So it's up and running; that was simple.
There's a couple of things we'll need to do to make it a little bit more convenient, but before we do that, there are many directories relevant to Apache for setting it up on the server. I will not explain them all now; the different documentation will explain them. For example, if we scroll through we can see this explains the default web page, which we saw but only the text version, and in step 5 here it talks about the different directories and files which are relevant for configuration of the Apache server. For example, /var/www/html stores the actual web content. A lot of the configuration of the server is under the /etc/apache2 directory. I will not go through those now. We'll look at setting up a few other features in the server so we can test them. One thing, of course: what we did to access it with a client (and I'll just quit out of links using q; yes, I want to quit) is we needed to supply the IP address, which is not much fun. Sometimes we'd like to use a domain name. In my small internal network I don't have a DNS server, but I can cheat a little bit by manually setting mappings of domain names to IP addresses, in particular on the client. One way I can do that: I'm on the client, I'll edit a file called /etc/hosts and I can insert a mapping in here. Insert the IP address of the server, and let's create a domain name for our server. So this says on my client if I ever try and access www.example.com it'll be redirected to 192.168.2.22, which is my actual web server. So this is our local version, with respect to the client, of DNS settings. We can add more in here to the same IP address or to other IP addresses if we have them on our internal network, and this is only for the client, so we can in effect use any domain name that we choose. I'll save that: escape, write and quit. What that means is we can now use links but specify a domain name, and my local hosts file will map that to the actual IP address of the server and we get the same web page.
So that's useful for testing when we want to test with domains that exist only in our internal network inside VirtualBox. Quit out of that. So that's it: we've installed the Apache web server and we can access that from a client. So now let's go back to our server and have a look in a bit more depth at the configuration, and again the website here lists the different directories and files of relevance, so we'll go through some of those, not all of them. This is on the server first. If we change into /var/www/html and ls, we see this is where the web pages are stored, and we can have subdirectories, images and so on in here. So this is the web content in this directory, and it's got a default template web page which says welcome to Apache on Ubuntu: the Apache 2 Ubuntu default page. So when we create a website we'll put our files inside here. The next directory of relevance (I'll just clear and go to the top) is apache2 under the /etc directory, and the main configuration of the web server is done via files within this directory. They're primarily text files, and there are multiple files: usually configuration files ending in .conf, and there are further files or modules in some of the subdirectories. The first one, or the main one, is apache2.conf. We will not make any edits to it. You can browse through and read some of the comments, some of the how-it-works comments, but the main idea is that the web server is configured by directives. For example, although this one's commented out, ServerRoot is the parameter and the value given here is /etc/apache2. If you want to change those values you can remove the hash at the start and modify them. This file initially we don't need to modify; the default parameters are sufficient, but if you really want to optimize or specialise Apache you may go into here and change some parameters. It refers to other files, including .conf files available in the subdirectories; there's links into those.
One of them which is of relevance is in the sites-available subdirectory, and it's the default configuration of the Apache web server, named 000-default.conf. We'll open that up, and note it's read-only: we'd need to use sudo to make changes to that. At this stage I'm just viewing the configuration file. Here is where you're more likely to make the first configuration changes to your web server. For example, ServerAdmin gives the email address of the administrator; it defaults to webmaster@localhost, but if you have a real domain you would put the real email address of the admin here. It specifies where the root of your web directory is, and that can be changed of course, the location of error logs, access or custom logs, and that's it in this case. This is in this VirtualHost set of directives. We can actually have on the same physical server multiple virtual hosts, or multiple different websites for different domains. We'll see that there's another file in here, default-ssl.conf. This is the configuration for setting up HTTPS, which we'll go to shortly. We'll come back and we'll need to edit that file. Apache has extra features which are available in modules, and mods-available lists some of those modules currently installed, and there are different ways to enable those modules. We will enable the ssl module at a later stage. The other directory of initial interest is where the logs are stored, and that's under /var/log. There are a lot of operating system and software logs in here; the one of interest is the apache2 subdirectory, and there's normally an access.log and an error.log. The access log is the one of interest. It logs by default all accesses to the website, and it logs in a standard format where it keeps a record of who accessed the website, at what date and time, what page or path name they tried to get, the HTTP response code (200), the response size, and some information about the browser used to access the website.
We'll see over time, as multiple people access the website, this log can be quite useful for learning about how people access it. The error log is useful if there's things that go wrong in your web server. So those are the main locations where you get started with configuring Apache. We're now going to set up Apache to support HTTPS, so web browsers can connect to it in a secure manner using HTTPS. It's not too hard to enable that on Apache, but the more complicated procedure is making sure Apache has a valid digital certificate. In the normal procedure, in a real server, what we would do is create a certificate for our server and then go to an external certificate authority to get that certificate signed. However, when we're using our internal network in VirtualBox and we want to do everything inside VirtualBox, we are not going to go out to an external authority. Instead what I'm going to do is create my own authority on my server and get that to sign the certificate for my web server. So I'm going to go through the steps of creating a certificate for the authority, generating the authority, and then we'll create a certificate for the server and get the authority to sign that. So the first step here is creating a certificate for the authority, and I'm not going to explain the details of the algorithms like RSA, or even how certificates provide security; that should be covered in a separate security unit. We're going to use common software for security operations called OpenSSL, and it provides all the features we need to generate certificates, generate the authority and sign certificates. The mode we're going to use: we want to generate a public key pair for our authority, and we're going to use the algorithm which is common, which is RSA, and I'm going to choose two options for the RSA algorithm via -pkeyopt. The first one: in RSA, when we generate a key pair, the length is important.
Normally we can choose between 1,024 bits, 2,048 or 4,096, where the longer, the more secure, although the slower it is to do cryptographic operations. Another option that I'm going to choose: RSA has a public exponent, and I'm going to choose it to be this magic value 65537. Really you need to go and study the details of the RSA algorithm to understand the significance of the public exponent and what the 2,048 bits refer to. But this should generate our key pair, and I'm going to output that key pair to a file; this is my key pair for the certificate authority, so I'll call the file cakey, and the file format we use is .pem. There, it's generated a key pair, and we could go away and have a look at the details of that. For now we'll leave it; we'll see another example later. That's our certificate authority key pair. When you set up a server in the real case you would normally not need to do that; you would go to an external CA, but we need to do it internally. Now my authority needs to sign their own certificate. Again, not a normal step that we'd need on a web server; it would be done by an external authority. What we do is we generate a request using standard X.509: as the input key we're going to use our cakey.pem, we're going to output a file called cacert.pem, and I'm going to say this certificate is going to be valid for three years, 1,095 days. This is actually the certificate authority signing their own certificate. And what have I done wrong? A typo here: I forgot a dot, cakey.pem. Note I see this "error opening" message here, so be careful: if you do see an error you've probably got a typo like I did there, and this is the preferred output, this is the success here. It now asks for information about my certificate authority: country name or country code, Australia; state, and choose the one that's relevant for you.
Queensland; organization name, this is for the certificate authority and essentially for the demo you can choose whatever you like or use a university; organizational unit, it's optional, I'll give the value certificate authority, but you could just press enter to skip that part. This is important, the common name, especially in a later step; normally it's a domain name, so I'll make up one, ckeyuny.edu, and a made-up email address. I say made up because again it's just internal to my VirtualBox network; I'm not going to be using this on the real internet, so it doesn't matter here. That should be done, and I now have the key pair, the RSA key pair, for the certificate authority, and a self-signed certificate for the authority which is going to be needed later. Now, we're still setting up the authority. The next thing we need to do is set up some directories so that this authority can sign the web server certificate, and I'm going to quickly go and set up the directories. I'm in my home directory; just make sure, cd home. The directory structure here is quite important: if you get the directories wrong then you'll have problems later. The directory names come from the configuration file; you could change it, but it's best just to follow these directory names. I'm going to make a directory called demoCA, and then I'm going to make a few directories under that called certs, another one called crl, and newcerts (all of these are needed for our certificate authority), and private. I need an empty file, so I'm going to touch a file in that directory called index.txt, and I need another file, serial, and it must contain the value 02. Sounds like some magic values, but it's all necessary so our certificate authority will have the necessary files set up to be able to sign and issue certificates for our web server. I'll echo that into the serial file, and I'm going to move the cert file that we previously created into the demoCA directory and move the cakey file, our key pair, into the
demoCA/private directory. You need to go through those steps to prepare our certificate authority, and the last step to prepare is to make a small change to a configuration. There's a file which we're going to edit as sudo using vi; it's called /usr/lib/ssl/openssl.cnf. This is the configuration for OpenSSL, and in there are some settings that we're just going to change. We're looking for the settings which are to do with the CA policy and policy_match, so scroll through. In fact this specifies the default settings for all those directories that we just created; if you wanted to have different directories you'd have to change this first. Look through, scroll down for the CA policy, and for the CA policy and policy_match the first three lines are saying when the certificate authority signs a web server certificate they must match in terms of country name, state and organization name. Well, I'm going to be a little bit more free and allow the state and the organization name to be optional; that's what I want to change to optional here, saying that my certificate authority will only sign certificates which come from the same country, but they can come from a different state and a different organization. So it's changed those two to optional; the rest should be okay, and I'll save that. Now our certificate authority should be ready and we have the demoCA directory set up. Don't touch that; when we sign certificates that'll be automatically updated by OpenSSL. So that was setting up the certificate authority, which would normally be done externally; you wouldn't need to do that. The next steps are for the web server: creating a key pair for the web server and a certificate request for the web server, giving that certificate request to the authority, and the authority will issue us a certificate. These are the steps that you would normally need to do for your web server. Again, for the web server now we need to create a key pair for the server: generate the public key pair,
same algorithm RSA, same options, in fact -pkeyopt rsa_keygen_bits; we'll use the same length, 2048. It doesn't have to be the same length as the CA. And we'll use the same (let's get the syntax right) -pkeyopt, the same option for the public key exponent, to be this magic 65537. This public key exponent, by the name "public", everyone can know this, so it doesn't matter if other people know it's this value 65537; everyone can use the same value, it doesn't create any security issues. We're going to output that to a file, and I'll call it my private key. I'm going to set up the server and give it a domain, www.example.com, so that's what I'll name the file, so I remember this is the private key for www.example.com. If I wanted to host multiple servers or multiple websites on this one server I could generate multiple private keys for different domains. That's generated the private key. Now what we do is generate a certificate signing request: openssl req -new, and the key that we're going to pass in is the one we just created, and we're going to output a certificate request for that same domain and call that extension .csr, for certificate signing request. This takes part of the private key, in particular the public key; it takes the public key from the key pair and puts it into a format that we can deliver to the certificate authority, which will then issue us our certificate. It asks for similar information as when we did it for the certificate authority. Remember we set up the authority so that we need the same country name but not necessarily the same state, and I'm going to call my organization Example Company, and I don't want a unit. But this is important: the common name must be the domain name you're going to use for your website. I'm using www.example.com; in your demo you're going to use another one, but importantly, when you set up your web server and Apache you must use the same one. That's not important here; it's asking do you want to have some
extra protection on this? No, we don't, just press enter; we don't want a challenge password and I don't want an optional company name. That generates this certificate request. What we do now is we send that to the certificate authority; they will do some validation, check that it's actually us, and then issue a certificate if all is okay. In real life that would be, say, sent to an external CA or uploaded to the website of a CA, and some checks would take place. In our internal virtual network the CA is on our server, so we don't actually have to send it; we can directly access it when we become the certificate authority. So that's what the web server needed to do. Now I'm going to switch hats and imagine I'm now the certificate authority. What I do: I take that certificate signing request, and again using OpenSSL as a certificate authority (openssl ca), I take that as an input and I output a certificate; I issue the certificate. So this is the role of the certificate authority, which we need just inside our virtual network. Do we want to sign the certificate? We should check the values and make sure it's valid; yes, I do. Do you want to commit this to your database, which updates the demoCA directory? Yes, I do. Database updated, that's good. The thing that we need here is this certificate file; that's the one which is issued to our web server. When I set up the web server in a bit more depth soon I'm going to also need the certificate authority's certificate, which we earlier put inside demoCA, so I'm going to copy that and get a copy. I'm going to rename it so I'm clear it's a certificate for our CA, that is the CA or certificate authority that signed our server certificate. A little bit different: it's the same, it's a .pem file, but I'm going to refer to it as a .crt file just to distinguish it; when we set up Apache we'll see where. That's it in terms of generating these certificates. The next steps will be to set up Apache to use these certificates. Just before we proceed, to make sure
that everything's gone okay, we'll use openssl verify, using the certificate of our certificate authority to verify the certificate of our website, and this should report that the certificate is OK. Good. If you get OK, everything's fine, you can continue; if you don't get OK then probably one of the steps you've done prior to this has had a mistake. Just to summarize: we are going to need in the next steps the certificate of our website and the certificate of our certificate authority, and we'll use them when we set up Apache to support HTTPS. So now let's configure Apache to support and use these certificates. We need to put these certificates, first the web server's certificate, in directories which Apache is going to read by default, and in fact I need to do this as sudo because the directory is under /etc, which is only writeable by the administrator. The subdirectory is ssl, and under that there's a directory called certs, for certificates. So if you have multiple websites this is where you put the certificates of your websites. Similarly, we need to also put the certificate of our CA in that same directory, and finally the private key of our web server under the /etc/ssl/private directory. So those are the three files: the certificate of our web server and the certificate of our CA, put into the certs subdirectory, and the private key of our web server into the private subdirectory. They are all needed by Apache. That private directory should be protected, because a private key, as the name suggests, must be kept private, even from other people on this computer. If we look in /etc/ssl, yes, the certs directory is readable by all; the private directory is not readable by all, okay, so there's some protection. It's executable by this special group called ssl-cert. You may want to change the permissions for the file you just put in there to be more protected, but at this stage it's sufficient for what we need in our demo. Okay, so we put
the files so they'll be available to Apache. Now we need to configure Apache to use HTTPS. We'll go into the configuration directory (just clear that), and we'll go into sites-available, and recall there are two configuration files: one is for normal HTTP, this 000-default.conf, and another one if we want to use SSL or HTTPS on our web server, and it's this second one we need to configure, or we need to modify. So open that up with my editor. It has a default configuration; we just need to change a few settings in there. The first thing we'll do is insert a ServerName, and for ours I'm going to put my domain name and the port number which is used by HTTPS, 443. So insert your server name; if you've got a different domain name, set it up appropriately there. The other settings are normally okay as default, except we scroll down and note the difference between this and the normal 000-default.conf: this one has a lot of SSL directives. The SSLEngine, which is used in HTTPS, is turned on, and a lot of settings for SSL, and these two are the ones really we want to change. Just scroll down: by default this configuration file refers to these template or fake "snakeoil" certificates. Let's comment these out (did the wrong thing then), comment them out by inserting a hash at the start; you don't want them, we're going to add our own three. Again it's important to get these correct. SSLCertificateFile is the first one, and we're going to refer to our three files that we put into the /etc/ssl directory: /etc/ssl, first one certs, and the web server certificate, cert-www.example.com.pem. Double check, okay, SSLCertificateFile: there's no typos or spelling mistakes and it refers to that exact file. If you have a mistake here, most likely when you reload Apache to support HTTPS it will not work; this is the most likely place that you make mistakes, that's where I make them. Next one, SSLCertificateKeyFile: this refers to our private key, /etc/ssl/private/privkey-www.example.com.pem. And the third one refers to our certificate
authority's certificate: SSLCACertificateFile /etc/ssl/certs/our-ca.crt, which is just the .crt, and the .pem is exactly the same format here; it's just tradition that the server will refer to a .crt file. So really there we add the ServerName in this configuration file; DocumentRoot and the other logs are all the same, the default values are sufficient; comment out the two snakeoil directives and add in three directives, SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile, referring to our web server certificate, our web server private key and our CA certificate. That's all the changes we need in this file: escape and save. Now what we do, if we go back a directory, remember there are mods-available, modules available; we need to enable one of those modules, and Apache has a command to do that: as sudo, a2enmod (Apache enable module), and it's called ssl. It gives us some output saying we should restart Apache for this to take effect, but we'll do that in a moment; there's a couple of other things first. We need to enable that site, the default-ssl site. If we look inside sites-enabled there's one site enabled, the normal 000-default.conf, plain HTTP. We want to, as sudo, a2ensite default-ssl (Apache enable site). It says to reload the configuration, but if we look inside sites-enabled now it lists both of those sites. If you wanted to add another website for a different domain then you could have a third configuration file, or multiple configuration files, and you would enable them as well. Now we want to reload this configuration. When we make changes to the Apache configuration they don't take effect until we reload them; you can either restart the whole server or simply reload, and we can use systemctl to do that: systemctl reload apache2. If you want to restart the web server it's simply systemctl restart apache2; in this case it wouldn't matter. It's preferable to reload because you don't interrupt existing connections or existing people accessing the server. Hopefully that prints nothing as an output; if
it prints some error messages or some output, most likely you've got some syntax errors in your default-ssl configuration file. Now we want to test. Apache should be up and running, and I'll switch to my client. Let's just check I can access the normal HTTP website: yes, I can get there; q to quit, yes. Now I'll change the URL to say https and try and access using HTTPS; let's see what happens. Links reports an error, an SSL error: the certificate is not trusted, and it doesn't show me all the messages. Do you really want to continue? It's suggesting no. Well, yeah, I trust the certificate. What could be happening here is a man-in-the-middle attack, and we'll see how to overcome this in a moment and what the problem is. I'm going to press yes to continue, and now I have access to the web page and I'm using HTTPS. You could confirm in other ways. So HTTPS is working, the web server is set up, it's all okay, but we do have this problem with our web browser: when we try to access www.example.com the web browser reports an error saying I've received a certificate but I can't validate that certificate, I can't verify it. That's because the browser is not configured to be aware of our certificate authority. Normally browsers are configured by default to be aware of common certificate authorities. In a real network I would get my web server certificate issued by a common certificate authority and we wouldn't have this error; we get this error because I created my own certificate authority. So next we'll go through the steps for overcoming this error. Just to be clear, the error is with the client; it's not any problem with the server setup. We need to make the client, the web browser in particular, aware that our CA can be trusted, and to do that we need to get the certificate from the CA onto the client. The certificate is on the server; the file we want is this one, our-ca.crt. We need that on the client and set up in a special way. So back to the client: what I'm going to do is copy that certificate
from the server to my client, and on the command line I can use scp, secure copy, where I specify the IP address of the server, 192.168.2.22, followed by the exact path where my certificate is stored and the name of that certificate. Be careful, in your case your username is probably different, so make sure you give yours as the correct path; so that's whatever the value is on the server. So we're saying securely copy from 192.168.2.22 the file /home/steven/our-ca.crt, and don't forget, copy it to this directory on my client; don't forget the dot there is needed. It asks me for the password for steven at the server, I type it in, and it copies it, and now I have the CA certificate on my client computer. Now I need to set up my browser, or more generally my operating system, so it's aware of that certificate. What we'll do is make a directory on the client; this is specific to Ubuntu Linux, other systems would do this in a different manner. Create this directory under /usr/share/ca-certificates called extra, for some extra certificates; copy our CA certificate into that directory; and now reconfigure ca-certificates, this listing of all the CA certificates, to read in the new one. To do that, sudo dpkg-reconfigure ca-certificates, which is the software package that keeps track of certificates of CAs; we're adding a new one to that. Yes, we would like to trust some new certificates, and it tries and finds some; a lot already selected, the ones which are currently trusted by Ubuntu, which come when Ubuntu is installed. There's one at the top which is this extra one, which is the one we want, and I'll press space bar to mark that one, tab to OK, so that one will be added to the trusted list. That's updating, and when your web browser, including links, starts, it actually looks at that list. So again we'll run links, access our web server using https, and it immediately goes to the web page; there's no error saying we don't trust
the certificate. So that's the behavior we want, and we're complete. We've set up an Apache web server on our 192.168.2.22; we've created a certificate for an authority and set up the authority; we created a certificate for our web server and that was signed by the authority; then we set up the configuration for Apache to refer to those certificates; and the last step for the client was to get our operating system on the client to be aware of the certificate authority's certificate, so that there were no warnings or errors. We now have HTTPS working in our internal network. To finish off, one more thing, testing: we can use links here to test. OpenSSL is a quite powerful piece of software; it has a way to test SSL or HTTPS connections, so if you want to test (I'll just make that bigger) there's the option s_client, connect to example.com port 443. So this is saying use OpenSSL to connect to some server, and this gives details of that connection, that secure connection. If we scroll up a bit we'll see that it shows us all the details about the certificate that was exchanged: that is, it was a certificate of www.example.com and it was issued by some certificate authority, CQ University. So we can see the details of the security exchange happening there, the details of the certificate and the use of SSL, or more accurately TLS, in there. So that's if you want to understand the protocol interactions with HTTPS. Then Ctrl-C to quit that. We've done a quick setup of Apache. We haven't tried to explain too much about how certificates and RSA provide security; that is probably too much, outside of the scope of what we're trying to do of just setting it up, but it's really beneficial if you can learn about RSA, certificates and their security value to really understand what we've done in each of those steps.
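The certificate-authority and server-certificate steps described above, collected into one non-interactive script as an added example (not the lecture's own commands). It assumes openssl is in PATH, writes its own small OpenSSL config into a scratch directory instead of editing /usr/lib/ssl/openssl.cnf, and the CA name demo-ca.example, the subject values and the output file names are constructed for the demo.

```sh
#!/bin/sh
# Added example, not the lecture's own commands: the CA and server-certificate
# steps from the transcript as one non-interactive script (-subj and -batch
# replace the prompts). Assumes openssl in PATH. The CA name demo-ca.example,
# the AU / "Example Company" subject values and the scratch directory are
# constructed for the demo; the server domain defaults to www.example.com.
set -e

# Build the demoCA directory in $2 and issue a certificate for domain $1.
make_demo_pki() {
    domain=${1:-www.example.com}
    work=${2:-$(mktemp -d)}
    export DOMAIN="$domain"          # read by ${ENV::DOMAIN} inside ca.cnf
    cd "$work"

    # Same layout and seed files the transcript creates by hand for "openssl ca".
    mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
    : > demoCA/index.txt
    echo 02 > demoCA/serial

    # Private config instead of editing /usr/lib/ssl/openssl.cnf. policy_match
    # carries the transcript's change (state and organisation optional, country
    # must match). The server cert also gets a subjectAltName, which modern
    # browsers require even though links does not.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = v3_server
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${ENV::DOMAIN}
EOF

    # 1. CA key pair: RSA, 2048 bits, public exponent 65537, as in the transcript.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -pkeyopt rsa_keygen_pubexp:65537 -out demoCA/private/cakey.pem 2>/dev/null
    # 2. Self-signed CA certificate, valid 1095 days (three years).
    openssl req -new -x509 -config ca.cnf -key demoCA/private/cakey.pem \
        -days 1095 -subj "/C=AU/ST=Queensland/O=Demo CA/CN=demo-ca.example" \
        -out demoCA/cacert.pem
    # 3. Server key pair with the same parameters.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -pkeyopt rsa_keygen_pubexp:65537 -out "privkey-$domain.pem" 2>/dev/null
    # 4. CSR: the CN must equal the ServerName that goes into default-ssl.conf.
    openssl req -new -config ca.cnf -key "privkey-$domain.pem" \
        -subj "/C=AU/O=Example Company/CN=$domain" -out "req-$domain.csr"
    # 5. The CA signs the request; -batch answers the two "y" prompts.
    openssl ca -batch -notext -config ca.cnf -in "req-$domain.csr" \
        -out "cert-$domain.pem" 2>/dev/null
    cp demoCA/cacert.pem our-ca.crt   # the copy that goes to /etc/ssl/certs
}

# The transcript's sanity check: exit 0 when the CA cert verifies the server cert.
verify_chain() {
    openssl verify -CAfile "$1/our-ca.crt" "$1/cert-$2.pem" >/dev/null 2>&1
}

# Subject CN of a certificate, to compare against the Apache ServerName.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/.*CN=\([^,]*\).*/\1/'
}

if [ "${1:-}" = "--run" ]; then
    d=$(mktemp -d)
    make_demo_pki www.example.com "$d"
    verify_chain "$d" www.example.com && echo "$d/cert-www.example.com.pem: OK"
fi
```

Run it with `sh make_demo_pki.sh --run`; the resulting cert-www.example.com.pem, privkey-www.example.com.pem and our-ca.crt are the three files the SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile directives point at.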