6/17/2011

Mobile Web

how to develop standards-compliant and usable mobile web applications

http://learnthemobileweb.com/

6/02/2011

SSL : View Cert

View The Contents of A Certificate Signing Request (CSR)

#openssl req -text -noout -in host.csr

View x509 certificate details

#openssl x509 -in filename.crt -noout -text

Howto Secure Apache

1. Use the latest and most current version. Right now the latest is the Apache 2.2 series
2. Make sure you’ve installed all the latest security patches
3. Hide the Apache version number and other sensitive information
4. Make sure Apache is running under its own user account and group
5. Ensure that files outside the web root are not served
6. Turn off directory browsing (mod_autoindex)
7. Turn off server side includes (SSI)
8. Turn off CGI execution
9. Don’t allow Apache to follow symbolic links
10. Turn off multiple Options at once
11. Turn off support for .htaccess files
12. Use the Apache mod_security module
13. Disable all unnecessary modules
14. Make sure only root has read access to Apache’s config and binaries
15. Lower the Timeout value
16. Limit large requests
17. Limit concurrency
18. Restrict access by IP
19. Adjust KeepAlive settings
20. Run Apache in a chroot environment
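As an added example that is not part of the original post, the script below audits an httpd.conf against several items of the list above (items 3, 6 to 9, 11, 15 and 16): it prints one line per finding and returns the number of findings. Both config files are constructed here, as is the 60-second Timeout threshold, which the list does not specify.

```shell
#!/bin/sh
# Added example, not from the original post: audit an httpd.conf against a few
# items of the hardening list. Paths and both config files are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "before": a permissive config that violates items 3, 6-9, 11, 15 and 16.
cat > "$WORK/weak.conf" <<'EOF'
ServerTokens Full
ServerSignature On
Timeout 300
<Directory "/var/www/html">
    Options Indexes Includes ExecCGI FollowSymLinks
    AllowOverride All
</Directory>
EOF

# Constructed "after": the same config with those items addressed.
cat > "$WORK/hardened.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
Timeout 60
LimitRequestBody 1048576
<Directory "/var/www/html">
    Options None
    AllowOverride None
</Directory>
EOF

# Prints one line per finding and returns the number of findings (0 = clean).
# The 60-second Timeout threshold is this example's assumption; the list only says "lower".
audit_httpd_conf() {
    conf=$1
    findings=0
    # Item 3: do not advertise version and module details in headers and error pages.
    if ! grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$conf"; then
        echo "ServerTokens is not Prod (item 3)"; findings=$((findings + 1))
    fi
    if ! grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$conf"; then
        echo "ServerSignature is not Off (item 3)"; findings=$((findings + 1))
    fi
    # Items 6-9: directory listing, SSI, CGI and symlink following enabled via Options.
    for opt in Indexes Includes ExecCGI FollowSymLinks; do
        if grep -Eiq "^[[:space:]]*Options[^#]*[[:space:]+]$opt([[:space:]]|\$)" "$conf"; then
            echo "Options enables $opt (items 6-9)"; findings=$((findings + 1))
        fi
    done
    # Item 11: .htaccess processing.
    if grep -Eiq '^[[:space:]]*AllowOverride[[:space:]]+All' "$conf"; then
        echo "AllowOverride All permits .htaccess files (item 11)"; findings=$((findings + 1))
    fi
    # Item 15: connection timeout (unset, or above the assumed 60 s threshold).
    timeout=$(awk 'tolower($1) == "timeout" { print $2 }' "$conf")
    if [ -z "$timeout" ] || [ "$timeout" -gt 60 ]; then
        echo "Timeout is ${timeout:-unset} (item 15)"; findings=$((findings + 1))
    fi
    # Item 16: cap request bodies.
    if ! grep -Eiq '^[[:space:]]*LimitRequestBody[[:space:]]+[0-9]+' "$conf"; then
        echo "LimitRequestBody is not set (item 16)"; findings=$((findings + 1))
    fi
    return "$findings"
}

audit_httpd_conf "$WORK/weak.conf" || echo "weak.conf: $? finding(s)"
audit_httpd_conf "$WORK/hardened.conf" && echo "hardened.conf: clean"
```

Run against the constructed weak.conf the function reports nine findings; against hardened.conf it reports none. The checks are line-based and deliberately simple: a real audit would also have to follow Include directives and per-vhost overrides.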

Generation of SSL certificates bought by Godaddy quick and easy

# /usr/bin/openssl req -new -key /home/dirtowww/www.domain.com.key -out /home/dirtowww/www.domain.com.csr

or

#openssl req -new -newkey rsa:1024 -keyout server.key -out server.csr

http://www.jquery.in.th/generate-ssl-certificate/

http://www.redkestrel.co.uk/Articles/CSR.html

http://www.pc-freak.net/blog/generation-of-ssl-certificates-bought-by-godaddy-quick-and-easy/

http://help.godaddy.com/article/5349?locale=en

http://www.spacereg.com/help_csr_modssl.html

wizard

https://www.digicert.com/easy-csr/openssl.htm

SSL: Verifying that a Certificate matches a Private Key

The private key contains a series of numbers. Two of those numbers form the “public key”; the others are part of your “private key”. The “public key” bits are also embedded in your Certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers.
Normally this takes some manual matching of numbers between a given private key and a given certificate, but with this command the comparison is automatic:

$ (openssl x509 -noout -modulus -in server.pem | openssl md5 ;
openssl rsa -noout -modulus -in server.key | openssl md5) | uniq

(If more than one hash is displayed, they don’t match)
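As an added example that is not part of the original post, the script below wraps the modulus comparison above in a function that returns success or failure, and adds a variant (this example's own generalisation, not from the post) that compares the exported public keys instead, which also works for non-RSA keys. The key and certificate files it generates are constructed test material, and it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: check that a certificate and a
# private key belong together. The key/cert files below are constructed test
# material; the script assumes an openssl binary on PATH.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: key "a" with a self-signed cert, and an unrelated key "b".
openssl genrsa -out "$WORK/a.key" 2048 2>/dev/null
openssl genrsa -out "$WORK/b.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/a.key" -subj "/CN=www.example.test" \
    -days 1 -out "$WORK/a.crt" 2>/dev/null

# The post's method: hash the RSA modulus from each side and compare.
# Returns 0 when they match. RSA only, since only RSA keys have a modulus.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    key_mod=$(openssl rsa -noout -modulus -in "$2" | openssl md5)
    [ "$cert_mod" = "$key_mod" ]
}

# Generalisation (this example's assumption, not from the post): export the
# SubjectPublicKeyInfo from both sides and compare, which also covers EC keys.
key_matches_cert_any() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ "$cert_pub" = "$key_pub" ]
}

for k in a b; do
    if key_matches_cert "$WORK/a.crt" "$WORK/$k.key"; then
        echo "a.crt matches $k.key"
    else
        echo "a.crt does NOT match $k.key"
    fi
done
```

Both functions are silent and only return a status, so they fit in deployment scripts: abort the Apache reload when the key and certificate that are about to be installed do not match.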

CSR : Certificate Signing Request

How to Generate CSR use OpenSSL

1. Create an RSA private key for your Apache server, PEM-formatted:

#openssl genrsa -out domain.com.key 1024

2. Create a Certificate Signing Request using the RSA private key created above (output will be PEM format):

#openssl req -new -key domain.com.key -out domain.com.csr

Note that the Common Name field is the field where the domain name should be stated.

How to setup CSR

1. Copy your issued certificate, intermediate certificate and key file (generated when you created the Certificate Signing Request (CSR)) into the directory that you will be using to hold your certificates.
2. Open the Apache ssl.conf file and add the following directives:

SSLCertificateFile /path/to/your_issued_certificate
SSLCertificateKeyFile /path/to/your_key_file
SSLCertificateChainFile /path/to/intermediate/gd_intermediate_bundle.crt

Save your ssl.conf file and restart Apache.

CSR : Generate a Certificate Signing Request (CSR) for Apache + Mod SSL + OpenSSL

1. Install OpenSSL

2. Create an RSA key for your Apache server:
cd /apacheserverroot/conf/ssl.key (ssl.key is the default key directory.)

NOTE: If you have a different path, cd to your server’s private key directory...

3. Type the following command to generate an encrypted private key file. You will be prompted for the pass phrase to access the file, and again when starting your web server.

Warning: If you lose or forget the pass phrase, you must purchase another certificate.

#openssl genrsa -des3 -out domainname.key 2048

You could also create a private key without file encryption if you do not want to enter the pass phrase when starting your web server:

#openssl genrsa -out domainname.key 2048

Note: We recommend that you name the private key using the domain name that you are purchasing the certificate for, i.e. domainname.key

4. Type the following command to create a CSR with the RSA private key (output will be PEM format):


#openssl req -new -key domainname.key -out domainname.csr


* Note: You will be prompted for your PEM pass phrase if you included the "-des3" switch in step 3.

5. When creating a CSR you must follow these conventions. Enter the information to be displayed in the certificate. The following characters cannot be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ? . , &

Common Name : The fully qualified domain name for your web server. This must be an exact match.

Organization : The exact legal name of your organization. Do not abbreviate your organization name.

Organization Unit : The section of the organization

City or Locality : The city where your organization is legally located.

State or Province : The state or province where your organization is legally located. Cannot be abbreviated.

Country : The two-letter ISO abbreviation for your country.

6. Do not enter extra attributes at the prompt. Warning: Leave the challenge password blank (press Enter).

Note: If you would like to verify the contents of the CSR, use the following command:

#openssl req -noout -text -in domainname.csr

7. Submit the CSR during enrollment by opening the CSR in a text editor such as Notepad or Vi and copying and pasting the text into the Enter CSR box.

8. We recommend that you create a backup of your private key.

To do this, make a copy of the private key file (domainname.key) generated in step 3 and store it in a safe place. If you lose this file, you must purchase a new certificate.
* The private key file should begin with (when viewed in a text editor)

-----BEGIN RSA PRIVATE KEY-----

and end with

-----END RSA PRIVATE KEY-----

To view the contents of the private key, use the following command:
openssl rsa -noout -text -in domainname.key
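As an added example that is not part of the original page, the script below carries steps 3 to 8 through non-interactively: it creates an encrypted key, builds the CSR with the subject passed on the command line (so nothing is prompted and no challenge password is entered, as step 6 advises), and then checks the CSR's signature, its Common Name and the key file's PEM header. The hostname, pass phrase and subject fields are constructed placeholders; the key is encrypted with AES-256 rather than the page's -des3; and it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive CSR generation
# with the checks from steps 5, 6 and 8. All values below are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

HOST=www.example.test                              # constructed hostname
PASS='correct horse battery staple'                # constructed; use a secrets store in practice
SUBJ="/C=US/ST=California/L=San Francisco/O=Example Corp/OU=Web/CN=$HOST"

# Step 3: 2048-bit key, encrypted at rest (AES-256 here instead of the page's -des3).
openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/$HOST.key" 2048 2>/dev/null

# Step 4: CSR from that key; -subj supplies the fields so openssl prompts for nothing,
# which also leaves the challenge password attribute empty as step 6 requires.
openssl req -new -key "$WORK/$HOST.key" -passin "pass:$PASS" \
    -subj "$SUBJ" -out "$WORK/$HOST.csr" 2>/dev/null

# Step 6 check: the CSR's self-signature verifies (returns 0 on success).
csr_verifies() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# Step 5 check: extract the Common Name the CA will issue for.
csr_common_name() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Step 8 check: the key file starts with a PEM private-key header. OpenSSL 1.x writes
# "RSA PRIVATE KEY"; OpenSSL 3 writes "PRIVATE KEY" or "ENCRYPTED PRIVATE KEY" (PKCS#8).
pem_key_header_ok() {
    head -n 1 "$1" | grep -Eq '^-----BEGIN (RSA |ENCRYPTED )?PRIVATE KEY-----$'
}

csr_verifies "$WORK/$HOST.csr" && echo "CSR signature: OK"
echo "CSR Common Name: $(csr_common_name "$WORK/$HOST.csr")"
pem_key_header_ok "$WORK/$HOST.key" && echo "key file header: OK"
openssl req -noout -text -in "$WORK/$HOST.csr" | head -n 5
```

The header check is wider than the page's "-----BEGIN RSA PRIVATE KEY-----" on purpose: current OpenSSL releases write PKCS#8 by default, so a script that only accepts the RSA header would reject perfectly good keys.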


from : https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO13985