1
00:00:00,000 --> 00:00:17,920
Hey everyone and welcome back. In the previous nugget we had discussed some of the core concepts

2
00:00:17,920 --> 00:00:24,440
behind asymmetric cryptography as well as the idea of creating a certificate that can

3
00:00:24,440 --> 00:00:31,440
either be verified by a certificate authority or have a self-signed certificate. Now in this

4
00:00:31,440 --> 00:00:35,439
nugget right here what we're actually going to do is we're going to be able to configure

5
00:00:35,439 --> 00:00:42,760
our server to use SSL, but in our case it's going to be a self-signed certificate. So we can

6
00:00:42,760 --> 00:00:49,480
actually deliver our services in that encrypted form, but anyone who was using our service would

7
00:00:49,479 --> 00:00:56,199
not actually have a way to verify that we are indeed who we say we are. Now for production

8
00:00:56,199 --> 00:01:00,879
grade encryption, whereby you're deploying to real clients, you certainly want to go through the

9
00:01:00,879 --> 00:01:06,640
process of having a certificate signed by some type of authority, but for the purposes of our

10
00:01:06,640 --> 00:01:13,400
little demo and for understanding the objectives of the examination, creating a self-signed certificate

11
00:01:13,400 --> 00:01:19,239
is going to be absolutely okay for us. So with that said, let's dive in and get to it then, shall

12
00:01:19,319 --> 00:01:25,159
we? So what I'm going to do here is I first want to show you the certificate configuration file,

13
00:01:25,159 --> 00:01:32,439
okay. So if I do cd and I go into my etc directory and I go into apache2 and I do an ls, I can go

14
00:01:32,439 --> 00:01:38,439
into my sites-available folder, okay. Now if I do an ls you will notice we actually have this default-

15
00:01:38,439 --> 00:01:46,159
ssl.conf file, so if we have a peek within this file right here, and I'll type in my password, okay, so

16
00:01:46,239 --> 00:01:52,879
in here we actually have some key configurations. Now one that we absolutely want to be aware of is

17
00:01:52,879 --> 00:01:59,840
this one right here, the SSLEngine keyword. This is going to allow us to either toggle on or toggle off

18
00:01:59,840 --> 00:02:08,560
our SSL configuration. So by saying SSLEngine on we are enabling SSL, i.e. encryption, for this

19
00:02:08,560 --> 00:02:14,639
particular service. Now if we scroll on down we're going to see these two different keywords here;

20
00:02:14,639 --> 00:02:19,279
now right now they actually happen to be populated with some values, but we're going to remove them

21
00:02:19,279 --> 00:02:25,439
and regenerate our own certificate and private key, but ultimately this is where we're going to

22
00:02:25,439 --> 00:02:33,119
put this. Now this key right here, or rather this keyword should I say, SSLCertificateFile, this is

23
00:02:33,119 --> 00:02:38,719
going to point to our certificate that we're going to generate. Now again, this certificate is not going

24
00:02:38,800 --> 00:02:45,039
to be signed by a certificate authority, but nonetheless this is where we're going to point to,

25
00:02:45,039 --> 00:02:51,199
so we'll generate our certificate and we'll place that value right in here, or that path should I say,

26
00:02:51,199 --> 00:02:57,919
right in here. Now this one right here, the SSLCertificateKeyFile, this is going to point to

27
00:02:57,919 --> 00:03:05,520
our private key. Now as always I really must stress, when you have a private key you absolutely do not

28
00:03:05,520 --> 00:03:10,320
share it with anyone. You don't share it with a certificate authority, you don't share it with a

29
00:03:10,320 --> 00:03:16,879
friend or anyone, just don't share your private key for encryption, okay? That's supposed to be

30
00:03:16,879 --> 00:03:22,240
private to you. Now when you happen to be dealing with certificate authorities you can also use this

31
00:03:22,240 --> 00:03:28,000
SSLCertificateChainFile, but for now we're not going to concern ourselves too much with that.

32
00:03:28,000 --> 00:03:33,840
Right now what we're going to do is we're going to generate our public certificate as well as our

33
00:03:33,840 --> 00:03:40,480
private key, and we can do this using a tool known as OpenSSL. So if I go back to my command

34
00:03:40,480 --> 00:03:45,199
line right here, what I'm going to do is I'm going to issue a particular command. Now this command

35
00:03:45,199 --> 00:03:50,000
is certainly not something you're going to have to memorize; just understand that using the tool

36
00:03:50,000 --> 00:03:54,800
OpenSSL is how we can generate this, and I'll walk you through what exactly it is I'm doing. So I'm

37
00:03:54,800 --> 00:04:02,719
going to say sudo openssl, which is the tool, and then I'm going to say req for a request, and then

38
00:04:02,719 --> 00:04:10,560
I'm going to say -x509. Now x509, this is ultimately specifying that we want to have a

39
00:04:10,560 --> 00:04:17,360
self-signed certificate as opposed to one that would have a signing request; we're just going to sign

40
00:04:17,360 --> 00:04:24,160
it ourselves. I'm going to say -nodes. I'm then going to say -days, and this is how many days we want

41
00:04:24,160 --> 00:04:28,959
our certificate to be valid for, so I could just maybe say like a hundred days, and after a hundred

42
00:04:28,959 --> 00:04:35,759
days the certificate will expire; it will no longer be valid. Now I will say -newkey. This means that I'm

43
00:04:35,759 --> 00:04:41,759
going to create a certificate as well as a new key, and what I want to do is to specify the type of

44
00:04:41,759 --> 00:04:48,319
key I want, so I'm going to say RSA, which is a type of encryption for public key cryptography. This is

45
00:04:48,319 --> 00:04:55,120
the Rivest, Shamir and Adleman cryptographic system, and then I want to specify how large I want my

46
00:04:55,199 --> 00:05:00,480
key to be, so the larger the number you make, the more secure the key happens to be. I would just say

47
00:05:00,480 --> 00:05:08,240
2048 bits, and then I'm going to say -keyout, which is whereabouts do I want my key to reside, i.e.

48
00:05:08,240 --> 00:05:14,879
where will the key actually be generated. I'll just put it in /etc/apache2 and I'll call this my

49
00:05:14,879 --> 00:05:22,079
private key.key, and then I will say -out to specify whereabouts I want to create my

50
00:05:22,079 --> 00:05:26,719
certificate. Again I'll just put it in the same location, /etc/apache2, and I'll just call

51
00:05:26,719 --> 00:05:34,879
this my cert.crt, and once I hit enter it's going to ask me a bunch of questions. So what is the

52
00:05:34,879 --> 00:05:40,240
country name? Give it a code; this could be US or UK. I'll just say UK. State or province, I'll just

53
00:05:40,240 --> 00:05:46,560
hit enter. City, I'll just say, I don't know, Glasgow, whatever. Organization name, I'll just say CBTN.

54
00:05:46,639 --> 00:05:52,160
Unit number, I'll just hit enter. The common name, this is one we actually do want to be

55
00:05:52,160 --> 00:05:56,560
remembering; this is actually an important one. This is where we're going to specify

56
00:05:56,560 --> 00:06:02,079
the value of our server, i.e. the domain name or the IP address of the server, so I'm just going to type

57
00:06:02,079 --> 00:06:09,199
in the server's IP address, which is 192.168.0.44, and I'll say the email address, I'll just maybe say

58
00:06:09,199 --> 00:06:16,240
John at ipv0.com, whatever it may be, I'm just making this up, and there we go. So the information I really

59
00:06:16,240 --> 00:06:22,639
want to be remembering here is this part right here, the common name, as well as my email address here,

60
00:06:22,639 --> 00:06:29,759
and of course the locations of these particular files, my private key as well as my cert. So what I

61
00:06:29,759 --> 00:06:37,040
now need to do is to tell Apache to use these SSL configurations, so if I do an ls and I go back

62
00:06:37,040 --> 00:06:46,400
into default-ssl.conf. So I'll say the ServerAdmin, this is going to be John at ipv0.com. Doesn't

63
00:06:46,400 --> 00:06:52,720
matter that this address doesn't actually exist in real life, and our SSLEngine is on, as we can see

64
00:06:52,720 --> 00:06:59,040
right here. Now what I'm going to add here is I'm actually going to add ServerName, and I'll type in

65
00:06:59,040 --> 00:07:07,680
the IP address of my server, so 192.168.0.44. Now the SSLCertificateFile, remember this is where

66
00:07:07,680 --> 00:07:16,480
our certificate is going to be, so I will say /etc/apache2 and I think it was my cert.crt, I believe,

67
00:07:16,480 --> 00:07:22,240
and the key file will be the private key. This will be /etc/apache2, if I just mashed the keypad,

68
00:07:22,879 --> 00:07:29,840
apache2, and that should be my private key, I believe, .key. Okay, so I'll save this and I'll go back out.

69
00:07:29,840 --> 00:07:36,160
So now what I want to do is I want to enable my headers module as well as SSL, so the command

70
00:07:36,160 --> 00:07:42,879
that I'm going to use, I'm going to say sudo and I'll say a2enmod ssl, and we can see here we are

71
00:07:42,879 --> 00:07:51,600
enabling module ssl. I'm now going to say sudo a2enmod headers, and we are enabling our module headers.

72
00:07:51,600 --> 00:08:01,120
Clear the screen. I'm now going to say sudo a2ensite default-ssl to enable my SSL virtual host.

73
00:08:01,120 --> 00:08:07,600
So now what I want to do is I want to restart my server, so I'll say sudo systemctl and I will

74
00:08:07,600 --> 00:08:13,280
restart apache2, okay. Okay, so what I will do now is I will actually go to my browser then,

75
00:08:13,280 --> 00:08:19,760
okay, so let's log in right here, type in my password, let's go to my browser up here. So if I just try

76
00:08:19,759 --> 00:08:25,599
to reach over regular HTTP, the unencrypted, and I type in my web address, we can see here we're

77
00:08:25,599 --> 00:08:31,519
actually receiving the content of that web address, hey there welcome to ipv0 site. However, if I click

78
00:08:31,519 --> 00:08:37,039
on this little lock here it says the connection is not secure. This is unencrypted, so anyone watching

79
00:08:37,039 --> 00:08:42,080
this connection could actually see what I was actually reading on this website. All of this

80
00:08:42,080 --> 00:08:46,879
stuff right here would be able to become visible to that attacker, so this is obviously a problem.

81
00:08:46,879 --> 00:08:51,439
Let's say I was doing banking transfers, for example; I don't want that to be readable. So I'll try to

82
00:08:51,439 --> 00:08:59,439
reach this over HTTPS. If I do that and hit enter, notice here it's saying we have a potential security

83
00:08:59,439 --> 00:09:07,279
risk ahead. Now this is because our browser cannot verify our certificate via a certificate authority,

84
00:09:07,279 --> 00:09:13,919
because, like I say, we happen to be using a self-signed certificate. But because we happen to know this

85
00:09:13,919 --> 00:09:18,799
is a self-signed certificate, we did it ourselves, we can just say go to advanced. Now we can actually

86
00:09:18,799 --> 00:09:24,479
see here it says this certificate isn't trusted because it is self-signed. Now we can actually view

87
00:09:24,479 --> 00:09:28,959
the certificate if we so wish, and we can see here the information relating to the certificate, the

88
00:09:28,959 --> 00:09:35,199
country, this is the information we actually filled in, all the stuff here. We can see the key, the algorithm

89
00:09:35,199 --> 00:09:41,120
is RSA, the key size is 2048, and you know, we created this certificate, we know this is the one we are

90
00:09:41,120 --> 00:09:46,480
expecting, so what we'll do is we'll actually go back and we'll say accept the risk and continue.

91
00:09:46,480 --> 00:09:53,120
So now we're actually receiving the same information on this website, and whilst its validity is not

92
00:09:53,120 --> 00:09:58,240
absolutely secure due to the fact that this is a self-signed certificate, the reality is that this

93
00:09:58,240 --> 00:10:04,960
information is being served over to us using encryption; it is using SSL. So anyone who happens

94
00:10:04,960 --> 00:10:10,000
to be eavesdropping on this communication could actually see that I was visiting this website,

95
00:10:10,000 --> 00:10:16,159
they could see the actual metadata, so to speak, but they couldn't actually see what it is I was

96
00:10:16,159 --> 00:10:20,559
doing on this website. They couldn't actually see, say for example, this message here, hey there welcome

97
00:10:20,559 --> 00:10:25,919
to ipv0 site; that would be fully encrypted. Same way if I was sending bank details or whatever it may

98
00:10:25,919 --> 00:10:32,480
be, all of that data is going to be now encrypted. Okay, so that is us for our basics of SSL configuration

99
00:10:32,480 --> 00:10:36,879
on Apache. I hope this has been informative for you, and I'd like to thank you for viewing.

