
Information Systems Security Essentials - ISS611S

Lab - Cryptography

Student Name and Number: Tashinga Ryan Manunure

222002905

Lab Group Number: 3

Date of submission: 18/03/23

Lab Lecturer: Ms Wesley Kambrude

Lab Duration: 120 Minutes

Objectives
To understand the concept of digital certificates

Tools:
1. Debian 11 Virtual Machine
2. Apache HTTP Server
3. Putty (Optional, but recommended)
4. Downloads/Installations should be done while on NUST network

Summary

The purpose of this lab is to allow students to generate a key and use the key to create a certificate for a
website running on Apache. The website should then be running with SSL on port 443 after successful
configuration.

Deliverables
1. Detailed report of the steps you took to achieve the objective of the lab.
NB: All steps should be explained (Their purposes).

2. Proof that all data communication is now encrypted.


Configuring your Debian

1. Make sure that your Debian system can ping the local repository.
Hint: Make sure the VM’s network card is in NAT mode and can communicate with the outside
network.
(Insert screenshot)

2. Enter the following entry in the Debian virtual Machine’s sources list located in /etc/apt/ directory.
a. Source list is in the directory mentioned below. Use your Linux expertise to navigate to that
directory.
(Insert screenshot)
b. Use a text editing tool (nano) to open the file: sources.list
(Insert screenshot)

NB: Verify that the following lines are in the sources.list file; if they are not, add them to the file and save:
deb http://deb.debian.org/debian/ bullseye main
deb-src http://deb.debian.org/debian/ bullseye main
deb http://security.debian.org/debian-security bullseye-security main
deb-src http://security.debian.org/debian-security bullseye-security main
deb http://deb.debian.org/debian/ bullseye-updates main
deb-src http://deb.debian.org/debian/ bullseye-updates main

3. Run the following command:

# apt-get update

4. Check if openssl and apache2 are installed, if not install them.


(Insert screenshot and explain commands used)
1. openssl version
The command <version> checks the version of a service and is also useful for checking whether a service is installed
or not.
2. apache2 -v
This command checks the version of apache2 and is also useful for checking whether apache2 is installed or not.

5. Edit the index file of the new apache web server and write: “Welcome to Lab1”. Restart the apache2
service after that.
(Insert screenshots and explain commands used)
1. echo "Welcome to Lab 1" > /var/www/html/index.html
The command <echo> is used to edit the index file of the apache web server. It passes the text or
string in the double quotes next to it into the index file.
2. systemctl restart apache2
Restarts the apache2 service.
3. hostname -I
This command reveals only the IP address of the Debian machine.

Enter the IP address of your apache web server from another computer to see that the server is indeed
running. If it's running, notice that it is running on http. Not secure, right? Let's enable the SSL module to
secure our website.
6. Enable apache ssl module with the following commands, then restart apache2 service.

(Insert screenshot and explain commands used)


1. sudo a2enmod ssl
This command enables SSL mode
2. systemctl restart apache2
This command restarts the apache2 service hence allowing the activation of new configurations.
3. sudo a2ensite default-ssl
This command enables ssl for all pages so that they can be viewed using https.
4. systemctl reload apache2
This command reloads the apache configuration file without restarting the entire HTTP process.

7. Create a directory under the apache2 directory to store the certificate and key.
(Insert screenshot)

8. Generate key and create certificate


# cd /etc/apache2/ssl
# openssl genrsa -aes128 -out server.key 2048
# openssl rsa -in server.key -out server.key
# openssl req -new -days 3650 -key server.key -out server.csr
# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

(Insert screenshot and explain commands used)


1. cd /etc/apache2/ssl
This command changes directory to the ssl directory
2. openssl genrsa -aes128 -out server.key 2048
This command generates an RSA private key of 2048-bit length for the certificate.
3. openssl rsa -in server.key -out server.key
This command loads an unprotected private key of the certificate.
4. openssl req -new -days 3650 -key server.key -out server.csr
This command sets the validity period of the certificate.
5. openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
This command issues a request for X.509 standard defining the format of public key certificates.

Enter the necessary information for the key and certificate.


Country Name: AU
State: Victoria
Locality Name: Melbourne
Organization Name: GeneSyS
Organizational Unit: Software Devs
Common Name: ISS
Email Address:

Make sure that the key and certificate have been created, then change permissions for all files in the ssl
directory.
# ls -l /etc/apache2/ssl/
-This command displays the contents of the ssl directory in a list of lines
# chmod 600 /etc/apache2/ssl/*
- This command gives the owner full read and write access to the file and no other user can access
the file.

9. Finally, configure apache to use the newly created certificate. To do this, open and edit the
default-ssl.conf file with the following configurations.

(Insert screenshot and explain commands used)


nano /etc/apache2/sites-enabled/default-ssl.conf
- This command is used to open default-ssl.conf file hence allowing user to edit the file as well.
ServerAdmin webmaster@localhost
ServerName 192.168.202.128:443

443: is explicitly for HTTPS services, so all secured transactions are made using port 443 (it is a
standard port for all HTTPS (encrypted) traffic).

NB: The IP address that should be entered here is the IP address of your Debian virtual machine.
This will configure the apache web server to use port 443 for http requests.

- Look for “sslcertificatefile”, and enter the location and name of the certificate you created at point 8.
- Also, “sslcertificatekeyfile”, and enter the location and name of the certificate you created at point 8.

SSLCertificateFile
SSLCertificateKeyFile

10. Reload apache2 service


(Insert screenshot and explain commands used)
1. systemctl reload apache2
- This command reloads the apache configuration file, without restarting the entire HTTP Process

11. Run the netstat command to see that port 443 is indeed listening (on the debian apache web server)
# netstat -ant | grep 443

12. Use another PC, insert the url:


https://<yourIPAddress>
(Insert screenshot)

If all configurations have been done properly, proceed through the security warning to access your https
website.

13. View the certificate from the web browser, study the certificate and write a summary of
what information you are able to get from the certificate.
(Insert screenshot)

You can also use the command below to view the certificate information.

# openssl s_client -connect 192.168.202.128:443

14. Repeat this task, this time with details of your own. Take a screen shot of your newly created
certificate and send it with the summary to your practical lecturer.
(Insert screenshot)
SUMMARY OF INFORMATION OBTAINED FROM THE CERTIFICATE
1. UNDER GENERAL INFORMATION THERE IS:
- Common Name
- Organization name
- Organizational Unit for Issued for and Issued by, validity period and fingerprints
2. UNDER DETAILS
- Certificate Hierarchy
Shows the server name - ISS
- Certificate Fields shows:
Version
Serial Number
Certificate Signature Algorithm
Issuer details and validity
- Subject
- Subject Public Key Info
- Certificate Signature Value
- Fingerprints
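
The key and certificate procedure of step 8, together with the certificate fields summarised for step 13, as an added example that is not part of the original lab sheet or report. It runs non-interactively in a temporary directory and checks the result before the files would be referenced in step 9; the `WORK` directory and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: step 8 without prompts, in a scratch directory instead of
# /etc/apache2/ssl, followed by checks on the resulting key and certificate.
set -eu

# Subject values are the ones entered in the lab; WORK is an assumed temp dir.
SUBJ="/C=AU/ST=Victoria/L=Melbourne/O=GeneSyS/OU=Software Devs/CN=ISS"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_cert() {
  # 2048-bit RSA key written without a passphrase (the lab reaches the same
  # state by encrypting with -aes128 and then rewriting the key with
  # "openssl rsa"). umask 077 creates the file as 0600 from the start.
  ( umask 077; openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null )
  # The CSR carries the subject and the public key.
  openssl req -new -key "$WORK/server.key" -subj "$SUBJ" -out "$WORK/server.csr"
  # Self-sign the request with its own key; validity is fixed here.
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -days 3650 -out "$WORK/server.crt" 2>/dev/null
}

# The public key derived from server.key must equal the one in server.crt,
# otherwise Apache refuses to start with this pair.
key_matches_cert() {
  k="$(openssl pkey -in "$WORK/server.key" -pubout | openssl sha256)"
  c="$(openssl x509 -in "$WORK/server.crt" -noout -pubkey | openssl sha256)"
  [ "$k" = "$c" ]
}

# A self-signed certificate has identical subject and issuer names.
is_self_signed() {
  s="$(openssl x509 -in "$WORK/server.crt" -noout -subject | sed 's/^subject= *//')"
  i="$(openssl x509 -in "$WORK/server.crt" -noout -issuer | sed 's/^issuer= *//')"
  [ "$s" = "$i" ]
}

# Octal permission bits of the private key file.
key_mode() { stat -c '%a' "$WORK/server.key"; }

make_cert
key_matches_cert && echo "key matches certificate"
is_self_signed && echo "self-signed: explains the browser warning in step 12"
echo "private key mode: $(key_mode)"
# The fields summarised for step 13, read from the file instead of the browser.
openssl x509 -in "$WORK/server.crt" -noout \
  -subject -issuer -serial -dates -fingerprint -sha256
```
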

NOTE: The purpose is to learn. Have fun. If you need assistance, just ask and it will be offered.
