WordPress: Administration Over SSL #1

   As I wrote before, my WordPress Login, I can only do via my home LAN because of my access control. But, honestly, it’s inconvenient very much (-_-;). So, I want I can log in my WordPress by my mobile PC. However, to transmit an unencrypted password goes against my policy.

   So, I decide to support SSL on my server (WindowsXP SP3 (x86)) again. Actually, as Apache 2.4 win32 binaries is built with apr-1.4.6 apr-util-1.4.1 apr-iconv-1.2.1 openssl-1.0.1e zlib-1.2.7 pcre-8.32 libxml2-2.9.0 lua-5.1.5 expat-2.1.0, it includes openssl.exe, openssl.cnf and other openssl files. The user is only me and the feature I need is only to log in my WordPress. Therefore, I need a private CA instead of the provider CA, like as VeriSign‘s.

   First, I make cakey.pem and cacert.pem. Usually, we use CA.pl on windows. But, Apache 2.4 win32 binaries doesn’t have CA.pl, so I use openssl.exe directly as command line tool. You can find HOW TO on the document page.

1. Make a directory myCA somewhere in the server. Under the myCA, make directories private and newcerts, an empty text file index.txt. Actually, I made the myCA directory on a removable media. Because it’s convenient for moving my_ca.crt and clientcert.p12 to my client PC and secure if I remove it from my server when not using.
2. The file openssl.cnf exists in the Apache conf directory. On WindowsXP, you see openssl.cnf as openssl, a file type “SpeedDial”. Open the file and modify. This modification is absolutely necessary on WindowsXP. If not, you will have an error like the below. MS new cmd.exe can use both “/” and “” as directory separators. But old cmd.exe can’t use “/”. Besides, to escape character is required in the file. So, you need “”.
   

   Error opening CA private key ./myCA/private/cakey.pem
   3464:error:02001003:system library:fopen:No such process:.cryptobiobss_file.c:398:fopen(‘./myCA/private/cakey.pem’,’rb’)
   3464:error:20074002:BIO routines:FILE_CTRL:system lib:.cryptobiobss_file.c:400:
   unable to load CA private key

   Modification of openssl.cnf:

   　　　　　RANDFILE = $ENV::HOME/.rnd　—>　RANDFILE = $ENV::HOME.rnd
   　　　　　#oid_file = $ENV::HOME/.oid　—>　#oid_file = $ENV::HOME.oid

   　　　　　dir = ./demoCA　—>　dir = (drive xx):myCA　　　(Exact path required)
   　　　　　certs = $dir/certs　—>　certs = $dircerts
   　　　　　crl_dir = $dir/crl　—>　crl_dir = $dircrl
   　　　　　database = $dir/index.txt　—>　database = $dirindex.txt

   　　　　　new_certs_dir = $dir/newcerts　—>　new_certs_dir = $dirnewcerts

   　　　　　certificate = $dir/cacert.pem　—>　certificate = $dircacert.pem
   　　　　　serial = $dir/serial　—>　serial = $dirserial
   　　　　　crlnumber = $dir/crlnumber　—>　crlnumber = $dircrlnumber

   　　　　　crl = $dir/crl.pem　—>　crl = $dircrl.pem
   　　　　　private_key = $dir/private/cakey.pem　—>　private_key = $dirprivatecakey.pem
   　　　　　RANDFILE = $dir/private/.rand　—>　RANDFILE = $dirprivate.rand

   If you use TSA (Time Stamping Authority), you have to make the same modifications for the TSA area.

   As I use 2048 bits as default, I also modify the next.
   　　　　　default_bits = 1024　—>　default_bits = 2048

   By the way, I don’t add (drive x):(Apache bin dir) to the path environment variable. If you feel better to do that, please do so though I don’t like it.

3. Run cmd.exe
   >cd (drive xx):myCA
   >copy index.txt+　　　(as a replacement for UNIX touch command)
   >echo 01 > serial　　　(a serial file contains a valid serial number is required)
   >(drive x):(Apache bin dir)openssl req -new -keyout privatecakey.pem -out careq.pem -config (drive x):(Apache conf dir)openssl.cnf

   　　　　　Enter PEM pass phrase: xxxxxxxxxxxxxxxx　　　(pass phrase for cakey.pem)
   　　　　　Verifying – Enter PEM pass phrase: xxxxxxxxxxxxxxxx　　　(pass phrase for cakey.pem)

   　　　　　Country Name:JP
   　　　　　State or Province Name:FUKUOKA
   　　　　　Locality Name:FUKUOKA
   　　　　　Organization Name:o6asan’s Web Site
   　　　　　Organizational Unit Name:myCA
   　　　　　Common Name:o6asan.com
   　　　　　Email Address:My mail address

   　　　　　A challenge password: blank
   　　　　　An optional company name: blank

4. Selfsign a certificate request, using CA extensions:
   >(drive x):(Apache bin dir)openssl ca -config (drive x):(Apache conf dir)openssl.cnf -selfsign -in careq.pem -extensions v3_ca -out cacert.pem

   　　　　　Enter pass phrase for (drive xx):myCAprivatecakey.pem: xxxxxxxxxxxxxxxx　　　(pass phrase for cakey.pem)

   　　　　　Sign the certificate? [y/n]: y
   　　　　　1 out of 1 certificate requests certified, commit? [y/n] y

   　　　　　>copy cacert.pem (drive x):(Apache conf dir)　　　(cacert.pem for Server use)
   　　　　　>copy cacert.pem my_ca.crt　　　(my_ca.crt for Client use)

   Second, I make server.key and server.crt.

1. >(drive x):(Apache bin dir)openssl req -new -keyout server.key -out server.csr -config (drive x):(Apache conf dir)openssl.cnf

   　　　　　Enter PEM pass phrase: xxxxxxxxxxxxxxxx　　　(pass phrase for server.key)
   　　　　　Verifying – Enter PEM pass phrase: xxxxxxxxxxxxxxxx　　　(pass phrase for server.key)

   　　　　　Country Name:JP
   　　　　　State or Province Name:FUKUOKA
   　　　　　Locality Name:FUKUOKA
   　　　　　Organization Name:o6asan’s Web Site
   　　　　　Organizational Unit Name:WordPress
   　　　　　Common Name:o6asan.com
   　　　　　Email Address:My mail address

   　　　　　A challenge password: blank
   　　　　　An optional company name: blank

2. Sign a certificate request:
   >(drive x):(Apache bin dir)openssl ca -in server.csr -out server.crt -config (drive x):(Apache conf dir)openssl.cnf

   　　　　　Enter pass phrase for (drive xx):myCAprivatecakey.pem: xxxxxxxxxxxxxxxx　　　(pass phrase for cakey.pem)

   　　　　　Sign the certificate? [y/n]: y
   　　　　　1 out of 1 certificate requests certified, commit? [y/n] y

   　　　　　>copy server.crt (drive x):(Apache conf dir)

3. As Win32 doesn’t support SSLPassPhraseDialog builtin, I need to remove the encryption from my server.key because of getting rid of an error at Apache startup time (PDF version).

   　　　　　>copy server.key cp_server.key
   　　　　　>(drive x):(Apache bin dir)openssl rsa <cp_server.key> (drive x):(Apache conf dir)server.key

   　　　　　Enter pass phrase: xxxxxxxxxxxxxxxx　　　(pass phrase for server.key)

   Third, I make clientcert.p12.

1. >(drive x):(Apache bin dir)openssl req -new -keyout client.key -out client.csr -config (drive x):(Apache conf dir)openssl.cnf

   　　　　　Enter PEM pass phrase: xxxxxxxxxxxxxxxx　　　(pass phrase for client.key)
   　　　　　Verifying – Enter PEM pass phrase: xxxxxxxxxxxxxxxx　　　(pass phrase for client.key)

   　　　　　Country Name:JP
   　　　　　State or Province Name:FUKUOKA
   　　　　　Locality Name:FUKUOKA
   　　　　　Organization Name:o6asan’s Web Site
   　　　　　Organizational Unit Name:Administration
   　　　　　Common Name:o6asan
   　　　　　Email Address:My mail address

   　　　　　A challenge password: blank
   　　　　　An optional company name: blank

2. >(drive x):(Apache bin dir)openssl ca -in client.csr -out client.crt -config (drive x):(Apache conf dir)openssl.cnf

   　　　　　Enter pass phrase for (drive xx):myCAprivatecakey.pem: xxxxxxxxxxxxxxxx　　　(pass phrase for cakey.pem)

   　　　　　Sign the certificate? [y/n]: y
   　　　　　1 out of 1 certificate requests certified, commit? [y/n] y

3. Make pkcs12 format client file.
   >(drive x):(Apache bin dir)openssl pkcs12 -export -in client.crt -inkey client.key -out clientcert.p12

   　　　　　Enter pass phrase for client.key: xxxxxxxxxxxxxxxx　　　(pass phrase for client.key)
   　　　　　Enter Export Password: xxxxxxxxxxxxxxxx　　　(password for client PC use)
   　　　　　Verifying – Enter Export Password: xxxxxxxxxxxxxxxx　　　(password for client PC use)

   Close cmd.exe

   Now, I have cacert.pem, server.crt, server.key in my Apache conf directory, and, my_ca.crt and clientcert.p12 for my client PC on the removable media. These five files I only need to support SSL on my server.

   I uncomment the following lines in my current httpd.conf.

• LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
• LoadModule ssl_module modules/mod_ssl.so
• Include conf/extra/httpd-ssl.conf

   I modify the file httpd-ssl.conf which exists in the Apache extra conf directory.
　　　　　Listen 443　—>　Listen xxxxx　　　(If you leave the default, it’s no problem.)

　　　　　<VirtualHost _default_:443>　—>　<VirtualHost _default_:xxxxx>
　　　　　DocumentRoot “c:/Apache24/htdocs”　—>　DocumentRoot “my document root”
　　　　　ServerName www.example.com:443　—>　ServerName o6asan.com:xxxxx
　　　　　ServerAdmin admin@example.com　—>　ServerAdmin My mail address
　　　　　ErrorLog “c:/Apache24/logs/error.log”
　　　　　—>　ErrorLog “|bin/rotatelogs.exe -l -f logs/error.%Y.%m.%d 86400″　(my ErrorLog format)
　　　　　TransferLog “c:/Apache24/logs/access.log”
　　　　　—>　TransferLog “|bin/rotatelogs.exe -l -f logs/access.%Y.%m.%d 86400″　(my CustomLog format)

　　　　　#SSLCACertificateFile “c:/Apache24/conf/ssl.crt/ca-bundle.crt”
　　　　　—>　SSLCACertificateFile “C:/Apache24/conf/cacert.pem”

　　　　　#SSLVerifyClient require　—>　SSLVerifyClient require
　　　　　#SSLVerifyDepth 10　—>　SSLVerifyDepth 10　SSLVerifyDepth 1

　　　　　<Directory “c:/Apache24/cgi-bin”>　—>　<Directory “my cgi-bin directory”>

   Restart My Apache.
   Install my_ca.crt and clientcert.p12 to my client PC Web browser.

   The remaining is the settings for my WordPress. Whew!

Edit(Jun.19):
   When I first logged in my WordPress over SSL, I had the message “Multisite only works without the port number in the URL”. I had no choice, then I replaced port xxxxx with the default. (^^;)