
Monday, January 12, 2009

FTPS with Apache keys

FTPS (FTP over SSL) is different from SFTP: the latter is a subsystem of the SSH service. Whatever a user can reach through SSH, such as files under other directories like /etc, is also reachable through SFTP, so with SFTP one can download a copy of the /etc/passwd file. To safeguard against this you have to chroot SFTP users so that they are restricted to their home directory. I found the configuration of chrooted SFTP difficult. Since I already had an FTP server running on the same box, with chrooted users, it made a lot of sense to me to use FTPS: I just had to add the certificate locations, and the rest of the configuration was already there.

In my other post I wrote about using Apache Tomcat SSL keys in the Apache httpd server. This post explains how to use Apache httpd SSL keys in vsftpd.

I assume that you have a working copy of vsftpd. If not, please install and configure vsftpd as per your requirements. Here is what you have to do to enable FTPS (FTP over SSL).

Store all your Apache SSL keys and certificates in a location accessible to vsftpd. I kept them under /root/vsftpd_keys/. There will be a minimum of two files (the private key and the server certificate). In my case I had four: the private key (exported.key), the server certificate (mydomain.com.crt) and two intermediate certificates (cross_intermediate.crt, gd_intermediate.crt). Keep the private key owned by root with mode 600; vsftpd starts as root and loads the key before it drops privileges, and a private key that other users can read is as good as stolen.

First we have to combine the server certificate and the intermediate certificates into one chain file:
# cd /root/vsftpd_keys/
# cat mydomain.com.crt gd_intermediate.crt cross_intermediate.crt > vsftpd_domain_inter_comb3.crt

Note: 1. The order matters: the server certificate must come first, followed by the intermediate that issued it, then the next certificate up the chain. This is the order OpenSSL-based servers expect in a chain file, and it is what the command above produces for a server certificate issued by gd_intermediate.crt, which in turn is issued by cross_intermediate.crt.
          2. It is fine to join just the domain and intermediate certs if your certificate chain doesn't need/have a cross intermediate.

Edit the vsftpd.conf file (usually /etc/vsftpd/vsftpd.conf) and add the following to the end of the file:
userlist_enable=YES
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/root/vsftpd_keys/vsftpd_domain_inter_comb3.crt
rsa_private_key_file=/root/vsftpd_keys/exported.key
pasv_enable=YES
pasv_address=<your ip here>
pasv_min_port=1500
pasv_max_port=1505

Note: 1. When the system is behind a NAT firewall, pasv_address must be the firewall's public (NATed) IP, not the server's private address, otherwise clients are told to connect to an address they cannot reach.
          2. force_local_logins_ssl=YES forces the login (username and password) to go over SSL, but force_local_data_ssl=NO still allows file contents to be transferred in the clear. Set it to YES as well if the files themselves, and not only the credentials, need protection.

The above configuration requires incoming TCP ports 1500 to 1505 (the passive data ports) to be open in the firewall, in addition to port 21. A fixed passive range is needed because, once the control channel is encrypted, the firewall can no longer read the PASV replies and open data ports on the fly.
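The checks below cover the FTPS procedure above end to end: that the concatenated chain file is in the order vsftpd expects, that vsftpd.conf does not leave logins, data or the private key exposed, and what a connecting client is actually served. This is an added example, not part of the original post; it assumes the openssl CLI is installed, and the paths and host name in the comments are placeholders for your own.

```shell
#!/bin/sh
# ftps_check.sh: sanity checks for the FTPS setup described above.
# Added example, not from the original post; needs the openssl CLI.
#
#   check_chain /root/vsftpd_keys/vsftpd_domain_inter_comb3.crt
#   audit_vsftpd_conf /etc/vsftpd/vsftpd.conf
#   probe_ftps ftp.mydomain.com

# split_pem FILE DIR: write each certificate in FILE to DIR/cert-NN.pem,
# in the order it appears in the bundle.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$1"
}

# check_chain FILE: OpenSSL-based servers (vsftpd included) expect the server
# certificate first, then its issuer, then the issuer's issuer. Prints each
# subject with its issuer; returns 1 if any certificate is not followed by the
# one that issued it.
check_chain() {
    dir=$(mktemp -d) || return 2
    split_pem "$1" "$dir"
    if [ ! -e "$dir/cert-01.pem" ]; then
        echo "no certificates found in $1" >&2
        rm -rf "$dir"
        return 1
    fi
    rc=0
    prev_issuer=""
    for cert in "$dir"/cert-*.pem; do
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert")
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$cert")
        printf '%s\n    issued by %s\n' "$subject" "$issuer"
        if [ -n "$prev_issuer" ] && [ "${prev_issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "    ERROR: the previous certificate was not issued by this one" >&2
            rc=1
        fi
        prev_issuer=$issuer
    done
    rm -rf "$dir"
    return $rc
}

# conf_get FILE KEY: value of KEY in a vsftpd.conf (last assignment wins;
# an absent key means vsftpd's built-in default applies).
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_vsftpd_conf FILE: report settings that leave credentials, file data or
# the private key exposed. vsftpd defaults ssl_sslv2/ssl_sslv3 to NO and
# force_local_logins_ssl/force_local_data_ssl to YES, so only explicit weak
# values are flagged. Findings go to stderr, the count to stdout.
audit_vsftpd_conf() {
    n=0
    [ "$(conf_get "$1" ssl_enable)" = "YES" ] ||
        { echo "WEAK: ssl_enable is not YES, FTPS is off entirely" >&2; n=$((n + 1)); }
    [ "$(conf_get "$1" ssl_sslv2)" != "YES" ] ||
        { echo "WEAK: ssl_sslv2=YES (SSLv2 is broken)" >&2; n=$((n + 1)); }
    [ "$(conf_get "$1" ssl_sslv3)" != "YES" ] ||
        { echo "WEAK: ssl_sslv3=YES (SSLv3 is obsolete)" >&2; n=$((n + 1)); }
    [ "$(conf_get "$1" force_local_logins_ssl)" != "NO" ] ||
        { echo "WEAK: force_local_logins_ssl=NO, passwords may cross the wire in clear" >&2; n=$((n + 1)); }
    [ "$(conf_get "$1" force_local_data_ssl)" != "NO" ] ||
        { echo "WEAK: force_local_data_ssl=NO, file contents may cross the wire in clear" >&2; n=$((n + 1)); }
    key=$(conf_get "$1" rsa_private_key_file)
    # group/other permission bits are columns 5-10 of "ls -l"; all dashes means mode 600 or tighter
    if [ -n "$key" ] && [ -e "$key" ] && [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "WEAK: $key is readable or writable by group/others" >&2; n=$((n + 1))
    fi
    echo "$n"
}

# probe_ftps HOST [PORT]: connect, upgrade the control connection with
# AUTH TLS (that is what -starttls ftp sends) and print the protocol, cipher
# and the certificate chain the server actually serves, so a missing
# intermediate shows up before a client complains.
probe_ftps() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:${2:-21}" -starttls ftp -showcerts 2>/dev/null |
        grep -E '^ *[0-9]+ s:|^ *i:|Protocol|Cipher *:|Verify return code'
}
```

check_chain only verifies subject/issuer ordering, not signatures; run `openssl verify` with your CA's bundle if you also want the signatures checked. probe_ftps needs network access to the server and is the one to run after restarting vsftpd.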

Wednesday, January 07, 2009

Exporting Tomcat keys to Apache httpd

Apache Tomcat keeps its SSL private key and certificate in a Java keystore (JKS) created with keytool, and keytool exports certificates in DER format by default. Apache httpd expects PEM (Base64-encoded X.509) files instead, and has no way to read the keystore itself. Using the steps below you can export Tomcat's certificate and private key into the format httpd uses.

I assume that you already have a working copy of Tomcat with SSL. You need a copy of Tomcat's keystore file and the keystore password.

Let us start....

First copy the existing Tomcat keystore file to a new directory so that we don't break anything that is working.

# mkdir /root/SSL_export/
# cp <path/to/tomcat/keystore/file> /root/SSL_export/tomcat.keystore
# cd /root/SSL_export/
# keytool -list -keystore tomcat.keystore
Enter keystore password: 

The above command lists every entry in the keystore. Note the alias of the private key entry; it is tomcat in the commands below.

Now we will export the certificate in DER format:
# keytool -export -alias tomcat -keystore tomcat.keystore -file exported-der.crt
Enter keystore password: 
Output will be: Certificate stored in file <exported-der.crt>

The certificate (only the certificate; keytool never exports the private key this way) will be stored in exported-der.crt.

Verify the certificate with this command:
# openssl x509 -noout -text -in exported-der.crt -inform der
Output will be the decoded certificate: who issued it, the subject (your company name etc.), the validity dates and the public key.

Now convert the certificate to PEM format so that Apache can understand it:
# openssl x509 -out exported-pem.crt -outform pem -in exported-der.crt -inform der

The PEM certificate will be in the file exported-pem.crt. (keytool -export -rfc writes PEM directly and lets you skip this conversion.)

We have exported the certificate, which carries the public key, and are now going to export the private key, for which keytool has no export command.

Download these files:
# wget  http://richfreedman.googlepages.com/ExportPrivateKey.java
# wget http://www.source-code.biz/snippets/java/Base64Coder.java.txt
# mv Base64Coder.java.txt Base64Coder.java
# javac ExportPrivateKey.java Base64Coder.java

The command below prints the private key in PKCS#8 PEM format; redirect it into a file. The arguments are the keystore, the key alias and the keystore password. Note that the password is given on the command line, so it lands in your shell history and is visible in the process list while the command runs.
# java ExportPrivateKey tomcat.keystore tomcat <keystore password> > exported-pkcs8.key

We have to convert it from PKCS#8 to the traditional RSA PEM format so that Apache can recognise it:
# openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key

The private key is now exported, unencrypted, to the file exported.key; keep it owned by root with mode 600.
Download the intermediate certificate from your certificate authority and keep it in the same location.

Now we should configure Apache accordingly:
# cd /etc/httpd/conf.d/
# cp ssl.conf ssl.conf.orig
# vi ssl.conf (change the following lines only, commenting out the old ones rather than deleting them):
SSLCertificateFile /root/SSL_export/exported-pem.crt
SSLCertificateKeyFile /root/SSL_export/exported.key
SSLCertificateChainFile /root/SSL_export/<intermediate.crt>

Restart Apache. You should now be able to browse https://yourdomain.com/ without a certificate warning; if the browser still reports an unknown issuer, the chain file is the usual culprit.
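The same export can be done with keytool and openssl alone, without the third-party ExportPrivateKey.java, by copying the key entry into a PKCS#12 keystore (keytool -importkeystore, available since JDK 6) and splitting that with openssl. The script below does that and then checks that the exported key really belongs to the exported certificate, the one test worth running before touching ssl.conf. This is an added example, not part of the original post; it assumes keytool and the openssl CLI are on the PATH, and the file names are placeholders.

```shell
#!/bin/sh
# jks_export.sh: take the private key and certificate out of a Tomcat (JKS)
# keystore for Apache httpd using only keytool and openssl.
# Added example, not from the original post.
#
#   jks_to_pkcs12 tomcat.keystore tomcat tomcat.p12
#   pkcs12_to_pem tomcat.p12 "$STOREPASS" exported.key exported-pem.crt
#   key_matches_cert exported.key exported-pem.crt && echo "key and certificate match"

# jks_to_pkcs12 KEYSTORE ALIAS OUT.p12
# keytool refuses to print a private key, but it will copy the whole entry
# into a PKCS#12 keystore, which openssl can read. No password is passed on
# the command line: keytool prompts for the store passwords, so they stay out
# of shell history. Add -srckeypass if the key entry has its own password.
jks_to_pkcs12() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype JKS -srcalias "$2" \
        -destkeystore "$3" -deststoretype PKCS12
}

# pkcs12_to_pem P12 PASSWORD KEY.pem CERT.pem
# Splits the PKCS#12 file into an unencrypted private key (created with
# mode 600 via the umask) and the bare certificate. Piping through
# "openssl rsa" / "openssl x509" drops the "Bag Attributes" headers so the
# output files contain nothing but PEM. Returns 1 if the key cannot be read
# (wrong password, or a PKCS#12 whose ciphers need "-legacy" on OpenSSL 3).
pkcs12_to_pem() {
    ( umask 077
      openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
          openssl rsa -out "$3" 2>/dev/null ) || return 1
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
        openssl x509 -out "$4"
}

# key_matches_cert KEY.pem CERT.pem: true when the certificate carries the
# public half of this private key (identical RSA modulus). Run it on the
# exported pair before restarting httpd; a mismatch is what mod_ssl would
# otherwise report as "key values mismatch" at startup.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Depending on the OpenSSL version, "openssl rsa" writes the key as either "BEGIN RSA PRIVATE KEY" (PKCS#1) or "BEGIN PRIVATE KEY" (PKCS#8); httpd reads both, and the post's openssl pkcs8 step converts the latter into the former if you want exported.key to look exactly as described. If an OpenSSL 3 build refuses a PKCS#12 file written by an older keytool (RC2 or 3DES), add -legacy to both openssl pkcs12 commands.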