SSL Howto: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
= The easy way = | |||
Use https://wiki.edgarbv.com/index.php/Installing_a_new_webserver#Lets_Encrypt Let's Encrypt! | |||
= Depreciated = | |||
The Debian way /usr/share/doc/apache2.2-common/README.Debian | The Debian way /usr/share/doc/apache2.2-common/README.Debian | ||
<pre> | <pre> | ||
Line 142: | Line 147: | ||
SSLSessionCacheTimeout 15 | SSLSessionCacheTimeout 15 | ||
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNUL | SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNUL | ||
SSLCACertificateFile /etc/ssl/certs/ | SSLCACertificateFile /etc/ssl/certs/hostnameca.crt | ||
CustomLog /var/log/apache2/ssl.log "%t %{version}c %{cipher}c %{clientcert}c" | CustomLog /var/log/apache2/ssl.log "%t %{version}c %{cipher}c %{clientcert}c" | ||
Latest revision as of 10:21, 27 November 2017
The easy way
Use https://wiki.edgarbv.com/index.php/Installing_a_new_webserver#Lets_Encrypt Let's Encrypt!
Depreciated
The Debian way /usr/share/doc/apache2.2-common/README.Debian
Creating self-signed certificates --------------------------------- If you install the ssl-cert package, a self-signed certificate will be automatically created using the hostname currently configured on your computer. You can recreate that certificate (e.g. after you have changed /etc/hosts or DNS to give the correct hostname) as user root with: make-ssl-cert generate-default-snakeoil --force-overwrite To create more certificates with different host names, you can use make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt This will ask you for the hostname and place both SSL key and certificate in the file /path/to/cert-file.crt . Use this file with the SSLCertificateFile directive in the Apache config (you don't need the SSLCertificateKeyFile in this case as it also contains the key). The file /path/to/cert-file.crt should only be readable by root. A good directory to use for the additional certificates/keys is /etc/ssl/private .
Put key files in /etc/ssl/private
put crt and pem files in /etc/ssl/certs
This is set up in three parts, each of which does about the same. The first is the only method to create a .pem file.
============================================== 1. This part is general - for configuration. See parts 2 and beyond for apache configuration ============================================== HowTo make your own Self-Signed SSL Certificate server setup: combined private key and cert ================================================================================== ### Create server key openssl genrsa -out ./server.key 1024 ### Create certificate request openssl req -new -key server.key -out server.csr FQDN: Common Name: foo.example.com or Wildcard: Common Name: *.example.con ### self sign key (increment the serial number "N" for each new cert) openssl x509 -req -days 365 -set_serial N -in server.csr -signkey server.key -out server.crt ### combine the key and cert in one PEM file for simplicity cat server.key server.crt > combined.pem ### view the details of the cert you just made openssl x509 -in combined.pem -noout -text ### copy cert into place cp combined.pem /etc/ssl/certs/ apache specific: -------------------------------------------------- edit httpd.conf and/or ssl.conf SSLCertificateFile /etc/ssl/certs/combined.pem bin/apachectl startssl ============================================ 2. Create a CA setup to sign client certs with ============================================ CA set up... for client certs not server cert... donno who ================================================================================== ### create CA key openssl genrsa -out ./ca.key 1024 ### create CA request openssl req -new -key ca.key -out ca.csr ### self-sign CA request - > CA cert openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.cert ### install it in apache cp ca.crt /usr/local/apache/conf/ssl.crt/ca.crt ### edit httpd.conf SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.crt ======================================== 3. Setup clients for each site ======================================= client setup ================================================================================== ### create client key openssl genrsa -des3 -out client.key 1024 ### request client cert openssl req -new -key client.key -out client.csr ##Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will be later accessed via https://www.foo.dom/ #### sign client cert with CA key! openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt ### covert to opera/sn/ie format (key and cert in 1 file) openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 ### test it openssl s_client -host example.com -port 443 -key client.key -cert client.crt ### print out cert contents openssl x509 -noout -text -in client.crt ### print out key contents (useless?) openssl rsa -noout -text -in client.key If you want to unencrypt the server key (which it needs to start up apache - and you don't want it with a password) then in /opt/httpd/conf/ssl.keys/ do mv server.key server.key.pass openssl rsa < server.key.pass > server.key another source: http://www.pseudonym.org/ssl/ssl_ca.html ================================== 4. Apache2.2 general configurarion options - put them in a seperate file (eg. httpd-ssl.conf) and include them in apache2.conf ================================= SSLMutex default SSLSessionCache none SSLRandomSeed startup builtin SSLRandomSeed connect builtin SSLSessionCache shmcb:/var/log/apache2/ssl_scache(512000) SSLSessionCacheTimeout 15 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNUL SSLCACertificateFile /etc/ssl/certs/hostnameca.crt CustomLog /var/log/apache2/ssl.log "%t %{version}c %{cipher}c %{clientcert}c" ===================================== 5. Apache 2.2 client ===================================== Add the following lines to the virtualhost file in /etc/apache2/ssl-sites-enabled/client.conf SSLEngine On SSLCertificateFile /etc/ssl/certs/client.crt SSLCertificateKeyFile /etc/ssl/private/client.key ======================================== 6. Weird errors ======================================== Make sure every virtualhost configuration file has the lines NameVirtualHost 123.123.123.123:80 or NameVirtualHost 123.123.123.123:443 (if SSL) VirtualHost <123.123.123.123:80> or VirtualHost <123.123.123.123:443> in them These are no longer global server directives! You can of course also set up two default 'catch all' sites with NameVirtualHost *:80 or NameVirtualHost *:443 (if SSL) VirtualHost <*:80> or VirtualHost <*:443> in the configuration files. Otherwise you'll get errors like [error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!) or [error] VirtualHost 82.94.91.76:80 mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
testing
to read the contents of the .pem file
openssl x509 -text -in cert.pem
Simple test for a certificate
openssl s_server -cert mycert.pem -key mykey.key
If the server starts it'll work.
Verify a key
openssl verify cert.pem