SSL Howto: Difference between revisions
Revision as of 20:12, 18 January 2017
The Debian way (from /usr/share/doc/apache2.2-common/README.Debian)

Creating self-signed certificates
---------------------------------
If you install the ssl-cert package, a self-signed certificate will be automatically created using the hostname currently configured on your computer. You can recreate that certificate (e.g. after you have changed /etc/hosts or DNS to give the correct hostname) as user root with:

make-ssl-cert generate-default-snakeoil --force-overwrite

To create more certificates with different host names, you can use

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt

This will ask you for the hostname and place both SSL key and certificate in the file /path/to/cert-file.crt . Use this file with the SSLCertificateFile directive in the Apache config (you don't need the SSLCertificateKeyFile in this case as it also contains the key). The file /path/to/cert-file.crt should only be readable by root. A good directory to use for the additional certificates/keys is /etc/ssl/private .
Put key files in /etc/ssl/private
Put crt and pem files in /etc/ssl/certs

The setup below is in three parts, each of which does roughly the same thing. The first is the only one that creates a .pem file.
==============================================
1. This part is general - for configuration. See parts 2 and beyond for apache configuration
==============================================

HowTo make your own Self-Signed SSL Certificate

server setup: combined private key and cert
==================================================================================

### Create server key
openssl genrsa -out ./server.key 1024

### Create certificate request
openssl req -new -key server.key -out server.csr
FQDN: Common Name: foo.example.com
or Wildcard: Common Name: *.example.com

### self sign key (increment the serial number "N" for each new cert)
openssl x509 -req -days 365 -set_serial N -in server.csr -signkey server.key -out server.crt

### combine the key and cert in one PEM file for simplicity
cat server.key server.crt > combined.pem

### view the details of the cert you just made
openssl x509 -in combined.pem -noout -text

### copy cert into place (the file contains the private key, so keep it readable by root only)
cp combined.pem /etc/ssl/certs/

apache specific:
--------------------------------------------------
edit httpd.conf and/or ssl.conf
SSLCertificateFile /etc/ssl/certs/combined.pem
bin/apachectl startssl

============================================
2. Create a CA setup to sign client certs with
============================================

CA set up... for client certs not server cert... donno who
==================================================================================

### create CA key
openssl genrsa -out ./ca.key 1024

### create CA request
openssl req -new -key ca.key -out ca.csr

### self-sign CA request -> CA cert
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

### install it in apache
cp ca.crt /usr/local/apache/conf/ssl.crt/ca.crt

### edit httpd.conf
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.crt

========================================
3. Setup clients for each site
========================================

client setup
==================================================================================

### create client key
openssl genrsa -des3 -out client.key 1024

### request client cert
openssl req -new -key client.key -out client.csr
## Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will be later accessed via https://www.foo.dom/

### sign client cert with CA key!
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt

### convert to opera/sn/ie format (key and cert in 1 file)
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

### test it
openssl s_client -host example.com -port 443 -key client.key -cert client.crt

### print out cert contents
openssl x509 -noout -text -in client.crt

### print out key contents (useless?)
openssl rsa -noout -text -in client.key

If you want to unencrypt the server key (which it needs to start up apache - and you don't want it with a password) then in /opt/httpd/conf/ssl.keys/ do
mv server.key server.key.pass
openssl rsa < server.key.pass > server.key

another source: http://www.pseudonym.org/ssl/ssl_ca.html

==================================
4. Apache2.2 general configuration options - put them in a separate file (eg. httpd-ssl.conf) and include them in apache2.conf
==================================

SSLMutex default
SSLSessionCache none
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache shmcb:/var/log/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 15
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCACertificateFile /etc/ssl/certs/hostnameca.crt
CustomLog /var/log/apache2/ssl.log "%t %{version}c %{cipher}c %{clientcert}c"

Note that this SSLCipherSuite value is the Apache 2.2 default and still admits SSLv2, export-grade and NULL-encryption ciphers; on a current server restrict it to HIGH ciphers and disable SSLv2/SSLv3 with SSLProtocol.

=====================================
5. Apache 2.2 client
=====================================

Add the following lines to the virtualhost file in /etc/apache2/ssl-sites-enabled/client.conf
SSLEngine On
SSLCertificateFile /etc/ssl/certs/client.crt
SSLCertificateKeyFile /etc/ssl/private/client.key

========================================
6. Weird errors
========================================

Make sure every virtualhost configuration file has the lines
NameVirtualHost 123.123.123.123:80 or NameVirtualHost 123.123.123.123:443 (if SSL)
<VirtualHost 123.123.123.123:80> or <VirtualHost 123.123.123.123:443>
in them. These are no longer global server directives!
You can of course also set up two default 'catch all' sites with
NameVirtualHost *:80 or NameVirtualHost *:443 (if SSL)
<VirtualHost *:80> or <VirtualHost *:443>
in the configuration files. Otherwise you'll get errors like
[error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)
or
[error] VirtualHost 82.94.91.76:80 mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
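The following script is an added example, not part of the original wiki page: it runs the CA setup from part 2 and the client issuance from part 3 without prompts, then applies the same chain check mod_ssl makes against SSLCACertificateFile, showing that a certificate with the right CommonName but the wrong issuer is rejected. It assumes the openssl command-line tool is installed; it uses 2048-bit keys and adds basicConstraints=CA:TRUE to the CA certificate, which current OpenSSL releases require before they will accept the CA (the page's 1024-bit, extension-less CA would fail verification there).

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive version of the CA
# setup in part 2 and the client issuance in part 3, followed by the same chain
# check mod_ssl applies against SSLCACertificateFile. Assumes the openssl CLI.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA. Two deviations from the page: 2048-bit keys (current OpenSSL
# security levels reject 1024-bit CA keys) and basicConstraints=CA:TRUE, which
# OpenSSL 3 requires before it will treat a v3 certificate as a CA.
make_ca() {  # $1 = file prefix, $2 = CA common name
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:TRUE\n' > "$1.ext"
  openssl x509 -req -days 365 -in "$1.csr" -signkey "$1.key" \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Client key, CSR and CA-signed certificate. -CAcreateserial keeps a serial file
# next to the CA so each issued certificate gets a distinct serial number.
issue_client() {  # $1 = CA prefix, $2 = client prefix, $3 = client common name
  openssl genrsa -out "$2.key" 2048 2>/dev/null
  openssl req -new -key "$2.key" -subj "/CN=$3" -out "$2.csr" 2>/dev/null
  openssl x509 -req -days 365 -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -in "$2.csr" -out "$2.crt" 2>/dev/null
}

# Prints OK if the certificate chains to the given CA file, FAIL otherwise.
check_chain() {  # $1 = CA cert, $2 = client cert
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Serial number of a certificate (hex), as shown by openssl x509 -serial.
cert_serial() { openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'; }

make_ca ca "Example Client CA"
issue_client ca alice "alice.example.com"
issue_client ca bob "bob.example.com"
make_ca other "Some Other CA"                   # a CA the server does not trust
issue_client other carol "alice.example.com"    # same CN, wrong issuer

echo "alice: $(check_chain ca.crt alice.crt)"   # OK
echo "bob:   $(check_chain ca.crt bob.crt)"     # OK
echo "carol: $(check_chain ca.crt carol.crt)"   # FAIL: the CN alone proves nothing
echo "serials: $(cert_serial alice.crt) $(cert_serial bob.crt)"
```

All files are written to a fresh temporary directory, so the script can be rerun without touching the paths used on this page.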
testing
-------
to read the contents of the .pem file
openssl x509 -text -noout -in cert.pem

Simple test for a certificate
openssl s_server -cert mycert.pem -key mykey.key
If the server starts it'll work.

Verify a certificate against the CA that signed it
openssl verify -CAfile ca.crt cert.pem