SSL Howto

From Edgar BV Wiki
Revision as of 14:01, 2 March 2007 by Red (talk | contribs) (New page: <pre> ============================================== 1. This part is general - for configuration. See parts 2 and beyond for apache configuration ==========================================...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
==============================================
1. This part is general - for configuration. See parts 2 and beyond for apache configuration
==============================================

              HowTo make your own Self-Signed SSL Certificate

server setup: combined private key and cert
==================================================================================

### Create server key
 openssl genrsa -out ./server.key 1024

### Create certificate request
 openssl req -new -key server.key -out server.csr
     FQDN:        Common Name: foo.example.com
     or Wildcard: Common Name: *.example.con

### self sign key (increment the serial number "N" for each new cert)

 openssl x509 -req -days 365 -set_serial N -in server.csr -signkey server.key -out server.crt

### combine the key and cert in one PEM file for simplicity
 cat server.key server.crt > combined.pem

### view the details of the cert you just made
 openssl x509 -in combined.pem -noout -text

### copy cert into place
 cp combined.pem /etc/ssl/certs/

apache specific:
--------------------------------------------------
edit httpd.conf and/or ssl.conf
SSLCertificateFile /etc/ssl/certs/combined.pem

bin/apachectl startssl

============================================
2. Create a CA setup to sign client certs with
============================================


CA set up... for client certs not server cert... donno who
==================================================================================

### create CA key
openssl genrsa -out ./ca.key 1024
### create CA request
openssl req -new -key ca.key -out ca.csr
### self-sign CA request - > CA cert
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.cert
### install it in apache
cp ca.crt /usr/local/apache/conf/ssl.crt/ca.crt
### edit httpd.conf
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.crt


========================================
3. Setup clients for each site
=======================================
client setup
==================================================================================

### create client key
openssl genrsa -des3 -out client.key 1024

### request client cert
openssl req -new -key client.key -out client.csr

##Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a
 website which will be later accessed via https://www.foo.dom/

#### sign client cert with CA key!
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key
 -CAcreateserial -in client.csr -out client.crt

### covert to opera/sn/ie format (key and cert in 1 file)
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

### test it
openssl s_client -host example.com -port 443 -key client.key -cert client.crt

### print out cert contents
openssl x509 -noout -text -in client.crt

### print out key contents (useless?)
openssl rsa -noout -text -in client.key


If you want to unencrypt the server key (which it needs to start up apache - and you don't want it with a password) then in /opt/httpd/conf/ssl.keys/ do

mv server.key server.key.pass
openssl rsa < server.key.pass > server.key


another source:

http://www.pseudonym.org/ssl/ssl_ca.html

==================================
4. Apache2.2 general configurarion options - put them in a seperate file (eg. httpd-ssl.conf) and include them in apache2.conf
=================================

SSLMutex default
SSLSessionCache none
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache        shmcb:/var/log/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 15
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNUL
SSLCACertificateFile /etc/ssl/certs/tripsoapca.crt
CustomLog /var/log/apache2/ssl.log "%t %{version}c %{cipher}c %{clientcert}c"

=====================================
5. Apache 2.2 client
=====================================

Add the following lines to the virtualhost file in /etc/apache2/ssl-sites-enabled/client.conf

SSLEngine On
SSLCertificateFile /etc/ssl/certs/client.crt
SSLCertificateKeyFile /etc/ssl/private/client.key

========================================
6. Weird errors
========================================

Make sure every virtualhost configuration file has the lines

NameVirtualHost 123.123.123.123:80 or NameVirtualHost 123.123.123.123:443 (if SSL)
VirtualHost <123.123.123.123:80> or VirtualHost <123.123.123.123:443>

in them

These are no longer global server directives!
You can of course also set up two default 'catch all' sites with

NameVirtualHost *:80 or NameVirtualHost *:443 (if SSL)
VirtualHost <*:80> or VirtualHost <*:443>

in the configuration files.

Otherwise you'll get errors like

[error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)

or

[error] VirtualHost 82.94.91.76:80 mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results