Apache HTTPS Configuration

Description of HTTPS configuration on honir.softxs.ch

Setup New DNS Name

On idun and fs1 as root:

  • cd /etc/namedb
    vi softxs.ch
    # Add the following line:
    secure          IN CNAME    honir       ; For https access
    :x

Restart named

Setup Certificates

OpenSSL must be installed; if CA.pl is not found, install it from the security/openssl port. The transcript below uses the CA.pl defaults of the time (1024-bit RSA keys); 1024-bit RSA is no longer acceptable, so generate at least 2048-bit keys today.

  • locate CA.pl
    ...
    /usr/src/crypto/openssl/apps/CA.pl
    ...
    
    cd /root
    mkdir -p work/certificates
    
    cd work/certificates
    cp /usr/src/crypto/openssl/apps/CA.pl .
    
    vi CA.pl
    # Change the following
    $DAYS="-days 365";
    # to
    $DAYS="-days 1825";
    # Note: $DAYS is not passed to the -sign step. The CA certificate's lifetime
    # comes from $CADAYS, and -sign takes default_days from /etc/ssl/openssl.cnf,
    # which is why the certificate signed below is still valid for only 365 days.
    # Pass -days 1825 to openssl ca (or raise default_days) for the longer lifetime.
    :x
    perl CA.pl -newca
    CA certificate filename (or enter to create)
    
    Making CA certificate ...
    Generating a 1024 bit RSA private key
    .........++++++
    ...................++++++
    writing new private key to './demoCA/private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CH
    State or Province Name (full name) [Some-State]:Zug
    Locality Name (eg, city) []:Zug
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:SoftXS GmbH
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:secure.softxs.ch
    # This CN is the CA's. Here it equals the server certificate's CN, so CA and server
    # certificate end up with the same DN (compare the DirName in the -sign output below);
    # a distinct CA name such as "SoftXS GmbH CA" keeps issuer and subject apart.
    # Use *.softxs.ch as the server CN if several name-based virtual hosts share one
    # IP:port: Apache without SNI can serve only one certificate per IP:port.
    Email Address []:alan@softxs.ch
    perl CA.pl -newreq
    Generating a 1024 bit RSA private key
    ........++++++
    .............................................++++++
    writing new private key to 'newreq.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CH
    State or Province Name (full name) [Some-State]:Zug
    Locality Name (eg, city) []:Zug
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:SoftXS GmbH
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:secure.softxs.ch
    Email Address []:alan@softxs.ch
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Request (and private key) is in newreq.pem
    perl CA.pl -sign
    Using configuration from /etc/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                8f:db:ea:5b:29:35:12:0b
            Validity
                Not Before: Jul 31 10:46:16 2008 GMT
                Not After : Jul 31 10:46:16 2009 GMT
            Subject:
                countryName               = CH
                stateOrProvinceName       = Zug
                localityName              = Zug
                organizationName          = SoftXS GmbH
                commonName                = secure.softxs.ch
                emailAddress              = alan@softxs.ch
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    47:27:08:DB:DC:CA:53:36:53:DF:E7:EA:8A:8D:53:49:2E:1B:C6:98
                X509v3 Authority Key Identifier:
                    keyid:04:3F:E8:2C:28:CF:28:8A:EE:CF:95:F6:15:41:61:6E:DC:C2:4E:77
                    DirName:/C=CH/ST=Zug/L=Zug/O=SoftXS GmbH/CN=secure.softxs.ch/emailAddress=alan@softxs.ch
                    serial:8F:DB:EA:5B:29:35:12:0A
    
    Certificate is to be certified until Jul 31 10:46:16 2009 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Signed certificate is in newcert.pem

Use "apache22" everywhere instead of "apache2" if appropriate.

  • openssl rsa < newreq.pem > server_key.pem
    # -newreq above wrote the key into newreq.pem (newer CA.pl versions write newkey.pem
    # instead; use whichever file -newreq reported). This strips the pass phrase so
    # Apache can start unattended: server_key.pem is now unencrypted and must stay
    # readable by root only (mode 0600).
    
    cp newcert.pem server_cert.pem
    
    cd /usr/local/etc/apache2
    mkdir ssl.crt ssl.key
    
    cd /root/work/certificates
    cp server_cert.pem     /usr/local/etc/apache2/ssl.crt/server.crt
    cp server_key.pem      /usr/local/etc/apache2/ssl.key/server.key
    cp ./demoCA/cacert.pem /usr/local/etc/apache2/ssl.crt/ca.crt
    
    cd /usr/local/etc/apache2
    
    cp httpd.conf httpd.conf-20080731
    cp ssl.conf ssl.conf-20080731
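The CA.pl walk-through above and the key-strip/copy step, redone with explicit openssl commands as an added example (this is not the page's own procedure and not CA.pl output). Everything it chooses is an assumption: the working directory and file names, a CA CN of "SoftXS GmbH Private CA" distinct from the server CN, 2048-bit keys, a subjectAltName covering secure.softxs.ch and honir.softxs.ch, the throwaway pass phrase, and -days 1825 passed explicitly so the five-year lifetime actually lands in the signed certificate. The check functions at the end are the ones to run before copying files into ssl.crt/ssl.key.

```shell
#!/bin/sh
# Added example: a private CA and a CA-signed server certificate with plain
# openssl commands. All names, paths and values below are this example's
# assumptions, not the page's.
set -eu

SERVER_CN="secure.softxs.ch"
SERVER_ALIAS="honir.softxs.ch"
CA_CN="SoftXS GmbH Private CA"   # deliberately not the server's CN
DAYS=1825
KEYPW="change-me"                # only to demonstrate the pass-phrase strip

# write_cnf DIR: minimal config; [req] keeps req independent of the system
# openssl.cnf, v3_ca / v3_server carry the X.509v3 extensions.
write_cnf() {
    cat > "$1/x.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_CN, DNS:$SERVER_ALIAS
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# make_pki DIR: CA key + cert, then server key, CSR and signed cert in DIR.
make_pki() {
    d=$1; mkdir -p "$d"; write_cnf "$d"
    # CA (the CA.pl -newca step), 2048-bit instead of the page's 1024-bit
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -config "$d/x.cnf" -key "$d/ca.key" \
        -subj "/C=CH/ST=Zug/L=Zug/O=SoftXS GmbH/CN=$CA_CN" -out "$d/ca.csr"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days "$DAYS" \
        -extfile "$d/x.cnf" -extensions v3_ca -out "$d/ca.crt" 2>/dev/null
    # server key with pass phrase + CSR (the CA.pl -newreq step)
    openssl genrsa -aes128 -passout "pass:$KEYPW" -out "$d/server.key.enc" 2048 2>/dev/null
    openssl req -new -config "$d/x.cnf" -key "$d/server.key.enc" -passin "pass:$KEYPW" \
        -subj "/C=CH/ST=Zug/L=Zug/O=SoftXS GmbH/CN=$SERVER_CN" -out "$d/server.csr"
    # strip the pass phrase so Apache starts unattended (the page's "openssl rsa <")
    openssl rsa -in "$d/server.key.enc" -passin "pass:$KEYPW" -out "$d/server.key" 2>/dev/null
    chmod 600 "$d/server.key" "$d/ca.key"
    # sign (the CA.pl -sign step) with -days given explicitly
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days "$DAYS" -extfile "$d/x.cnf" -extensions v3_server \
        -out "$d/server.crt" 2>/dev/null
}

# cert_matches_key CRT KEY: succeeds if CRT carries the public half of KEY
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# cert_valid_for CRT DAYS: succeeds if CRT does not expire within DAYS days
cert_valid_for() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# cert_has_san CRT NAME: succeeds if NAME is listed in subjectAltName
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# check_pki DIR: chain, key/cert match, lifetime, SAN and key permissions
check_pki() {
    d=$1
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 &&
    cert_matches_key "$d/server.crt" "$d/server.key" &&
    cert_valid_for "$d/server.crt" 1800 &&
    cert_has_san "$d/server.crt" "$SERVER_CN" &&
    [ "$(stat -c %a "$d/server.key" 2>/dev/null || stat -f %Lp "$d/server.key")" = "600" ]
}
```

Run it with `sh`, e.g. `make_pki /root/work/certificates && check_pki /root/work/certificates`, then copy server.crt, server.key and ca.crt into ssl.crt/ and ssl.key/ exactly as the copy step above does. check_pki failing on the modulus comparison is the classic sign that the certificate and key files were mixed up during copying.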

Update /etc/rc.conf

  • vi /etc/rc.conf
    # add the following line:
    apache2ssl_enable="YES"
    :x

Update /usr/local/etc/apache2/httpd.conf

  • honir# diff httpd.conf-20080731 httpd.conf
    333c333
    < #ServerName www.example.com:80
    ---
    > ServerName honir.softxs.ch:80
    1201a1202,1230
    >
    > # -- secure.softxs.ch
    >
    > <Directory "/home/www/shtml">
    >     Options Indexes
    >     AllowOverride None
    >     Order allow,deny
    >     Allow from all
    > </Directory>
    >
    > <VirtualHost secure.softxs.ch:443>
    >   DocumentRoot  /home/www/shtml
    >   ServerName    secure.softxs.ch
    >   ServerAlias   honir.softxs.ch
    >
    >   Options       -Indexes
    >
    >   SSLEngine             on
    >   SSLProtocol                 all
    >   SSLCipherSuite              HIGH:MEDIUM
    >
    >   SSLCertificateFile          /usr/local/etc/apache2/ssl.crt/server.crt
    >   SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
    >
    >   SSLVerifyClient       none
    >
    >   SSLCACertificatePath  /usr/local/etc/apache2/ssl.crt
    >   SSLCACertificateFile  /usr/local/etc/apache2/ssl.crt/ca.crt
    > </VirtualHost>
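Review bot: `SSLProtocol all` and `SSLCipherSuite HIGH:MEDIUM` in the new VirtualHost leave SSLv2 (and SSLv3) enabled on the mod_ssl of that era and, because neither `!aNULL` nor a narrower list is given, admit the anonymous Diffie-Hellman suites, which let an active attacker terminate the connection without any certificate; use `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` and `SSLHonorCipherOrder on`. The `<Directory "/home/www/shtml">` block also sets `Options Indexes` absolutely, and Directory sections are merged after the VirtualHost's own settings, so the `Options -Indexes` inside the VirtualHost is overridden and directory listings of the document root stay on: move `-Indexes` into the Directory block. With `SSLVerifyClient none` the `SSLCACertificatePath`/`SSLCACertificateFile` lines are never consulted and can be dropped.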

Update /usr/local/etc/apache2/ssl.conf

  • honir# diff ssl.conf-20080731 ssl.conf
    87,88c87,88
    < ServerName www.example.com:443
    < ServerAdmin you@example.com
    ---
    > ServerName secure.softxs.ch:443
    > ServerAdmin webmaster@softxs.ch
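Review bot: `ServerName secure.softxs.ch:443` here is the same name the VirtualHost added to httpd.conf already claims, so two VirtualHosts on port 443 compete for secure.softxs.ch and which one answers depends on the order in which httpd.conf and ssl.conf are read; keep the name in one place, either by dropping the httpd.conf VirtualHost and moving its DocumentRoot and certificate directives here, or by leaving this default VirtualHost unnamed.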
    126c126
    < #SSLCertificateChainFile /usr/local/etc/apache2/ssl.crt/ca.crt
    ---
    > SSLCertificateChainFile /usr/local/etc/apache2/ssl.crt/ca.crt
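Review bot: `SSLCertificateChainFile` pointing at the private ca.crt does not make browsers trust the server certificate; a self-signed CA is accepted only by clients that have imported ca.crt themselves, so that import step should be documented for users. The directive also lands in the ssl.conf VirtualHost, while `SSLCertificateFile`/`SSLCertificateKeyFile` were put into the httpd.conf one; the chain file belongs beside the certificate it completes.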

HttpsConfigurationFreeBSD (last edited 2010-03-11 12:28:05 by 183-56-172)

Copyright 2008-2014, SoftXS GmbH, Switzerland