Apache: Difference between revisions

From Lolly's Wiki
Jump to navigationJump to search
Line 13: Line 13:
===Zertifikat ausstellen===
===Zertifikat ausstellen===
<source lang=bash>
<source lang=bash>
# openssl req -new -x509 -sha256 -key server.de.ec-key -out server.de-wildcard.pem -days 1825 -node
# openssl req -new -x509 -sha256 -key server.de.ec-key -out server.de-wildcard.pem -days 1825 -nodes


You are about to be asked to enter information that will be incorporated
You are about to be asked to enter information that will be incorporated

Revision as of 11:28, 16 April 2015

Zertifikat generieren

Defaultwerte vernünftig anpassen

Country & Co auf für einen selbst passende Werte anpassen:

# vi /etc/ssl/openssl.cnf

Schlüssel generieren

# openssl ecparam -genkey -name secp256r1 | openssl ec -aes256 -out server.de.ec-key

Zertifikat ausstellen

# openssl req -new -x509 -sha256 -key server.de.ec-key -out server.de-wildcard.pem -days 1825 -nodes

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hamburg]:
Locality Name (eg, city) [Hamburg]:
Organization Name (eg, company) [My Site]:
Organizational Unit Name (eg, section) [Sub]:
Common Name (e.g. server FQDN or YOUR name) []:*.server.de
Email Address [ssl@server.de]:

Zertifikat ansehen

# openssl x509 -text -noout -in server.de-wildcard.pem Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ... (0x...)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=DE, ST=Hamburg, L=Hamburg, O=My Site, OU=Sub, CN=*.server.de/emailAddress=ssl@server.de
        Validity
            Not Before: Apr 16 09:35:02 2015 GMT
            Not After : Apr 14 09:35:02 2020 GMT
        Subject: C=DE, ST=Hamburg, L=Hamburg, O=My Site, OU=Sub, CN=*.server.de/emailAddress=ssl@server.de
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    ...
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                ...
            X509v3 Authority Key Identifier: 
                keyid:...

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
         ...

Apache konfigurieren

<VirtualHost ssl.server.de:443>
  ...  
  SSLEngine On
  SSLProtocol all -SSLv2 -SSLv3
  SSLCompression off
  SSLHonorCipherOrder On
  SSLCipherSuite EECDH+AESGCM:EECDH+AES:EDH+AES
  SSLCertificateFile    /etc/apache2/ssl/server.de-wildcard.pem
  SSLCertificateKeyFile /etc/apache2/ssl/server.de.ec-key
  SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
</VirtualHost>