Apache: Difference between revisions

From Lolly's Wiki
Jump to navigationJump to search
(Die Seite wurde neu angelegt: „ == Zertifikat generieren == ===Defaultwerte vernünftig anpassen=== Country & Co auf für einen selbst passende Werte anpassen: <source lang=bash> # vi /etc/s…“)
 
No edit summary
Line 1: Line 1:
== Zertifikat generieren ==
== Zertifikat generieren ==
===Defaultwerte vernünftig anpassen===
===Defaultwerte vernünftig anpassen===
Line 9: Line 8:
===Schlüssel generieren===
===Schlüssel generieren===
<source lang=bash>
<source lang=bash>
# openssl ecparam -genkey -name secp256r1 | openssl ec -out timmann.de.ec-key
# openssl ecparam -genkey -name secp256r1 | openssl ec -out server.de.ec-key
</source>
</source>


===Zertifikat ausstellen===
===Zertifikat ausstellen===
<source lang=bash>
<source lang=bash>
# openssl req -new -x509 -sha256 -key timmann.de.ec-key -out timmann.de-wildcard.pem -days 1825 -node
# openssl req -new -x509 -sha256 -key server.de.ec-key -out server.de-wildcard.pem -days 1825 -node
 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hamburg]:
Locality Name (eg, city) [Hamburg]:
Organization Name (eg, company) [My Site]:
Organizational Unit Name (eg, section) [Sub]:
Common Name (e.g. server FQDN or YOUR name) []:*.server.de
Email Address [ssl@server.de]:
</source>
 
==Apache konfigurieren==
<source lang=apache>
<VirtualHost ssl.server.de:443>
  ... 
  SSLEngine On
  SSLProtocol all -SSLv2 -SSLv3
  SSLCompression off
  SSLHonorCipherOrder On
  SSLCipherSuite EECDH+AESGCM:EECDH+AES:EDH+AES
  SSLCertificateFile    /etc/apache2/ssl/server.de-wildcard.pem
  SSLCertificateKeyFile /etc/apache2/ssl/server.de.ec-key
  SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  ServerSignature On
</VirtualHost>
</source>
</source>

Revision as of 10:20, 16 April 2015

Zertifikat generieren

Defaultwerte vernünftig anpassen

Country & Co auf für einen selbst passende Werte anpassen:

# vi /etc/ssl/openssl.cnf

Schlüssel generieren

# openssl ecparam -genkey -name secp256r1 | openssl ec -out server.de.ec-key

Zertifikat ausstellen

# openssl req -new -x509 -sha256 -key server.de.ec-key -out server.de-wildcard.pem -days 1825 -node

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hamburg]:
Locality Name (eg, city) [Hamburg]:
Organization Name (eg, company) [My Site]:
Organizational Unit Name (eg, section) [Sub]:
Common Name (e.g. server FQDN or YOUR name) []:*.server.de
Email Address [ssl@server.de]:

Apache konfigurieren

<VirtualHost ssl.server.de:443>
  ...  
  SSLEngine On
  SSLProtocol all -SSLv2 -SSLv3
  SSLCompression off
  SSLHonorCipherOrder On
  SSLCipherSuite EECDH+AESGCM:EECDH+AES:EDH+AES
  SSLCertificateFile    /etc/apache2/ssl/server.de-wildcard.pem
  SSLCertificateKeyFile /etc/apache2/ssl/server.de.ec-key
  SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  ServerSignature On
</VirtualHost>