Generate a self-signed certificate
If you do not wish to go through the CSR process, and do not wish to have separate private keys for your CA cert and server cert, one self-signed certificate is enough:
openssl genrsa -out server.key 4096
openssl req -new -x509 -key server.key -out server.crt -days 360 -set_serial 200711
Nothing chains to this certificate, so clients will warn until they import server.crt itself as trusted.
The longer version - First, generate a CA certificate
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
-des3 encrypts ca.key with a passphrase that you are prompted for; keep this key away from the web server, since anyone holding it can issue certificates your clients will trust.
Then generate a server private key and a CSR. Do not use the same Common Name as for your CA, otherwise verifiers may mistake the server certificate for a self-signed one and fail to build the chain.
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
Sign your CSR with your CA certificate
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Two caveats: openssl x509 -req does not copy extensions from the CSR, so a subjectAltName (which modern browsers require; the Common Name alone is ignored) has to be supplied via -extfile; and every certificate issued by this CA needs a distinct serial, so bump -set_serial each time or use -CAcreateserial, which keeps a counter in ca.srl.
Remove the passphrase from your server private key
Apache would otherwise prompt for it on every start, so the key is stored unencrypted; restrict the file so that only root (or the user Apache starts as) can read it, since anyone who reads it can impersonate the server.
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
Examine your certificates and keys
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt
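The CA, CSR and signing steps above as one non-interactive script, followed by the checks worth running before the files go near Apache. This is an added example, not code from the original page; it assumes a writable working directory, OpenSSL 1.1.1 or later, the hostname passed as the second argument, and 2048-bit keys to keep the run short (the page uses 4096).

```shell
#!/bin/sh
# Added example (not from the original page): CA -> server key/CSR -> signed
# server certificate, then verification. Assumptions: writable directory $1,
# hostname $2, OpenSSL 1.1.1+, 2048-bit keys for speed.
set -eu

# Build a CA and a server certificate signed by it in directory $1 for host $2.
make_pki() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # 1. CA key and self-signed CA certificate. No -des3 here so the script is
  #    non-interactive; for a real CA keep the passphrase and the key offline.
  #    `req -x509` marks the certificate as a CA (basicConstraints CA:TRUE).
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example Test CA"
  # 2. Server key and CSR; the CN differs from the CA's CN.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$host"
  # 3. Sign the CSR. `x509 -req` drops any extensions in the CSR, so the
  #    subjectAltName (browsers require it; the CN alone is ignored) and the
  #    end-entity markers are supplied through -extfile. -CAcreateserial keeps
  #    a serial counter in ca.srl instead of a hard-coded -set_serial.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" \
    > "$dir/server.ext"
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null
  # Private keys readable by their owner only.
  chmod 600 "$dir/ca.key" "$dir/server.key"
}

# Does server.crt chain to ca.crt and carry the expected hostname?
verify_chain() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$dir/server.crt" >/dev/null 2>&1
}

# Does server.key belong to server.crt? (same RSA modulus)
key_matches_cert() {
  dir="$1"
  [ "$(openssl rsa -noout -modulus -in "$dir/server.key")" = \
    "$(openssl x509 -noout -modulus -in "$dir/server.crt")" ]
}

# Does the certificate carry a DNS SAN for the host?
has_san() {
  dir="$1"; host="$2"
  openssl x509 -noout -text -in "$dir/server.crt" | grep -q "DNS:$host"
}

# Usage: sh make-pki.sh <dir> <hostname>
if [ "$#" -eq 2 ]; then
  make_pki "$1" "$2"
  verify_chain "$1" "$2" && key_matches_cert "$1" && has_san "$1" "$2" \
    && echo "server.crt verifies against ca.crt for $2"
fi
```

verify_chain fails for any hostname other than the one in the SAN, which is the check a browser performs; key_matches_cert catches the common mistake of pairing a regenerated key with an old certificate.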
Add virtual host configuration
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:443>
ServerAdmin secure@x.com
DocumentRoot "/home/sites/secure.x.com/web"
ServerName secure.x
ErrorLog /home/sites/logs/secure.x.com.err
CustomLog /home/sites/logs/secure.x.com.log combined
DirectoryIndex index.html index.jsp
<Directory "/home/sites/secure.x.com/web">
Order allow,deny
Allow from all
</Directory>
# SSL Config
SSLEngine On
SSLProtocol all -ALL +SSLv3 +TLSv1
# SSLCipherSuite HIGH:!MEDIUM:!LOW:!EXP:!NULL
SSLCipherSuite HIGH:!MEDIUM:!LOW:!EXP:!NULL:!aNULL
SSLCertificateChainFile /home/sites/secure.x.com/ca.crt
SSLCertificateFile /home/sites/secure.x.com/server.crt
SSLCertificateKeyFile /home/sites/secure.x.com/server.key
</VirtualHost>
# Redirect plain HTTP to HTTPS (the leading slash is stripped from the
# captured path so the target does not become https://host//path)
<VirtualHost 1.2.3.4:80>
ServerName xxx
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
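The SSL block above enables SSLv3 and uses Apache 2.2 access-control syntax. The following is an added example, not configuration from the original page: the page's weak protocol and cipher lines shown commented out, next to a hardened mod_ssl vhost for Apache 2.4. Paths and hostnames are the page's placeholders; the HSTS max-age and the use of mod_headers are assumptions. NameVirtualHost is not needed (and only produces a warning) in 2.4.

```apache
# Added example, not from the original page: weak settings (as on the page)
# beside a hardened Apache 2.4 / mod_ssl vhost.

# --- weak (from the page): SSLv3 enabled, suites selected by grade only ---
# SSLProtocol all -ALL +SSLv3 +TLSv1
# SSLCipherSuite HIGH:!MEDIUM:!LOW:!EXP:!NULL:!aNULL

# --- hardened ---
<VirtualHost 1.2.3.4:443>
    ServerName secure.x
    DocumentRoot "/home/sites/secure.x.com/web"
    <Directory "/home/sites/secure.x.com/web">
        # 2.4 replacement for "Order allow,deny / Allow from all"
        Require all granted
    </Directory>

    SSLEngine On
    # TLS 1.2 and 1.3 only (needs httpd 2.4.36+ built against OpenSSL 1.1.1+;
    # on older builds use "-all +TLSv1.2"). SSLv2/SSLv3/TLS 1.0/1.1 stay off.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # Forward-secret AEAD suites only; the trailing exclusions keep anonymous,
    # NULL, export and LOW/MEDIUM suites out even if the list is widened later.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off

    # Files produced by the OpenSSL steps above. The CA certificate goes in the
    # chain file (since 2.4.8 it may instead be appended to SSLCertificateFile).
    SSLCertificateFile      /home/sites/secure.x.com/server.crt
    SSLCertificateKeyFile   /home/sites/secure.x.com/server.key
    SSLCertificateChainFile /home/sites/secure.x.com/ca.crt

    # Keep browsers on HTTPS after the first visit (mod_headers; one year assumed).
    Header always set Strict-Transport-Security "max-age=31536000"

    ErrorLog /home/sites/logs/secure.x.com.err
    CustomLog /home/sites/logs/secure.x.com.log combined
</VirtualHost>

# Plain-HTTP vhost: a permanent redirect, no mod_rewrite needed.
<VirtualHost 1.2.3.4:80>
    ServerName secure.x
    Redirect permanent / https://secure.x/
</VirtualHost>
```

Run `apachectl configtest` after editing; an unknown protocol keyword such as TLSv1.3 on an old build is reported there rather than at request time.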
Openssl as a client
openssl s_client -connect www.domain.com:443
Add -servername www.domain.com when one address serves several certificates (SNI); without it you may be shown the server's default certificate rather than the one you want to inspect.
Testing apache for low version SSL or weak cipher
openssl s_client -ssl2 -connect 1.2.3.4:443
openssl s_client -connect 1.2.3.4:443 -cipher LOW:EXP
A handshake that completes (a real cipher name in the "Cipher :" line of the SSL-Session block) means the server accepted the old protocol or weak suite; "Cipher : 0000" means it refused. The -ssl2 and -ssl3 options only exist in OpenSSL builds compiled with those protocols, so a modern openssl reports an unknown option instead of testing the server.
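The probe above, generalised to every protocol version and to the cipher groups the configuration excludes, with each s_client transcript reduced to a one-line verdict. This is an added example and not code from the original page; it assumes the host and port are reachable, and that the local openssl supports the -ssl2/-ssl3 flags only if it was built with those protocols (otherwise they are reported as "not built in", which says nothing about the server).

```shell
#!/bin/sh
# Added example (not from the original page): probe a TLS server for each
# protocol version and for weak cipher groups with openssl s_client.
# Assumptions: host/port reachable; "not built in" means the local openssl
# lacks that protocol, not that the server rejects it.

# Reduce one s_client transcript (stdout+stderr) to a one-line verdict:
#   "accepted <protocol> <cipher>", "rejected", "not built in" or
#   "no matching local ciphers".
summarise_s_client() {
  transcript="$1"
  case "$transcript" in
    *"Unknown option"*|*"unknown option"*) echo "not built in"; return 0 ;;
    *"no cipher match"*|*"no ciphers available"*) echo "no matching local ciphers"; return 0 ;;
  esac
  proto=$(printf '%s\n' "$transcript" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  cipher=$(printf '%s\n' "$transcript" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  # A failed handshake still prints an SSL-Session block, with cipher 0000.
  if [ -z "$cipher" ] || [ "$cipher" = "0000" ] || [ "$cipher" = "(NONE)" ]; then
    echo "rejected"
  else
    echo "accepted $proto $cipher"
  fi
}

# Run s_client once with the given extra options and summarise the result.
# -servername sends SNI so a name-based vhost answers with its own certificate.
probe() {
  host="$1"; port="$2"; shift 2
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" "$@" 2>&1)
  summarise_s_client "$out"
}

# Try every protocol version, then the cipher groups the page tests for.
scan() {
  host="$1"; port="${2:-443}"
  for flag in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
    printf '%-10s %s\n' "$flag" "$(probe "$host" "$port" "$flag")"
  done
  # Export/LOW grade and anonymous/NULL suites (the !EXP:!LOW:!aNULL:!NULL of
  # the SSLCipherSuite line); @SECLEVEL=0 lets a modern OpenSSL offer them.
  for group in 'LOW:EXP' 'aNULL:eNULL'; do
    printf '%-10s %s\n' "$group" "$(probe "$host" "$port" -tls1_2 -cipher "$group:@SECLEVEL=0")"
  done
}

# Usage: sh tls-probe.sh <host> [port]
if [ "$#" -ge 1 ]; then
  scan "$1" "${2:-443}"
fi
```

Any line reading "accepted" for -ssl2, -ssl3, -tls1, -tls1_1, LOW:EXP or aNULL:eNULL is a finding; a correctly configured server shows "accepted" only for -tls1_2 and -tls1_3.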
mod_gnutls
http://www.outoforder.cc/projects/apache/mod_gnutls/
Install gnutls from source, export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig, then build mod_gnutls.
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:443>
ServerName secure.domain.tld
DocumentRoot /var/www/admin
GnuTLSEnable On
GnuTLSX509KeyFile conf/ssl/test.key
GnuTLSX509CertificateFile conf/ssl/test.crt
GnuTLSPriorities NORMAL
...
</VirtualHost>
GnuTLSPriorities takes a GnuTLS priority string; NORMAL is the library default, and a stricter string (for example NORMAL:-VERS-SSL3.0 to drop SSLv3) plays the role SSLProtocol and SSLCipherSuite play in mod_ssl.