Mediawiki/Force SSL
Revision as of 10:47, 29 April 2014
Overview
All instructions done on Oracle Linux 6.5
http://www.rackspace.com/knowledge_center/article/serving-secure-sites-with-sni-on-apache
install mod ssl
~$ sudo yum install mod_ssl
If you cannot find the package, update your cache and search
~$ sudo yum check-update
~$ sudo yum search ssl
...
=============================== N/S Matched: ssl ===============================
...
mod_ssl.x86_64 : SSL/TLS module for the Apache HTTP Server
apache config
Comment out NameVirtualHost *:443 in /etc/httpd/conf/httpd.conf
#NameVirtualHost *:443
Add new NameVirtualHost to /etc/httpd/conf.d/ssl.conf
#SNI config - tells apache to use named virtual hosts on the secure port
NameVirtualHost *:443
Remove (comment out) the Listen line in /etc/httpd/conf/httpd.conf. It is not needed there because, with mod_ssl installed, Listen 443 is already set in /etc/httpd/conf.d/ssl.conf
#Listen 443
create key, csr, and self-signed crt
http://www.akadia.com/services/ssh_test_certificate.html
create directories
Since you have multiple sites hosted from the same box, it's best to organize their certificates into one directory per site. The default location for certs on most Linux Apache installations with mod_ssl is:
/etc/ssl/certs/
create key
~$ openssl genrsa -des3 -out server.key 2048
generate csr
~$ openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [GB]:CH
State or Province Name (full name) [Berkshire]:Bern
Locality Name (eg, city) [Newbury]:Oberdiessbach
Organization Name (eg, company) [My Company Ltd]:Akadia AG
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:public.akadia.com
Email Address []:martin dot zahn at akadia dot ch
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
backup & remove passphrase from key
Unless the passphrase is removed, Apache will prompt for it every time it is started, so an unattended restart would hang.
~$ cp server.key server.key.org
~$ openssl rsa -in server.key.org -out server.key
generate self-signed cert
~$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
Getting Private key
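The directory, key, CSR and self-signed certificate steps above, collected into one non-interactive script (added example, not part of the original wiki page). It creates one directory per hosted site as the "create directories" step suggests, generates the key without a passphrase so httpd can start unattended, and adds the check a practitioner wants before editing the vhost: that server.crt really belongs to server.key and carries the expected CN. The hostname, subject fields and output root are constructed values; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original page. Non-interactive version of the
# key -> CSR -> self-signed cert steps, one directory per SNI site so several
# virtual hosts on the same box keep their key material apart.
set -eu

# make_site_cert <fqdn> <out_root>
# Writes <out_root>/<fqdn>/server.key (no passphrase), server.csr and a
# 365-day self-signed server.crt whose CN is the SNI hostname.
make_site_cert() {
    fqdn="$1"
    dir="$2/$fqdn"
    mkdir -p "$dir"
    chmod 700 "$dir"                      # this directory holds a private key
    # Generate the key unencrypted in one step; same result as the page's
    # "genrsa -des3" followed by "openssl rsa" to strip the passphrase.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    # -subj replaces the interactive prompts (subject values are made up);
    # CN must equal the vhost ServerName or clients will reject the cert.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CH/ST=Bern/L=Oberdiessbach/O=Example Org/OU=IT/CN=$fqdn"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_matches_key <dir>: prints "ok" when the certificate's public key is the
# one derived from server.key, i.e. the SSLCertificateFile/KeyFile pair is
# consistent; prints "mismatch" otherwise.
cert_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" | openssl sha256)
    [ "$k" = "$c" ] && echo ok || echo mismatch
}

# cert_cn <dir>: the CN the server will present for this site.
cert_cn() {
    openssl x509 -noout -subject -in "$1/server.crt" | sed 's/.*CN *= *//'
}

# Demo run against a constructed hostname in a scratch directory.
ROOT=$(mktemp -d)
make_site_cert wiki.example.test "$ROOT"
echo "key/cert pairing: $(cert_matches_key "$ROOT/wiki.example.test")"
echo "certificate CN:   $(cert_cn "$ROOT/wiki.example.test")"
```

For a real deployment point the output root at /etc/ssl/certs/ and reference the per-site files from SSLCertificateFile and SSLCertificateKeyFile in that site's vhost.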
add ssl to virtual host
Add the following to your virtual host config
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key