For a long time I could not get Apache2 with SSL (with a self-signed test certificate) to work, but the book by Mohammed J. Kabir and some trial and error helped. May the following be useful:

== 1. Generate key ==

david@debian:~/ssl.ca-0.1$ openssl genrsa -des3 -out ca.key 2048 -rand /dev/urandom
Generating RSA private key, 2048 bit long modulus
.......+++
.........................................................................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

== 2. After downloading ssl.ca-0.1.tar.gz from http://www.openssl.contrib and extracting it ==

=== 1. Sign key ===

david@debian:~/ssl.ca-0.1$ ./new-root-ca.sh
./new-root-ca.sh
Self-sign the root CA...
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:de
de
State or Province Name (full name) [Perak]:.
.
Locality Name (eg, city) [Sitiawan]:.
.
Organization Name (eg, company) [My Directory Sdn Bhd]:.
.
Organizational Unit Name (eg, section) [Certification Services Division]:.
.
Common Name (eg, MD Root CA) []:
Email Address []:david_moerike@arcor.de
david_moerike@arcor.de

=== 2. Generate server (test!!!) certificate ===

david@debian:~/ssl.ca-0.1$ ./new-server-cert.sh server
./new-server-cert.sh server
No server.key round.
Generating one
Generating RSA private key, 1024 bit long modulus
....++++++
...................++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:de
de
State or Province Name (full name) [Perak]:.
.
Locality Name (eg, city) [Sitiawan]:.
.
Organization Name (eg, company) [My Directory Sdn Bhd]:.
.
Organizational Unit Name (eg, section) [Secure Web Server]:.
.
Common Name (eg, www.domain.com) []:localhost
localhost
Email Address []:david_moerike@arcor.de
david_moerike@arcor.de
You may now run ./sign-server-cert.sh to get it signed

=== 3. Self-sign the self-made certificate ===

david@debian:~/ssl.ca-0.1$ ./sign-server-cert.sh server
./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'de'
commonName :PRINTABLE:'localhost'
emailAddress :IA5STRING:'david_moerike@arcor.de'
Certificate is to be certified until Jun 15 19:22:48 2009 GMT (365 days)
Sign the certificate? [y/n]:y
y
1 out of 1 certificate requests certified, commit? [y/n]y
y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
david@debian:~/ssl.ca-0.1$

== Here follows my /etc/apache2/conf.d/ssl ==

== Note: in Kabir's book some things are under <IfDefine SSL> and some in <IfModule mod_ssl.c>, and that does not work. Don't worry, just put everything in <IfModule mod_ssl.c>! ==

<IfModule mod_ssl.c>
SSLMutex file:/var/log/apache2/ssl_mutex
<VirtualHost localhost:443>
DocumentRoot "/var/www/secure"
ServerName "localhost"
SSLCertificateFile "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
SSLEngine on
LogLevel debug
</VirtualHost>
</IfModule>

== _default_:443 doesn't work!! ==

== Open question: when and for what is SSLMutex necessary? ==

cp server.key /etc/apache2/conf/ssl.key
cp server.crt /etc/apache2/conf/ssl.crt
cd /etc/apache2/conf
chmod 400 ssl.key/server.key
chmod 500 ssl.key

== Note: conf and not conf.d; everything in conf.d is interpreted as httpd.conf syntax and therefore gives errors! ==

== And to get mod_ssl loaded ==

cd /etc/apache2/conf.d/mods-enabled
ln -s ../mods-available/ssl.load
ln -s ../mods-available/ssl.conf

== Wrote file: /var/www/secure/index.html ==

== And restart apache2. No building from source (compiling) is necessary! ==

David
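The three ssl.ca-0.1 steps above (CA key, self-signed root CA, server key/CSR signed by that CA, then the "CA verifying" check) can be reproduced non-interactively with plain openssl commands, which is handy when setting up a throwaway test PKI on a machine where the ssl.ca scripts are not available. The script below is an added example written for this page; it is not the ssl.ca-0.1 scripts and not code from the post. Everything in it is an assumption chosen for a test setup: the file names (ca.key, ca.crt, server.key, server.csr, server.crt, server.ext), the subject fields, the CA passphrase read from the CA_PASS environment variable instead of a prompt, a 2048-bit server key (the post's script generated 1024 bits), and a subjectAltName of localhost, which current clients require since they no longer match on the Common Name alone. The server key is left unencrypted so apache2 can start unattended, and, as in the post, it is protected with chmod 400.

```shell
#!/bin/sh
# Added example (not from the post): build a self-signed test CA and a
# CA-signed server certificate with plain openssl, then verify the result.
# All names, subjects and the CA_PASS variable are assumptions for a test setup.
set -eu

CA_PASS=${CA_PASS:-test-only-passphrase}   # assumed: passphrase for ca.key
export CA_PASS

# Create ca.key/ca.crt and server.key/server.csr/server.crt inside directory $1.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"

    # 1. CA private key, 2048 bit and encrypted, like "openssl genrsa -des3" above,
    #    but with the passphrase taken from the environment instead of a prompt.
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca.key" 2048 >/dev/null 2>&1

    # 2. Self-signed root CA certificate (the job of new-root-ca.sh).
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin env:CA_PASS \
        -subj "/C=de/CN=Test Root CA" -out "$dir/ca.crt" >/dev/null 2>&1

    # 3. Server key plus certificate request (the job of new-server-cert.sh).
    #    -nodes: the key is not encrypted, so apache2 can start without a prompt.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -subj "/C=de/CN=localhost" -out "$dir/server.csr" >/dev/null 2>&1

    # 4. Sign the request with the CA (the job of sign-server-cert.sh), adding
    #    a subjectAltName because clients no longer match on the CN alone.
    printf 'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -passin env:CA_PASS -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1

    # Same protection as the post's "chmod 400 ssl.key/server.key".
    chmod 400 "$dir/server.key" "$dir/ca.key"
}

# The "CA verifying: server.crt <-> CA cert" check from the post, plus two
# checks worth doing before copying files into the apache2 config directory.
# Prints OK and returns 0 on success, returns 1 otherwise.
verify_test_pki() {
    dir=$1
    # the server certificate must chain to the test CA
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    # the certificate and the private key must belong together
    [ "$(openssl x509 -noout -modulus -in "$dir/server.crt")" = \
      "$(openssl rsa  -noout -modulus -in "$dir/server.key")" ] || return 1
    # the private key must be readable by its owner only
    [ -n "$(find "$dir/server.key" -perm 400)" ] || return 1
    echo OK
}

# Stand-alone use: ./make-test-pki.sh /path/to/output-dir
if [ $# -gt 0 ]; then
    make_test_pki "$1"
    verify_test_pki "$1"
fi
```

Copying server.key and server.crt into the locations used in the post's SSLCertificateKeyFile and SSLCertificateFile directives is then the same as before. A certificate produced this way is still only trusted by clients that have been given ca.crt explicitly; that is the expected state for a test setup and the reason the post marks the server certificate "Test!!!".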