
Re: guidance on SSL certs and Apache2
On Sun, Sep 18, 2005 at 10:05:26PM -0700, Ross Boylan wrote:
> I'm trying to set up apache2 to use ssl.  I see numerous bugs about
> this, including the fact that the setup is neither automated nor documented
> (267477 -- which includes some recipes and references to help) and
> that a tool, ssl-cert, used at one point by apache2 for debconf, has
> problems (230485).  The changelog says that ssl-cert was dropped for
> the setup.
> 
> There seem to be at least 3 ways to setup certificates:
> openssl
> ssl-cert
> apache2-ssl-certificate
> 
> There is a configuration file /etc/ssl/openssl.cnf, and there seems to
> be space for certificates and keys under /etc/ssl/ and
> /etc/apache2/ssl.
> 
> Can anyone suggest which of these knobs I should tweak to set things
> up?  And where should I put the resulting files?  I use KDE, and I see
> it has Kleopatra for certificate management.  Is that useable?
> 
> I want to be my own CA as well as having the certificates (one for
> each virtual domain).
> 
OK.  Here are my notes:

New Certificate Authority:

Check out the SSL HOWTO.

New Certificate:

(All actions take place inside of /etc/ssl)

vi openssl.cnf (change default days if desired)
for i in *.pem ; do mv "$i" "$i.old-$(date +%Y%m%d)"; done
openssl req -new -key server.key -out newreq.pem
vi openssl.cnf (change default days back to normal)
openssl ca -revoke demoCA/newcerts/<num of previous cert>.pem
openssl ca -gencrl -out demoCA/crl/sopac-ca.crl
cp demoCA/crl/sopac-ca.crl /var/www/ca.crl
openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
sed -n '/BEGIN/,/END/p' newcert.pem > server.pem
cat server.key >> server_key_and_cert.pem
cat server.pem >> server_key_and_cert.pem
chmod -R o-rx *
# chgrp mail server_key_and_cert.pem # This is because cyrus runs
# non-root
/etc/init.d/apache2 restart
/etc/init.d/postfix restart
/etc/init.d/ssh restart
/etc/init.d/slapd restart
/etc/init.d/courier-imap-ssl restart

I have these symlinks in place to make the process easier:

# ll /etc/apache2/ssl/
total 0
lrwxrwxrwx  1 root root 19 Sep  3 12:33 server.crt -> /etc/ssl/server.pem
lrwxrwxrwx  1 root root 19 Sep  3 12:34 server.key -> /etc/ssl/server.key
# ll /etc/courier/imapd.pem
lrwxrwxrwx  1 root root 32 May 16 01:30 /etc/courier/imapd.pem -> /etc/ssl/server_key_and_cert.pem
# ll /etc/postfix/*.pem
lrwxrwxrwx  1 root root  19 Dec 10  2004 /etc/postfix/cert.pem -> /etc/ssl/server.pem
lrwxrwxrwx  1 root root  32 Dec 10  2004 /etc/postfix/key.pem -> /etc/ssl/server_key_and_cert.pem

Also, please note that it is not possible to have multiple virtual hosts
running on SSL using name-based virtual hosting [0].

Hope this helps.

-Roberto

[0] http://httpd.apache.org/docs/2.0/en/ssl/ssl_faq.html#vhosts2

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto
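The revoke step in the notes above needs the serial number of the certificate being replaced ("<num of previous cert>"), which the OpenSSL CA records in demoCA/index.txt. The script below is an added example, not part of the original mail: it reads that database to find the still-valid serial(s) for a given CN and prints the demoCA/newcerts/<serial>.pem path to hand to "openssl ca -revoke", warning when more than one certificate is still valid for the same name. The function names and the sample index entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail). index.txt is tab-separated:
# status (V valid / R revoked / E expired), expiry (YYMMDDHHMMSSZ),
# revocation date (empty unless revoked), serial (hex), certificate file
# name (usually "unknown"), subject DN.

# valid_serials INDEX CN : print the serial of every valid cert whose DN
# contains exactly CN=<CN> (a prefix match on the DN string would also hit
# e.g. CN=mail.example.com.evil, so the DN is split into components).
valid_serials() {
    awk -F'\t' -v cn="$2" '
        $1 == "V" {
            n = split($6, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "CN=" cn) print $4
        }' "$1"
}

# revoke_targets CADIR CN : print the newcerts path of each valid cert for
# the CN; fail when none exists, and warn on stderr when several are valid
# (an earlier renewal was issued without revoking its predecessor).
revoke_targets() {
    serials=$(valid_serials "$1/index.txt" "$2")
    [ -n "$serials" ] || { echo "no valid certificate for CN=$2" >&2; return 1; }
    count=$(printf '%s\n' "$serials" | wc -l | tr -d ' ')
    [ "$count" -le 1 ] || echo "warning: $count valid certificates for CN=$2" >&2
    for s in $serials; do printf '%s/newcerts/%s.pem\n' "$1" "$s"; done
}

# Constructed sample CA database (no real certificates): serial 01 was
# revoked, 02 is the current www cert, 03 is the current mail cert.
make_sample_index() {
    dir=$(mktemp -d)
    mkdir "$dir/newcerts"
    printf 'R\t060301120000Z\t050901120000Z\t01\tunknown\t/C=US/O=Example/CN=www.example.com\n' > "$dir/index.txt"
    printf 'V\t061001120000Z\t\t02\tunknown\t/C=US/O=Example/CN=www.example.com\n' >> "$dir/index.txt"
    printf 'V\t061001120000Z\t\t03\tunknown\t/C=US/O=Example/CN=mail.example.com\n' >> "$dir/index.txt"
    echo "$dir"
}

# Usage against the sample: prints <dir>/newcerts/02.pem
demo_dir=$(make_sample_index)
revoke_targets "$demo_dir" www.example.com
```

Against a real CA, call revoke_targets with the directory that holds index.txt (demoCA in the notes) and pass the printed path to "openssl ca -revoke".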