[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: guidance on SSL certs and Apache2



On Sun, Sep 18, 2005 at 10:05:26PM -0700, Ross Boylan wrote:
> I'm trying to set up apache2 to use ssl.  I see numerous bugs about
> this, including the fact that the setup is neither automated nor documented
> (267477 -- which includes some recipes and references to help) and
> that a tool, ssl-cert, used at one point by apache2 for debconf, has
> problems (230485).  The changelog says that ssl-cert was dropped for
> the setup.
> 
> There seem to be at least 3 ways to setup certificates:
> openssl
> ssl-cert
> apache2-ssl-certificate
> 
> There is a configuration file /etc/ssl/openssl.cnf, and there seems to
> be space for certificates and keys under /etc/ssl/ and
> /etc/apache2/ssl.
> 
> Can anyone suggest which of these knobs I should tweak to set things
> up?  And where should I put the resulting files?  I use KDE, and I see
> it has Kleopatra for certificate management.  Is that useable?
> 
> I want to be my own CA as well as having the certificates (one for
> each virtual domain).
> 
OK.  Here are my notes:

New Certificate Authority:

Check out the SSL HOWTO.

New Certificate:

(All actions take place inside of /etc/ssl)

vi openssl.cnf (change default days if desired)
for i in `ls -1 *.pem` ; do mv $i $i.old-$(date +%Y%m%d); done
openssl req -new -key server.key -out newreq.pem
vi openssl.cnf (change default days back to normal)
openssl ca -revoke demoCA/newcerts/<num of previous cert>.pem
openssl ca -gencrl -out demoCA/crl/sopac-ca.crl
cp demoCA/crl/sopac-ca.crl /var/www/ca.crl
openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
cat newcert.pem | sed -n '/BEGIN/,/END/p' >server.pem
cat server.key >> server_key_and_cert.pem
cat server.pem >> server_key_and_cert.pem
chmod -R o-rx *
# chgrp mail server_key_and_cert.pem # This is because cyrus runs
# non-root
/etc/init.d/apache2 restart
/etc/init.d/postfix restart
/etc/init.d/ssh restart
/etc/init.d/slapd restart
/etc/init.d/courier-imap-ssl restart

I have these symlinks in place to make the process easier:

# ll /etc/apache2/ssl/
total 0
lrwxrwxrwx  1 root root 19 Sep  3 12:33 server.crt -> /etc/ssl/server.pem
lrwxrwxrwx  1 root root 19 Sep  3 12:34 server.key -> /etc/ssl/server.key
# ll /etc/courier/imapd.pem
lrwxrwxrwx  1 root root 32 May 16 01:30 /etc/courier/imapd.pem -> /etc/ssl/server_key_and_cert.pem
# ll /etc/postfix/*.pem
lrwxrwxrwx  1 root root  19 Dec 10  2004 /etc/postfix/cert.pem -> /etc/ssl/server.pem
lrwxrwxrwx  1 root root  32 Dec 10  2004 /etc/postfix/key.pem -> /etc/ssl/server_key_and_cert.pem

Also, please note that it is not possible to have multiple virtual hosts
running on SSL using name-based virtual hosting [0].

Hope this helps.

-Roberto

[0] http://httpd.apache.org/docs/2.0/en/ssl/ssl_faq.html#vhosts2

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto

Attachment: pgpC8IOjV4BJ_.pgp
Description: PGP signature


Reply to: