Apache mit offiziellen SSL-Zertifikat betreiben

• Keyfile
  • domain.key
  • private Datei mit Schlüssel
• Certification Signing Request
  • verisign.csr
  • für upload zum Zertifizieren
• Zertifikat
  • domain.crt
  • bekommt man vom Zertifizierer zurückgeschickt
• Intermediate
  • „bundle“

Siehe auch: http://support.psw.net/questions/26/Wie-wird-eine-Zertifizierungsanforderung-%28CSR%29-erstellt-%28Apache%29%3F

• cd /etc/apache2/ssl
• openssl req -new -nodes -keyout dateiname.key -out dateiname.csr -newkey rsa:2048

  Generating RSA private key, 2048 bit long modulus
  ....++++++
  ...............................++++++
  e is 65537 (0x10001)
  Enter pass phrase:
  Verifying - Enter pass phrase:

• You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [GB]:DE
  State or Province Name (full name) [Berkshire]:Bayern
  Locality Name (eg, city) [Newbury]:Fuerth
  Organization Name (eg, company) [My Company Ltd]:Domain GmbH
  Organizational Unit Name (eg, section) []:  
  Common Name (eg, your name or your server's hostname) []:domain.de
  Email Address []:webmaster@domain.de
  
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:

  • keine Passphrase vergeben
  • der „Common Name“ ist der Domain.name, z.B. domain.de (das ist ungleich www.domain.de )
  • Die E-Mail-Adresse muss es geben

• openssl rsa -in server.key.pass -out server.key

• openssl req -new -x509 -nodes -out server.crt -keyout server.key

Siehe: http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#selfcert

NameVirtualHost domain.de:443
<VirtualHost domain.de:443>
        DocumentRoot /home/domain/www
        ServerName domain.de:443
        ServerAlias www.domain.de
        ######################################################################
        ServerAdmin webmaster@domain.de
        ErrorLog /var/log/httpd/domain-error_log
        CustomLog /var/log/httpd/domain-access_log common

        <Directory /home/domain/www>
          # beachte .htaccess :
          AllowOverride All
        </Directory>

        # zusaetzlich fuer SSL:
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateKeyFile /etc/pki/tls/domain/domain.key
        SSLCertificateFile /etc/pki/tls/domain/domain.crt
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
</VirtualHost>

Debian:

• cd /etc/apache2/mods-enabled
• ln -s ../mods-available/ssl.conf
• ln -s ../mods-available/ssl.load

• openssl req -in server.csr -noout -text -verify

• openssl rsa -noout -text -in domain.key
• openssl x509 -noout -text -in domain.crt
• „modulus“ und „Exponent“ müssen exakt übereinstimmen

• openssl s_client -quiet -connect servername:443
  • liefert Fehler weil nur mit Zertifikat (CAFile) gültig
  • Lösung: openssl s_client -quiet -CAfile cafile.pem -connect servername:443
• lokal vorhandes Zertifikat prüfen:
  • openssl verify -verbose -CAfile cafile.pem cert.pem

Von https://github.com/wki/MyHomeBinaries/blob/master/bin/check_ssl.sh:

#!/bin/bash
# This script is taken from:
# http://superuser.com/questions/109213/is-there-a-tool-that-can-test-what-ssl-tls-cipher-suites-a-particular-website-of
#
if [[ "x$1" == "x" ]]; then
  echo "must give ip or host name as parameter"
  exit 1
fi

server=$1
echo "Testing Server $server..."

# OpenSSL requires the port number.
DELAY=1



openssl ciphers -v 'ALL:eNULL' | while read cipher ssl kx au enc mac export
do
      echo -n -e "Testing $cipher, $ssl, $enc... \t"
      result=`echo -n | openssl s_client -cipher "$cipher" -connect $server:443 2>&1`
      if [[ "$result" =~ "Cipher is " ]] ; then
        echo YES
      else
        if [[ "$result" =~ ":error:" ]] ; then
          error=`echo -n $result | cut -d':' -f6`
          echo NO \($error\)
        else
          echo UNKNOWN RESPONSE
          echo $result
        fi
      fi
      sleep $DELAY
done

• lädt intermediate certs automatisch
• https://github.com/zakjan/cert-chain-resolver

• http://kb.psw.net/
• http://www.enterprisessl.com/ssl-certificate-support/server_faq/ssl-server-certificate-apache.html
• https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO7302&actp=search&viewlocale=en_US&searchid=1254230700908
• http://www.verisign.de/support/ssl-certificates-support/page_de_de_dev019431.html
• https://www.ssllabs.com/ssltest/analyze.html
  • Prüfe Server/Config/Zertifikat