doku:apachessl [2016-08-17 15:45] (current) - created - external edit 127.0.0.1
====== Running Apache with an official SSL certificate ======
===== Generating/buying an official key =====

==== Names and files (who is involved?): ====

  * Key file
    * domain.key
    * private file containing the key
  * Certificate Signing Request
    * verisign.csr
    * for upload to the certifier
  * Certificate
    * domain.crt
    * sent back by the certifier
  * Intermediate
    * "bundle"

==== Creating: ====

See also: http://support.psw.net/questions/26/Wie-wird-eine-Zertifizierungsanforderung-%28CSR%29-erstellt-%28Apache%29%3F

  * cd /etc/apache2/ssl
  * openssl req -new -nodes -keyout dateiname.key -out dateiname.csr -newkey rsa:2048 <code>
Generating RSA private key, 2048 bit long modulus
....++++++
...............................++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
</code>

  * <code>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:DE
State or Province Name (full name) [Berkshire]:Bayern
Locality Name (eg, city) [Newbury]:Fuerth
Organization Name (eg, company) [My Company Ltd]:Domain GmbH
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:domain.de
Email Address []:webmaster@domain.de

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</code>
    * :!: do not set a passphrase
    * the "Common Name" is the domain name, e.g. ''domain.de'' (which is not the same as ''www.domain.de'' :!:)
    * the e-mail address must exist

==== Removing the password from the key file ====
  * openssl rsa -in server.key.pass -out server.key

==== Creating a self-signed certificate ====

  * openssl req -new -x509 -nodes -out server.crt -keyout server.key

See: http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#selfcert

===== Apache config =====
<code>
NameVirtualHost domain.de:443
<VirtualHost domain.de:443>
        DocumentRoot /home/domain/www
        ServerName domain.de:443
        ServerAlias www.domain.de
        ######################################################################
        ServerAdmin webmaster@domain.de
        ErrorLog /var/log/httpd/domain-error_log
        CustomLog /var/log/httpd/domain-access_log common

        <Directory /home/domain/www>
          # note .htaccess:
          AllowOverride All
        </Directory>

        # additionally for SSL:
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateKeyFile /etc/pki/tls/domain/domain.key
        SSLCertificateFile /etc/pki/tls/domain/domain.crt
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
</VirtualHost>
</code>
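The SSLProtocol and SSLCipherSuite lines in the vhost above only remove SSLv2 and still add RC4, MEDIUM and LOW suites. The script below is an added example and not part of the wiki page: it holds those two directives as a constructed "weak" config next to a hardened replacement (the hardened lines assume Apache 2.4 with OpenSSL 1.0.1 or newer; the exact cipher list is a choice made here, not something the page prescribes), and a small audit function that reads any Apache config on stdin and reports weak protocol settings and cipher selectors.

```shell
#!/bin/bash
# Added example (not from the wiki page): the page's SSL directives as a
# constructed "weak" config next to a hardened one, plus a small audit that
# flags weak cipher selectors and protocol settings in any config on stdin.
set -u

# The two directives copied from the vhost above: SSLv2 is the only protocol
# removed, and RC4, MEDIUM and LOW suites are explicitly added.
WEAK_CONF='SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'

# Hardened replacement (assumption: Apache 2.4 with OpenSSL 1.0.1 or newer, so
# TLSv1.1 can be named and the ECDHE/AES-GCM suites exist). Only TLS 1.2 and
# later remain, only forward-secret AEAD suites are offered, and the server's
# preference order wins over the client's.
HARDENED_CONF='SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on'

# Read an Apache config on stdin, print one finding per line, and return
# non-zero when anything was flagged. Comments and other directives are skipped.
audit_ssl_conf() {
    local findings=0 directive rest tok
    while read -r directive rest; do
        case "$directive" in
            SSLProtocol)
                # "all" re-enables SSLv3 on older builds unless it is removed explicitly.
                case " $rest " in
                    *" all "*)
                        case " $rest " in
                            *" -SSLv3 "*) ;;
                            *) echo "SSLProtocol: 'all' without -SSLv3 ($rest)"
                               findings=$((findings + 1)) ;;
                        esac ;;
                esac ;;
            SSLCipherSuite)
                # Split the cipher string on ':' and flag weak selectors that
                # are added (bare or '+') rather than excluded ('!').
                for tok in $(printf '%s' "$rest" | tr ':' ' '); do
                    case "$tok" in
                        '!'*) ;;
                        RC4*|+RC4*|LOW|+LOW|MEDIUM|+MEDIUM|EXPORT*|+EXPORT*|\
                        NULL|eNULL|aNULL|ADH|DES*|+DES*|MD5|+MD5)
                            echo "SSLCipherSuite: weak selector '$tok'"
                            findings=$((findings + 1)) ;;
                    esac
                done ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Number of findings for a config passed as a string.
count_findings() {  # $1 = config text
    printf '%s\n' "$1" | audit_ssl_conf | grep -c . || true
}

echo "--- findings in the wiki's config ---"
printf '%s\n' "$WEAK_CONF" | audit_ssl_conf || true
echo "--- findings in the hardened config ---"
printf '%s\n' "$HARDENED_CONF" | audit_ssl_conf && echo "(none)"
```

Run against the wiki's directives the audit reports four findings (the SSLProtocol line and the RC4+RSA, +MEDIUM and +LOW selectors); a real vhost file can be piped in the same way, e.g. `audit_ssl_conf < /etc/apache2/sites-enabled/domain.conf`. The selector list is deliberately short and only covers the selectors that appear in such older configs; the SSL Labs test linked at the end of the page remains the authoritative check.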

Debian:
  * cd /etc/apache2/mods-enabled
  * ln -s ../mods-available/ssl.conf
  * ln -s ../mods-available/ssl.load

===== Checking a CSR file =====

  * openssl req -in server.csr -noout -text -verify

===== How to check whether key and certificate file belong together? =====
  * openssl rsa -noout -text -in domain.key
  * openssl x509 -noout -text -in domain.crt
  * "modulus" and "Exponent" must match exactly

===== Checking a certificate / a server with/without CAfile =====
  * openssl s_client -quiet -connect servername:443
    * returns an error because it is only valid with the certificate (CAfile)
    * solution: openssl s_client -quiet -CAfile cafile.pem -connect servername:443
  * checking a locally available certificate:
    * openssl verify -verbose -CAfile cafile.pem cert.pem
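The steps from the sections above (creating key and CSR without a passphrase, self-signing, comparing modulus and exponent of key and certificate, and running openssl verify against a CAfile) can be scripted so the comparison is done by string equality instead of by eye. The script below is an added example and not from the wiki page: domain.de, the DN values, the file names and the temporary directory are constructed placeholders, and the request config also adds a subjectAltName, which the page does not mention but which browsers require today.

```shell
#!/bin/bash
# Added example (not from the wiki page): key + CSR + self-signed certificate,
# then check that key, CSR and certificate share the same RSA modulus and
# that the certificate verifies against a CA file. All names are constructed.
set -u

# Request config so the CSR and certificate carry a subjectAltName (assumption:
# the CN alone is not enough for today's browsers; the wiki only talks about the CN).
write_req_config() {   # $1 = config path, $2 = domain
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
C  = DE
ST = Bayern
L  = Fuerth
O  = Domain GmbH
CN = $2

[ v3_req ]
subjectAltName = DNS:$2, DNS:www.$2
EOF
}

# Create domain.key (no passphrase, as the wiki advises), domain.csr and a
# self-signed domain.crt (30 days) inside directory $1 for domain $2.
make_key_csr_cert() {  # $1 = work dir, $2 = domain
    local dir="$1" domain="$2"
    write_req_config "$dir/req.cnf" "$domain"
    openssl genrsa -out "$dir/domain.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/domain.key" -config "$dir/req.cnf" \
        -out "$dir/domain.csr" 2>/dev/null || return 1
    openssl req -x509 -key "$dir/domain.key" -config "$dir/req.cnf" \
        -extensions v3_req -days 30 -out "$dir/domain.crt" 2>/dev/null || return 1
}

# SHA-256 of the "Modulus=..." line of a key (rsa), CSR (req) or cert (x509).
# The modulus is what the wiki says must match; with the same modulus the
# public exponent is the same key parameter as well.
modulus_fingerprint() {  # $1 = rsa|req|x509, $2 = file
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Succeeds only when key, CSR and certificate in $1 all carry the same modulus.
key_cert_match() {  # $1 = work dir
    local k r c
    k=$(modulus_fingerprint rsa  "$1/domain.key")
    r=$(modulus_fingerprint req  "$1/domain.csr")
    c=$(modulus_fingerprint x509 "$1/domain.crt")
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# "openssl verify -CAfile" as on the wiki; for a self-signed certificate the
# certificate itself is the CA file. Prints "<file>: OK" on success.
verify_against_ca() {  # $1 = CA file, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" 2>&1
}

demo() {
    local dir
    dir=$(mktemp -d) || return 1
    make_key_csr_cert "$dir" "domain.de" || { rm -rf "$dir"; return 1; }
    if key_cert_match "$dir"; then
        echo "key, CSR and certificate belong together"
    else
        echo "MISMATCH: key and certificate do not belong together"
    fi
    verify_against_ca "$dir/domain.crt" "$dir/domain.crt"
    rm -rf "$dir"
}

demo || echo "demo failed (is openssl installed?)"
```

For a certificate returned by a certifier, `modulus_fingerprint x509 domain.crt` compared with `modulus_fingerprint rsa domain.key` is the same check as the two `-text` commands above, and `verify_against_ca bundle.pem domain.crt` with the intermediate "bundle" as CA file shows whether the chain the server will present is complete.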
===== Which ciphers does a server support? =====

From https://github.com/wki/MyHomeBinaries/blob/master/bin/check_ssl.sh:
<code>
#!/bin/bash
# This script is taken from:
# http://superuser.com/questions/109213/is-there-a-tool-that-can-test-what-ssl-tls-cipher-suites-a-particular-website-of
#
if [[ "x$1" == "x" ]]; then
  echo "must give ip or host name as parameter"
  exit 1
fi

server=$1
echo "Testing Server $server..."

# pause between handshakes so the server is not hammered
DELAY=1

# 'ALL:eNULL' enumerates every suite the local OpenSSL knows; each one is
# offered to the server on its own, so YES means the server accepted it.
openssl ciphers -v 'ALL:eNULL' | while read cipher ssl kx au enc mac export
do
      echo -n -e "Testing $cipher, $ssl, $enc... \t"
      # OpenSSL requires the port number; "echo -n |" closes stdin so
      # s_client exits right after the handshake.
      result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$server:443" 2>&1)
      # Check for the error first: a failed handshake still prints a
      # "Cipher is (NONE)" line, which would otherwise count as YES.
      if [[ "$result" =~ ":error:" ]] ; then
        error=$(echo -n $result | cut -d':' -f6)
        echo NO \($error\)
      else
        if [[ "$result" =~ "Cipher is $cipher" ]] ; then
          echo YES
        else
          echo UNKNOWN RESPONSE
          echo $result
        fi
      fi
      sleep $DELAY
done
</code>
===== SSL certificate chain resolver =====
  * downloads intermediate certs automatically
  * https://github.com/zakjan/cert-chain-resolver

===== Links =====
  * http://kb.psw.net/
  * http://www.enterprisessl.com/ssl-certificate-support/server_faq/ssl-server-certificate-apache.html
  * https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO7302&actp=search&viewlocale=en_US&searchid=1254230700908
  * http://www.verisign.de/support/ssl-certificates-support/page_de_de_dev019431.html
  * https://www.ssllabs.com/ssltest/analyze.html
    * checks server/config/certificate
