doku:apachessl
doku:apachessl [2016-08-17 15:45] (current) – created - external edit 127.0.0.1
====== Running Apache with an official SSL certificate ======
===== Generating an official key/
==== Names and files (who is involved?): ====

  * Key file
    * domain.key
    * private file containing the key
  * Certificate Signing Request
    * verisign.csr
    * for upload to the certifier
  * Certificate
    * domain.crt
    * sent back by the certifier
  * Intermediate
    * "

==== Creating them: ====

See also: http://

  * cd /
  * openssl req -new -nodes -keyout dateiname.key -out dateiname.csr -newkey rsa:2048 <code>
Generating RSA private key, 2048 bit long modulus
....++++++
...............................++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
</code>

  * <code>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '
-----
Country Name (2 letter code) [GB]:DE
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:Domain GmbH
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server'
Email Address []:

Please enter the following '
to be sent with your certificate request
A challenge password []:
An optional company name []:
</code>
  * :!: do not set a passphrase
  * the "
  * The e-mail address must exist

==== Removing the password from the key file ====
  * openssl rsa -in server.key.pass -out server.key

==== Creating a self-signed certificate ====

  * openssl req -new -x509 -nodes -out server.crt -keyout server.key

See: http://
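An unattended version of the steps above, as an added example that is not part of the original wiki page: the key and CSR are created with -subj so none of the prompts shown above appear, -nodes writes the private key without a passphrase (the ":!:" advice above), an encrypted key is stripped exactly as in "Removing the password from the key file", and the CSR is verified before upload. The scratch directory, the domain "domain.de", the DN values and the passphrase "secret" are assumptions for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page: unattended key/CSR creation,
# passphrase removal and CSR checks. Paths, domain and "secret" are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)
DOMAIN="domain.de"             # placeholder domain, as used on the page

# Key + CSR in one step. -nodes writes the private key unencrypted, so no
# passphrase prompt appears; -subj answers the DN questions up front.
make_key_and_csr() {
  openssl req -new -nodes -newkey rsa:2048 \
    -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr" \
    -subj "/C=DE/O=Domain GmbH/CN=$DOMAIN/emailAddress=webmaster@$DOMAIN" \
    2>/dev/null
}

# Simulate a key that was created with a passphrase, then strip it the way
# the page does with "openssl rsa -in server.key.pass -out server.key".
make_encrypted_key_then_strip() {
  openssl genrsa -aes256 -passout pass:secret -out "$WORK/server.key.pass" 2048 2>/dev/null
  openssl rsa -in "$WORK/server.key.pass" -passin pass:secret \
    -out "$WORK/server.key" 2>/dev/null
}

# Exit 0 if the PEM file is passphrase-protected (covers both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY"
# form), exit 1 if it is a plain key.
key_is_encrypted() {
  grep -q ENCRYPTED "$1"
}

# The CSR is signed with the new key itself; -verify checks that signature.
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Common Name the certifier will see. RFC 2253 output is used because the
# spacing of the default subject line differs between OpenSSL versions.
csr_common_name() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Self-signed certificate for testing, as in the section above.
make_self_signed() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$DOMAIN" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null
}

demo() {
  make_key_and_csr
  echo "CSR for CN=$(csr_common_name "$WORK/$DOMAIN.csr")"
  csr_verify "$WORK/$DOMAIN.csr" && echo "CSR signature OK"
  make_encrypted_key_then_strip
  key_is_encrypted "$WORK/server.key.pass" && echo "server.key.pass: encrypted"
  key_is_encrypted "$WORK/server.key" || echo "server.key: passphrase removed"
  make_self_signed && echo "self-signed cert written to $WORK/selfsigned.crt"
}

# Run the demo only when called with --run:  bash this.sh --run
if [ "${1:-}" = "--run" ]; then demo; fi
```

Without -nodes the key would be AES-encrypted and Apache would prompt for the passphrase at every start, which is why the page removes it; with -nodes the file is written in the clear, so its permissions (root only) are what protects it.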

===== Apache config =====
<code>
NameVirtualHost domain.de:
<
DocumentRoot /
ServerName domain.de:
ServerAlias www.domain.de
######################################################################
ServerAdmin webmaster@domain.de
ErrorLog /
CustomLog /

<
# note .htaccess :
AllowOverride All
</

# additionally for SSL:
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:
SSLCertificateKeyFile /
SSLCertificateFile /
<Files ~ "
SSLOptions +StdEnvVars
</
<
SSLOptions +StdEnvVars
</
SetEnvIf User-Agent "


</
</code>

Debian:
  * cd /
  * ln -s ../
  * ln -s ../
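"SSLProtocol all -SSLv2" in the config above only removes SSLv2; SSLv3 and TLS 1.0/1.1 stay enabled, and a cipher list starting from "ALL" pulls in aliases that should be excluded. Added example (not the page's own config and not an Apache tool): a small shell audit that evaluates an SSLProtocol value the way mod_ssl does (tokens left to right, "all" and "+X" enable, "-X" disable), flags the weak versions and cipher tokens, and a hardened vhost fragment that passes the audit. Both fragments are constructed for the demo; the certificate paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page: audit the TLS directives of an
# Apache vhost fragment. The two fragments below are constructed for the demo.
set -eu

# Constructed fragment in the spirit of the config above: SSLv2 is removed
# but SSLv3/TLS 1.0/1.1 stay enabled and the cipher list starts from ALL.
WEAK_VHOST='SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW
SSLCertificateKeyFile /etc/ssl/private/domain.key
SSLCertificateFile /etc/ssl/certs/domain.crt'

# Hardened replacement: only TLS 1.2/1.3 (1.3 needs Apache 2.4.37+ built
# against OpenSSL 1.1.1+), forward-secret AEAD suites, server order wins.
HARDENED_VHOST='SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
SSLCertificateKeyFile /etc/ssl/private/domain.key
SSLCertificateFile /etc/ssl/certs/domain.crt'

# Evaluate an SSLProtocol value like mod_ssl: tokens left to right,
# "all"/"+X" enable, "-X" disable. Prints the versions left enabled.
enabled_protocols() {
  on=""
  for tok in $1; do
    t=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
    case "$t" in
      all|+all) on=" sslv3; tlsv1; tlsv1.1; tlsv1.2; tlsv1.3;" ;;
      -all)     on="" ;;
      -*)       on=$(printf '%s' "$on" | sed "s/ ${t#-};//") ;;
      *)        t=${t#+}
                case "$on" in *" $t;"*) ;; *) on="$on $t;" ;; esac ;;
    esac
  done
  printf '%s\n' "$on" | tr -d ';' | sed 's/^ //'
}

# Reads a vhost fragment on stdin, prints one FINDING per line,
# returns 0 when clean and 1 when something was flagged.
audit_ssl_directives() {
  conf=$(cat)
  rc=0
  proto=$(printf '%s\n' "$conf" | awk 'tolower($1)=="sslprotocol" {$1=""; sub(/^ /,""); print; exit}')
  if [ -z "$proto" ]; then
    echo "FINDING: no SSLProtocol directive (mod_ssl then allows every supported version)"
    rc=1
  else
    for v in $(enabled_protocols "$proto"); do
      case "$v" in
        sslv3|tlsv1|tlsv1.1) echo "FINDING: SSLProtocol '$proto' still enables $v"; rc=1 ;;
      esac
    done
  fi
  ciphers=$(printf '%s\n' "$conf" | awk 'tolower($1)=="sslciphersuite" {print $2; exit}')
  if [ -z "$ciphers" ]; then
    echo "FINDING: no SSLCipherSuite directive (the OpenSSL default list applies)"
    rc=1
  fi
  # Only positively selected tokens count; "!X" and "-X" exclude and are fine.
  for tok in $(printf '%s' "$ciphers" | tr ':' ' '); do
    t=${tok#+}
    case "$t" in
      "!"*|-*) ;;
      ALL|COMPLEMENTOFDEFAULT|LOW|EXP|EXPORT*|RC4*|*DES*|*NULL*|*MD5*|SSLv2|SSLv3)
        echo "FINDING: SSLCipherSuite token '$tok' admits weak or overly broad ciphers"; rc=1 ;;
    esac
  done
  return $rc
}

if [ "${1:-}" = "--demo" ]; then
  echo "== weak =="; printf '%s\n' "$WEAK_VHOST" | audit_ssl_directives || true
  echo "== hardened =="; printf '%s\n' "$HARDENED_VHOST" | audit_ssl_directives && echo "clean"
fi
```

Run it on a real vhost with "audit_ssl_directives < /etc/apache2/sites-available/domain.conf" after sourcing the file. On Apache 2.4.8 and later the intermediate certificate can simply be appended to the file named in SSLCertificateFile instead of a separate SSLCertificateChainFile.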

===== Checking the CSR file =====

  * openssl req -in server.csr -noout -text -verify

===== How to check whether the key and certificate files belong together? =====
  * openssl rsa -noout -text -in domain.key
  * openssl x509 -noout -text -in domain.crt
  * "

===== Checking a certificate / a server with/without CAfile =====
  * openssl s_client -quiet -connect servername:
    * returns an error because it only validates with the certificate (CAfile)
    * Solution: openssl s_client -quiet -CAfile cafile.pem -connect servername:
  * checking a locally stored certificate:
    * openssl verify -verbose -CAfile cafile.pem cert.pem
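Added example, not from the wiki page: a throwaway CA and a leaf certificate are built so the two checks above can be run offline: the key/certificate comparison (the moduli printed by "openssl rsa -text" and "openssl x509 -text" must be identical, compared here via -modulus), and "openssl verify" failing without a CA file and succeeding with -CAfile. The file names follow the page ("cafile.pem", "domain.key", "domain.crt") but the scratch directory and the CA name are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page: builds a throwaway CA plus a leaf
# certificate and runs the key/cert and CAfile checks. Paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

make_test_pki() {
  # Root CA: self-signed via "x509 -req -signkey" with an explicit
  # basicConstraints so "openssl verify" accepts it as an issuer.
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/cafile.pem" 2>/dev/null
  # Leaf key + CSR for the server, signed by the CA (stands in for the
  # domain.crt you would get back from the certifier).
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=domain.de" \
    -keyout "$WORK/domain.key" -out "$WORK/domain.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/domain.csr" -CA "$WORK/cafile.pem" \
    -CAkey "$WORK/ca.key" -set_serial 1 -days 30 -out "$WORK/domain.crt" 2>/dev/null
  # An unrelated key, to show what a mismatch looks like.
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

# Key and certificate belong together exactly when their RSA moduli are
# identical; comparing "-modulus" output is the page's "-text" check in short.
key_matches_cert() {   # $1 = key file, $2 = certificate file
  kmod=$(openssl rsa -noout -modulus -in "$1")
  cmod=$(openssl x509 -noout -modulus -in "$2")
  if [ "$kmod" = "$cmod" ]; then echo "match"; return 0; fi
  echo "MISMATCH"; return 1
}

# openssl verify: without the CA file the issuer is unknown and it fails;
# with -CAfile the chain closes and it succeeds. The exit status is the result.
verify_cert() {        # $1 = certificate, $2 = CA file (optional)
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

demo() {
  make_test_pki
  echo "domain.key vs domain.crt: $(key_matches_cert "$WORK/domain.key" "$WORK/domain.crt")"
  echo "other.key  vs domain.crt: $(key_matches_cert "$WORK/other.key" "$WORK/domain.crt" || true)"
  verify_cert "$WORK/domain.crt" || echo "verify without CAfile: FAILED (expected)"
  verify_cert "$WORK/domain.crt" "$WORK/cafile.pem" && echo "verify with CAfile: OK"
}

# Run the demo only when called with --run:  bash this.sh --run
if [ "${1:-}" = "--run" ]; then demo; fi
```

The same verify_cert call against a certificate from a public CA succeeds without -CAfile because that CA is already in the system store; the -CAfile form is only needed for private or intermediate-only chains, which is the situation the page describes.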
===== Which ciphers does a server support? =====

From https://
<code>
#!/bin/bash
# This script is taken from:
# http://
#
if [[ "
    echo "must give ip or host name as parameter"
    exit 1
fi

server=$1
echo "

# OpenSSL requires the port number.
DELAY=1



openssl ciphers -v '
do
    echo -n -e "
    result=`echo -n | openssl s_client -cipher "
    if [[ "
        echo YES
    else
        if [[ "
            error=`echo -n $result | cut -d':'
            echo NO \($error\)
        else
            echo UNKNOWN RESPONSE
            echo $result
        fi
    fi
    sleep $DELAY
done

</code>
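Added example, not the script quoted above: the same per-cipher handshake test with "openssl s_client", but with the interpretation of the s_client transcript separated into its own function so it can be checked against captured output without a network. The two sample transcripts are constructed to match the shape of s_client output and are not real captures; HOST:PORT is whatever the caller supplies.

```shell
#!/usr/bin/env bash
# Added example, not the script quoted on the page: per-cipher handshake test
# with "openssl s_client", with the transcript parsing kept in a function so it
# can be checked on captured output. HOST:PORT is supplied by the caller.
set -eu

# Classify one s_client transcript for the cipher that was requested.
classify_handshake() {   # $1 = cipher name, $2 = captured s_client output
  case "$2" in
    *"Cipher is $1"*|*"Cipher    : $1"*)
      echo "YES" ;;
    *"Cipher is TLS_"*)
      # -cipher only governs TLS 1.2 and below; a 1.3 server picks its own
      # suite, so this says nothing about $1 (use -ciphersuites for 1.3).
      echo "SKIPPED (TLS 1.3 suite negotiated; test with -ciphersuites)" ;;
    *:error:*)
      # OpenSSL error lines are colon-separated; field 6 is the reason text
      # (e.g. "sslv3 alert handshake failure"), same as the page's cut -f6.
      reason=$(printf '%s\n' "$2" | awk -F: '/:error:/ {print $6; exit}')
      echo "NO (${reason:-handshake error})" ;;
    *)
      echo "UNKNOWN" ;;
  esac
}

# Try every cipher the local OpenSSL knows against HOST:PORT, one handshake
# each, with a pause between attempts as in the page's script.
scan_server() {   # $1 = host:port
  for cipher in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    out=$(printf '' | openssl s_client -cipher "$cipher" -connect "$1" 2>&1 || true)
    printf '%-32s %s\n' "$cipher" "$(classify_handshake "$cipher" "$out")"
    sleep "${DELAY:-1}"
  done
}

# Constructed transcripts (shape of s_client output, not real captures) to
# exercise the classifier offline.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
---'
SAMPLE_REJECTED='CONNECTED(00000003)
139907:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

if [ "${1:-}" = "--scan" ] && [ -n "${2:-}" ]; then
  scan_server "$2"
else
  echo "self-check: $(classify_handshake ECDHE-RSA-AES128-GCM-SHA256 "$SAMPLE_ACCEPTED")"
  echo "self-check: $(classify_handshake RC4-SHA "$SAMPLE_REJECTED")"
fi
```

Usage: "bash this.sh --scan domain.de:443". A result of YES for any RC4, DES or export cipher is the finding to act on in the SSLCipherSuite line of the vhost; running the scan only against servers you operate keeps it a configuration check rather than unsolicited probing.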
===== SSL certificate chain resolver =====
  * downloads intermediate certs automatically
  * https://

===== Links =====
  * http://
  * http://
  * https://
  * http://
  * https://
  * Check server/