====== Running Apache with an official SSL certificate ======
===== Generating/buying an official key =====
==== Names and files (who is involved?): ====
  * Key file
    * domain.key
    * private file containing the key; never leaves the server
  * Certificate Signing Request
    * verisign.csr
    * uploaded to the CA for signing
  * Certificate
    * domain.crt
    * sent back by the CA
  * Intermediate
    * "bundle": the CA's intermediate certificate(s) that clients need to build the chain
==== Creating: ====
See also: http://support.psw.net/questions/26/Wie-wird-eine-Zertifizierungsanforderung-%28CSR%29-erstellt-%28Apache%29%3F
  * cd /etc/apache2/ssl
  * openssl req -new -nodes -keyout dateiname.key -out dateiname.csr -newkey rsa:2048
<code>
Generating RSA private key, 2048 bit long modulus
....++++++
...............................++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:DE
State or Province Name (full name) [Berkshire]:Bayern
Locality Name (eg, city) [Newbury]:Fuerth
Organization Name (eg, company) [My Company Ltd]:Domain GmbH
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:domain.de
Email Address []:webmaster@domain.de
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</code>
  * :!: do not set a passphrase (with ''-nodes'' the passphrase prompt is skipped entirely; otherwise Apache cannot read the key unattended at startup)
  * the "Common Name" is the domain name, e.g. ''domain.de'' (which is not the same as ''www.domain.de'' :!:)
  * the e-mail address must exist
==== Removing the password from the key file ====
  * openssl rsa -in server.key.pass -out server.key
==== Creating a self-signed certificate ====
  * openssl req -new -x509 -nodes -out server.crt -keyout server.key
See: http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#selfcert
===== Apache config =====
<code apache>
NameVirtualHost domain.de:443
<VirtualHost domain.de:443>
        DocumentRoot /home/domain/www
        ServerName domain.de:443
        ServerAlias www.domain.de
        ######################################################################
        ServerAdmin webmaster@domain.de
        ErrorLog /var/log/httpd/domain-error_log
        CustomLog /var/log/httpd/domain-access_log common

        <Directory /home/domain/www>
          # honour .htaccess:
          AllowOverride All
        </Directory>

        # additionally for SSL:
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        # Note: RC4, +LOW and SSLv3 (still permitted by "all -SSLv2") are
        # considered insecure today; current setups use "all -SSLv2 -SSLv3"
        # (or TLS 1.2 and newer only) and a cipher list without RC4/LOW.
        SSLCertificateKeyFile /etc/pki/tls/domain/domain.key
        SSLCertificateFile /etc/pki/tls/domain/domain.crt
        # intermediate "bundle" from the CA, so clients can build the chain
        # (file name assumed):
        # SSLCertificateChainFile /etc/pki/tls/domain/bundle.crt

        # containers as in Apache's stock ssl.conf (cgi-bin path assumed)
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
</VirtualHost>
</code>
Debian (enabling mod_ssl; ''a2enmod ssl'' creates the same two symlinks):
  * cd /etc/apache2/mods-enabled
  * ln -s ../mods-available/ssl.conf
  * ln -s ../mods-available/ssl.load
===== Checking the CSR file =====
  * openssl req -in server.csr -noout -text -verify
===== How to check that key and certificate file belong together? =====
  * openssl rsa -noout -text -in domain.key
  * openssl x509 -noout -text -in domain.crt
  * "Modulus" and "Exponent" must match exactly (a key whose modulus differs was not the one used for the CSR)
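As an added example (not from the original page), the CSR creation from the section above done non-interactively, followed by the key/certificate check: instead of eyeballing the hex modulus, a digest of the modulus from ''openssl rsa'' and ''openssl x509'' is compared. File names, the subject and the self-signed stand-in for domain.crt are constructed for the demo.

```shell
#!/bin/bash
# Added example, not the page's own code. Needs the openssl CLI.
set -eu

WORK=$(mktemp -d)          # scratch directory for the constructed files
trap 'rm -rf "$WORK"' EXIT

# 1. Key + CSR without passphrase (-nodes); subject on the command line
#    instead of the interactive dialog. CN is the bare domain, not www.
make_csr() {
  openssl req -new -nodes -newkey rsa:2048 \
    -keyout "$WORK/domain.key" -out "$WORK/domain.csr" \
    -subj "/C=DE/ST=Bayern/L=Fuerth/O=Domain GmbH/CN=domain.de/emailAddress=webmaster@domain.de" \
    2>/dev/null
  # same sanity check as "openssl req -noout -verify" in the CSR section
  openssl req -in "$WORK/domain.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# 2. Self-signed certificate from that key (stand-in for the CA-issued domain.crt)
make_selfsigned() {
  openssl x509 -req -days 1 -in "$WORK/domain.csr" \
    -signkey "$WORK/domain.key" -out "$WORK/domain.crt" 2>/dev/null
}

# 3. Key and certificate belong together iff the RSA modulus is identical.
#    Returns 0 (match) or 1 (mismatch), usable in scripts and monitoring.
key_matches_cert() {
  local key_mod cert_mod
  key_mod=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
  cert_mod=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
  [ "$key_mod" = "$cert_mod" ]
}

make_csr
make_selfsigned
# matching pair -> exit status 0
key_matches_cert "$WORK/domain.key" "$WORK/domain.crt"
# an unrelated key (constructed here) must be rejected
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
if key_matches_cert "$WORK/other.key" "$WORK/domain.crt"; then
  echo "BUG: unrelated key accepted"; exit 1
fi
echo "key/cert check OK"
```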
===== Checking a certificate / a server with and without CAfile =====
  * openssl s_client -quiet -connect servername:443
    * reports a verification error because the chain can only be validated with the CA certificate (CAfile)
    * solution: openssl s_client -quiet -CAfile cafile.pem -connect servername:443
  * checking a locally available certificate:
    * openssl verify -verbose -CAfile cafile.pem cert.pem
===== Which ciphers does a server support? =====
From https://github.com/wki/MyHomeBinaries/blob/master/bin/check_ssl.sh:
<code bash>
#!/bin/bash
# This script is taken from:
# http://superuser.com/questions/109213/is-there-a-tool-that-can-test-what-ssl-tls-cipher-suites-a-particular-website-of
#
if [[ "x$1" == "x" ]]; then
  echo "must give ip or host name as parameter"
  exit 1
fi
server=$1
echo "Testing Server $server..."
# OpenSSL requires the port number.
DELAY=1
# Try every cipher the local OpenSSL knows; the server accepts it if the
# handshake output contains "Cipher is <name>".
openssl ciphers -v 'ALL:eNULL' | while read cipher ssl kx au enc mac export
do
      echo -n -e "Testing $cipher, $ssl, $enc... \t"
      result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$server:443" 2>&1)
      if [[ "$result" =~ "Cipher is " ]] ; then
        echo YES
      else
        if [[ "$result" =~ ":error:" ]] ; then
          # field 6 of the OpenSSL error line holds the reason string
          error=$(echo -n "$result" | cut -d':' -f6)
          echo NO \($error\)
        else
          echo UNKNOWN RESPONSE
          echo "$result"
        fi
      fi
      sleep $DELAY
done
</code>
===== SSL certificate chain resolver =====
  * downloads the intermediate certs automatically
  * https://github.com/zakjan/cert-chain-resolver
===== Links =====
  * http://kb.psw.net/
  * http://www.enterprisessl.com/ssl-certificate-support/server_faq/ssl-server-certificate-apache.html
  * https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO7302&actp=search&viewlocale=en_US&searchid=1254230700908
  * http://www.verisign.de/support/ssl-certificates-support/page_de_de_dev019431.html
  * https://www.ssllabs.com/ssltest/analyze.html
    * checks server/config/certificate