Difference between revisions of "Internal Installing Apache SSL Certs"
 (Dumping instructions)  | 
| Line 1: | Line 1: | ||
*Load StartSSL trusted login cert into browser  | *Load StartSSL trusted login cert into browser (Located on Password Gorilla)  | ||
*Login and choose the certificate wizard (verify domain if required)  | *Login and choose the certificate wizard (verify domain if required)  | ||
| Line 7: | Line 7: | ||
*SSH into the server and run in /etc/ssl  | *SSH into the server and run in /etc/ssl  | ||
wget https://www.startssl.com/certs/ca.pem  |  wget https://www.startssl.com/certs/ca.pem  | ||
 wget https://www.startssl.com/certs/sub.class1.server.ca.pem  | |||
wget https://www.startssl.com/certs/sub.class1.server.ca.pem  |  # Generate the request  | ||
 openssl req -new -newkey rsa:2048 -nodes -keyout fqdn.key -out fqdn.csr  | |||
openssl req -new -newkey rsa:2048 -nodes -keyout   | |||
*Set the server domain name for CN  | *Set the server domain name for CN  | ||
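Review bot: the completed `openssl req ... -nodes -keyout fqdn.key -out fqdn.csr` line writes the private key unencrypted into /etc/ssl (the directory the step above changes into) with whatever the default umask allows; add `chmod 600 fqdn.key` directly after it, or write the key into /etc/ssl/private, which is where the apache.conf added later in this revision expects to read it from.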
| Line 19: | Line 18: | ||
*Wait for verification  | *Wait for verification  | ||
*Follow the instructions in the email and create   | *Follow the instructions in the email and create ''fqdn.crt''  | ||
*Rename the ''fqdn.key'' and ''fqdn.crt'' to the common name  | |||
*Modify ''/etc/ssl/apache.conf'' to read like this  | |||
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown  |  SSLEngine On  | ||
 SSLProtocol all -SSLv2  | |||
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM  | |||
 SSLCertificateChainFile	/etc/ssl/sub.class1.server.ca.pem  | |||
 SSLCACertificateFile	/etc/ssl/ca.pem  | |||
 SSLCertificateFile	/etc/ssl/certs/<common name>.crt  | |||
 SSLCertificateKeyFile	/etc/ssl/private/<common name>.key  | |||
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown  | |||
*Restart the apache server daemon  | *Restart the apache server daemon  | ||
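Review bot: the new rename step and the new apache.conf block disagree on paths: the key and certificate are created and renamed in /etc/ssl, but SSLCertificateFile and SSLCertificateKeyFile point at /etc/ssl/certs/<common name>.crt and /etc/ssl/private/<common name>.key, so a step that moves the two files there (with the private key readable by root only) is missing. Separately, `SSLProtocol all -SSLv2` still leaves SSLv3 enabled and the cipher string ranks RC4+RSA ahead of HIGH; `SSLProtocol all -SSLv2 -SSLv3` and dropping RC4 from SSLCipherSuite would harden the same block without changing anything else.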
Revision as of 20:13, 4 January 2013
- Load StartSSL trusted login cert into browser (Located on Password Gorilla)
 
- Login and choose the certificate wizard (verify domain if required)
 
- Skip automatic cert generation in the wizard
 
- SSH into the server and run in /etc/ssl
 
 wget https://www.startssl.com/certs/ca.pem
 wget https://www.startssl.com/certs/sub.class1.server.ca.pem
 # Generate the request
 openssl req -new -newkey rsa:2048 -nodes -keyout fqdn.key -out fqdn.csr
- Set the server domain name for CN
 
- Copy server.csr into StartSSL's Cert Wizard
 
- Wait for verification
 
- Follow the instructions in the email and create fqdn.crt
 
- Rename the fqdn.key and fqdn.crt to the common name
 
- Modify /etc/ssl/apache.conf to read like this
 
 SSLEngine On
 SSLProtocol all -SSLv2
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
 SSLCertificateChainFile  /etc/ssl/sub.class1.server.ca.pem
 SSLCACertificateFile     /etc/ssl/ca.pem
 SSLCertificateFile       /etc/ssl/certs/<common name>.crt
 SSLCertificateKeyFile    /etc/ssl/private/<common name>.key
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
- Restart the Apache server daemon
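The generate, rename and install steps above as an added shell example (not from the wiki page or from StartSSL): it assumes the openssl CLI is installed, takes the common name and directories as arguments, and refuses to install a certificate that does not belong to the key before placing the pair at the paths the apache.conf block expects.

```shell
#!/bin/sh
# Added example, not from the wiki page. Assumes the openssl CLI is present;
# the common name and directories are whatever the caller passes in.
set -eu

# The page's "openssl req" step, with the CN given on the command line instead
# of answered interactively. Produces <cn>.key and <cn>.csr in <dir>.
gen_csr() {  # gen_csr <dir> <common-name>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    chmod 600 "$1/$2.key"   # -nodes leaves the key unencrypted: restrict it now
}

# 0 if the certificate carries the same public key as the private key, else 1.
cert_matches_key() {  # cert_matches_key <cert.pem> <key.pem>
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# 0 if the certificate's subject CN is exactly <name> (the CN set in gen_csr).
cert_cn_is() {  # cert_cn_is <cert.pem> <name>
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null) || return 1
    case "$s" in
        *"CN=$2"|*"CN=$2,"*) return 0 ;;
    esac
    return 1
}

# The page's rename step, completed: the pair ends up at
# <ssl-root>/certs/<cn>.crt and <ssl-root>/private/<cn>.key, which is what the
# SSLCertificateFile / SSLCertificateKeyFile directives point at.
install_pair() {  # install_pair <srcdir> <common-name> <ssl-root>
    cert_matches_key "$1/$2.crt" "$1/$2.key" || return 1   # never install a mismatched pair
    mkdir -p "$3/certs" "$3/private"
    cp "$1/$2.crt" "$3/certs/$2.crt"
    cp "$1/$2.key" "$3/private/$2.key"
    chmod 644 "$3/certs/$2.crt"
    chmod 600 "$3/private/$2.key"   # private key readable by root only
    chmod 700 "$3/private"
}
```

A constructed run: `gen_csr /etc/ssl www.example.test`, submit the CSR, save the issued certificate as /etc/ssl/www.example.test.crt, then `install_pair /etc/ssl www.example.test /etc/ssl` before restarting Apache.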