Difference between revisions of "Internal Installing Apache SSL Certs"

From GrandCare Systems
Jump to navigation Jump to search
m (Eumhoefer moved page Installing Apache SSL Certs to Internal Installing Apache SSL Certs: Internal Page)
 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
*Load StartSSL trusted login cert into browser (Located on Password Gorilla)
*Load StartSSL trusted login cert into browser (Located on Password Gorilla)
*Login and choose the certificate wizard (verify domain if required)
*Login and choose the certificate wizard (verify domain if required)
*Skip automatic cert generation in the wizard
*Skip automatic cert generation in the wizard
*SSH into the server and run in ''/etc/ssl''
*SSH into the server and run in ''/etc/ssl''


  wget https://www.startssl.com/certs/ca.pem
  wget https://www.startssl.com/certs/ca.pem
  wget https://www.startssl.com/certs/sub.class1.server.ca.pem
  wget https://www.startssl.com/certs/sub.class1.server.ca.pem
# Generate the request
 
*Generate the request
 
  openssl req -new -newkey rsa:2048 -nodes -keyout fqdn.key -out fqdn.csr
  openssl req -new -newkey rsa:2048 -nodes -keyout fqdn.key -out fqdn.csr


*Set the server domain name for CN
*Set the server domain name for CN
*Copy server.csr into StartSSL's Cert Wizard
*Copy server.csr into StartSSL's Cert Wizard
 
*Wait for verification (check support mailing list)
*Wait for verification
 
*Follow the instructions in the email and create ''fqdn.crt''
*Follow the instructions in the email and create ''fqdn.crt''
*Rename the ''fqdn.key'' and ''fqdn.crt'' to the common name
*Rename the ''fqdn.key'' and ''fqdn.crt'' to the common name
 
*Modify /etc/ssl/apache.conf to read like this
*Modify ''/etc/ssl/apache.conf'' to read like this


  SSLEngine On
  SSLEngine On
  SSLProtocol all -SSLv2
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
  SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem
  SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem
  SSLCACertificateFile /etc/ssl/ca.pem
  SSLCACertificateFile /etc/ssl/ca.pem
  SSLCertificateFile /etc/ssl/certs/<common name>.crt
  SSLCertificateFile /etc/ssl/certs/fqdn.crt
  SSLCertificateKeyFile /etc/ssl/private/<common name>.key
  SSLCertificateKeyFile /etc/ssl/private/fqdn.key
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown


*Restart the apache server daemon
*Restart the apache server daemon
/etc/init.d/apache2 restart
==== Notes ====
Copy the private key to Password Gorilla

Latest revision as of 17:20, 10 July 2017

  • Load StartSSL trusted login cert into browser (Located on Password Gorilla)
  • Login and choose the certificate wizard (verify domain if required)
  • Skip automatic cert generation in the wizard
  • SSH into the server and run in /etc/ssl
wget https://www.startssl.com/certs/ca.pem
wget https://www.startssl.com/certs/sub.class1.server.ca.pem
  • Generate the request
openssl req -new -newkey rsa:2048 -nodes -keyout fqdn.key -out fqdn.csr
  • Set the server domain name for CN
  • Copy server.csr into StartSSL's Cert Wizard
  • Wait for verification (check support mailing list)
  • Follow the instructions in the email and create fqdn.crt
  • Rename the fqdn.key and fqdn.crt to the common name
  • Modify /etc/ssl/apache.conf to read like this
SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/ca.pem
SSLCertificateFile /etc/ssl/certs/fqdn.crt
SSLCertificateKeyFile /etc/ssl/private/fqdn.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  • Restart the apache server daemon
/etc/init.d/apache2 restart

Notes

Copy the private key to Password Gorilla