Difference between revisions of "Internal Installing Apache SSL Certs"
m (moved User:Tmosey/StartSSL to Installing Apache SSL Certs: Publishing article)
Revision as of 20:26, 4 January 2013
- Load StartSSL trusted login cert into browser (Located on Password Gorilla)
- Login and choose the certificate wizard (verify domain if required)
- Skip automatic cert generation in the wizard
- SSH into the server and run in /etc/ssl
wget https://www.startssl.com/certs/ca.pem
wget https://www.startssl.com/certs/sub.class1.server.ca.pem
- Generate the request
openssl req -new -newkey rsa:2048 -nodes -keyout fqdn.key -out fqdn.csr
- Set the server domain name for CN
- Copy the contents of fqdn.csr into StartSSL's Cert Wizard
- Wait for verification (check support mailing list)
- Follow the instructions in the email and create fqdn.crt
- Rename fqdn.key and fqdn.crt to <common name>.key and <common name>.crt and put them in /etc/ssl/private and /etc/ssl/certs respectively, which is where the config below expects them; the key was generated unencrypted (-nodes), so keep it readable by root only
- Modify /etc/ssl/apache.conf to read like this (note that this only disables SSLv2 and still permits RC4 ciphers)
SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/ca.pem
SSLCertificateFile /etc/ssl/certs/<common name>.crt
SSLCertificateKeyFile /etc/ssl/private/<common name>.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
- Restart the apache server daemon
/etc/init.d/apache2 restart
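The whole procedure above as a POSIX shell script, added here as an editor's example (it is not a script from the wiki or from StartSSL). It assumes openssl(1) is installed, the /etc/ssl layout used on this page (override with SSLDIR=...), and a placeholder FQDN of www.example.org. It adds two checks the page does not spell out: that the CSR really carries the intended CN before it goes into the wizard, and that the issued certificate chains to ca.pem through sub.class1.server.ca.pem and matches the private key. The emitted vhost snippet is a hardened variant of the page's config, dropping SSLv3 and RC4 as well as SSLv2; that change is the editor's, not the page's original lines.

```sh
#!/bin/sh
# Added example for this page, not the wiki's own script: the StartSSL flow
# as shell functions. Assumes openssl(1) and the /etc/ssl layout the page uses
# (override with SSLDIR=...). www.example.org is a placeholder FQDN.
set -eu

SSLDIR="${SSLDIR:-/etc/ssl}"

# Step "Generate the request": 2048-bit RSA key, unencrypted (the page's -nodes),
# CN set to the server FQDN. Run under umask 077 in a subshell so the key file is
# created mode 0600 and the umask change does not leak into the caller.
gen_key_csr() {
    fqdn="$1"
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
          -keyout "$SSLDIR/private/$fqdn.key" -out "$SSLDIR/$fqdn.csr" 2>/dev/null )
}

# Print the CN from a CSR so it can be checked before pasting into the wizard.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Step "create fqdn.crt": confirm the issued cert chains to the StartSSL root
# through the Class 1 intermediate, and that the private key really belongs to it.
verify_cert() {
    cert="$1"; key="$2"; chain="$3"; root="$4"
    openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null &&
    [ "$(openssl x509 -noout -modulus -in "$cert")" = \
      "$(openssl rsa -noout -modulus -in "$key")" ]
}

# Step "Modify /etc/ssl/apache.conf": the page's config disables only SSLv2 and
# still allows RC4. This variant additionally drops SSLv3 and RC4 and makes the
# server choose the cipher (editor's hardening, not the page's original lines).
apache_ssl_conf() {
    cn="$1"
    cat <<EOF
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
SSLCertificateChainFile $SSLDIR/sub.class1.server.ca.pem
SSLCACertificateFile $SSLDIR/ca.pem
SSLCertificateFile $SSLDIR/certs/$cn.crt
SSLCertificateKeyFile $SSLDIR/private/$cn.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
EOF
}

# Usage: sh startssl.sh csr <fqdn> | verify <common name> | conf <common name>
case "${1:-}" in
    csr)    gen_key_csr "${2:?fqdn}"
            echo "CSR CN: $(csr_cn "$SSLDIR/${2}.csr")" ;;
    verify) verify_cert "$SSLDIR/certs/${2:?cn}.crt" "$SSLDIR/private/${2}.key" \
                "$SSLDIR/sub.class1.server.ca.pem" "$SSLDIR/ca.pem" \
                && echo "chain and key OK" \
                || { echo "verification FAILED" >&2; exit 1; } ;;
    conf)   apache_ssl_conf "${2:?cn}" ;;
esac
```

Run `sh startssl.sh csr www.example.org` before the wizard step, `sh startssl.sh verify www.example.org` after the issued certificate is in /etc/ssl/certs, and paste the output of `sh startssl.sh conf www.example.org` into the vhost. Run `apache2ctl configtest` before the restart step so a typo in the vhost does not take the site down.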