Difference between revisions of "Internal Installing Apache SSL Certs"
m (Eumhoefer moved page Installing Apache SSL Certs to Internal Installing Apache SSL Certs: Internal Page)  | 
				|||
| (7 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
*Load StartSSL trusted login cert into browser (Located on Password Gorilla)  | *Load StartSSL trusted login cert into browser (Located on Password Gorilla)  | ||
*Login and choose the certificate wizard (verify domain if required)  | *Login and choose the certificate wizard (verify domain if required)  | ||
*Skip automatic cert generation in the wizard  | *Skip automatic cert generation in the wizard  | ||
*SSH into the server and run in ''/etc/ssl''  | *SSH into the server and run in ''/etc/ssl''  | ||
  wget https://www.startssl.com/certs/ca.pem  |   wget https://www.startssl.com/certs/ca.pem  | ||
  wget https://www.startssl.com/certs/sub.class1.server.ca.pem  |   wget https://www.startssl.com/certs/sub.class1.server.ca.pem  | ||
*Generate the request	  | |||
  openssl req -new -newkey rsa:2048 -nodes -keyout fqdn.key -out fqdn.csr  |   openssl req -new -newkey rsa:2048 -nodes -keyout fqdn.key -out fqdn.csr  | ||
*Set the server domain name for CN  | *Set the server domain name for CN  | ||
*Copy server.csr into StartSSL's Cert Wizard  | *Copy server.csr into StartSSL's Cert Wizard  | ||
*Wait for verification (check support mailing list)  | |||
*Wait for verification  | |||
*Follow the instructions in the email and create ''fqdn.crt''  | *Follow the instructions in the email and create ''fqdn.crt''  | ||
*Rename the ''fqdn.key'' and ''fqdn.crt'' to the common name  | *Rename the ''fqdn.key'' and ''fqdn.crt'' to the common name  | ||
*Modify /etc/ssl/apache.conf to read like this  | |||
*Modify   | |||
  SSLEngine On  |   SSLEngine On  | ||
  SSLProtocol all -SSLv2  |   SSLProtocol all -SSLv2  | ||
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM  |   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM  | ||
  SSLCertificateChainFile	/etc/ssl/sub.class1.server.ca.pem  |   SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem  | ||
  SSLCACertificateFile	/etc/ssl/ca.pem  |   SSLCACertificateFile /etc/ssl/ca.pem  | ||
  SSLCertificateFile	/etc/ssl/certs/  |   SSLCertificateFile /etc/ssl/certs/fqdn.crt  | ||
  SSLCertificateKeyFile	/etc/ssl/private/  |   SSLCertificateKeyFile /etc/ssl/private/fqdn.key  | ||
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown  |   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown  | ||
*Restart the apache server daemon  | *Restart the apache server daemon  | ||
 /etc/init.d/apache2 restart  | |||
==== Notes ====  | |||
Copy the private key to Password Gorilla  | |||
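Review bot: the SSLProtocol and SSLCipherSuite lines carried unchanged into the new revision still leave SSLv3 enabled ("SSLProtocol all -SSLv2" removes only SSLv2) and keep RC4 in the cipher list ("RC4+RSA"); this revision is the place to change them to "SSLProtocol all -SSLv2 -SSLv3" and to add "!RC4" to the cipher string. The newly filled-in paths "SSLCertificateKeyFile /etc/ssl/private/fqdn.key" and "SSLCertificateFile /etc/ssl/certs/fqdn.crt" also do not match the earlier steps, which create fqdn.key and fqdn.csr directly in /etc/ssl and then rename both files to the common name, so a step that moves the renamed key into /etc/ssl/private/ (readable only by root) and the certificate into /etc/ssl/certs/ is missing, and the two directives should reference the renamed file names rather than fqdn.*. Finally, the added Notes step copies the private key into Password Gorilla; if the key has to leave the server, the step should say how it is transferred, because that key is what the whole certificate protects.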
Latest revision as of 17:20, 10 July 2017
- Load StartSSL trusted login cert into browser (Located on Password Gorilla)
- Login and choose the certificate wizard (verify domain if required)
- Skip automatic cert generation in the wizard
- SSH into the server and run in /etc/ssl

  wget https://www.startssl.com/certs/ca.pem
  wget https://www.startssl.com/certs/sub.class1.server.ca.pem

- Generate the request

  openssl req -new -newkey rsa:2048 -nodes -keyout fqdn.key -out fqdn.csr

- Set the server domain name for CN
- Copy server.csr into StartSSL's Cert Wizard
- Wait for verification (check support mailing list)
- Follow the instructions in the email and create fqdn.crt
- Rename the fqdn.key and fqdn.crt to the common name
- Modify /etc/ssl/apache.conf to read like this

  SSLEngine On
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
  SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem
  SSLCACertificateFile /etc/ssl/ca.pem
  SSLCertificateFile /etc/ssl/certs/fqdn.crt
  SSLCertificateKeyFile /etc/ssl/private/fqdn.key
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

- Restart the apache server daemon

  /etc/init.d/apache2 restart
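The following POSIX shell script is an added example and is not part of the wiki page, nor code from StartSSL or Apache. It covers the two steps of the procedure above where a mistake is easiest to make and hardest to notice: the "Generate the request" step (done non-interactively, with the key written unreadable to other users, and with checks that the CN is right and that the CSR really belongs to the generated key) and the "Modify /etc/ssl/apache.conf" step (an audit that flags the SSLv3 and RC4 settings in the page's snippet, next to a hardened version of the same directives). It assumes the openssl command-line tool, grep and sed are installed; the host name www.example.test, the temporary directories and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: CSR generation plus the checks a
# practitioner would run before sending the request to the CA and before
# enabling the Apache SSL configuration.
# Assumes the openssl CLI and grep/sed are installed; the directory names and
# the FQDN used in the demo are assumptions.
set -eu

# gen_csr FQDN OUTDIR
# Same as the page's "openssl req -new -newkey rsa:2048 -nodes" step, but
# non-interactive: the CN is passed with -subj, and umask 077 makes the key
# file mode 0600 so it is never world-readable.
gen_csr() {
    fqdn=$1; outdir=$2
    mkdir -p "$outdir"
    umask 077
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" 2>/dev/null
}

# csr_cn CSR: print the CN in the request's subject (handles both the
# "subject=CN = x" and the older "subject=/CN=x" output formats of openssl).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_matches_csr KEY CSR: succeed only if the RSA modulus in the private key
# equals the one in the request, i.e. the CSR really came from this key.
key_matches_csr() {
    k=$(openssl rsa -in "$1" -noout -modulus)
    c=$(openssl req -in "$2" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# audit_ssl_conf FILE: flag the two weak settings in the page's apache.conf
# snippet. Prints one line per finding and succeeds only when there is none.
audit_ssl_conf() {
    findings=0
    if grep -Eq '^[[:space:]]*SSLCipherSuite[[:space:]].*RC4' "$1" &&
       ! grep -Eq '^[[:space:]]*SSLCipherSuite[[:space:]].*!RC4' "$1"; then
        echo "SSLCipherSuite still offers RC4"
        findings=$((findings + 1))
    fi
    if grep -Eq '^[[:space:]]*SSLProtocol[[:space:]]+all([[:space:]]|$)' "$1" &&
       ! grep -Eq '^[[:space:]]*SSLProtocol[[:space:]].*-SSLv3' "$1"; then
        echo "SSLProtocol removes SSLv2 but leaves SSLv3 enabled"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# weak_ssl_conf: the protocol and cipher lines of the page's snippet as written
# (constructed copy for the audit; the file path directives are omitted).
weak_ssl_conf() {
    cat <<'EOF'
SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
EOF
}

# hardened_ssl_conf: the same directives with SSLv3 and RC4 removed and the
# server's cipher preference enforced; all three are standard mod_ssl directives.
hardened_ssl_conf() {
    cat <<'EOF'
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
EOF
}

# Demo, run only as "sh this.sh demo": generate, verify, then audit both configs.
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    gen_csr www.example.test "$work"
    echo "CN in CSR: $(csr_cn "$work/www.example.test.csr")"
    key_matches_csr "$work/www.example.test.key" "$work/www.example.test.csr" \
        && echo "key and CSR match"
    weak_ssl_conf >"$work/weak.conf"
    audit_ssl_conf "$work/weak.conf" || echo "weak config: findings above"
    hardened_ssl_conf >"$work/ok.conf"
    audit_ssl_conf "$work/ok.conf" && echo "hardened config is clean"
fi
```

Run it with the argument demo, or source the file and call gen_csr with the real host name and /etc/ssl as the output directory; audit_ssl_conf can be pointed at the live apache.conf before the restart step, and a non-zero exit means the file still carries one of the two weak settings.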
Notes
Copy the private key to Password Gorilla