Insert the following into your ssl.conf and continue creating the keys:
SSLCertificateFile /etc/mail/certs/newcert.pem
SSLCertificateKeyFile /etc/mail/certs/req.pem
SSLCertificateChainFile /etc/mail/certs/cacert.pem
To create a certificate do the following:
Generate the CA key:
cd /etc/mail/certs/
Edit CA.pl and set the validity (days) to a high value, e.g. 10-20 years; you may also need to edit /etc/ssl/openssl.cnf.
/usr/src/crypto/openssl/apps/CA.pl -newca
cp demoCA/cacert.pem .
Generate keypair:
Edit CA.pl again and set the validity to 1-2 years.
/usr/src/crypto/openssl/apps/CA.pl -newreq
As COMMON NAME enter the FQDN.
Sign the keypair:
/usr/src/crypto/openssl/apps/CA.pl -sign
Remove the password from keypair:
openssl rsa -in newkey.pem -out req.pem
rm newreq.pem
chmod 0600 *
To add your self-created CA to the chain of trust you must import the file cacert.pem on all computers and select "trust completely".
Sign the keypair:
cd /etc/mail/certs
/usr/src/crypto/openssl/apps/CA.pl -sign
see:
http://linio.boo.pl/eng/certs.html
http://www.freebsddiary.org/openssl-client-authentication.php
http://www.bsdguides.org/guides/freebsd/webserver/apache_ssl_php_mysql.php
http://wiki.cacert.org/wiki/VhostTaskForce
To convert your own CA to a format Android can read use:
openssl x509 -inform PEM -outform DER -in newcert.pem -out CA.crt
To create your certificate (the same applies for a renewal), go to http://startssl.com and log in. To get a secure key, make sure you have the following settings in /etc/ssl/openssl.cnf:
default_md = sha256 # which message digest to use (OpenSSL knows no digest called "sha2")
default_bits = 4096
Create your key:
/usr/src/crypto/openssl/apps/CA.pl -newreq
Copy the content of newreq.pem to the certificate request on startssl.com. Store the content from startssl.com to a file ssl.crt.
Remove the passphrase with:
openssl rsa -in newkey.pem -out ssl.key
Download the files from startssl.com:
wget -N https://www.startssl.com/certs/sub.class1.server.ca.pem
wget -N https://www.startssl.com/certs/ca.pem
You have the following:
File | Description |
---|---|
ca.pem | startssl root certificate |
sub.class1.server.ca.pem | startssl intermediate certificate |
newkey.pem | encrypted private key |
newreq.pem | certificate request |
ssl.key | decrypted private key |
ssl.crt | certificate for your key, signed by startssl.com |
Configure your apache:
SSLCertificateFile /usr/local/etc/apache22/ssl/ssl.crt
SSLCertificateKeyFile /usr/local/etc/apache22/ssl/ssl.key
SSLCertificateChainFile /usr/local/etc/apache22/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /usr/local/etc/apache22/ssl/ca.pem
Create openssl config file name openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = DE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Bayern
localityName = Locality Name (eg, city)
localityName_default = Munich
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = FM-Data
commonName = FM-Data
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.fechner.net
DNS.2 = *.idefix.lan
openssl genrsa -out newkey.pem 4096
openssl req -new -out san_idefix_lan.csr -key newkey.pem -config openssl.cnf
openssl req -text -noout -in san_idefix_lan.csr
openssl x509 -req -days 3650 -in san_idefix_lan.csr -signkey newkey.pem -out newcert.pem -extensions v3_req -extfile openssl.cnf
cp newcert.pem cacert.pem
mv newkey.pem req.pem
The certificate is self-signed, so it is its own CA: the same file also serves as cacert.pem for SSLCertificateChainFile, and the file names now match the ssl.conf lines at the top of these notes. The -extensions/-extfile options are what carry the subjectAltName from openssl.cnf into the signed certificate; without them the SAN stays in the request only.
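The CA and server-certificate procedure at the top of these notes and the SAN configuration just above use the same OpenSSL flow. The script below is an added example and not part of the original notes; it uses plain openssl commands instead of CA.pl, signs the server certificate with the CA instead of self-signing it, and then runs the checks you want before pointing Apache at the files: the chain validates against the CA, key and certificate belong together, and the subjectAltName actually landed in the certificate. The hostnames, DN values and the temporary directory are constructed placeholders, and the 2048-bit keys are only to keep the run short (the notes use 4096).

```shell
#!/bin/sh
# Added example (not from the original notes): build a private CA, issue a
# server certificate carrying subjectAltName entries, and verify the result.
# All names below are constructed placeholders.
set -eu

CERT_DIR="$(mktemp -d)"
trap 'rm -rf "$CERT_DIR"' EXIT
SERVER_FQDN="mail.example.test"                          # constructed
SAN_LIST="DNS:mail.example.test,DNS:imap.example.test"   # constructed

# Request config: v3_req puts the SANs into the CSR and, via -extfile, into
# the signed certificate; v3_ca marks the root as a CA so "verify" accepts it.
write_config() {
    cat > "$CERT_DIR/openssl.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
O = Example CA (constructed)
CN = $SERVER_FQDN
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = $SAN_LIST
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

make_ca() {
    # Long-lived CA key and self-signed CA certificate (the notes' "10-20 years").
    openssl genrsa -out "$CERT_DIR/cakey.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$CERT_DIR/cakey.pem" -days 3650 \
        -config "$CERT_DIR/openssl.cnf" -extensions v3_ca \
        -subj "/C=DE/O=Example CA (constructed)/CN=Example Root CA" \
        -out "$CERT_DIR/cacert.pem"
}

make_server_cert() {
    # Shorter-lived server key and CSR, signed by the CA with v3_req applied.
    openssl genrsa -out "$CERT_DIR/newkey.pem" 2048 2>/dev/null
    openssl req -new -key "$CERT_DIR/newkey.pem" \
        -config "$CERT_DIR/openssl.cnf" -out "$CERT_DIR/newreq.pem"
    openssl x509 -req -days 730 -in "$CERT_DIR/newreq.pem" \
        -CA "$CERT_DIR/cacert.pem" -CAkey "$CERT_DIR/cakey.pem" -CAcreateserial \
        -extfile "$CERT_DIR/openssl.cnf" -extensions v3_req \
        -out "$CERT_DIR/newcert.pem" 2>/dev/null
    chmod 0600 "$CERT_DIR"/*.pem
}

# Check 1: the server certificate chains to the CA.
verify_chain() {
    openssl verify -CAfile "$CERT_DIR/cacert.pem" "$CERT_DIR/newcert.pem" >/dev/null
}

# Check 2: the private key really belongs to the certificate (same public key).
key_matches_cert() {
    key_pub="$(openssl pkey -in "$CERT_DIR/newkey.pem" -pubout 2>/dev/null)"
    cert_pub="$(openssl x509 -in "$CERT_DIR/newcert.pem" -noout -pubkey)"
    [ "$key_pub" = "$cert_pub" ]
}

# Check 3: the SAN survived signing (it is lost if -extfile is forgotten).
san_present() {
    openssl x509 -in "$CERT_DIR/newcert.pem" -noout -text \
        | grep -q "DNS:imap.example.test"
}

build_and_check() {
    write_config && make_ca && make_server_cert \
        && verify_chain && key_matches_cert && san_present
}

build_and_check && echo "chain, key/cert pairing and SAN verified in $CERT_DIR"
```

If any of the three checks fails the script exits non-zero, which is the point: a mismatched key or a certificate without its SAN is exactly what Apache will happily load and browsers will then reject.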
Based on this calculator https://mozilla.github.io/server-side-tls/ssl-config-generator/
...
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder on
SSLSessionTickets off
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
nmap -p 993 --script ssl-enum-ciphers hostname
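The nmap script above shows what a server actually offers, but it helps to review the SSLCipherSuite string itself before deploying it, because the generator's "intermediate" list deliberately keeps legacy entries (3DES, SHA-1 CBC modes, static RSA key exchange without forward secrecy) for old clients. The following POSIX sh snippet is an added example, not from the original notes: it does a static review of the string, counts the legacy entries by category, and checks that the first, preferred entry is an AEAD suite with forward secrecy, which is what a modern client will negotiate while SSLHonorCipherOrder is on. It runs offline against the string; the suite list is the one from the config above.

```shell
#!/bin/sh
# Added example (not from the original notes): static review of an Apache
# SSLCipherSuite string. SUITE is the list from the config above.
SUITE='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:'\
'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:'\
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:'\
'DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:'\
'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:'\
'ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:'\
'ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:'\
'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:'\
'ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:'\
'AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:'\
'AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'

# One cipher name per line; exclusion rules ("!DSS", "-RC4") are not ciphers.
list_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^[!-]'
}

# Print a reason for one cipher name, or nothing if it is an AEAD suite with
# forward secrecy (ECDHE/DHE key exchange with GCM, CCM or CHACHA20).
classify() {
    case "$1" in
        *DES-CBC3*|*RC4*|*MD5*|*NULL*|*EXPORT*) echo "$1: weak algorithm" ;;
        ECDHE-*|DHE-*|EDH-*)
            case "$1" in
                *GCM*|*CHACHA20*|*CCM*) ;;
                *) echo "$1: CBC mode, no AEAD" ;;
            esac ;;
        *) echo "$1: static RSA key exchange, no forward secrecy" ;;
    esac
}

# Full report: every legacy entry with its reason, in the configured order.
review_suite() {
    list_ciphers "$1" | while read -r c; do classify "$c"; done
}

count_flagged() {
    review_suite "$1" | wc -l | tr -d ' '
}

count_3des() {
    list_ciphers "$1" | grep -c 'DES-CBC3'
}

# The first entry wins for clients that support it when SSLHonorCipherOrder is
# on, so it must be forward-secret AEAD; returns 0 if so, 1 otherwise.
first_is_aead_pfs() {
    first="$(list_ciphers "$1" | head -n 1)"
    case "$first" in
        ECDHE-*GCM*|ECDHE-*CHACHA20*|DHE-*GCM*|DHE-*CHACHA20*) return 0 ;;
        *) return 1 ;;
    esac
}

review_suite "$SUITE"
echo "legacy entries: $(count_flagged "$SUITE") of $(list_ciphers "$SUITE" | wc -l | tr -d ' ')"
first_is_aead_pfs "$SUITE" && echo "preferred cipher is AEAD with forward secrecy"
```

For the list above the report flags 22 of 30 entries (4 with 3DES, 12 SHA-1 CBC suites, 6 static-RSA suites); the preferred entry is fine. Whether your OpenSSL build still compiles the 3DES entries at all can be checked with `openssl ciphers -v '<the string>'`, which resolves the same list against the local library.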
To configure the Tomcat connector for Apache 2.4 I added to httpd.conf:
Include conf/tomcat_connector.conf
and then configured everything in tomcat_connector.conf:
LoadModule jk_module modules/mod_jk.so
# Where to find workers.properties
# Update this path to match your conf directory location (put workers.properties next to httpd.conf)
JkWorkersFile "conf/workers.properties"
# Where to put jk shared memory
# Update this path to match your local state directory or logs directory
JkShmFile "logs/mod_jk.shm"
<VirtualHost _default_:80>
# Where to put jk logs
# Update this path to match your logs directory location (put mod_jk.log next to access_log)
JkLogFile "logs/mod_jk.log"
# Set the jk log level [debug/error/info]
JkLogLevel error
# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# Define the mapping
JkMountFile "conf/uriworkermap.properties"
</VirtualHost>
Sometimes you have a buggy website and the company is not willing to fix the problems in it. The website only works if IE is forced into Quirks mode. To work around this in Apache you can use mod_headers (headers_module). To enable it, load the module:
LoadModule headers_module modules/mod_headers.so
Now add to your virtual host the line:
Header set X-UA-Compatible "IE=5;charset=iso-8859-1"
Before you start, make sure you have a current version of apache from here installed. Do not forget the openssl update!
At first make sure that the path to openssl is in the windows path so we can execute the openssl command from the console. Path for me is d:\Apache24\bin.
To create a SSL certificate for apache with windows:
d:
cd apache24
cd conf
cd ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout hostname.key -out hostname.crt
Add to your virtual host config something like this:
<VirtualHost _default_:443>
ServerName hostname
...
# SSL configuration
SSLEngine on
SSLCertificateFile conf/ssl/hostname.crt
SSLCertificateKeyFile conf/ssl/hostname.key
SSLCertificateChainFile conf/ssl/hostname.crt
</VirtualHost>
We use Apache 2.4 together with php-fpm so we can use the event MPM instead of the prefork MPM, which is memory-hungry and slow. Make sure php-fpm is enabled in rc.conf and running:
# PHP FPM
php_fpm_enable="YES"
service php-fpm restart
Make sure the proxy modules are loaded:
LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
In your virtual host definition:
<VirtualHost *>
...
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://localhost:9000/opt/local/www/phpmyadmin/$1
DirectoryIndex /index.php index.php
<Directory /opt/local/www/phpmyadmin>
...