Benutzer-Werkzeuge

Webseiten-Werkzeuge


freebsd:startssl

Creation of new Key

Go to the site http://www.startssl.com and verify the domain (Use the button Control Panel).

At first we set the default key size to 2048 by editing the file /etc/ssl/openssl.cnf. Change in section req default_bits to 2048.

We create on the host a new key and csr:

openssl req -new -nodes -keyout ssl.key -out ssl.csr

As common name fill the domain and do not fill the challenge password.

Go to startssl.com and select new certificate and select WEB. For the private key select Skip.

Now copy the content of the ssl.csr to the website. Select the domain and fill the common name you inserted above while creating the private key.

Copy the certificate on the website in the file ssl.crt. Download the two files:

wget https:<nowiki>//</nowiki>www.startssl.com/certs/sub.class1.server.ca.pem
wget https:<nowiki>//</nowiki>www.startssl.com/certs/ca.pem

Configure apache with the following lines:

ServerSignature On
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

SSLCertificateFile /usr/local/etc/apache22/ssl/ssl.crt
SSLCertificateKeyFile /usr/local/etc/apache22/ssl/ssl.key
SSLCertificateChainFile /usr/local/etc/apache22/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /usr/local/etc/apache22/ssl/ca.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

Restart apache.

freebsd/startssl.txt · Zuletzt geändert: 2013/12/16 12:29 von idefix