linux:apache:ssl

Differences

This page shows the differences between two versions.

linux:apache:ssl [2008/12/28 19:47] – created psycore | linux:apache:ssl [2024/01/12 22:16] – external edit 127.0.0.1
Line 1: Line 1:
 +{{tag>deutsch linux debian apache tls}}
 +====== SSL unter Apache einrichten ======
  
 +===== Erstellen des private Keys =====
 +
 +<code bash>
 +root@srv-web:~# openssl genrsa -out server.key 4096
 +Generating RSA private key, 4096 bit long modulus
 +.....................................................................................................................++
 +...............................................................................++
 +e is 65537 (0x10001)
 +</code>
 +
 +===== CSR Request =====
 +
 +<code bash>
 +root@srv-web:~# openssl req -new -key server.key -out server.csr -sha256
 +You are about to be asked to enter information that will be incorporated
 +into your certificate request.
 +What you are about to enter is what is called a Distinguished Name or a DN.
 +There are quite a few fields but you can leave some blank
 +For some fields there will be a default value,
 +If you enter '.', the field will be left blank.
 +-----
 +Country Name (2 letter code) [AU]:DE
 +State or Province Name (full name) [Some-State]:NRW
 +Locality Name (eg, city) []:Neuss
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Company
 +Organizational Unit Name (eg, section) []:.
 +Common Name (e.g. server FQDN or YOUR name) []:www.yourdomain.com
 +Email Address []:admin@yourdomain.com
 +
 +Please enter the following 'extra' attributes
 +to be sent with your certificate request
 +A challenge password []:.
 +An optional company name []:.
 +
 +</code>
 +
 +===== Zertifikat Anbieter =====
 +
 +[[https://www.psw.net]]
 +
 +===== Apache Konfiguration =====
 +
 +mhost.conf bzw. entsprechende Subdomain unter sites-enabled:
 +
 +<code text>
 +NameVirtualHost your.server.ip.here:443
 +...
 +    SSLEngine on
 +    SSLCertificateKeyFile /etc/ssl.key/name.of.key
 +    SSLCertificateFile /etc/ssl.crt/name.of.crt
 +    SSLCertificateChainFile /etc/ssl.crt/name.of.ca-bundle
 +    
 +    # The following lines stopps the BEAST attack
 +    # more info at
 +    # https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
 +    
 +    SSLHonorCipherOrder On
 +    SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
 +</code>
 +
 +Evt. muss das SSL Modul im Apache noch aktiviert werden:
 +
 +<code bash>
 +a2enmod ssl
 +</code>
 +
 +Nun ein Neustart und es sollte funktionieren:
 +
 +<code bash>
 +/etc/init.d/apache2 restart
 +</code>