linux:apache:ssl

Differences

This shows the differences between two versions of the page.

linux:apache:ssl [2009/03/16 20:09] – update 1.1 psycore
linux:apache:ssl [2024/01/12 22:16] – External edit 127.0.0.1
Line 1: Line 1:
 +{{tag>deutsch linux debian apache tls}}
 +====== SSL unter Apache einrichten ======
  
 +===== Erstellen des private Keys =====
 +
 +<code bash>
 +root@srv-web:~# openssl genrsa -out server.key 4096
 +Generating RSA private key, 4096 bit long modulus
 +.....................................................................................................................++
 +...............................................................................++
 +e is 65537 (0x10001)
 +</code>
 +
 +===== CSR Request =====
 +
 +<code bash>
 +root@srv-web:~# openssl req -new -key server.key -out server.csr -sha256
 +You are about to be asked to enter information that will be incorporated
 +into your certificate request.
 +What you are about to enter is what is called a Distinguished Name or a DN.
 +There are quite a few fields but you can leave some blank
 +For some fields there will be a default value,
 +If you enter '.', the field will be left blank.
 +-----
 +Country Name (2 letter code) [AU]:DE
 +State or Province Name (full name) [Some-State]:NRW
 +Locality Name (eg, city) []:Neuss
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Company
 +Organizational Unit Name (eg, section) []:.
 +Common Name (e.g. server FQDN or YOUR name) []:www.yourdomain.com
 +Email Address []:admin@yourdomain.com
 +
 +Please enter the following 'extra' attributes
 +to be sent with your certificate request
 +A challenge password []:.
 +An optional company name []:.
 +
 +</code>
 +
 +===== Zertifikat Anbieter =====
 +
 +[[https://www.psw.net]]
 +
 +===== Apache Konfiguration =====
 +
 +mhost.conf bzw. entsprechende Subdomain unter sites-enabled:
 +
 +<code text>
 +NameVirtualHost your.server.ip.here:443
 +...
 +    SSLEngine on
 +    SSLCertificateKeyFile /etc/ssl.key/name.of.key
 +    SSLCertificateFile /etc/ssl.crt/name.of.crt
 +    SSLCertificateChainFile /etc/ssl.crt/name.of.ca-bundle
 +    
 +    # The following lines stopps the BEAST attack
 +    # more info at
 +    # https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
 +    
 +    SSLHonorCipherOrder On
 +    SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
 +</code>
 +
 +Evt. muss das SSL Modul im Apache noch aktiviert werden:
 +
 +<code bash>
 +a2enmod ssl
 +</code>
 +
 +Nun ein Neustart und es sollte funktionieren:
 +
 +<code bash>
 +/etc/init.d/apache2 restart
 +</code>
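
Review bot: The `SSLCipherSuite` line in the "Apache Konfiguration" block still lists `RC4` and everything in `HIGH`, and the block sets no `SSLProtocol`, so a revision dated 2024 carries a 2011-era BEAST workaround. Preferring RC4 was the mitigation described at the time, but RC4 has since been prohibited for TLS (RFC 7465), and BEAST only affects TLS 1.0 and earlier. Suggest dropping `RC4` (and adding `!RC4`), narrowing the list to AEAD suites such as `ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384`, and adding `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`, after which the BEAST comment can go. Two smaller points in the same hunk: `SSLCertificateChainFile` is deprecated since Apache 2.4.8 (the chain can be appended to the file named by `SSLCertificateFile`), and the page never says how `server.key` gets to `/etc/ssl.key/` or which owner and mode it should have there; one line stating root-only read access would close that gap.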