Hello Mat,

At 2000-03-28 21:35, you wrote:
Hello, can someone please tell me how to install and configure the SSL option on Apache so that all the pages accessed from the server are SSL secured?
best regards Mat
I posted this step-by-step procedure a while ago:

---cut---

o Configuring SSL - properly and create your own Certificate Authority (CA)

Become root and change to some empty work directory.

- First create your own Certificate Authority (CA) signing key.

Create a RSA private key for your CA (will be Triple-DES encrypted and
PEM formatted):

  # openssl genrsa -des3 -out ca.key 1024

Create a self-signed CA Certificate (X509 structure) with the RSA key of
the CA (output will be PEM formatted). Important: you should simply use
your own name (or formalized, like 'CA John Doe', 'CA Officer') in the
CN (Common Name) field for the CA key, which we are self-signing now,
but _not_ for the web server key (use the FQDN there), but we will come
to that later! Enter a secret password in lieu of "CA-XXXX", and write
it down on a floppy sticker, too (validity of one (1) year):

  # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  Using configuration from /usr/ssl/openssl.cnf
  Enter PEM pass phrase: CA-XXXX
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:MV
  State or Province Name (full name) [Some-State]:Your State
  Locality Name (eg, city) []:Your City
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Organization
  Organizational Unit Name (eg, section) []:CA Your section
  Common Name (eg, YOUR name) []:CA Your Name
  Email Address []:ca@yourdomain

- Secondly, create a RSA private key for the web server itself.
Create a RSA private key for your Apache server (will be Triple-DES
encrypted and PEM formatted):

  # openssl genrsa -des3 -out server.key 1024

Create a Certificate Signing Request (CSR) with the web server RSA
private key (output will be PEM formatted). Important: you must use the
FQDN of the web server and NOT your own name in the CN (Common Name)
field (as contrasted to the CA key, where we did use our own name)!
Enter secret (challenge) passwords in lieu of "SERVER-XXXX" and
"CHAL-XXXX", and write them down on the floppy sticker, too:

  # openssl req -new -key server.key -out server.csr
  Using configuration from /usr/ssl/openssl.cnf
  Enter PEM pass phrase:SERVER-XXXX
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:MV
  State or Province Name (full name) [Some-State]:Your State
  Locality Name (eg, city) []:Your City
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Organization
  Organizational Unit Name (eg, section) []:Your section
  Common Name (eg, YOUR name) []:yourhost.yourdomain
  Email Address []:webmaster@yourhost.yourdomain

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:CHAL-XXXX
  An optional company name []:Your Organization/Section: www.yourdomain

- Thirdly, and finally, CA sign the server key's signing request.

Sign the server key's signing request with your own CA key (validity of
one (1) year); create a serial number in the form of the ISO 8601 date
(http://www.cl.cam.ac.uk/~mgk25/iso-time.html) if the serial file is
not already there (bourne shell assumed):

  # [ ! -f ca.ser ] && date '+%Y%m%d' > ca.ser
  # openssl x509 -days 365 \
        -CA ca.crt -CAkey ca.key -CAserial ca.ser \
        -in server.csr -req -out server.crt
  Getting CA Private Key
  Enter PEM pass phrase:CA-XXXX

You now have these files (file sizes and dates will probably differ!):

  # ls -lrt
  -rw-r--r--   1 root     root          963 Feb 16 14:01 ca.key
  -rw-r--r--   1 root     root         1533 Feb 16 14:06 ca.crt
  -rw-r--r--   1 root     root          963 Feb 16 14:08 server.key
  -rw-r--r--   1 root     root          915 Feb 16 14:14 server.csr
  -rw-r--r--   1 root     root         1123 Feb 16 14:14 server.crt
  -rw-r--r--   1 root     root            9 Feb 16 14:14 ca.ser

Verify that the web server public key MD5 hashes are the same (web
server key pass phrase, SERVER-XXXX, necessary for the second command):

  # openssl x509 -noout -modulus -in server.crt | openssl md5
  # openssl rsa -noout -modulus -in server.key | openssl md5

Remove the signing request file and serial file (if you are not
generating more keys today), fix permissions and put files in place
(you might also want to save them on a floppy and store securely):

  # rm server.csr ca.ser
  # chmod 0400 ca.crt ca.key server.crt server.key
  # mv ca.key server.key /etc/httpd/ssl.key/.
  # mv ca.crt server.crt /etc/httpd/ssl.crt/.

To enable SSL, edit the Apache configuration file and set the SSL
related tags, and ServerName and ServerAdmin (if not already done);
note that the server's private key is referenced with
SSLCertificateKeyFile, not a second SSLCertificateFile line:

  ServerName yourhost.yourdomain
  ServerAdmin webmaster@yourhost.yourdomain
  SSLEngine on
  SSLCertificateFile /etc/httpd/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
  SSLCACertificatePath /etc/httpd/ssl.crt

Because we use SSLCACertificatePath (and not SSLCACertificateFile), the
hash symlinks must be updated:

  # cd /etc/httpd/ssl.crt && make clean && make

Restart the web server, monitor log files and check both the unsecure
(http) and secure (https) page.
  # rcapache restart
  # tail -f /var/log/httpd.error_log
  # tail -f /var/log/ssl_engine_log
  # lynx http://www.yourdomain/
  # lynx https://www.yourdomain/

You might want to keep the ca and server keys and certs on a floppy and
store them in a secure place.

---cut---

Good luck,
Eric Maryniak

--
Eric Maryniak <e.maryniak@pobox.com>
Home page: http://pobox.com/~e.maryniak/
University of Amsterdam, Department of Psychology.
Tel/Fax: +31 20 5256853/6391656. Internet: http://www.neuromod.org/
The best way to accelerate Windows is at 9.8 m/s^2.

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
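The same CA / server-certificate procedure as a non-interactive Bourne shell script, added here as an example and not part of Eric's post: it goes beyond the original by using 2048-bit AES-encrypted keys, adding a subjectAltName (modern clients ignore the CN), and checking that the signed certificate actually chains to the CA, not only that its modulus matches the key. It assumes openssl on PATH, an empty working directory, and the placeholder pass phrases and host name from the post (CA_PASS, SRV_PASS and HOST are hypothetical variable names).

```shell
#!/bin/sh
# Added example (not the original poster's script): unattended version of the
# CA + server-cert steps above. Placeholders: CA-XXXX, SERVER-XXXX, yourhost.yourdomain.
set -e

CA_PASS="${CA_PASS:-CA-XXXX}"        # CA key pass phrase (placeholder)
SRV_PASS="${SRV_PASS:-SERVER-XXXX}"  # server key pass phrase (placeholder)
HOST="${HOST:-yourhost.yourdomain}"  # the FQDN goes into the server CN and SAN

make_ca() {
    # CA signing key (AES-256 encrypted PEM) and self-signed CA cert; CN is a CA name
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key 2048
    openssl req -new -x509 -days 365 -key ca.key -passin "pass:$CA_PASS" \
        -subj "/C=MV/O=Your Organization/OU=CA Your section/CN=CA Your Name" \
        -out ca.crt
}

make_server_csr() {
    # Server key and CSR; CN must be the FQDN, not a person's name
    openssl genrsa -aes256 -passout "pass:$SRV_PASS" -out server.key 2048
    openssl req -new -key server.key -passin "pass:$SRV_PASS" \
        -subj "/C=MV/O=Your Organization/OU=Your section/CN=$HOST" \
        -out server.csr
}

sign_server_cert() {
    # Serial = ISO 8601 date as in the post (openssl reads the file as hex digits);
    # subjectAltName supplied via -extfile, which works on every OpenSSL release
    [ -f ca.ser ] || date '+%Y%m%d' > ca.ser
    printf 'subjectAltName=DNS:%s\n' "$HOST" > san.cnf
    openssl x509 -req -days 365 -in server.csr \
        -CA ca.crt -CAkey ca.key -CAserial ca.ser -passin "pass:$CA_PASS" \
        -extfile san.cnf -out server.crt
}

verify_pair() {
    # Same check as the post: cert and key must carry the same RSA modulus
    c=$(openssl x509 -noout -modulus -in server.crt | openssl dgst -sha256)
    k=$(openssl rsa -noout -modulus -in server.key -passin "pass:$SRV_PASS" | openssl dgst -sha256)
    [ "$c" = "$k" ] || return 1
    # And the cert must validate against our CA (the post only compared moduli)
    openssl verify -CAfile ca.crt server.crt > /dev/null
}

run_in_workdir() {
    # Do everything in a fresh directory; exit status 0 means the cert checks out
    ( cd "$(mktemp -d)" && make_ca && make_server_csr && sign_server_cert && verify_pair )
}
```

Run `run_in_workdir` (or the four functions in order inside an empty directory) and then move the resulting files into place exactly as the post describes.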