
...

  • 2048 - make the RSA private key 2048 bits long (the usual minimum today)
  • The default file format will be PEM.
Note

Notice that the key is written into the private directory. Only the administrators who need the private key should be able to read it: keep the directory and the key file owned by root, with mode 0700 on the directory and 0600 on the key, so no other user on the host can copy it.

File Output

It is important to understand the file formats in use in case the keys need to be transferred to different systems.

In general, PEM is the format used on Unix, PKCS#12 (.p12/.pfx, which bundles key, certificate and chain in one password-protected file) in the Microsoft world, and DER with Java. PEM is simply the DER encoding in Base64 between BEGIN/END lines, so converting between the two loses nothing (openssl x509 -inform / -outform).

OpenSSL uses PEM by default.

Generate the CSR

Generate the CSR (Certificate Signing Request) which will be submitted to the CA:

Code Block
languagebash
openssl req -new -key www.earth.com_server.pem.key -out www.earth.com_server.pem.csr

You will be prompted to enter information about the certificate (country, state, organization and the Common Name). The values should reflect your organization, and the Common Name must be the host name clients will connect to (www.earth.com here). Modern browsers match the host against the subjectAltName extension rather than the Common Name, so ask the CA to include every name the vhost answers to (www.earth.com and earth.com) in the certificate.
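The key and CSR steps above done as a script, as an added example that is not code from the original page: it creates the key inside a restricted private directory, generates the CSR without interactive prompts from a small request config (so the run is repeatable and the CSR carries a subjectAltName for both names), and checks that the CSR really belongs to that key before it goes to the CA. The host name www.earth.com, the DN values and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes OpenSSL is on PATH.
# www.earth.com, the DN values and the directory layout are placeholders.
set -eu

# make_key DIR NAME: 2048-bit RSA key at DIR/NAME, directory 0700, key 0600.
make_key() {
    mkdir -p "$1"
    chmod 700 "$1"
    # umask in a subshell: the key is created 0600 without changing the caller
    ( umask 077; openssl genrsa -out "$1/$2" 2048 2>/dev/null )
    chmod 600 "$1/$2"
}

# make_csr KEY CSR CN SANLIST: write an OpenSSL request config next to the CSR
# (-config makes the run independent of the system openssl.cnf) and generate
# the request from it, no prompts. SANLIST looks like "DNS:a,DNS:b".
make_csr() {
    cfg="$2.cnf"
    cat > "$cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
C  = US
ST = California
L  = San Francisco
O  = Earth Inc
CN = $3

[ v3_req ]
subjectAltName = $4
EOF
    openssl req -new -key "$1" -out "$2" -config "$cfg"
}

# csr_ok CSR: the CSR's own signature verifies, i.e. the file is intact.
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# key_matches_csr KEY CSR: the public key inside the CSR is the one derived
# from KEY, so the CA will issue a certificate usable with this key.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# csr_sans CSR: print the subjectAltName entries requested, without spaces.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# main BASEDIR CN SANLIST: key under BASEDIR/private, CSR under BASEDIR.
main() {
    key="$1/private/$2_server.pem.key"
    csr="$1/$2_server.pem.csr"
    make_key "$1/private" "$2_server.pem.key"
    make_csr "$key" "$csr" "$2" "$3"
    csr_ok "$csr" && key_matches_csr "$key" "$csr" \
        && echo "CSR $csr is ready for the CA, SAN: $(csr_sans "$csr")"
}

# Usage: sh make_csr.sh /etc/ssl www.earth.com "DNS:www.earth.com,DNS:earth.com"
if [ "$#" -eq 3 ]; then
    main "$1" "$2" "$3"
fi
```

Run it as the user that will own the key (root for the /etc/ssl layout used in this page). The key/CSR comparison is the check worth keeping around: a CSR generated against the wrong key is accepted by the CA without complaint and only fails when Apache refuses to start with the issued certificate.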

...

Code Block
languagexml
linenumberstrue
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    ServerName www.earth.com
    ServerAlias earth.com

    DocumentRoot /home/www.earth.com/www
    <Directory />
        # This prevents use of .htaccess
        AllowOverride None    
    </Directory>

    ErrorLog /var/log/apache2/ssl_www.earth.com.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined

    # ---------------------
    # Start Enable SSL
    # -----------------

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Load the keys
    SSLCertificateFile    /etc/ssl/certs/www.earth.com_server.pem.crt
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.pem.key

    # Load the Certificate chain (the CA's intermediate certificate).
    # Note: SSLCertificateChainFile is obsolete since Apache 2.4.8; there the
    # intermediate(s) are appended after the server certificate in the file
    # named by SSLCertificateFile instead.
    SSLCertificateChainFile /etc/ssl/certs/StartSSL_Sub_Class1_CA.pem

    # The two directives below name the CAs used to verify *client*
    # certificates (only consulted with SSLVerifyClient); they do not build
    # the chain the server sends.
    # Loads all Certificate Authorities in the provided path (a hashed
    # directory, see c_rehash)
    SSLCACertificatePath /etc/ssl/certs/

    # Alternatively, load the specific Certificate Authority
    # SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem

    # SSL Engine Options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    # "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # -----------------
    # End Enable SSL
    # ---------------------

</VirtualHost>
</IfModule>
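Before reloading Apache with the vhost above it pays to check the four files it loads against each other, since a key/certificate mismatch or a missing intermediate only shows up as a failed start or as browser warnings. The script below is an added example, not code from the page or from Apache: each check maps to a directive (SSLCertificateKeyFile must be private and must belong to SSLCertificateFile, SSLCertificateChainFile must link the certificate to the root, and the certificate must cover the ServerName). make_fixture builds a throwaway root -> intermediate -> server hierarchy, constructed here purely as test input in place of the real CA; the file names mirror the vhost.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes OpenSSL >= 1.0.2
# on PATH; file names mirror the vhost and are placeholders.
set -eu

# key_private KEY: mode is exactly 0600 or 0400, as a server key should be.
key_private() {
    [ -n "$(find "$1" \( -perm 600 -o -perm 400 \))" ]
}

# cert_matches_key CERT KEY: the certificate carries the public key derived
# from KEY (mod_ssl refuses to start when they differ).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# chain_verifies CERT CHAIN ROOT: CERT chains through the intermediates in
# CHAIN (what SSLCertificateChainFile serves) up to the trusted ROOT.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# cert_covers_host CERT HOST: the certificate is valid for the ServerName
# (subjectAltName, falling back to the Common Name when no SAN is present).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# not_expiring CERT DAYS: still valid DAYS days from now.
not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_vhost CERT KEY CHAIN ROOT HOST DAYS: all checks, first failure reported.
check_vhost() {
    key_private "$2"          || { echo "key $2 is readable by others" >&2; return 1; }
    cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
    chain_verifies "$1" "$3" "$4" || { echo "chain does not verify to $4" >&2; return 1; }
    cert_covers_host "$1" "$5" || { echo "certificate not valid for $5" >&2; return 1; }
    not_expiring "$1" "$6"     || { echo "certificate expires within $6 days" >&2; return 1; }
}

# make_fixture DIR: constructed test hierarchy (root CA, sub CA, server cert
# with SANs for both vhost names), 1-day validity, flat in DIR.
make_fixture() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'subjectAltName=DNS:www.earth.com,DNS:earth.com\n' > "$d/san.ext"
    for n in root intermediate; do
        openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
        openssl req -new -key "$d/$n.key" -subj "/CN=Example $n CA" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null
    ( umask 077; openssl genrsa -out "$d/www.earth.com_server.pem.key" 2048 2>/dev/null )
    openssl req -new -key "$d/www.earth.com_server.pem.key" -subj "/CN=www.earth.com" \
        -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/www.earth.com_server.pem.crt" 2>/dev/null
}

# Usage against the vhost above (the chain and root names are the page's):
#   sh check_vhost.sh /etc/ssl/certs/www.earth.com_server.pem.crt \
#       /etc/ssl/private/www.earth.com_server.pem.key \
#       /etc/ssl/certs/StartSSL_Sub_Class1_CA.pem \
#       /etc/ssl/certs/StartCom_Certification_Authority.pem www.earth.com 30
if [ "$#" -eq 6 ]; then
    check_vhost "$@" && echo "all checks passed, safe to reload apache"
fi
```

The chain check deliberately passes the intermediate as -untrusted and only the root as -CAfile, which is how a browser sees it: the server must send the intermediate itself. Running verify with the leaf and root alone fails in exactly the way a vhost with a missing SSLCertificateChainFile does.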

...