...

```
www.earth.com_server.pem.base64.crt
```

earth.com_server.crt.

Warning

Provide a sub-page to explain the CA signing process as an example.

...

You don't need it. Yes, it is noted in many tutorials on the Internet, but as explained in the Apache 2 documentation,

These are used to verify the client certificate on Client Authentication.

...

In other words, you only need CA certificates on web servers if you intend to have the browsers authenticate and identify themselves.

Store Certificates

In Ubuntu, the default location for SSL certificates is,

...

```bash
sudo cp www.earth.com.base64.pem.crt /etc/ssl/certs
sudo chown root:root /etc/ssl/certs/www.earth.com.base64.pem.crt
```
Note

The above chown root:root command ensures the signed public key is protected. Also, if you are using a user other than root to start Apache, adjust the file ownership to that user.

...

```bash
# Copy the key under the file name that the chmod and chown commands below operate on
sudo cp www.earth.com_server.key /etc/ssl/private/www.earth.com_server.base64.pem.key
sudo chmod 600 /etc/ssl/private/www.earth.com_server.base64.pem.key # The file should only be viewable by the owner
sudo chown root:ssl-cert /etc/ssl/private/www.earth.com_server.base64.pem.key # Make the user starting Apache the owner, in this case it is root.
```
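As an added example (not part of the original page), the script below checks the result of the two copy steps above: the key's mode and owner, the certificate's owner and write bits, and that the certificate actually belongs to the key. It assumes GNU `stat` and the `openssl` command-line tool; the function names are hypothetical and the file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit a deployed TLS key/certificate pair.
# Usage (assumed): sudo sh audit_pair.sh KEYFILE CERTFILE [OWNER]

# Private key: exactly mode 600 and owned by the expected user (GNU stat).
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a %U' "$1")" = "600 $2" ]
}

# Certificate: public data, but it must be owned by the expected user and
# must not be writable by group or others.
cert_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%U' "$1")" = "$2" ] || return 1
    [ $(( 0$(stat -c '%a' "$1") & 022 )) -eq 0 ]
}

# The certificate must carry the public half of the private key.
# Returns 2 if either file cannot be parsed; "-passin pass:" makes an
# encrypted key fail here instead of prompting for a passphrase.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$from_key" = "$from_cert" ]
}

# Run all three checks and report every failure, not just the first one.
audit_pair() {
    ap_key="$1"; ap_cert="$2"; ap_owner="${3:-root}"; ap_rc=0
    key_perms_ok "$ap_key" "$ap_owner" ||
        { echo "FAIL key mode/owner: $ap_key"; ap_rc=1; }
    cert_perms_ok "$ap_cert" "$ap_owner" ||
        { echo "FAIL cert owner/write bits: $ap_cert"; ap_rc=1; }
    key_matches_cert "$ap_key" "$ap_cert" ||
        { echo "FAIL key and certificate do not match or are unreadable"; ap_rc=1; }
    [ "$ap_rc" -eq 0 ] && echo "OK $ap_key <-> $ap_cert"
    return "$ap_rc"
}

# Only audit when both paths are given on the command line.
if [ "$#" -ge 2 ]; then
    audit_pair "$@"
fi
```

Run it with the same key and certificate paths that `SSLCertificateKeyFile` and `SSLCertificateFile` point to, so a file-name mismatch between the copy step and the virtual host shows up before Apache is restarted.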

...

```xml
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    ServerName www.earth.com
    ServerAlias earth.com

    DocumentRoot /home/www.earth.com/www
    <Directory />
        # This prevents use of .htaccess
        AllowOverride None
    </Directory>

    ErrorLog /var/log/apache2/ssl_www.earth.com.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined

    # ---------------------
    # Start Enable SSL
    # -----------------

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Load the keys
    SSLCertificateFile    /etc/ssl/certs/www.earth.com_server.pem.crt
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.pem.key

    # Load the Certificate chain
    SSLCertificateChainFile /etc/ssl/certs/StartSSL_Sub_Class1_CA.pem

    # Loads all Certificate Authorities in the provided path
    # (only needed for client certificate authentication)
    # SSLCACertificatePath /etc/ssl/certs/

    # Alternatively, load the specific Certificate Authority
    # SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem

    # SSL Engine Options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    # "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # -----------------
    # End Enable SSL
    # ---------------------

</VirtualHost>
</IfModule>
```

...