...

This tutorial shows you how to set up Apache with new SSL certificates for web sites. Please read Apache - Renewing SSL Certificates for the renewal process.


Select SSL Certificate

SSLShopper provides an overview of the different types of SSL certificates available with pros and cons. If you are still unsure, use the SSL Shopper Wizard to guide you.

...

```bash
ls -al /etc/ssl/
total 44
drwxr-xr-x  4 root root      4096 2011-04-07 10:15 .
drwxr-xr-x 71 root root      4096 2011-06-08 14:22 ..
drwxr-xr-x  2 root root     20480 2011-06-21 11:41 certs
-rw-r--r--  1 root root      9374 2010-10-06 20:51 openssl.cnf
drwx--x---  2 root ssl-cert  4096 2011-06-13 20:59 private
```



If you opt to use your own private folder, make sure to set the same owner and permissions as /etc/ssl/private/ (root:ssl-cert, mode 710):

```bash
# Make the user starting Apache the owner of the key files; in this case it is root.
# The ssl-cert group keeps group access, as on /etc/ssl/private/.
sudo chown -R root:ssl-cert /opt/apache/httpd/ssl/private/*
# Match the mode of /etc/ssl/private/ (drwx--x---): no access for "other".
sudo chmod 710 /opt/apache/httpd/ssl/private/
```

Again, I will stress that this is very important!

...

Building upon the work in BonsaiFramework Apache Virtual Hosting, below are the minimal recommended lines to enable SSL.

```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    ServerName www.earth.com
    ServerAlias earth.com

    DocumentRoot /home/www.earth.com/www
    <Directory />
        # This prevents use of .htaccess
        AllowOverride None
    </Directory>

    ErrorLog /var/log/apache2/ssl_www.earth.com.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined

    # ---------------------
    # Start Enable SSL
    # -----------------

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Load the server certificate signed by the CA
    SSLCertificateFile /etc/ssl/certs/www.earth.com_server.signed_cert.crt

    # Load the private key
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.key

    # Load the Certificate chain
    SSLCertificateChainFile /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.crt

    # Loads all Certificate Authorities in the provided path
    # SSLCACertificatePath /etc/ssl/certs/

    # Alternatively, load the specific Certificate Authority
    # SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem

    # SSL Engine Options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    # "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # -----------------
    # End Enable SSL
    # ---------------------

</VirtualHost>
</IfModule>
```
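Before reloading Apache it is worth linting the SSL lines of the virtual host above together with the private-folder permissions described earlier. The following checker is an added example written for this page, not part of the original tutorial or of Apache; the function names and the constructed sample vhost are assumptions. It flags a certificate directive that carries a stray token (such as a leftover `cd` before the path), a private key placed outside the private directory, and a key file or private directory that is readable by "other".

```python
"""Lint the SSL directives of an Apache virtual host before reloading Apache.
Added example for this page (not from the original tutorial): catches a stray token
before a certificate path, a key outside the private directory, and world-accessible
key files or private directories (group access for ssl-cert is allowed, as on Ubuntu)."""
import os
import stat

PATH_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")

def lint_ssl_vhost(config_text, private_dirs=("/etc/ssl/private",)):
    """Return a list of problem strings for the vhost text; an empty list means clean."""
    problems, seen = [], {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or full-line comment
            continue
        parts = line.split()
        directive, args = parts[0], [a.strip('"') for a in parts[1:]]
        if directive == "SSLEngine":
            seen[directive] = args[0].lower() if args else ""
        elif directive in PATH_DIRECTIVES:
            seen[directive] = args
            if len(args) != 1 or not args[0].startswith("/"):
                problems.append("line %d: %s needs exactly one absolute path, got %r"
                                % (lineno, directive, args))
    if seen.get("SSLEngine") != "on":
        problems.append("SSLEngine is not 'on'")
    key_args = seen.get("SSLCertificateKeyFile", [])
    if len(key_args) == 1:
        key = key_args[0]
        if not any(key.startswith(d.rstrip("/") + "/") for d in private_dirs):
            problems.append("private key %s is outside %s" % (key, list(private_dirs)))
        for path in (os.path.dirname(key), key):  # check dir and file, if they exist
            if os.path.exists(path) and stat.S_IMODE(os.stat(path).st_mode) & stat.S_IRWXO:
                problems.append("%s is world-accessible; expected root:ssl-cert, 710/640" % path)
    return problems

# Constructed sample: the page's 443 vhost reduced to its SSL lines, with a stray 'cd'
# token in front of the certificate path to show what the linter reports.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile cd /etc/ssl/certs/www.earth.com_server.signed_cert.crt
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.key
    SSLCertificateChainFile /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.crt
</VirtualHost>
"""
```

Run `lint_ssl_vhost(open("/etc/apache2/sites-available/default-ssl").read())` on the real vhost file; Apache's own `apache2ctl configtest` still catches syntax errors, but not a key left world-readable.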

...

Warning

Expand this section with topics such as: are server certs bound to the server?

Are server certs bound to the server?

No, server certs are not bound to the server. You can simply copy/move certs around between servers. In a load balanced environment you would be using the same certs on the different web servers.

References

https://help.ubuntu.com/10.04/serverguide/C/httpd.html#https-configuration - trying this one first.

...