...
This tutorial shows you how to set up Apache with new SSL certificates for websites. Please read Apache - Renewing SSL Certificates for the renewal process.
Select SSL Certificate
SSLShopper provides an overview of the different types of SSL certificates available with pros and cons. If you are still unsure, use the SSL Shopper Wizard to guide you.
...
```
ls -al /etc/ssl/
total 44
drwxr-xr-x  4 root root      4096 2011-04-07 10:15 .
drwxr-xr-x 71 root root      4096 2011-06-08 14:22 ..
drwxr-xr-x  2 root root     20480 2011-06-21 11:41 certs
-rw-r--r--  1 root root      9374 2010-10-06 20:51 openssl.cnf
drwx--x---  2 root ssl-cert  4096 2011-06-13 20:59 private
```
If you opt to use your own private folder, make sure to set the same permissions as /etc/ssl/private/.
Again, I will stress that this is very important!
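As an added example (not part of the original tutorial), this shell function compares a custom key folder against a reference such as /etc/ssl/private/ and flags key files that others can access. The function name `compare_key_dir` and the `/srv/ssl-private` path are assumptions, and it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example: verify that a custom private-key directory has the same
# mode, owner and group as a reference directory (e.g. /etc/ssl/private,
# shown above as drwx--x--- root ssl-cert).
# compare_key_dir is a hypothetical helper; requires GNU stat (-c).
#
# Usage (as root, so the key files can be listed):
#   compare_key_dir /etc/ssl/private /srv/ssl-private   # path is an assumption
#
# Prints one line per finding; returns 0 if clean, 1 otherwise.
compare_key_dir() {
    ref=$1
    dir=$2
    rc=0

    [ -d "$ref" ] || { echo "MISSING reference $ref"; return 1; }
    [ -d "$dir" ] || { echo "MISSING directory $dir"; return 1; }

    # %a = octal mode, %u:%g = numeric owner and group
    want=$(stat -c '%a %u:%g' "$ref")
    have=$(stat -c '%a %u:%g' "$dir")
    if [ "$want" != "$have" ]; then
        echo "DIR $dir is '$have', reference $ref is '$want'"
        rc=1
    fi

    # A key file with any permission bit set for "others" stays exposed
    # if the directory is ever loosened, so flag it as well.
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue          # glob matched nothing
        fmode=$(stat -c '%a' "$f")
        case $fmode in
            *0) ;;                       # last octal digit 0: no access for others
            *)  echo "KEY $f mode $fmode is accessible to others"
                rc=1 ;;
        esac
    done

    return $rc
}
```
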
...
Building upon the work in BonsaiFramework Apache Virtual Hosting, below are the minimal recommended lines to enable SSL.
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName www.earth.com
    ServerAlias earth.com

    DocumentRoot /home/www.earth.com/www
    <Directory />
        # This prevents use of .htaccess
        AllowOverride None
    </Directory>

    ErrorLog /var/log/apache2/ssl_www.earth.com.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined

    # ---------------------
    # Start Enable SSL
    # -----------------

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Load the signed certificate
    SSLCertificateFile /etc/ssl/certs/www.earth.com_server.signed_cert.crt

    # Load the private key
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.key

    # Load the Certificate chain
    SSLCertificateChainFile /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.crt

    # Loads all Certificate Authorities in the provided path
    # SSLCACertificatePath /etc/ssl/certs/

    # Alternatively, load the specific Certificate Authority
    # SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem

    # SSL Engine Options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    # "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # -----------------
    # End Enable SSL
    # ---------------------
</VirtualHost>
</IfModule>
```
...
Warning: Expand this section with topics like, are server certs bound to the server?
Are server certs bound to the server?
No, server certs are not bound to the server. You can simply copy/move certs around between servers. In a load balanced environment you would be using the same certs on the different web servers.
...