root@srv-web:~# openssl genrsa -out server.key 4096 Generating RSA private key, 4096 bit long modulus .....................................................................................................................++ ...............................................................................++ e is 65537 (0x10001)
root@srv-web:~# openssl req -new -key server.key -out server.csr -sha256 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:NRW Locality Name (eg, city) []:Neuss Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Company Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []:www.yourdomain.com Email Address []:admin@yourdomain.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:. An optional company name []:.
mhost.conf bzw. entsprechende Subdomain unter sites-enabled:
NameVirtualHost your.server.ip.here:443 ... SSLEngine on SSLCertificateKeyFile /etc/ssl.key/name.of.key SSLCertificateFile /etc/ssl.crt/name.of.crt SSLCertificateChainFile /etc/ssl.crt/name.of.ca-bundle # The following lines stopps the BEAST attack # more info at # https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls SSLHonorCipherOrder On SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
Evt. muss das SSL Modul im Apache noch aktiviert werden:
a2enmod ssl
Nun ein Neustart und es sollte funktionieren:
/etc/init.d/apache2 restart