Draft | Approver: psycore
Set up SSL under Apache
tutname=SSL unter Apache|tutautor=PsyCore|tutversion=1.4|tutquelle=https://www.schirmacher.de/display/Linux/Apache+SSL+Zertifikat+erstellen
Creating the private key
root@srv-web:~# openssl genrsa -out server.key 4096 Generating RSA private key, 4096 bit long modulus .....................................................................................................................++ ...............................................................................++ e is 65537 (0x10001)
CSR request
root@srv-web:~# openssl req -new -key server.key -out server.csr -sha256 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:NRW Locality Name (eg, city) []:Neuss Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Company Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []:www.yourdomain.com Email Address []:admin@yourdomain.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:. An optional company name []:.
Certificate provider
Apache configuration
mhost.conf or corresponding subdomain under sites-enabled:
NameVirtualHost your.server.ip.here:443 ... SSLEngine on SSLCertificateKeyFile /etc/ssl.key/name.of.key SSLCertificateFile /etc/ssl.crt/name.of.crt SSLCertificateChainFile /etc/ssl.crt/name.of.ca-bundle # The following lines stopps the BEAST attack # more info at # https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls SSLHonorCipherOrder On SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
The SSL module may still need to be activated in Apache:
a2enmod ssl
Now restart and it should work:
/etc/init.d/apache2 restart