[gilug.org] apache and ssl with ubuntu
David Casals hakd0c telefonica net
2007-06-05 20:58:07 UTC
I have a machine set up with Apache on which I have to install a certificate
(created by me), since it has to run over SSL.
I created the certificate and installed it following what Ubuntu's own
help says:
6.1.3. HTTPS Configuration

The mod_ssl module adds an important feature to the Apache2 server - the ability to encrypt communications. Thus, when your browser is communicating using SSL encryption, the https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar.

The mod_ssl module is available in apache2-common package. If you have installed this package, you can run the following command from a terminal prompt to enable the mod_ssl module:

sudo a2enmod ssl

6.1.3.1. Certificates and Security

To set up your secure server, use public key cryptography to create a public and private key pair. In most cases, you send your certificate request (including your public key), proof of your company's identity, and payment to a Certificate Authority (CA). The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server.

Alternatively, you can create your own self-signed certificate. Note, however, that self-signed certificates should not be used in most production environments. Self-signed certificates are not automatically accepted by a user's browser. Users are prompted by the browser to accept the certificate and create the secure connection.

Once you have a self-signed certificate or a signed certificate from the CA of your choice, you need to install it on your secure server.

6.1.3.2. Types of Certificates

You need a key and a certificate to operate your secure server, which means that you can either generate a self-signed certificate or purchase a CA-signed certificate. A CA-signed certificate provides two important capabilities for your server:

* Browsers (usually) automatically recognise the certificate and allow a secure connection to be made without prompting the user.

* When a CA issues a signed certificate, it is guaranteeing the identity of the organisation that is providing the web pages to the browser.

Most Web browsers that support SSL have a list of CAs whose certificates they automatically accept. If a browser encounters a certificate whose authorising CA is not in the list, the browser asks the user to either accept or decline the connection.

You can generate a self-signed certificate for your secure server, but be aware that a self-signed certificate does not provide the same functionality as a CA-signed certificate. A self-signed certificate is not automatically recognised by most Web browsers, and a self-signed certificate does not provide any guarantee concerning the identity of the organisation that is providing the website. A CA-signed certificate provides both of these important capabilities for a secure server. The process of getting a certificate from a CA is fairly easy. A quick overview is as follows:

1. Create a private and public encryption key pair.

2. Create a certificate request based on the public key. The certificate request contains information about your server and the company hosting it.

3. Send the certificate request, along with documents proving your identity, to a CA. We cannot tell you which certificate authority to choose. Your decision may be based on your past experiences, or on the experiences of your friends or colleagues, or purely on monetary factors. Once you have decided upon a CA, you need to follow the instructions they provide on how to obtain a certificate from them.

4. When the CA is satisfied that you are indeed who you claim to be, they send you a digital certificate.

5. Install this certificate on your secure server, and begin handling secure transactions.

Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key.

6.1.3.3. Generating a Certificate Signing Request (CSR)

To generate the Certificate Signing Request (CSR), you should create your own key. You can run the following command from a terminal prompt to create the key:

openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus
.....................++++++
.................++++++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for server.key:

You can now enter your passphrase. For best security, it should at least contain eight characters. The minimum length when specifying -des3 is four characters. It should include numbers and/or punctuation and not be a word in a dictionary. Also remember that your passphrase is case-sensitive.

Re-type the passphrase to verify. Once you have re-typed it correctly, the server key is generated and stored in the server.key file.

You can also run your secure Web server without a passphrase. This is convenient because you will not need to enter the passphrase every time you start your secure Web server. But it is highly insecure and a compromise of the key means a compromise of the server as well.

In any case, you can choose to run your secure Web server without a passphrase by leaving out the -des3 switch in the generation phase or by issuing the following command at a terminal prompt:

openssl rsa -in server.key -out server.key.insecure

Once you run the above command, the insecure key will be stored in the server.key.insecure file. You can use this file to generate the CSR without a passphrase.

To create the CSR, run the following command at a terminal prompt:

openssl req -new -key server.key -out server.csr

It will prompt you to enter the passphrase. If you enter the correct passphrase, it will prompt you to enter Company Name, Site Name, E-mail Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the server.csr file. You can submit this CSR file to a CA for processing. The CA will use this CSR file and issue the certificate. On the other hand, you can create a self-signed certificate using this CSR.

6.1.3.4. Creating a Self-Signed Certificate

To create the self-signed certificate, run the following command at a terminal prompt:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The above command will prompt you to enter the passphrase. Once you enter the correct passphrase, your certificate will be created and it will be stored in the server.crt file.

If your secure server is to be used in a production environment, you probably need a CA-signed certificate. It is not recommended to use a self-signed certificate.

6.1.3.5. Installing the Certificate

You can install the key file server.key and certificate file server.crt, or the certificate file issued by your CA, by running the following commands at a terminal prompt:

sudo cp server.crt /etc/ssl/certs/
sudo cp server.key /etc/ssl/private/

You should add the following four lines to the /etc/apache2/sites-available/default file or the configuration file for your secure virtual host. You should place them in the VirtualHost section. They should be placed under the DocumentRoot line:

SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

HTTPS should listen on port number 443. You should add the following line to the /etc/apache2/ports.conf file:

Listen 443
Everything works perfectly, but every time I start Apache it asks me to
type the certificate's password, and that includes every time the machine
boots, which complicates things a lot for me since it will be completely
unattended, with no monitor or keyboard. Does anyone know how to make it
stop asking?
Regards
David Casals
PS: Whoever is going to say I should install Debian can save the comment;
if it were up to me I'd go with Gentoo :-p
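The unattended start David asks about is what the quoted docs' "leave out -des3" and "openssl rsa -in server.key -out server.key.insecure" steps achieve; the script below is an added example (not from the post or from the Ubuntu documentation it quotes) that runs the same key, CSR and self-signed certificate steps with no prompts and then checks the result before it is copied to /etc/ssl. It assumes OpenSSL is installed, uses 2048-bit keys instead of the docs' 1024, and unlocks an already-encrypted key through a KEY_PASS environment variable rather than the terminal.

```shell
#!/bin/sh
# Added example, not from the original post or the Ubuntu docs it quotes.
# Assumptions: OpenSSL is installed; 2048-bit keys (the quoted docs use 1024);
# a key that is already encrypted is unlocked through the KEY_PASS variable.
set -eu

# Key generated WITHOUT -des3: no passphrase, so Apache can start unattended.
# File permissions are then the only thing protecting it, so lock it down.
make_unattended_key() {
    dir=$1
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
}

# The docs' "openssl rsa -in server.key -out server.key.insecure" done without
# a prompt: the existing passphrase is read from $KEY_PASS instead of the tty.
strip_passphrase() {
    dir=$1
    openssl rsa -in "$dir/server.key" -passin env:KEY_PASS \
        -out "$dir/server.key.insecure" 2>/dev/null
    chmod 600 "$dir/server.key.insecure"
}

# CSR plus 365-day self-signed certificate, as in the docs, but -subj answers
# the Company Name / Site Name questions so nothing waits on a keyboard.
make_self_signed_cert() {
    dir=$1 cn=$2
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Sanity check before copying to /etc/ssl: the certificate must carry the same
# RSA modulus as the key, and the key must not be group/world readable.
check_pair() {
    dir=$1
    kmod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    [ "$kmod" = "$cmod" ] || return 1
    case "$(ls -l "$dir/server.key")" in -rw-------*) ;; *) return 1 ;; esac
}

# Usage: sh mkcert.sh <output-dir> <server-name>
if [ "$#" -ge 2 ]; then
    make_unattended_key "$1"
    make_self_signed_cert "$1" "$2"
    check_pair "$1" && echo "key and cert ready in $1 (no passphrase)"
fi
```

If the key must stay encrypted on disk, mod_ssl's SSLPassPhraseDialog directive can instead run a program (exec:/path/to/script) that prints the passphrase at startup, but that program then holds the secret and needs the same 600-style protection as the key itself.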