tachtler:apache_http_server_-_mod_ssl_-_ssl-verschluesselung_https
Differences
This page shows the differences between two versions of the page.
tachtler:apache_http_server_-_mod_ssl_-_ssl-verschluesselung_https [2012/06/11 12:58] – klaus | tachtler:apache_http_server_-_mod_ssl_-_ssl-verschluesselung_https [unknown date] (current) – deleted - external edit (unknown date) 127.0.0.1
====== Apache HTTP Server - mod_ssl - SSL encryption (https) ======

The ''

From here on, ''
<code>
$ su -
Password:
</code>

===== Installation =====

To install the [[http://
  * **''
needs to be installed.

The following command installs the package **''
<code>
# yum install mod_ssl
Loaded plugins: fastestmirror,
Loading mirror speeds from cached hostfile
 * base: centos.intergenia.de
 * extras: centos.intergenia.de
 * updates: centos.intergenia.de
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================

================================================================================
Installing:


Transaction Summary
================================================================================
Install
Upgrade

Total download size: 85 k
Installed size: 183 k
Is this ok [y/N]: y
Downloading Packages:
mod_ssl-2.2.15-5.el6.centos.x86_64.rpm
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing

Installed:
mod_ssl.x86_64 1:

Complete!
</code>

The following command shows which contents were installed with the package **''
<code>
# rpm -qil mod_ssl
Name : mod_ssl
Version
Release
Install Date: Mon 31 Oct 2011 08:56:56 AM CET Build Host: c6b6.bsys.dev.centos.org
Group : System Environment/
Size : 187233
Signature
Packager
URL : http://
Summary
Description :
The mod_ssl module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols.
</code>

===== Creating an SSL certificate =====

Creating an SSL certificate requires the presence of the RPM package ''
<code>
# yum install openssl
</code>

The contents of the RPM package ''
<code>
Name : openssl
Version
Release
Install Date: Thu 08 Jan 2009 08:42:04 PM CET Build Host: builder16.centos.org
Group : System Environment/
Size : 3423000
Signature
URL : http://
Summary
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
/etc/pki/CA
</code>

==== Creating a self-signed SSL certificate ====

For testing purposes and for cost reasons,

The following steps are required.

First, use the following command to change into the directory ''/
<code>
# cd /tmp
</code>

In the next step, first a so-called **"
<code>
# openssl genrsa -out tachtler.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
....++++++
e is 65537 (0x10001)
</code>
  * //The file ''/

In the next step, a so-called **"

:!: **IMPORTANT** - **Fields that are not required are skipped by entering a dot [.],

<code>
# openssl req -new -key tachtler.key -out tachtler.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '
-----
Country Name (2 letter code) [GB]:DE
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server'
Email Address []:

Please enter the following '
to be sent with your certificate request
A challenge password []:
An optional company name []:
</code>
  * //The file ''/

The following command checks whether all the details in the **"
<code>
# openssl req -noout -text -in tachtler.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Bavaria, L=Munich, O=My Company Ltd, CN=www.tachtler.net/
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:
                    1f:
                    f9:
                    cd:
                    fd:
                    73:
                    48:
                    e6:
                    13:
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        a6:
        fa:
        3c:
        65:
        49:
        04:
        8a:
        09:70
</code>

Finally, the following command creates a //
<code>
# openssl x509 -req -days 365 -in tachtler.csr -signkey tachtler.key -out tachtler.crt
Signature ok
subject=/
Getting Private key
</code>
  * //The file ''/

The installation of the newly created //

First, the file ''/
<code>
# mv /
</code>

Then the file ''
<code>
# mv /
</code>

The file ''
<code>
# rm /
</code>

:!: **IMPORTANT** - For security, the file permissions of the files
  * ''/
  * ''/
should also be set as follows with the commands below:

File permissions for ''/
<code>
# chmod 400 /
</code>

File permissions for ''/
<code>
# chmod 400 /
</code>
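
The key, CSR and self-signed certificate steps above, run non-interactively and followed by the checks worth doing before the files are referenced from ssl.conf. This is an added example, not code from the original page; the temporary working directory, the common name www.tachtler.net and the 2048-bit key (instead of the page's 1024 bits) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): key -> CSR -> self-signed
# certificate as above, but non-interactive, plus the checks an admin wants
# before pointing ssl.conf at the files. WORKDIR, CN and key size are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/tachtler.key"
CSR="$WORKDIR/tachtler.csr"
CRT="$WORKDIR/tachtler.crt"

# Same three openssl steps as on the page; -subj replaces the prompts and
# 2048 bits replaces the page's 1024 (too short for current CA and browser policy).
make_self_signed() {  # $1 = common name, $2 = validity in days
    umask 077                                  # key is created readable by its owner only
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=DE/ST=Bavaria/L=Munich/CN=$1" 2>/dev/null
    openssl x509 -req -days "$2" -in "$CSR" -signkey "$KEY" -out "$CRT" 2>/dev/null
}

# SSLCertificateFile and SSLCertificateKeyFile must belong together: the
# certificate has to carry the public half of the key. Compare the RSA moduli.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$KEY" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$CRT" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Common name of the certificate, i.e. the host name the browser's
# "Add Exception" dialog will compare against the URL.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$CRT" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Octal mode of a file; stat -c is GNU, stat -f the BSD/macOS spelling.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

make_self_signed www.tachtler.net 365
chmod 400 "$KEY" "$CRT"                    # mode 400 as the page requires
key_matches_cert && echo "key and certificate match"
echo "CN=$(cert_cn) key mode=$(file_mode "$KEY") cert mode=$(file_mode "$CRT")"
```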
- | |||
===== Configuring ssl.conf =====

The following additions to the configuration file ''/
<code apache>
...
##
## SSL Virtual Host Context
##

<

# General setup for the virtual host, inherited from global configuration
# Tachtler
# default: #
# default: #ServerName www.example.com:
DocumentRoot "/
ServerName www.tachtler.net
...
...
...
#
# Point SSLCertificateFile at a PEM encoded certificate.
# the certificate is encrypted, then you will be prompted for a
# pass phrase.
# certificate can be generated using the genkey(1) command.
# Tachtler
# default: SSLCertificateFile /
SSLCertificateFile /

#
# If the key is not combined with the certificate,
#
#
# both in parallel (to also allow the use of DSA ciphers, etc.)
# Tachtler
# default: SSLCertificateKeyFile /
SSLCertificateKeyFile /
...
</code>

===== Restarting the Apache HTTP Server =====

A first start or restart of the [[http://
<code>
# service httpd start
</code>
or a restart of the [[http://
<code>
# service httpd restart
</code>
puts the configuration described above into effect for the [[http://

===== Self-signed SSL certificate notes =====

:!: The following warnings are shown depending on the browser - **as an example, the output of a [[http://

Opening the page [[https://

{{:

After a left click on "Or you can add an exception..."

{{:

After a left click on the "Add Exception..." button

{{:

After a left click on the "Get Certificate..." button

{{:

After a final confirmation by left-clicking the button "

{{:

===== Class 3 Wildcard-Certificate =====

This section briefly describes how a //Class 3 Wildcard-Certificate//

First, a //

:!: **IMPORTANT** - However, a new //**CSR (Certificate Signing Request) must be created**//!

The "

:!: **IMPORTANT** - **Fields that are not required are skipped by entering a dot [.],

<code>
# openssl req -new -key /
# openssl req -new -key /
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '
-----
Country Name (2 letter code) [GB]:DE
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server'
Email Address []:

Please enter the following '
to be sent with your certificate request
A challenge password []:
An optional company name []:.
</code>
  * //The file ''/

The following command checks whether all the details in the **"
<code>
# openssl req -noout -text -in /
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Bavaria (Bayern), L=Munich (Muenchen), CN=*.tachtler.net/
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:
                    b0:
                    ab:
                    56:
                    9a:
                    73:
                    53:
                    e3:
                    0e:
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        5f:
        c2:
        ff:
        fc:
        71:
        c3:
        8c:
        ab:9c
</code>

:!: **IMPORTANT** - This certificate request must now be submitted to the certification authority of your choice, e.g. [[http://

==== Downloading CAcert_chain.pem ====

The ''
  * [[http://

==== Configuring ssl.conf ====

The following additions to the configuration file ''/
<code apache>
...
##
## SSL Virtual Host Context
##

<

# General setup for the virtual host, inherited from global configuration
# Tachtler
# default: #
# default: #ServerName www.example.com:
DocumentRoot "/
ServerName www.tachtler.net
...
...
...
#
# Point SSLCertificateFile at a PEM encoded certificate.
# the certificate is encrypted, then you will be prompted for a
# pass phrase.
# certificate can be generated using the genkey(1) command.
# Tachtler
SSLCertificateFile /

#
# If the key is not combined with the certificate,
#
#
# both in parallel (to also allow the use of DSA ciphers, etc.)
# Tachtler
SSLCertificateKeyFile /

#
# Point SSLCertificateChainFile at a file containing the
#
#
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
#
# Tachtler
SSLCertificateChainFile /
...
</code>

Finally, the file permissions for ''/
<code>
# chmod 400 /
</code>
and likewise for ''
<code>
# chmod 400 /
</code>
- | |||
==== Restarting the Apache HTTP Server ====

A first start or restart of the [[http://
<code>
# service httpd start
</code>
or a restart of the [[http://
<code>
# service httpd restart
</code>
puts the configuration described above into effect for the [[http://