Apache2/SSL Certificates

From the Gentoo Linux Wiki.


Introduction

This article explains how to obtain and use an SSL certificate with Apache 2.

Obtaining your own certificate


The goal is to obtain an SSL certificate from http://www.cacert.org (you must already have an account with cacert.org).

Generating a CSR

Generating a new CSR (certificate signing request) is required to obtain your certificate. (Example with example.org)

dev-libs/openssl is required for the generation. Note that older OpenSSL releases default to a 1024-bit key, as in the transcript below; pass -newkey rsa:2048 (or larger), since public CAs no longer sign 1024-bit keys.

Using OpenSSL directly

Code: openssl req -nodes -new -keyout private.key -out server.csr
Generating a 1024 bit RSA private key
.......++++++
..++++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Any State
Locality Name (eg, city) []:Anytown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example, Inc.
Organizational Unit Name (eg, section) []:Administration
Common Name (eg, YOUR name) []:www.example.com
Email Address []:webmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Move the key and certificate files into place:

mv /home/example/example_{privatekey,cert}.pem /etc/apache2/ssl/

Using the cacert csr script

wget http://svn.cacert.org/CAcert/Software/CSRGenerator/csr

And when you run it, you get something like this:

sh csr
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org
Short Hostname (ie. imap big_srv www2): example
FQDN/CommonName (ie. www.example.com) : example.org
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:example.org
SubjectAltName: DNS:www.example.org
SubjectAltName: DNS:foo.example.org
SubjectAltName: DNS:www.foo.example.org
SubjectAltName: DNS:bar.example.org
SubjectAltName: DNS:www.bar.example.org
SubjectAltName: DNS:example.bar
SubjectAltName: DNS:www.example.bar
SubjectAltName: DNS:
Running OpenSSL...
Generating a 2048 bit RSA private key
........................................................+++
................................................+++
writing new private key to '/home/chris/example_privatekey.pem'
-----
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like example_server.pem
-----BEGIN CERTIFICATE REQUEST-----
(request body elided)
-----END CERTIFICATE REQUEST-----
The Certificate request is also available in /home/example/example_csr.pem
The Private Key is stored in /home/example/example_privatekey.pem

Copy the request and use it on the cacert.org page. You can now put the certificate that is created into the file /home/example/example_cert.pem.

cat > /home/example/example_cert.pem

Paste the output from the cacert.org page into the terminal, then press Ctrl + D (this tells cat to quit and save; you must do it from an empty line).

mv /home/example/example_{privatekey,cert}.pem /etc/apache2/ssl/
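The following is an added example, not part of the wiki page or of the CAcert script: it produces the same two files the script writes (NAME_privatekey.pem and NAME_csr.pem) with one non-interactive openssl call, including the SubjectAltNames, and then checks the request before it is pasted into cacert.org. The function names, the subject placeholder values and the OpenSSL >= 1.1.1 requirement (for -addext) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the wiki page or the CAcert script: build the
# key and CSR non-interactively, with SANs, then verify the request.
# Assumes OpenSSL >= 1.1.1 (for -addext).
set -eu

# gen_csr NAME FQDN [ALT_FQDN ...]
# FQDN becomes the CN and the first DNS SAN; each further argument is another
# DNS SAN. The other subject fields are placeholders (assumed values); a CA
# validates only the CN and the SANs.
gen_csr() {
  name=$1 fqdn=$2; shift 2
  sans="DNS:$fqdn"
  for alt in "$@"; do sans="$sans,DNS:$alt"; done
  openssl req -nodes -new -newkey rsa:2048 -sha256 \
    -keyout "${name}_privatekey.pem" -out "${name}_csr.pem" \
    -subj "/C=US/ST=Any State/L=Anytown/O=Example, Inc./CN=$fqdn" \
    -addext "subjectAltName=$sans" 2>/dev/null
  chmod 600 "${name}_privatekey.pem"  # the key never leaves this host
}

# csr_sans CSRFILE -> prints "DNS:a, DNS:b, ..." as parsed from the request
csr_sans() {
  openssl req -in "$1" -noout -text | sed -n 's/^ *\(DNS:.*\)$/\1/p'
}

# csr_key_bits CSRFILE -> prints the RSA modulus size; the interactive run
# shown above defaulted to 1024 bits, which public CAs no longer accept
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public.Key: (\([0-9]*\) bit).*/\1/p'
}

# key_matches_csr KEYFILE CSRFILE -> 0 when both carry the same public key,
# i.e. the certificate CAcert returns for this CSR will work with this key
key_matches_csr() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Example run matching the wiki's example.org request:
#   gen_csr example example.org www.example.org foo.example.org
#   csr_sans example_csr.pem
#   key_matches_csr example_privatekey.pem example_csr.pem && echo "key and CSR match"
```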

Configuring Apache

There are a few steps required to host an SSL-enabled site.

First, Apache must be compiled with the right USE flags:

ssl

emerge -av apache

Then, -D SSL -D SSL_DEFAULT_VHOST must be added to the APACHE2_OPTS line.

File: /etc/conf.d/apache2
...
# Here are the options available in the default configuration:
#
#  AUTH_DIGEST  Enables mod_auth_digest
#  AUTHNZ_LDAP  Enables authentication through mod_ldap (available if USE=ldap)
#  CACHE        Enables mod_cache
#  DAV          Enables mod_dav
#  ERRORDOCS    Enables default error documents for many languages.
#  INFO         Enables mod_info, a useful module for debugging
#  LANGUAGE     Enables content-negotiation based on language and charset.
#  LDAP         Enables mod_ldap (available if USE=ldap)
#  MANUAL       Enables /manual/ to be the apache manual (available if USE=docs)
#  MEM_CACHE    Enables default configuration mod_mem_cache
#  PROXY        Enables mod_proxy
#  SSL          Enables SSL (available if USE=ssl)
#  SUEXEC       Enables running CGI scripts (in USERDIR) through suexec.
#  USERDIR      Enables /~username mapping to /home/username/public_html
#
#
# The following two options provide the default virtual host for the HTTP and
# HTTPS protocol. YOU NEED TO ENABLE AT LEAST ONE OF THEM, otherwise apache
# will not listen for incomming connections on the approriate port.
#
#  DEFAULT_VHOST      Enables name-based virtual hosts, with the default
#                     virtual host being in /var/www/localhost/htdocs
#  SSL_DEFAULT_VHOST  Enables default vhost for SSL (you should enable this
#                     when you enable SSL)
#
APACHE2_OPTS="-D LANGUAGE -D ERRORDOCS -D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST -D PHP5"
...

Finally, you must create a vhost with SSL enabled.

File: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
<IfDefine SSL>
  <IfDefine SSL_DEFAULT_VHOST>
    <IfModule ssl_module>

      Listen 443
      NameVirtualHost *:443

      <VirtualHost *:443>
        SSLEngine on
        # Change the next two lines according to where you've actually
        # stored the certificate and key files.
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key

        ServerName domain.tld
        SSLOptions StrictRequire
        # This only disables SSLv2; on a current Apache/OpenSSL also exclude
        # SSLv3 and TLS 1.0/1.1 (e.g. "all -SSLv3 -TLSv1 -TLSv1.1") where clients allow it.
        SSLProtocol all -SSLv2

        DocumentRoot /path/to/ssl/enabled/site
        <Directory /path/to/ssl/enabled/site/>
          SSLRequireSSL
          Order Deny,Allow
          Allow from All
        </Directory>
      </VirtualHost>

    </IfModule>
  </IfDefine>
</IfDefine>

Test it.
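For the test step, here is an added example (not from the wiki page) of checks to run on the files named by SSLCertificateFile and SSLCertificateKeyFile before restarting Apache, so a mismatched, mis-issued or expiring pair is caught here rather than in the error log. The function names are this example's own; it assumes PEM-encoded files and OpenSSL >= 1.1.1 (for -ext).

```shell
#!/bin/sh
# Added example, not from the wiki page: verify the certificate/key pair and
# the ServerName of the vhost above. Assumes PEM files, OpenSSL >= 1.1.1.
set -eu

# pubkey_pem FILE KIND (KIND = key | cert) -> the public key in PEM form
pubkey_pem() {
  case $2 in
    key)  openssl pkey -in "$1" -pubout 2>/dev/null ;;
    cert) openssl x509 -in "$1" -pubkey -noout 2>/dev/null ;;
  esac
}

# cert_matches_key CERT KEY -> 0 if the certificate was issued for this key
cert_matches_key() {
  c=$(pubkey_pem "$1" cert); k=$(pubkey_pem "$2" key)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_covers_name CERT NAME -> 0 if NAME is a DNS SAN of the certificate, or
# equals the CN when the certificate has no SANs (exact match only; wildcards
# are not expanded, and browsers ignore the CN once SANs are present)
cert_covers_name() {
  sans=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
         | sed -n 's/^ *DNS:/DNS:/p' | tr -d ' ')
  if [ -n "$sans" ]; then
    case ",$sans," in *",DNS:$2,"*) return 0 ;; esac
    return 1
  fi
  cn=$(openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  [ "$cn" = "$2" ]
}

# cert_valid_for_days CERT DAYS -> 0 if the certificate stays valid that long
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_vhost CERT KEY SERVERNAME -> 0 only when the pair matches, the name is
# covered and at least 14 days of validity remain (assumed renewal margin)
check_vhost() {
  cert_matches_key "$1" "$2" && cert_covers_name "$1" "$3" && cert_valid_for_days "$1" 14
}

# Example for the vhost above (paths and ServerName as in the config):
#   check_vhost /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.key domain.tld
```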
