Thursday, July 9, 2009

SSL Certificate » SSL on XAMPP

Self Signed Certificate

It is assumed that you have already installed XAMPP with Apache and SSL support and that you only wish to change the certificate details. This means:
- your server will present whatever you write into the certificate;
- your certificate will be shown as untrusted (this would not be the case if your company were registered as an SSL provider, i.e. a certificate authority).
You need root access on the server. Open an SSH connection, or open a console and log in as root.
1) Create a temporary folder and go to that folder (not mandatory, as long as you know where you are and which files will be created)
# mkdir temp-ssl
# cd temp-ssl

2) Create the private key file (PK). The file server.key will be created.
# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: HERE YOU MUST ENTER A PASSPHRASE (keep in mind, you will need it later!)
Verifying - Enter pass phrase for server.key:

3) Create a certificate request file (CSR). The file server.csr will be created.
# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: ENTER THE SAME PASSPHRASE as above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OLALA.COM.AU(TM)
Organizational Unit Name (eg, section) []:SSL
Common Name (eg, YOUR name) []:Administrator
Email Address []:ssladmin@olala.com.au

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:ENTER A PASSWORD
An optional company name []:OLALA.COM.AU

Keep in mind that browsers compare the Common Name with the host name in the URL: for a server certificate it should be the site's fully qualified domain name (e.g. www.olala.com.au), otherwise clients will report a name mismatch on top of the "untrusted" warning.

You can see the details of this CSR with the following command:
# openssl req -noout -text -in server.csr

4) Remove the password protection from server.key. You need to do this unless you want to enter the passphrase every time Apache starts.
Do not simply overwrite the key: save the secured key in a safe place, make a copy of it and unprotect the copy. You will have two files:
server.key.secure (keep it in a safe place)
server.key - the unprotected key that Apache will use
# cp server.key server.key.secure
# openssl rsa -in server.key.secure -out server.key
The unprotected key is only as safe as its file permissions, so keep it readable by root only (chmod 600 server.key).

How do I verify that a private key matches its certificate?

The 'modulus' and the 'public exponent' portions in the key and the certificate must match. Hash the modulus of each and compare the two digests; if they differ, Apache will refuse to start with that key/certificate pair.

# openssl x509 -noout -modulus -in server.crt | openssl md5
# openssl rsa -noout -modulus -in server.key | openssl md5

(For a wildcard certificate delivered as a .pfx (PKCS#12) bundle the commands used were:
# openssl pkcs12 -in rkwild.pfx -out rkwild.pem
vi rkwild.pem
vi server.key
# openssl rsa -in server.key -out server.key
The .pem written by pkcs12 contains both the certificate and the private key; the private key section is what goes into server.key before the final rsa command strips its passphrase.) wildcard ssl.

5) Generate the certificate file (CRT). You will have server.crt - you will need it.
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=AU/ST=NSW/L=Sydney/O=OLALA.COM.AU(TM)/OU=SSL/CN=Administrator/emailAddress=ssladmin@olala.com.au
Getting Private key
Enter pass phrase for server.key: ENTER THE PASSPHRASE - the same one you entered at points 2) and 3) (this prompt only appears if server.key is still password protected)

6) Assuming XAMPP is installed in /opt/lampp, copy the files as follows (this OVERWRITES the existing files, so back them up first if you want to keep them):
# cp server.key /opt/lampp/etc/ssl.key/server.key
# cp server.crt /opt/lampp/etc/ssl.crt/server.crt

7) Restart Apache
# /opt/lampp/lampp restart apache
Now all the websites hosted on this server and accessed via https will show your self-signed SSL certificate.
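The seven steps above, together with the modulus check from the "How do I verify" section, as one non-interactive script. This is an added example and not code from the original post: it assumes openssl is in PATH, takes the XAMPP directory as a parameter instead of hard-coding /opt/lampp/etc (so it can be tried against a scratch directory), supplies the DN and the passphrase on the command line instead of answering the prompts, and uses 2048-bit keys, since the 1024-bit RSA keys shown in the post are rejected by current browsers.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1 to 7 as one script,
# plus the "does the key match the certificate" check.
# Assumptions: openssl in PATH; the XAMPP etc directory (/opt/lampp/etc on
# the page) is passed in as a parameter; 2048-bit keys instead of 1024.
set -eu

# Steps 2 to 5: encrypted key, CSR, unencrypted working copy, self-signed cert.
# $1 work dir, $2 Common Name (the site's FQDN), $3 validity in days,
# $4 key size in bits, $5 passphrase for the stored (encrypted) key.
make_self_signed_cert() {
    dir=$1; cn=$2; days=$3; bits=$4; pass=$5
    # Step 2: private key, 3DES-encrypted as on the page; -passout replaces the prompt.
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/server.key" "$bits" 2>/dev/null
    # Step 3: certificate request; -subj replaces the interactive DN questions.
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
        -subj "/C=AU/ST=NSW/L=Sydney/O=Example Pty Ltd/OU=SSL/CN=$cn" \
        -out "$dir/server.csr"
    # Step 4: keep the encrypted key, make an unencrypted copy for Apache,
    # and let only the owner read either file.
    cp "$dir/server.key" "$dir/server.key.secure"
    chmod 600 "$dir/server.key.secure"
    openssl rsa -in "$dir/server.key.secure" -passin "pass:$pass" \
        -out "$dir/server.key" 2>/dev/null
    chmod 600 "$dir/server.key"
    # Step 5: self-sign the request with the (now unencrypted) key.
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# The "openssl req -noout -text" inspection from step 3, reduced to the subject.
csr_subject() {
    openssl req -noout -subject -in "$1"
}

# Compare the MD5 of the modulus in the certificate and in the key, exactly as
# the page does. Returns 0 when they match, 1 otherwise.
key_matches_cert() {
    key=$1; cert=$2
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" | openssl md5)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl md5)
    [ "$cert_mod" = "$key_mod" ]
}

# Step 6: copy the pair into the XAMPP tree, refusing a mismatched pair so
# Apache is never left with a key that cannot serve the certificate.
# $1 work dir, $2 XAMPP etc prefix (e.g. /opt/lampp/etc).
install_into_xampp() {
    dir=$1; prefix=$2
    key_matches_cert "$dir/server.key" "$dir/server.crt" || {
        echo "key and certificate do not match, not installing" >&2
        return 1
    }
    cp "$dir/server.key" "$prefix/ssl.key/server.key"
    cp "$dir/server.crt" "$prefix/ssl.crt/server.crt"
    chmod 600 "$prefix/ssl.key/server.key"
}

# Step 7 is left to the operator: /opt/lampp/lampp restart apache
```

Typical use as root: make_self_signed_cert ./temp-ssl www.example.com 365 2048 'secret', then install_into_xampp ./temp-ssl /opt/lampp/etc, then the restart from step 7. Passing the passphrase as pass:... makes it visible in the process list for the duration of each openssl call; for a real host use the file: or env: forms of -passin/-passout instead.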

For a test certificate (30-09-08)
Key and certificate generation in one command (the request is signed directly and no CSR file is written; -nodes leaves the key unencrypted):
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout server.key -out cert.crt
************************************************************************************

1) Make sure a dedicated IP address is used for SSL.

Take a backup of the original httpd-ssl.conf, then edit your httpd-ssl.conf:

# vi httpd-ssl.conf

Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
# SSLLog /usr/local/apache/logs/ssl_engine_log
# SSLLogLevel info
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

NameVirtualHost 192.168.11.238

<VirtualHost 192.168.11.238:443>
ServerAdmin webmaster@abc.com
DocumentRoot /path/of/site
ServerName abc.xyz.com
ServerAlias www.abc.xyz.com
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /path/of/abc.xyz.crt
SSLCertificateKeyFile /server/server.key
SSLCACertificateFile /path/of/CA_bundle.crt
SSLEngine on
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLOptions +StdEnvVars
</VirtualHost>

Note that this cipher string explicitly re-enables LOW, EXP (export-grade), eNULL (no encryption at all) and SSLv2 suites, and nothing restricts the protocol version; it reflects 2009 defaults and is far weaker than anything a current browser will negotiate.


And in the virtual host configuration file make sure the plain-HTTP (port 80) host has an entry like this:

NameVirtualHost 192.168.11.235:80

<VirtualHost 192.168.11.235:80>
ServerAdmin webmaster@infoproworld.com
DocumentRoot /a/b/c/site.com
ServerName site.com
ErrorLog logs/www.site.com-error_log
CustomLog logs/www.site.com-access_log common
</VirtualHost>
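The two virtual hosts above (the SSL host from httpd-ssl.conf and the port-80 host) rewritten with the legacy settings replaced, as an added example that is not part of the original post. It assumes Apache 2.4 with mod_ssl and mod_headers loaded; the IP address, host names and paths are the placeholders from the page, and the cipher list is the one I would use today rather than anything the post recommends.

```apache
# Added example, not from the original post: the same two virtual hosts with
# the 2009-era settings replaced. Assumes Apache 2.4 with mod_ssl and
# mod_headers; the address, names and paths are placeholders from the page.
Listen 443
SSLSessionCache shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300
# SSLMutex does not exist in 2.4 (Mutex replaced it) and SSLLog/SSLLogLevel
# are long gone: mod_ssl logs to the ErrorLog. NameVirtualHost is not needed.

# Plain-HTTP host: nothing is served here, every request is sent to HTTPS.
<VirtualHost 192.168.11.238:80>
    ServerName abc.xyz.com
    ServerAlias www.abc.xyz.com
    Redirect permanent / https://abc.xyz.com/
</VirtualHost>

<VirtualHost 192.168.11.238:443>
    ServerAdmin webmaster@abc.com
    ServerName abc.xyz.com
    ServerAlias www.abc.xyz.com
    DocumentRoot /path/of/site
    SSLEngine on

    # The page's "ALL:...:+LOW:+SSLv2:+EXP:+eNULL" string lets a client pick
    # export-grade, 56-bit DES, RC4 and even NULL-encryption suites, and the
    # protocol version is not limited. Allow only TLS 1.2/1.3 with
    # forward-secret AEAD suites instead.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off

    # Leaf certificate with any intermediates appended (supported since 2.4.8)
    # and the unencrypted key from step 4, readable by root only.
    # SSLCACertificateFile, which the page uses for the CA bundle, actually
    # configures client-certificate verification and is not needed here.
    SSLCertificateFile /path/of/abc.xyz.crt
    SSLCertificateKeyFile /path/of/server.key

    # Tell browsers that have seen the site once to stay on HTTPS for a year.
    Header always set Strict-Transport-Security "max-age=31536000"

    ErrorLog logs/abc.xyz.com-ssl_error_log
    CustomLog logs/abc.xyz.com-ssl_access_log combined
</VirtualHost>
```

After editing, run apachectl configtest (or /opt/lampp/lampp restart and read the error log) before trusting the change, and check the result from outside with openssl s_client -connect abc.xyz.com:443 -tls1_1, which should now fail to negotiate.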

Save the file, then restart the services:

# /opt/lampp/lampp restart
