I've always had a conceptual understanding of SSL, but had never implemented it. Ideally you should have a certificate signed by a certificate authority (CA), but that only serves to verify your authenticity to clients. You can use SSL for security even when you don't use it for authenticity. The best resource I found was: http://www.vanemery.com/Linux/Apache/apache-SSL.html

Notes from the setup:

- Fix the passphrase prompt at startup by decrypting the key (the decrypted key then has to be protected by file permissions):
      openssl rsa -in server.key -out server.open.key
      chmod 400 *.key

- Add Listen 443 to the ports file (ports.conf).
- Put the SSL configuration in a separate VirtualHost in the sites-enabled folder, not in conf.d.
- Include SSLEngine on in that VirtualHost section.
- Change the 000-default site to VirtualHost *:80.
The SSL virtual host:

      <VirtualHost *:443>
          SSLEngine on
          DocumentRoot "/var/www/SSL"
          ServerName joefitz.is-a-geek.net:443
          # the admin address was hidden by the original page's spam protection; placeholder below
          ServerAdmin webmaster@example.com
          SSLCipherSuite HIGH:MEDIUM
          # disables only SSLv2; current guidance also disables SSLv3 and TLS 1.0/1.1
          SSLProtocol all -SSLv2
          SSLCertificateFile /etc/apache2/conf/ssl.crt/joefitz.is-a-geek.net.crt
          # the decrypted (passphrase-free) key produced by the openssl rsa step above
          SSLCertificateKeyFile /etc/apache2/conf/ssl.key/joefitz.is-a-geek.net.open.key
          SSLCertificateChainFile /etc/apache2/conf/ssl.crt/my-ca.crt
          SSLCACertificateFile /etc/apache2/conf/ssl.crt/my-ca.crt
          <Directory "/var/www/SSL">
              Options Indexes
              AllowOverride None
              Order allow,deny
              Allow from all
          </Directory>
      </VirtualHost>
A more difficult howto that's good for reference: http://www.securityfocus.com/infocus/1818

openssl s_client is helpful for troubleshooting. If it displays a certificate, SSL is working:

      openssl s_client -connect localhost:443
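As an added example (not code from the original post), here is a small Python audit of the two things these notes set up: that the key Apache points at is actually decrypted and readable only by its owner, and that the SSLEngine, SSLProtocol and SSLCertificateKeyFile directives are present in the 443 virtual host. The SSLv3 check goes beyond the post; the PEM samples are constructed headers with no real key material, and the files are written to a temporary directory.

```python
import os
import stat
import tempfile

ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")

def audit_key_file(path):
    """Findings for one private key file; an empty list means it passes."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # anything beyond owner access
        findings.append(f"{path}: mode {mode:04o} is group/world accessible, expected 0400")
    with open(path) as f:
        text = f.read()
    if any(marker in text for marker in ENCRYPTED_MARKERS):  # Apache would prompt at startup
        findings.append(f"{path}: still passphrase-protected, decrypt it with openssl rsa")
    return findings

def audit_vhost(config_text):
    """Findings for the SSL directives of a <VirtualHost *:443> block."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):  # skip comments and section tags
            name, _, value = line.partition(" ")
            directives[name.lower()] = value.strip()
    findings = []
    if directives.get("sslengine", "").lower() != "on":
        findings.append("SSLEngine is not 'on'")
    for legacy in ("SSLv2", "SSLv3"):  # the SSLv3 check goes beyond the post
        if f"-{legacy}" not in directives.get("sslprotocol", ""):
            findings.append(f"SSLProtocol does not disable {legacy}")
    if "sslcertificatekeyfile" not in directives:
        findings.append("SSLCertificateKeyFile is missing")
    return findings

# Constructed samples: PEM headers only, no real key material.
ENCRYPTED_KEY = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n...\n-----END RSA PRIVATE KEY-----\n"
OPEN_KEY = "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n"

def demo():  # write both samples to a temp dir (0644 and 0400) and audit them
    tmp, results = tempfile.mkdtemp(), {}
    for name, text, mode in (("server.key", ENCRYPTED_KEY, 0o644), ("server.open.key", OPEN_KEY, 0o400)):
        path = os.path.join(tmp, name)
        with open(path, "w") as f:
            f.write(text)
        os.chmod(path, mode)
        results[name] = audit_key_file(path)
    return results
```

Running demo() flags server.key twice (world-readable and still encrypted) and passes server.open.key; feed audit_vhost the text of the VirtualHost block to check the directives.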