$ openssl req \
> -new -newkey rsa:2048 -nodes \
> -keyout private_key.pem -out key_csr.pem
Generating a 2048 bit RSA private key
......................................................+++
......................+++
writing new private key to 'private_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:EU
State or Province Name (full name) [Some-State]:state_g0
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IPduh
Organizational Unit Name (eg, section) []:Systems
Common Name (eg, YOUR name) []:g0
Email Address []:fckna@bot.ipduh.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The CSR we need to send to our Certificate Authority for signing is key_csr.pem; the private key stays with us in private_key.pem.
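The same key and CSR can be produced without the interactive prompts, which is what you want in a script. The following is an added example, not code from the original post: it passes the DN values entered above with -subj, then checks the request before it goes to the CA (self-signature intact, key length really 2048 bits, public key in the CSR is the one in private_key.pem). Because -nodes leaves the key unencrypted so Apache can start unattended, the script also tightens the key file to mode 600. It assumes openssl is on PATH; the file names are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive key + CSR generation
# with the DN values used above, followed by checks on the result.
# Assumes openssl (1.0 or newer) is on PATH.
set -e

# Generate an unencrypted private key ($1) and a CSR ($2) signed with it.
gen_csr() {
    # -nodes: leave the key unencrypted so Apache can start without a passphrase prompt
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "/C=EU/ST=state_g0/O=IPduh/OU=Systems/CN=g0/emailAddress=fckna@bot.ipduh.com" \
        2>/dev/null
    chmod 600 "$1"    # an unencrypted key must not be readable by group or others
}

# Exit status 0 if the CSR's self-signature verifies (the request was not altered).
verify_csr() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Print the subject so it can be compared with what the CA eventually signs.
csr_subject() { openssl req -in "$1" -noout -subject; }

# Print the key length in bits (e.g. 2048), parsed from openssl's text dump.
key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Exit status 0 only if the public key inside CSR $2 is the one derived from key $1;
# this catches sending a CSR that belongs to some other key.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: build the pair in the current directory and report on it.
gen_csr private_key.pem key_csr.pem
verify_csr key_csr.pem && echo "CSR signature OK"
echo "key length: $(key_bits private_key.pem) bits"
csr_subject key_csr.pem
key_matches_csr private_key.pem key_csr.pem && echo "CSR matches private_key.pem"
```

The subject printed by csr_subject is what the CA will copy into the certificate, so compare it against what you meant to request before sending the CSR; key_matches_csr is the check to run again later against the certificate's key when a server has several key files lying around.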
Apache 2 Virtual Host SSL setup
Let's name the public key certificate that our Certificate Authority signed: signed_public.pem
Put the keys in the appropriate /etc/ssl/ directories
#cp signed_public.pem /etc/ssl/certs
#cp private_key.pem /etc/ssl/private
Enable mod_ssl
# cd /etc/apache2/mods-available/
# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Adjust /etc/apache2/ports.conf
# cat /etc/apache2/ports.conf
Listen 192.0.2.44:80
NameVirtualHost 192.0.2.44:80

<IfModule mod_ssl.c>
    Listen 192.0.2.44:443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 192.0.2.44:443
</IfModule>
Configure the Virtual Hosts:
#head -7 ssl.example.net
ServerAdmin admin@example.net
DocumentRoot /var/www/example.net
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/ssl/certs/signed_public.pem
SSLCertificateKeyFile /etc/ssl/private/private_key.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
or
#head -9 ssl.alt.example.net
ServerAdmin admin@example.net
DocumentRoot /var/www/example.net
SSLEngine on
SSLOptions +StrictRequire
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/ssl/certs/signed_public.pem
SSLCertificateKeyFile /etc/ssl/private/private_key.pem
# SSLCertificateChainFile
# SSLCACertificateFile
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
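The difference between the two virtual hosts is that the first leaves protocol versions and ciphers to mod_ssl's defaults while the second pins them. Since the post was written, SSLv3 and RC4 have both been shown to be broken, so a config that looks like the second snippet today still deserves a second look. The script below is an added example, not code from the original post: a small audit that reads a vhost file and reports the SSL settings a reviewer would want changed (SSLEngine off, no SSLProtocol or SSLCipherSuite line, SSLv2 or SSLv3 still enabled, RC4, LOW or EXPORT ciphers, anonymous ciphers not excluded, missing certificate directives, and a group- or world-readable key file when the key is present on the host). It needs only POSIX shell, grep and awk; the three sample files it writes are constructed here, the <VirtualHost> wrapper around the post's directives being an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the SSL directives of an
# Apache 2.2 virtual host file. POSIX shell, grep and awk only; Apache is not needed.
# The sample files written by write_samples are constructed here to exercise the checks.
set -e

# Does an SSLProtocol line ($1) leave version $2 (SSLv2 or SSLv3) enabled?
proto_allows() {
    printf '%s\n' "$1" | grep -qi -- "-$2" && return 1
    printf '%s\n' "$1" | grep -qiE "(^|[[:space:]+])(all|$2)([[:space:]]|$)"
}

# First value of directive $2 in the comment-stripped config text $1 (empty if absent).
directive() { printf '%s\n' "$1" | grep -i "^[[:space:]]*$2[[:space:]]" | head -n 1 | awk '{print $2}'; }

# Print one line per finding in vhost file $1; return the number of findings (0 = clean).
audit_ssl_vhost() {
    n=0; live=$(grep -v '^[[:space:]]*#' "$1" || true)   # drop "# SSLCertificateChainFile" etc.
    if [ "$(directive "$live" SSLEngine | tr A-Z a-z)" != on ]; then
        echo "SSLEngine is not on"; n=$((n + 1))
    fi
    proto=$(printf '%s\n' "$live" | grep -i '^[[:space:]]*SSLProtocol' | head -n 1)
    if [ -z "$proto" ]; then
        echo "no SSLProtocol line: the mod_ssl default decides which versions are offered"; n=$((n + 1))
    else
        for v in SSLv2 SSLv3; do
            if proto_allows "$proto" "$v"; then echo "SSLProtocol leaves $v enabled"; n=$((n + 1)); fi
        done
    fi
    ciphers=$(directive "$live" SSLCipherSuite)
    if [ -z "$ciphers" ]; then
        echo "no SSLCipherSuite line: the OpenSSL default cipher list is used"; n=$((n + 1))
    else
        rc4=0; weak=0; anon=1
        old_ifs=$IFS; IFS=:; set -f                 # split on ':' without globbing
        for tok in $ciphers; do
            case $tok in
                '!aNULL'|'!ADH') anon=0 ;;          # anonymous key exchange excluded
                !*) ;;                              # other exclusions are fine
                *RC4*) rc4=1 ;;
                *LOW*|*EXP*) weak=1 ;;              # LOW or EXPORT strength enabled
            esac
        done
        IFS=$old_ifs; set +f
        if [ $rc4 -eq 1 ]; then echo "SSLCipherSuite enables RC4"; n=$((n + 1)); fi
        if [ $weak -eq 1 ]; then echo "SSLCipherSuite enables LOW/EXPORT ciphers"; n=$((n + 1)); fi
        if [ $anon -eq 1 ]; then echo "SSLCipherSuite does not exclude anonymous ciphers"; n=$((n + 1)); fi
    fi
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        if [ -z "$(directive "$live" "$d")" ]; then echo "no $d directive"; n=$((n + 1)); fi
    done
    key=$(directive "$live" SSLCertificateKeyFile)
    # the key's mode can only be checked on the host that holds it; skipped elsewhere
    if [ -n "$key" ] && [ -e "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "private key $key is readable by group or others"; n=$((n + 1))
    fi
    return $n
}

ssl_finding_count() { audit_ssl_vhost "$1" | awk 'END { print NR }'; }

# Three constructed vhost files in directory $1: the SSL lines of the two snippets
# above (wrapped in an assumed <VirtualHost> block) and a hardened variant.
write_samples() {
    cat > "$1/first.conf" <<'EOF'
<VirtualHost 192.0.2.44:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/signed_public.pem
SSLCertificateKeyFile /etc/ssl/private/private_key.pem
</VirtualHost>
EOF
    cat > "$1/alt.conf" <<'EOF'
<VirtualHost 192.0.2.44:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/ssl/certs/signed_public.pem
SSLCertificateKeyFile /etc/ssl/private/private_key.pem
# SSLCertificateChainFile
</VirtualHost>
EOF
    cat > "$1/hardened.conf" <<'EOF'
<VirtualHost 192.0.2.44:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLCertificateFile /etc/ssl/certs/signed_public.pem
SSLCertificateKeyFile /etc/ssl/private/private_key.pem
</VirtualHost>
EOF
}

# Demo: audit the samples (or a real vhost file given as $1).
d=$(mktemp -d); write_samples "$d"
for f in ${1:-$d/*.conf}; do
    echo "== $f"; audit_ssl_vhost "$f" && echo "clean" || echo "$? finding(s)"
done
rm -rf "$d"
```

Run against the samples, first.conf reports the missing SSLProtocol and SSLCipherSuite lines, alt.conf reports SSLv3 still enabled (mod_ssl's `all` includes it) and RC4, and hardened.conf is clean. The cipher check is deliberately a token scan rather than a full OpenSSL cipher-string evaluator; for the final word on what a cipher string expands to, ask `openssl ciphers -v` with the string.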
Alternative MSIE SSL connection handling workaround
(taken from /usr/share/doc/apache2.2-common/README.Debian.gz)
SSL workaround for MSIE
-----------------------

The SSL workaround for MS Internet Explorer needs to be added to your SSL
VirtualHost section (it was previously in ssl.conf but caused keepalive to be
disabled even for non-SSL connections):

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

The default SSL virtual host in /etc/apache2/sites-available/default-ssl already
contains this workaround.
ref:
Apache 2 mod_ssl
Private Key and Certificate Signing Request CSR