TIP cacert.org SSL certificates
From Gentoo Linux Wiki
Introduction
This HOWTO describes how to obtain and install SSL certificates from http://www.cacert.org.
Requirements
- You must already have an account with cacert.org
Installing
Apache 2.x
Generate a new CSR (certificate signing request). The example below is for example.org.
wget http://svn.cacert.org/CAcert/CSRGenerator/csr
sh csr
The session looks something like this:
example@example ~ $ sh csr
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org

Short Hostname (ie. imap big_srv www2): example
FQDN/CommonName (ie. www.example.com) : example.org
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:example.org
SubjectAltName: DNS:www.example.org
SubjectAltName: DNS:foo.example.org
SubjectAltName: DNS:www.foo.example.org
SubjectAltName: DNS:bar.example.org
SubjectAltName: DNS:www.bar.example.org
SubjectAltName: DNS:example.bar
SubjectAltName: DNS:www.example.bar
SubjectAltName: DNS:
Running OpenSSL...
Generating a 2048 bit RSA private key
........................................................+++
................................................+++
writing new private key to '/home/chris/example_privatekey.pem'
-----
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like example_server.pem
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
The Certificate request is also available in /home/example/example_csr.pem
The Private Key is stored in /home/example/example_privatekey.pem
Copy the request and submit it on the cacert.org website. Then save the server certificate it issues as /home/example/example_cert.pem:
example@example ~ $ cat > /home/example/example_cert.pem
<paste output from cacert.org webpage into term>
<ctrl + d key> (this tells cat to quit and save; it must be pressed on an empty line)
example@example ~ $ mv /home/example/example_{privatekey,cert}.pem /etc/apache2/ssl/
Configuring
Apache 2.2.x
Edit /etc/apache2/vhosts.d/00_default_ssl_vhost.conf.
File: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
<VirtualHost _default_:443>
ServerName example.org
ServerAlias www.example.org
...
SSLEngine on
# The following 2 lines disable the weaker/older ciphers and protocols.
# Use with caution (older browsers may no longer connect).
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLCertificateFile /etc/apache2/ssl/example_cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/example_privatekey.pem
...
# Uncommenting this is a good idea as long as you know what it means (line 128)
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
...
For custom configs, edit the section inside the VirtualHost tags of your SSL host.
Testing
Browse to the appropriate https:// address and check that the certificate the server presents is the one you installed, and that it covers every hostname the vhost answers to.
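As an added check for this testing step (example code, not from the wiki page): the script below lists every ServerName and ServerAlias in a vhost that the certificate's SubjectAltNames do not cover. The vhost fragment and the certificate dict are constructed; the dict uses the shape Python's ssl.SSLSocket.getpeercert() returns, so the same function can be run on a live server's certificate.

```python
import re

# Constructed vhost fragment modelled on the page's 00_default_ssl_vhost.conf.
VHOST_CONF = """<VirtualHost _default_:443>
ServerName example.org
ServerAlias www.example.org foo.example.org
ServerAlias www.foo.example.org
SSLEngine on
</VirtualHost>
"""

# Constructed certificate dict in the shape ssl.SSLSocket.getpeercert() returns;
# the DNS entries mirror the SubjectAltNames typed into the csr script above.
PEER_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (
        ("DNS", "example.org"), ("DNS", "www.example.org"),
        ("DNS", "foo.example.org"), ("DNS", "www.foo.example.org"),
        ("DNS", "bar.example.org"), ("DNS", "www.bar.example.org"),
    ),
}

def vhost_names(conf):
    """Every hostname the vhost answers to: ServerName plus all ServerAlias values."""
    names = []
    for line in conf.splitlines():
        m = re.match(r"\s*(ServerName|ServerAlias)\s+(.+)", line)
        if m:  # strip an optional :port and normalise case
            names.extend(h.split(":")[0].lower() for h in m.group(2).split())
    return names

def san_matches(san, hostname):
    """Exact match, or a single-label wildcard such as *.example.org (RFC 6125 style)."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == san[2:]
    return san == hostname

def uncovered_names(conf, cert):
    """Hostnames from the vhost that no DNS SubjectAltName in the certificate covers.
    Only subjectAltName is consulted: browsers no longer fall back to the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [h for h in vhost_names(conf) if not any(san_matches(s, h) for s in sans)]

if __name__ == "__main__":
    print(uncovered_names(VHOST_CONF, PEER_CERT))  # -> []
```

An empty list means every name in the vhost is covered; any name printed would make browsers show a certificate mismatch for that hostname.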
Related Links
- http://wiki.cacert.org/wiki/VhostsApache
- http://wiki.cacert.org/wiki/VhostTaskForce
- http://www.cryptocity.net/blog/2005/07/08/gentoo-apachessl-w-cacertorg-howto/ is a well-written blog post detailing how to use cacert.org with Gentoo and named virtual hosts in Apache2
- http://cert.startcom.org/ is another free certificate authority

