Creazione del certificato

macondo:~# rm -rf /root/CertAuth
macondo:~# mkdir /root/CertAuth
macondo:~# chmod 700 /root/CertAuth
macondo:~# cd /root/CertAuth
macondo:~/CertAuth# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...............++++++
..............................................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Italia
Locality Name (eg, city) []:Firenze
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tommyblue.it
Organizational Unit Name (eg, section) []:Tommyblue.it
Common Name (eg, YOUR name) []:Tommyblue
Email Address []:info@tommyblue.it
macondo:~/CertAuth# /usr/lib/ssl/misc/CA.pl -newreq
Generating a 1024 bit RSA private key
..................++++++
...++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Italia
Locality Name (eg, city) []:Firenze
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tommyblue.it
Organizational Unit Name (eg, section) []:Tommyblue.it
Common Name (eg, YOUR name) []:Tommyblue
Email Address []:info@tommyblue.it

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
macondo:~/CertAuth# /usr/lib/ssl/misc/CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            9b:49:17:c6:49:1a:09:7a
        Validity
            Not Before: Oct 25 17:01:48 2005 GMT
            Not After : Oct 25 17:01:48 2006 GMT
        Subject:
            countryName               = IT
            stateOrProvinceName       = Italia
            localityName              = Firenze
            organizationName          = Tommyblue.it
            organizationalUnitName    = Tommyblue.it
            commonName                = Tommyblue
            emailAddress              = info@tommyblue.it
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FF:E0:BB:B6:A4:03:B7:8D:8F:32:51:3D:1D:A8:E9:84:5B:7C:4B:BA
            X509v3 Authority Key Identifier:
                keyid:6A:E5:B3:7D:68:BF:19:6F:E5:3D:5A:7D:23:90:3E:03:00:2A:41:23
                DirName:/C=IT/ST=Italia/L=Firenze/O=Tommyblue.it/OU=Tommyblue.it/CN=Tommyblue/emailAddress=info@tommyblue.it
                serial:9B:49:17:C6:49:1A:09:79

Certificate is to be certified until Oct 25 17:01:48 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
macondo:~/CertAuth# openssl rsa < newreq.pem > newkey.pem
Enter pass phrase:
writing RSA key
macondo:~/CertAuth# cp /root/CertAuth/demoCA/cacert.pem /etc/ssl/certs/cacert.pem
macondo:~/CertAuth# cp /root/CertAuth/newcert.pem /etc/ssl/certs/ldapcert.pem
macondo:~/CertAuth# cp /root/CertAuth/newkey.pem /etc/ssl/certs/ldapkey.pem
macondo:~/CertAuth# chmod 600 /root/CertAuth/newkey.pem

Configurazione di Apache2

Cominciamo aprendo, oltre alla porta 80, anche la porta 443
macondo:~# echo -e "Listen 80\nListen 443" > /etc/apache2/ports.conf
Quindi attiviamo i moduli ssl necessari:
macondo:~# ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/ssl.conf
macondo:~# ln -s /etc/apache2/mods-available/load.conf /etc/apache2/mods-enabled/ssl.load
Se adesso vogliamo che il nostro server sia raggiungibile sia in http che in https dobbiamo modificare il file /etc/apache2/sites-available/default:
NameVirtualHost *
diventa
NameVirtualHost *:80
NameVirtualHost *:443
La parte successiva (tra <VirtualHost *> e </VirtualHost>) deve essere replicata, sostituendo <VirtualHost *> con <VirtualHost *:80> in un caso e <VirtualHost *:443> nell'altro. Infine inserite le righe seguenti in <VirtualHost *:443>
 <VirtualHost *:443>
   <IfModule mod_ssl.c>
    SSLEngine on
    SSLCACertificateFile        /etc/ssl/certs/cacert.pem
    SSLCertificateFile          /etc/ssl/certs/ldapcert.pem
    SSLCertificateKeyFile       /etc/ssl/certs/ldapkey.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
   </IfModule>
...
...
...
Se non lo fosse attiviamo il file appena modificato creando un link simbolico:
macondo:~# ln -s /etc/apache2/sites-available/default /etc/apache2/sites-enabled/000-default
Infine riavviamo Apache2:
macondo:~# /etc/init.d/apache2 restart

blog comments powered by Disqus