Creating the certificate
macondo:~# rm -rf /root/CertAuth
macondo:~# mkdir /root/CertAuth
macondo:~# chmod 700 /root/CertAuth
macondo:~# cd /root/CertAuth
macondo:~/CertAuth# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
...............++++++
..............................................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Italia
Locality Name (eg, city) []:Firenze
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tommyblue.it
Organizational Unit Name (eg, section) []:Tommyblue.it
Common Name (eg, YOUR name) []:Tommyblue
Email Address []:info@tommyblue.it
macondo:~/CertAuth# /usr/lib/ssl/misc/CA.pl -newreq
Generating a 1024 bit RSA private key
..................++++++
...++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Italia
Locality Name (eg, city) []:Firenze
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tommyblue.it
Organizational Unit Name (eg, section) []:Tommyblue.it
Common Name (eg, YOUR name) []:Tommyblue
Email Address []:info@tommyblue.it
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
macondo:~/CertAuth# /usr/lib/ssl/misc/CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
9b:49:17:c6:49:1a:09:7a
Validity
Not Before: Oct 25 17:01:48 2005 GMT
Not After : Oct 25 17:01:48 2006 GMT
Subject:
countryName = IT
stateOrProvinceName = Italia
localityName = Firenze
organizationName = Tommyblue.it
organizationalUnitName = Tommyblue.it
commonName = Tommyblue
emailAddress = info@tommyblue.it
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FF:E0:BB:B6:A4:03:B7:8D:8F:32:51:3D:1D:A8:E9:84:5B:7C:4B:BA
X509v3 Authority Key Identifier:
keyid:6A:E5:B3:7D:68:BF:19:6F:E5:3D:5A:7D:23:90:3E:03:00:2A:41:23
DirName:/C=IT/ST=Italia/L=Firenze/O=Tommyblue.it/OU=Tommyblue.it/CN=Tommyblue/emailAddress=info@tommyblue.it
serial:9B:49:17:C6:49:1A:09:79
Certificate is to be certified until Oct 25 17:01:48 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
macondo:~/CertAuth# openssl rsa < newreq.pem > newkey.pem
Enter pass phrase:
writing RSA key
macondo:~/CertAuth# cp /root/CertAuth/demoCA/cacert.pem /etc/ssl/certs/cacert.pem
macondo:~/CertAuth# cp /root/CertAuth/newcert.pem /etc/ssl/certs/ldapcert.pem
macondo:~/CertAuth# cp /root/CertAuth/newkey.pem /etc/ssl/certs/ldapkey.pem
macondo:~/CertAuth# chmod 600 /root/CertAuth/newkey.pem
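The same CA/request/sign sequence as the CA.pl session above, as an added example that is not part of the original post: it runs non-interactively in a scratch directory and then performs the checks the post never does (the leaf verifies against the CA, the installed key really belongs to the certificate, and the key file is readable only by its owner). It assumes openssl(1) is in PATH, uses 2048-bit RSA instead of the post's 1024, and uses a placeholder hostname for the server name.

```shell
#!/bin/sh
# Added example, not from the original post: the CA.pl procedure above run
# non-interactively in a scratch directory, followed by the checks the post
# never performs (chain verification, key/cert match, key file mode).
# Assumptions: openssl(1) in PATH; 2048-bit RSA instead of the post's 1024;
# the DN values are the post's, the hostname is a placeholder.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_KEY="$WORK/cakey.pem"; CA_CERT="$WORK/cacert.pem"
LEAF_KEY="$WORK/ldapkey.pem"; LEAF_CSR="$WORK/newreq.pem"; LEAF_CERT="$WORK/ldapcert.pem"
DN="/C=IT/ST=Italia/L=Firenze/O=Tommyblue.it/OU=Tommyblue.it"
# Minimal req config: a CA profile with CA:TRUE (what the openssl.cnf behind
# CA.pl supplies) and a leaf profile with CA:FALSE as in the post's output.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n' > "$WORK/req.cnf"
printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >> "$WORK/req.cnf"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.invalid\n' > "$WORK/leaf.ext"

# 1. Self-signed CA (`CA.pl -newca`).
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "$DN/CN=Tommyblue CA" -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
# 2. Server key and request (`CA.pl -newreq`); -nodes leaves the key
#    unencrypted, so the post's later `openssl rsa` step is not needed.
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "$DN/CN=ldap.example.invalid" -keyout "$LEAF_KEY" -out "$LEAF_CSR" 2>/dev/null
# 3. Sign it as an end-entity certificate (`CA.pl -sign`).
openssl x509 -req -days 365 -in "$LEAF_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$LEAF_CERT" 2>/dev/null
chmod 600 "$LEAF_KEY"

# Does the leaf chain to the CA? Prints ok or fail.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail; }
# Does the private key belong to the certificate? Compare RSA modulus digests.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ] && echo ok || echo fail
}
# Is the key readable by its owner only? The post copies newkey.pem into
# /etc/ssl/certs/ but chmods the original, so run this on the installed copy.
key_mode_ok() { [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ] && echo ok || echo fail; }

echo "chain:     $(chain_ok "$CA_CERT" "$LEAF_CERT")"
echo "key/cert:  $(key_matches_cert "$LEAF_KEY" "$LEAF_CERT")"
echo "wrong key: $(key_matches_cert "$CA_KEY" "$LEAF_CERT")"
echo "key mode:  $(key_mode_ok "$LEAF_KEY")"
```

Point the three functions at /etc/ssl/certs/cacert.pem, ldapcert.pem and ldapkey.pem to check the files the post installs.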
Configuring Apache2
Let's start by listening on port 443 in addition to port 80:
macondo:~# echo -e "Listen 80\nListen 443" > /etc/apache2/ports.conf
Then we enable the required SSL modules:
macondo:~# ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/ssl.conf
macondo:~# ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load
If we now want our server to be reachable over both http and https, we must edit the file
/etc/apache2/sites-available/default so that:
NameVirtualHost *
becomes
NameVirtualHost *:80
NameVirtualHost *:443
The section that follows (between <VirtualHost *> and </VirtualHost>) must be duplicated, replacing <VirtualHost *> with <VirtualHost *:80> in one copy and with <VirtualHost *:443> in the other. Finally, insert the following lines inside <VirtualHost *:443>:
<VirtualHost *:443>
<IfModule mod_ssl.c>
SSLEngine on
SSLCACertificateFile /etc/ssl/certs/cacert.pem
SSLCertificateFile /etc/ssl/certs/ldapcert.pem
SSLCertificateKeyFile /etc/ssl/certs/ldapkey.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</IfModule>
...
...
...
If it is not already enabled, activate the file we just edited by creating a symbolic link:
macondo:~# ln -s /etc/apache2/sites-available/default /etc/apache2/sites-enabled/000-default
Finally, restart Apache2:
macondo:~# /etc/init.d/apache2 restart