====== Metodika a navod pro generovani vsech certifikatu ======
Prestoze jsem priznivce prikazove radky, pro ucelenou spravu vsech certifikatu doporucuji nastroj TinyCA. Jakmile nebude vse na jednom miste, bude v tom bordel.
Zde uvadim prikazy pro:
* vytvoreni nadrazene CA pro firmu PragueBest
* vytvoreni klice a certifikatu web serveru
* nasledne vytvoreni klice a certifikatu pro uzivatele a jeho konverze do formatu PKCS12
* vyjmuti passphrase z klice pro web server
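# The original sequence referred to the same files under several names
# (pb-ca vs my-ca/ca, web-server vs mars-server/server), so it could not run
# as written. Every path is now derived from one name per entity; change the
# three values if the Apache section below should point at other file names.
ca=pb-ca
server=web-server
client=client

# --- CA ---------------------------------------------------------------------
# 2048-bit CA key, encrypted with AES-256 (passphrase is prompted; -des3 is legacy).
openssl genrsa -aes256 -out "$ca.key" 2048
# Self-signed CA certificate, valid 10 years.
openssl req -new -x509 -days 3650 -key "$ca.key" -out "$ca.crt"
# Test: print the CA certificate.
openssl x509 -in "$ca.crt" -text -noout

# --- web server --------------------------------------------------------------
# 2048 bits instead of 1024: 1024-bit RSA is below current minimums.
openssl genrsa -aes256 -out "$server.key" 2048
openssl req -new -key "$server.key" -out "$server.csr"
# Sign with the CA. -sha256 replaces -sha1 (SHA-1 signatures are refused by
# current clients); -CAcreateserial creates the serial file on first use and
# reuses it afterwards.
# NOTE: `x509 -req` copies no extensions from the CSR; if clients need a
# subjectAltName, supply one via -extfile.
openssl x509 -req -in "$server.csr" -out "$server.crt" -sha256 \
  -CA "$ca.crt" -CAkey "$ca.key" -CAcreateserial -days 365
# Test: print the server certificate.
openssl x509 -in "$server.crt" -text -noout

# --- client ------------------------------------------------------------------
openssl genrsa -aes256 -out "$client.key" 2048
openssl req -new -key "$client.key" -out "$client.csr"
openssl x509 -req -in "$client.csr" -out "$client.crt" -sha256 \
  -CA "$ca.crt" -CAkey "$ca.key" -CAcreateserial -days 3650
# Bundle key + certificate for import into a browser (export password prompted).
openssl pkcs12 -export -in "$client.crt" -inkey "$client.key" -name "Jarda Jahoda Cert" -out "$client.p12"
# Test: show the certificate part of the bundle.
openssl pkcs12 -in "$client.p12" -clcerts -nokeys -info

# --- passphrase-less key for Apache -------------------------------------------
# The Apache section below reads server-nopass.key; since it is unencrypted,
# restrict it to the owner.
openssl rsa -in "$server.key" -out server-nopass.key
chmod 600 server-nopass.key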
===== Konfigurace Apache =====
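ServerName bomba.praguebest.cz
DocumentRoot /var/www/auth-ssl
SSLEngine on
# Only "high"-strength suites; anonymous (unauthenticated) and MD5-based suites
# are excluded explicitly. The previous HIGH:MEDIUM also admitted RC4 suites.
SSLCipherSuite HIGH:!aNULL:!MD5
# The server, not the client, chooses from the list above.
SSLHonorCipherOrder on
# SSLv2 and SSLv3 are both disabled (SSLv3 is broken by POODLE); TLS remains.
SSLProtocol all -SSLv2 -SSLv3
# Server certificate and its passphrase-less key from the section above;
# the key file should be readable by root only.
SSLCertificateFile /home/uziv/ca/server.crt
SSLCertificateKeyFile /home/uziv/ca/server-nopass.key
# With a single-level CA there is no intermediate to send, so the chain file
# (here the CA itself) is redundant but harmless.
SSLCertificateChainFile /home/uziv/ca/ca.crt
# CA whose client certificates are accepted.
SSLCACertificateFile /home/uziv/ca/ca.crt
# Client certificates are mandatory. The earlier `SSLVerifyClient none` was
# dropped: it is the default and the last directive in a context wins. Depth 1
# matches client certificates signed directly by the CA.
SSLVerifyClient require
SSLVerifyDepth 1
CustomLog /var/log/apache2/auth-ssl-a.log combined
ErrorLog /var/log/apache2/auth-ssl-e.log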