Metodika a navod pro generovani vsech certifikatu

Prestoze jsem priznivce prikazove radky, pro ucelenou spravu vsech certifikatu doporucuji nastroj TinyCA. Jakmile nebude vse na jednom miste, bude v tom bordel.

Zde uvadim prikazy pro vytvoreni certifikatu (CA, serverovy a klientsky certifikat):

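# 1) CA: passphrase-protected (des3) private key and a self-signed CA certificate (10 years).
#    File names are used consistently below and match the Apache configuration
#    (ca.crt, server.crt, server-nopass.key) so the two parts of the note agree.
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
# test: dump the CA certificate
openssl x509 -in ca.crt -text -noout

# 2) Server key + CSR, signed by the CA.
#    2048-bit RSA and a SHA-256 signature: 1024-bit keys and SHA-1 signed
#    certificates are rejected by current clients.
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -out server.crt -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
# test: dump the server certificate
openssl x509 -in server.crt -text -noout

# 3) Client key + CSR, signed by the same CA, exported as PKCS#12 for browser import.
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -in client.csr -out client.crt -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650
openssl pkcs12 -export -in client.crt -inkey client.key -name "Jarda Jahoda Cert" -out client.p12
# test: list the client certificate inside the PKCS#12 bundle
openssl pkcs12 -in client.p12 -clcerts -nokeys -info

# 4) Passphrase-less copy of the server key so Apache can start unattended.
#    The copy is unencrypted, so restrict it to the owner only.
openssl rsa -in server.key -out server-nopass.key
chmod 600 server-nopass.key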

Konfigurace Apache

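<VirtualHost bomba.praguebest.cz:443>
        ServerName      bomba.praguebest.cz
        DocumentRoot /var/www/auth-ssl

        SSLEngine on
        # Only "high" strength ciphers; MEDIUM, anonymous (aNULL) and MD5-based
        # suites are excluded.
        SSLCipherSuite HIGH:!aNULL:!MD5

        # SSLv2 and SSLv3 are both broken; allow TLS versions only.
        SSLProtocol all -SSLv2 -SSLv3

        # Client certificates are not required for the vhost as a whole;
        # the /cert location below overrides this.
        SSLVerifyClient none
        SSLCertificateFile /home/uziv/ca/server.crt
        # Unencrypted key (generated with "openssl rsa ... -out server-nopass.key");
        # keep it readable by the Apache startup user only.
        SSLCertificateKeyFile /home/uziv/ca/server-nopass.key
        # The issuer is the self-signed root itself, so the chain file is the
        # same certificate as the CA file used for client verification.
        SSLCertificateChainFile /home/uziv/ca/ca.crt
        SSLCACertificateFile /home/uziv/ca/ca.crt

        # Client certificate required here; depth 1 accepts only certificates
        # issued directly by a CA listed in SSLCACertificateFile.
        <Location /cert>
                SSLVerifyClient require
                SSLVerifyDepth 1
        </Location>

        CustomLog /var/log/apache2/auth-ssl-a.log combined
        ErrorLog /var/log/apache2/auth-ssl-e.log

</VirtualHost>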