- [Show pagesource]
- [Old revisions]
- [[unknown link type]]
- []
Metodika a navod pro generovani vsech certifikatu
Prestoze jsem priznivce prikazove radky, pro ucelenou spravu vsech certifikatu doporucuji nastroj TinyCA. Jakmile nebude vse na jednom miste, bude v tom bordel.
Zde uvadim prikazy pro vytvoreni
- nadrazene CA pro firmu PragueBest
- vytvoreni klice a certifikatu web serveru
- nasledne vytvoreni klice a certifikatu pro uzivatele a jeho konverze do formatu PKCS12
- vyjmuti passphrase z klice pro web server
openssl genrsa -des3 -out pb-ca.key 2048 openssl req -new -x509 -days 3650 -key pb-ca.key -out pb-ca.crt test -> openssl x509 -in my-ca.crt -text -noout
openssl genrsa -des3 -out web-server.key 1024 openssl req -new -key web-server.key -out web-server.csr openssl x509 -req -in web-server.csr -out web-server.crt -sha1 -CA pb-ca.crt -CAkey pb-ca.key -CAcreateserial -days 365 test -> openssl x509 -in mars-server.crt -text -noout
openssl genrsa -des3 -out client.key 1024 openssl req -new -key client.key -out client.csr openssl x509 -req -in client.csr -out client.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 openssl pkcs12 -export -in client.crt -inkey client.key -name "Jarda Jahoda Cert" -out client.p12 test -> openssl pkcs12 -in client.p12 -clcerts -nokeys -info
openssl rsa -in server.key -out server-nopass.key
Konfigurace Apache
<VirtualHost bomba.praguebest.cz:443>
ServerName bomba.praguebest.cz
DocumentRoot /var/www/auth-ssl
SSLEngine on
# Here, I am allowing only "high" and "medium" security key lengths.
SSLCipherSuite HIGH:MEDIUM
# Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
SSLProtocol all -SSLv2
SSLVerifyClient none
SSLCertificateFile /home/uziv/ca/server.crt
SSLCertificateKeyFile /home/uziv/ca/server-nopass.key
SSLCertificateChainFile /home/uziv/ca/ca.crt
SSLCACertificateFile /home/uziv/ca/ca.crt
<Location /cert>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
CustomLog /var/log/apache2/auth-ssl-a.log combined
ErrorLog /var/log/apache2/auth-ssl-e.log
<VirtualHost>
linux/apache/certificate.txt · Last modified: 2009/09/07 14:05 by admin