On Sun, Sep 18, 2005 at 10:05:26PM -0700, Ross Boylan wrote:
> I'm trying to set up apache2 to use SSL. I see numerous bugs about
> this, including the fact that the setup is neither automated nor documented
> (267477 -- which includes some recipes and references to help) and
> that a tool, ssl-cert, used at one point by apache2 for debconf, has
> problems (230485). The changelog says that ssl-cert was dropped for
> the setup.
>
> There seem to be at least 3 ways to set up certificates:
>   openssl
>   ssl-cert
>   apache2-ssl-certificate
>
> There is a configuration file /etc/ssl/openssl.cnf, and there seems to
> be space for certificates and keys under /etc/ssl/ and
> /etc/apache2/ssl.
>
> Can anyone suggest which of these knobs I should tweak to set things
> up? And where should I put the resulting files? I use KDE, and I see
> it has Kleopatra for certificate management. Is that usable?
>
> I want to be my own CA as well as having the certificates (one for
> each virtual domain).
>
OK. Here are my notes:
New Certificate Authority:

  Check out the SSL HOWTO.

New Certificate: (all actions take place inside of /etc/ssl)

  vi openssl.cnf                 # change default_days if desired
  # keep the previous certs around, dated
  for i in *.pem; do mv "$i" "$i.old-$(date +%Y%m%d)"; done
  openssl req -new -key server.key -out newreq.pem
  vi openssl.cnf                 # change default_days back to normal
  openssl ca -revoke demoCA/newcerts/<num of previous cert>.pem
  openssl ca -gencrl -out demoCA/crl/sopac-ca.crl
  cp demoCA/crl/sopac-ca.crl /var/www/ca.crl
  openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
  # keep only the PEM block, drop the text dump openssl ca prepends
  sed -n '/BEGIN/,/END/p' newcert.pem > server.pem
  # key + cert in one file, for the daemons that want it that way
  cat server.key server.pem > server_key_and_cert.pem
  chmod -R o-rx *
  # chgrp mail server_key_and_cert.pem   # This is because cyrus runs non-root
  /etc/init.d/apache2 restart
  /etc/init.d/postfix restart
  /etc/init.d/ssh restart
  /etc/init.d/slapd restart
  /etc/init.d/courier-imap-ssl restart

I have these symlinks in place to make the process easier:

  # ll /etc/apache2/ssl/
  total 0
  lrwxrwxrwx 1 root root 19 Sep  3 12:33 server.crt -> /etc/ssl/server.pem
  lrwxrwxrwx 1 root root 19 Sep  3 12:34 server.key -> /etc/ssl/server.key
  # ll /etc/courier/imapd.pem
  lrwxrwxrwx 1 root root 32 May 16 01:30 /etc/courier/imapd.pem -> /etc/ssl/server_key_and_cert.pem
  # ll /etc/postfix/*.pem
  lrwxrwxrwx 1 root root 19 Dec 10  2004 /etc/postfix/cert.pem -> /etc/ssl/server.pem
  lrwxrwxrwx 1 root root 32 Dec 10  2004 /etc/postfix/key.pem -> /etc/ssl/server_key_and_cert.pem

Also, please note that it is not possible to have multiple virtual hosts
running on SSL using name-based virtual hosting [0].

Hope this helps.

-Roberto

[0] http://httpd.apache.org/docs/2.0/en/ssl/ssl_faq.html#vhosts2

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto
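The recipe in Roberto's notes, as an added self-contained shell example that is not part of his post: it builds a private CA with the same "openssl ca" tool, issues one server certificate per virtual host (one for each domain, as Ross asked), revokes one, regenerates the CRL, and then verifies both certificates against the CA and the CRL, which is the check the notes leave out. Assumptions, mine and not the post's: openssl 1.1.1 or newer on PATH; a scratch directory (CADIR, a mktemp dir by default) stands in for /etc/ssl and demoCA; the config section names local_ca, policy_anything, v3_ca and the hostnames www.example.test and mail.example.test are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway private CA driven by
# the same "openssl ca" tool the notes use, issuing one cert per virtual host,
# revoking one and checking the CRL. Assumptions: openssl >= 1.1.1 on PATH,
# everything under $CADIR (a temp dir) instead of /etc/ssl, made-up hostnames.
set -eu
CADIR="${CADIR:-$(mktemp -d)}"

# CA setup: the database files "openssl ca" insists on, a minimal config, the
# CA key and self-signed root, and an empty CRL so -crl_check works from day one.
ca_init() {
    mkdir -p "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"; echo 01 > "$CADIR/crlnumber"
    cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca       = local_ca
[ local_ca ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = no
policy           = policy_anything
[ policy_anything ]
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
commonName       = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$CADIR/ca.key" 2048 2>/dev/null
    chmod 600 "$CADIR/ca.key"
    openssl req -new -x509 -config "$CADIR/ca.cnf" -extensions v3_ca \
        -key "$CADIR/ca.key" -subj "/CN=Example Private CA" -days 3650 \
        -out "$CADIR/ca.crt"
    openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/ca.crl" 2>/dev/null
}

# One server cert per virtual host ($1 = hostname): key, CSR, cert signed with
# a per-host extension file carrying the SAN, plus the key+cert bundle that
# daemons such as courier and postfix read (the notes' server_key_and_cert.pem).
issue_cert() {
    host="$1"
    openssl genrsa -out "$CADIR/$host.key" 2048 2>/dev/null
    chmod 600 "$CADIR/$host.key"
    openssl req -new -config "$CADIR/ca.cnf" -key "$CADIR/$host.key" \
        -subj "/CN=$host" -out "$CADIR/$host.csr"
    cat > "$CADIR/$host.ext" <<EOF
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$host
EOF
    # -notext skips the human-readable dump the notes strip out with sed
    openssl ca -batch -notext -config "$CADIR/ca.cnf" -policy policy_anything \
        -extfile "$CADIR/$host.ext" -in "$CADIR/$host.csr" \
        -out "$CADIR/$host.crt" 2>/dev/null
    cat "$CADIR/$host.key" "$CADIR/$host.crt" > "$CADIR/$host.key_and_cert.pem"
    chmod 600 "$CADIR/$host.key_and_cert.pem"
}

# Revoke a host's current cert and republish the CRL (the notes copy it to
# /var/www/ca.crl; here it just stays in $CADIR).
revoke_cert() {
    openssl ca -config "$CADIR/ca.cnf" -revoke "$CADIR/$1.crt" 2>/dev/null
    openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/ca.crl" 2>/dev/null
}

# Exit status 0 only if the cert chains to our CA and is not on the CRL.
verify_cert() {
    openssl verify -crl_check -CAfile "$CADIR/ca.crt" -CRLfile "$CADIR/ca.crl" \
        "$CADIR/$1.crt" >/dev/null 2>&1
}

# Number of revoked ("R") entries in the CA database.
revoked_count() { grep -c '^R' "$CADIR/index.txt" || true; }

ca_init
issue_cert www.example.test
issue_cert mail.example.test
revoke_cert www.example.test
for h in www.example.test mail.example.test; do
    if verify_cert "$h"; then echo "$h: valid"; else echo "$h: rejected (revoked or untrusted)"; fi
done
```

Run it as a normal user; nothing touches /etc. The last lines are the demo run; drop them to use the functions against a directory of your own. Installing the result is then the symlink step from the notes: point server.crt and server.key at <host>.crt and <host>.key, and the courier/postfix key files at <host>.key_and_cert.pem. Having one certificate per domain does not change the point Roberto makes in [0]: each SSL virtual host still needs its own IP address or port.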