TIP: cacert.org SSL certificates
Introduction
This HOWTO covers using SSL certificates from http://www.cacert.org with Apache.
Requirements
- You must already have an account with cacert.org
Installing
Apache 2.x
Generate a new CSR (certificate signing request). The example below is for example.org.
wget http://svn.cacert.org/CAcert/Software/CSRGenerator/csr
sh csr
And it looks something like this.
example@example ~ $ sh csr
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org

Short Hostname (ie. imap big_srv www2): example
FQDN/CommonName (ie. www.example.com) : example.org
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:example.org
SubjectAltName: DNS:www.example.org
SubjectAltName: DNS:foo.example.org
SubjectAltName: DNS:www.foo.example.org
SubjectAltName: DNS:bar.example.org
SubjectAltName: DNS:www.bar.example.org
SubjectAltName: DNS:example.bar
SubjectAltName: DNS:www.example.bar
SubjectAltName: DNS:
Running OpenSSL...
Generating a 2048 bit RSA private key
........................................................+++
................................................+++
writing new private key to '/home/chris/example_privatekey.pem'
-----
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like example_server.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIDBjCCAe4CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQClsXcoj86dyYlIe96khbZqYtyV03ak+teyClv5
80I46irKcYQx4CFiirTCuusiAwsDfnDyZvnrwoxaUkc5nkw4Tlmb1j/y91U8rusX
Zu43rep8s0zs7aMx/q34TTCc5Mru8UQjbnj9aCX1DF+8cA0ayQMm1BOFv8nTFcjK
SnI5NdxRKDyqeH3KUgfxgGkBVU4VFVRU9XKD/zprzj+hWFT+fsjF7yQm0ZXDXaJ+
0Yr9mDQjfzdLP3GObc7y7rwz8a5ozATwfpqZiWYjM34oKFPSj7kwLdA+otx0glGG
e+P7G/E2uE+lbzi41CSFgKAjw3E0l1x47NoVD6DADS5mYIatAgMBAAGggaowgacG
CSqGSIb3DQEJDjGBmTCBljCBkwYDVR0RBIGLMIGIggtleGFtcGxlLm9yZ4IPd3d3
LmV4YW1wbGUub3Jngg9mb28uZXhhbXBsZS5vcmeCE3d3dy5mb28uZXhhbXBsZS5v
cmeCD2Jhci5leGFtcGxlLm9yZ4ITd3d3LmJhci5leGFtcGxlLm9yZ4ILZXhhbXBs
ZS5iYXKCD3d3dy5leGFtcGxlLmJhcjANBgkqhkiG9w0BAQQFAAOCAQEAHFiUDgVc
lDGoq+2kLmQxKtYagc37sugw4OoutILxrXF0zJUSplF4Aco/KhBcSLQUpsW5u11Q
tcxj4DqXrxsoZuawATKTGQXDaAxL/ud2FsXyhe2FC1h0id2cH12GsnDSziuFCM+t
rz05dqnW6mZR5OHILlYPoIPNqk3tbkIyOs4GplL9PZLNjSKJ3oeXJXn1iSI6oegB
dBJQMByDZsh7Xd/d1OFJMQq3TFMqmLEXErkXQnOmzBN375AHGYGZwozhVPjhfFZ1
74AvmxOe17+OLm1j10EA9J/5jLzIgK0vs7HgK0131S/JAV4Ik9JccAWByGlxeuVb
4Kf5vAucZZVe7g==
-----END CERTIFICATE REQUEST-----
The Certificate request is also available in /home/example/example_csr.pem
The Private Key is stored in /home/example/example_privatekey.pem
Copy the request and submit it on the cacert.org web page. Put the server certificate that cacert.org issues into the file /home/example/example_cert.pem.
example@example ~ $ cat > /home/example/example_cert.pem
<paste output from cacert.org webpage into term>
<ctrl + d key> (this tells cat to quit and save; it must be pressed at the start of an empty line)
example@example ~ $ mv /home/example/example_{privatekey,cert}.pem /etc/apache2/ssl/
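Before the request is pasted into the CA's web form it is worth reading back what it actually asks for: the CommonName and every DNS SubjectAltName, compared against the names you typed. The following is an added example and is not part of the original HOWTO or of the CAcert csr script. It embeds the CSR printed by the session above and the list of names typed at the SubjectAltName prompts (both copied from this page), and uses a small standard-library DER walker to locate the subjectAltName extension (OID 2.5.29.17). Because the walker searches structurally rather than by fixed offsets, the same functions can be pointed at the certificate you receive back, to confirm the CA issued exactly the names you requested.

```python
"""Read back what a CSR actually asks for before pasting it into the CA form.

Added example, not part of the original HOWTO or the CAcert csr script.
Standard library only: a small DER walker pulls out the CommonName and the
DNS entries of the subjectAltName extension (OID 2.5.29.17).
"""
import base64
import re

# CSR copied from the HOWTO's csr session above, so this runs offline.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIDBjCCAe4CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQClsXcoj86dyYlIe96khbZqYtyV03ak+teyClv5
80I46irKcYQx4CFiirTCuusiAwsDfnDyZvnrwoxaUkc5nkw4Tlmb1j/y91U8rusX
Zu43rep8s0zs7aMx/q34TTCc5Mru8UQjbnj9aCX1DF+8cA0ayQMm1BOFv8nTFcjK
SnI5NdxRKDyqeH3KUgfxgGkBVU4VFVRU9XKD/zprzj+hWFT+fsjF7yQm0ZXDXaJ+
0Yr9mDQjfzdLP3GObc7y7rwz8a5ozATwfpqZiWYjM34oKFPSj7kwLdA+otx0glGG
e+P7G/E2uE+lbzi41CSFgKAjw3E0l1x47NoVD6DADS5mYIatAgMBAAGggaowgacG
CSqGSIb3DQEJDjGBmTCBljCBkwYDVR0RBIGLMIGIggtleGFtcGxlLm9yZ4IPd3d3
LmV4YW1wbGUub3Jngg9mb28uZXhhbXBsZS5vcmeCE3d3dy5mb28uZXhhbXBsZS5v
cmeCD2Jhci5leGFtcGxlLm9yZ4ITd3d3LmJhci5leGFtcGxlLm9yZ4ILZXhhbXBs
ZS5iYXKCD3d3dy5leGFtcGxlLmJhcjANBgkqhkiG9w0BAQQFAAOCAQEAHFiUDgVc
lDGoq+2kLmQxKtYagc37sugw4OoutILxrXF0zJUSplF4Aco/KhBcSLQUpsW5u11Q
tcxj4DqXrxsoZuawATKTGQXDaAxL/ud2FsXyhe2FC1h0id2cH12GsnDSziuFCM+t
rz05dqnW6mZR5OHILlYPoIPNqk3tbkIyOs4GplL9PZLNjSKJ3oeXJXn1iSI6oegB
dBJQMByDZsh7Xd/d1OFJMQq3TFMqmLEXErkXQnOmzBN375AHGYGZwozhVPjhfFZ1
74AvmxOe17+OLm1j10EA9J/5jLzIgK0vs7HgK0131S/JAV4Ik9JccAWByGlxeuVb
4Kf5vAucZZVe7g==
-----END CERTIFICATE REQUEST-----"""

# Constructed from the names typed at the SubjectAltName prompts above.
REQUESTED_NAMES = ["example.org", "www.example.org", "foo.example.org",
                   "www.foo.example.org", "bar.example.org", "www.bar.example.org",
                   "example.bar", "www.example.bar"]

OID_COMMON_NAME = bytes.fromhex("550403")       # 2.5.4.3   id-at-commonName
OID_SUBJECT_ALT_NAME = bytes.fromhex("551d11")  # 2.5.29.17 id-ce-subjectAltName
TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING = 0x30, 0x06, 0x04
TAG_DNS_NAME = 0x82  # GeneralName [2] IMPLICIT IA5String (dNSName)


def pem_to_der(pem):
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(data, pos):
    """Decode one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def iter_children(value):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def walk(value):
    """Depth-first over every element; descends SEQUENCE, SET and [n] EXPLICIT tags."""
    for tag, inner in iter_children(value):
        yield tag, inner
        if tag & 0x20:  # constructed bit set
            yield from walk(inner)


def extract_names(pem):
    """Return {'common_name': str|None, 'dns_names': [str]} from a PEM CSR or certificate."""
    tag, top, _ = read_tlv(pem_to_der(pem), 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("PEM body is not a DER SEQUENCE")
    common_name, dns_names = None, []
    for tag, value in walk(top):
        if tag != TAG_SEQUENCE:
            continue
        children = list(iter_children(value))
        if not children or children[0][0] != TAG_OID:
            continue
        if children[0][1] == OID_COMMON_NAME and len(children) == 2:
            common_name = children[1][1].decode("ascii")
        elif children[0][1] == OID_SUBJECT_ALT_NAME and children[-1][0] == TAG_OCTET_STRING:
            # Extension ::= SEQUENCE { extnID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            san_tag, san_seq, _ = read_tlv(children[-1][1], 0)
            if san_tag == TAG_SEQUENCE:
                dns_names += [n.decode("ascii") for t, n in iter_children(san_seq) if t == TAG_DNS_NAME]
    return {"common_name": common_name, "dns_names": dns_names}


def compare_names(pem, expected):
    """(missing, unexpected): names you asked for but the CSR lacks, and names it carries that you did not ask for."""
    found = extract_names(pem)
    present = set(found["dns_names"]) | ({found["common_name"]} if found["common_name"] else set())
    return [n for n in expected if n not in present], sorted(present - set(expected))


if __name__ == "__main__":
    names = extract_names(CSR_PEM)
    print("CN:", names["common_name"])
    for n in names["dns_names"]:
        print("SAN:", n)
    print("missing/unexpected:", compare_names(CSR_PEM, REQUESTED_NAMES))
```

Run it on the received certificate as well as on the CSR: an empty "missing" list and an empty "unexpected" list mean the CA issued exactly the names in your request and nothing else.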
Configuring
Apache 2.2.x
Edit /etc/apache2/vhosts.d/00_default_ssl_vhost.conf.
File: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
<VirtualHost _default_:443>
    ServerName example.org
    ServerAlias www.example.org
    ...
    SSLEngine on
    # Following 2 lines disable the weaker/older ciphers/protocol.
    # Use with caution (older browsers and such).
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/apache2/ssl/example_cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/example_privatekey.pem
    ...
    # Uncommenting this is a good idea as long as you know what it means (line 128)
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    ...
For custom configurations, edit the section inside the <VirtualHost> tags of the SSL host.
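The two directives the stanza above singles out, SSLProtocol and SSLCipherSuite, are the ones that decide which protocol versions and cipher groups a client may negotiate, so they are worth checking mechanically rather than by eye. The following is an added example and is not part of the original HOWTO. It parses the SSL directives of a vhost stanza and reports weak settings: SSLv2 or SSLv3 left enabled, a weak OpenSSL cipher group such as MEDIUM or LOW allowed, SSLEngine not on, or a certificate/key directive missing. The first sample is the stanza shown above; the second is a constructed hardened variant that additionally excludes SSLv3 and replaces HIGH:MEDIUM, which current guidance treats as too permissive (the 2008-era text above accepted it).

```python
"""Audit the SSL directives of an Apache 2.2 vhost stanza.

Added example, not part of the original HOWTO.  Both stanzas below are
constructed sample input; the first reproduces the directives shown above,
the second is the same vhost with the protocol and cipher lines tightened.
"""

# Constructed sample 1: the SSL directives from the HOWTO's vhost.
VHOST_FROM_HOWTO = """\
<VirtualHost _default_:443>
    ServerName example.org
    ServerAlias www.example.org
    SSLEngine on
    # Following 2 lines disable the weaker/older ciphers/protocol.
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/apache2/ssl/example_cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/example_privatekey.pem
</VirtualHost>
"""

# Constructed sample 2: same vhost, SSLv3 dropped and MEDIUM ciphers removed.
VHOST_HARDENED = VHOST_FROM_HOWTO.replace(
    "SSLCipherSuite HIGH:MEDIUM", "SSLCipherSuite HIGH:!aNULL:!MD5"
).replace("SSLProtocol all -SSLv2", "SSLProtocol all -SSLv2 -SSLv3")

# 'all' is expanded to the union of versions any mod_ssl build might offer.
KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# OpenSSL cipher-list groups/words that should not appear as positive selectors.
WEAK_CIPHER_GROUPS = {"MEDIUM", "LOW", "EXPORT", "EXP", "NULL", "eNULL", "aNULL",
                      "RC4", "DES", "MD5"}


def parse_ssl_directives(text):
    """Map lower-cased SSL* directive names to their values; comments and tags are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower().startswith("ssl"):
            directives[parts[0].lower()] = parts[1].strip()
    return directives


def enabled_protocols(value):
    """Expand an SSLProtocol value such as 'all -SSLv2' into the set it leaves enabled."""
    enabled = set()
    for token in value.split():
        name = token.lstrip("+-")
        names = set(KNOWN_PROTOCOLS) if name.lower() == "all" else {name}
        if token.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return enabled


def audit_vhost(text):
    """Return a list of findings for one vhost stanza; an empty list means it passed."""
    d = parse_ssl_directives(text)
    findings = []
    if d.get("sslengine", "off").lower() != "on":
        findings.append("SSLEngine is not on")
    # mod_ssl's default for SSLProtocol is 'all', so a missing directive is the weak case.
    for proto in sorted(enabled_protocols(d.get("sslprotocol", "all")) & {"SSLv2", "SSLv3"}):
        findings.append(f"{proto} is still enabled by SSLProtocol")
    for group in d.get("sslciphersuite", "DEFAULT").split(":"):
        # '!X' and '-X' remove a group; only positive selectors are a problem.
        if not group.startswith(("!", "-")) and group.lstrip("+") in WEAK_CIPHER_GROUPS:
            findings.append(f"weak cipher group {group} allowed by SSLCipherSuite")
    for name in ("sslcertificatefile", "sslcertificatekeyfile"):
        if name not in d:
            findings.append(f"{name} is missing")
    return findings


if __name__ == "__main__":
    for label, stanza in (("howto", VHOST_FROM_HOWTO), ("hardened", VHOST_HARDENED)):
        print(label, "->", audit_vhost(stanza) or "OK")
```

Feed it the stanza from your own vhost file; an empty result for the hardened sample and two findings for the stanza as printed above show what the two tightened lines buy you.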
Testing
Browse to the site's https address and check that the certificate presented is the one issued by cacert.org for your hostname.
Related Links
- http://wiki.cacert.org/wiki/VhostsApache
- http://wiki.cacert.org/wiki/VhostTaskForce
- http://www.cryptocity.net/blog/2005/07/08/gentoo-apachessl-w-cacertorg-howto/ is a well-written blog post detailing how to use cacert.org with Gentoo and named virtual hosts in Apache2
- http://cert.startcom.org/ another free cert authority
Last modified: Mon, 22 Sep 2008 08:43:00 +1000