Domain checks

SSL Shopper: https://www.sslshopper.com/ssl-checker.html#nomdedomaine.com
Reports: domain name to IP resolution, server type, intermediate certificate, issuing company name, expires in X days, hostnames listed in the certificate.

Let's Encrypt project

./certbot-auto

# Add an SSL certificate to a web domain name (apache2):
# installation in /etc/apache2/sites-available, activation (a2ensite) and restart (service apache2 reload)
./certbot-auto run -d www.serveur.com

# Remove an SSL certificate from /etc/letsencrypt/live/ and /etc/letsencrypt/archive/
# Does not remove the apache2 configuration; you must run a2dissite file-le.conf, rm file-le.conf and service apache2 reload
./certbot-auto delete -d www.serveur.com

# Daily renewal with a cron file
echo '#!/bin/sh' > /etc/cron.daily/certbot
echo '/usr/local/bin/certbot-auto renew --quiet --no-self-upgrade' >> /etc/cron.daily/certbot
chmod +x /etc/cron.daily/certbot

Debian 9 stretch: apt install python-certbot-apache

Certificate for Apache on Debian

#Debian: 
mkdir /etc/apache2/ssl
openssl req -new -x509 -days 3650 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
chmod 600 /etc/apache2/ssl/apache.pem
ln -sf /etc/apache2/ssl/apache.pem \
 /etc/apache2/ssl/`/usr/bin/openssl x509 \
 -noout -hash < /etc/apache2/ssl/apache.pem`.0

#ubuntu 6.06
apache2-ssl-certificate

in a virtual host (/etc/apache2/sites-enabled/...):
NameVirtualHost *:443
<VirtualHost *:443>
	SSLEngine On
	SSLCertificateFile    /etc/apache2/ssl/apache.pem
	SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
	BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown \
	                          downgrade-1.0 force-response-1.0
	BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown
	# legacy cipher string: leaves SSLv2, EXP and LOW suites enabled
	SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
#	...
</VirtualHost>

# enable ssl
a2enmod ssl
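
In the SSLCipherSuite value above, a leading + only moves ciphers to the end of the list and ALL already selects them, so the SSLv2, EXP and LOW suites remain enabled. The script below is an added example, not part of the original notes: a heuristic lint that reports which weak cipher classes a cipher string still permits. The function name, the list of weak classes and the second, stricter string are assumptions made for the example.

```shell
#!/bin/sh
# Added example: heuristic lint for an OpenSSL / mod_ssl cipher string.
# Prints the weak cipher classes that the string still permits.

# Classes checked; this list is an assumption of the example.
WEAK_CLASSES="SSLv2 EXP LOW RC4 MD5"

# Runs in a subshell "( ... )" so IFS and "set -f" stay local.
audit_cipher_string() (
    set -f                          # no globbing while splitting
    IFS=:; set -- $1; unset IFS     # "$@" = the ':'-separated tokens
    killed=" "; added=" "; out=""
    for tok in "$@"; do
        case $tok in
            # '!A+B' kills only the intersection, '-X' can be re-added
            # later, '+X' and '@...' only reorder: none removes a class.
            '!'*+*|[-+@]*) ;;
            # '!X' removes class X permanently.
            '!'*) killed="$killed${tok#?} " ;;
            # A bare token adds ciphers; 'A+B' means "A and B".
            *) added="$added$(printf '%s' "$tok" | tr '+' ' ') " ;;
        esac
    done
    for w in $WEAK_CLASSES; do
        aka=$w
        [ "$w" = EXP ] && aka=EXPORT        # EXPORT is an alias of EXP
        case $killed in *" $w "*|*" $aka "*) continue ;; esac
        case $added in
            *" ALL "*|*" $w "*|*" $aka "*) out="$out $w" ;;
        esac
    done
    printf '%s\n' "${out# }"
)

# The string from the virtual host above, then a constructed stricter one.
audit_cipher_string 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
audit_cipher_string 'ALL:!SSLv2:!EXP:!LOW:!RC4:!MD5:!aNULL'
```

On a live host, `openssl ciphers -v '<string>'` lists the suites the local OpenSSL build actually expands a string to.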

Create a certificate signing request (.csr)

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Generate an SSL certificate for Apache

# mod-ssl-makecert (option 3, no encryption). Seen in the GForge Debian install guide

Steps

first, edit the _default values in the configuration with your own, including commonName_default/emailAddress_default:
# vim /etc/pki/tls/openssl.cnf
note that strangely, emailAddress_default doesn't work
and that if you want to retry, erase ../../private/cakey.pem

then create the certificate
# cd /etc/pki/tls/misc
# ./CA -newca
# ./CA -newreq
# ./CA -sign

then copy all the information in one directory for later use
# cd .. 
# mkdir myCA
# cd myCA
# cp /etc/pki/CA/cacert.pem .
# cp /etc/pki/tls/misc/newcert.pem servercert.pem
# cp /etc/pki/tls/misc/newreq.pem serverkey.pem
# ls

then copy them over Apache's files (back up first ;p)
# mv /etc/httpd/conf/ssl.crt/server.crt /etc/httpd/conf/ssl.crt/server.crt.bck
# mv /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.key/server.key.bck
# cp servercert.pem /etc/httpd/conf/ssl.crt/server.crt 
# cp serverkey.pem /etc/httpd/conf/ssl.key/server.key

last thing, enable ssl (with DocumentRoot, ServerName, ServerAdmin)
# vim /etc/httpd/conf.d/ssl.conf 

Hyperlinks...