Configuring SSL in Apache, generating certificates and DOEGrid Certificates
Configure SSL
Modify httpd.conf (and ssl.conf if you have one)
Your httpd.conf needs to contain the following lines in the main body:
Listen your.ip.address:80
Listen your.ip.address:443
LoadModule ssl_module modules/mod_ssl.so
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
You will need at least two virtual hosts - one for port 80 and one for port 443.
Turn SSL off for port 80:
<VirtualHost *:80>
SSLEngine off
....
</VirtualHost>
Make sure you have a virtual host for port 443:
<VirtualHost websrv1.fnal.gov:443>
SSLEngine on
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
SSLCACertificatePath /full/path/to/TrustedCAs
SSLCertificateFile /full/path/to/certs/yourserver.cert.cert
SSLCertificateKeyFile /full/path/to/certs/yourserver.cert.key
SSLVerifyClient require
SSLVerifyDepth 2
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
....
</VirtualHost>
Make sure to require SSL for the appropriate directories:
<Directory "/some/html/dir/secure">
SSLRequireSSL
....
</Directory>
You will get a request ID that you can use to download your certificate, usually the next business day.
You may have to cut and paste the certificate into a file to download it.
Save the "Base 64 encoded certificate" as doehostcert.cert.
As part of generating your request for a certificate, you also generated a PEM key file, perhaps named privkey.pem. You must strip the password from this file to use it with Apache:
openssl rsa -in privkey.pem -out doe.cert.key
Your httpd.conf or ssl.conf file will need both the certificate and the key file:
SSLCertificateFile /full/path/to/certs/doehostcert.cert
SSLCertificateKeyFile /full/path/to/certs/doe.cert.key
(See Configure SSL)
Getting a self-signed Kerberos certificate
openssl req -new -out myhost.cert.csr
Generating a 1024 bit RSA private key
...++++++
...................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: My Country
State or Province Name (full name) [Berkshire]: My State
Locality Name (eg, city) [Newbury]: My Town
Organization Name (eg, company) [My Company Ltd]: My Lab
Organizational Unit Name (eg, section) []: My Department
Common Name (eg, your name or your server's hostname) []: myserver.some.domain
Email Address []: <your-email-address>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The previous step creates both myhost.cert.csr and privkey.pem.
openssl req -new > new.cert.csr
Your answers to the questions are crucial.
DOE will simply reject the request if it does not recognize the organization and organizational unit. (The OU is probably "Services".)
Please check with your institution.
The "Common Name" is the name of your webserver (e.g., myserver.some.domain).
Generating a 1024 bit RSA private key
...++++++
...................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: My Country
State or Province Name (full name) [Berkshire]: My State
Locality Name (eg, city) [Newbury]: My Town
Organization Name (eg, company) [My Company Ltd]: FOLLOW YOUR INSTITUTION'S INSTRUCTIONS
Organizational Unit Name (eg, section) []: Services
Common Name (eg, your name or your server's hostname) []: myserver.some.domain
Email Address []: <your-email-address>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: EMPTY FOR DOE
An optional company name []:
The previous step creates both new.cert.csr and privkey.pem.
Remove the passphrase from the key:
openssl rsa -in privkey.pem -out new.cert.key
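The CSR request and passphrase-stripping steps above, scripted non-interactively and followed by the checks worth running before you submit the request or point SSLCertificateKeyFile at the stripped key. This is an added example, not from the original page or from DOEGrid; it assumes an openssl CLI is installed, uses 2048-bit keys rather than the 1024-bit default shown above, and the DN values and passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example: non-interactive version of the CSR workflow on this page.
# Assumes the openssl CLI; DN values/passphrase are constructed placeholders.
set -eu

# Generate a passphrase-protected privkey.pem and a CSR, answering the DN
# prompts from a config file (same fields as the interactive session above).
make_csr() {  # make_csr <workdir> <common-name> <org> <ou> <passphrase>
    dir=$1; cn=$2; org=$3; ou=$4; pass=$5
    cat > "$dir/csr.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
[ dn ]
C  = US
ST = My State
L  = My Town
O  = $org
OU = $ou
CN = $cn
EOF
    # No challenge password is set (the page says it must be empty for DOE).
    openssl req -new -config "$dir/csr.cnf" -newkey rsa:2048 \
        -keyout "$dir/privkey.pem" -passout "pass:$pass" \
        -out "$dir/new.cert.csr" 2>/dev/null
}

# Strip the passphrase so httpd can start unattended, then restrict the file:
# the stripped key is plaintext, so only the user starting httpd may read it.
strip_passphrase() {  # strip_passphrase <workdir> <passphrase>
    dir=$1; pass=$2
    openssl rsa -in "$dir/privkey.pem" -passin "pass:$pass" \
        -out "$dir/new.cert.key" 2>/dev/null
    chmod 600 "$dir/new.cert.key"
}

# Pre-submission checks: CSR signature verifies, subject carries the expected
# OU and CN, the stripped key is unencrypted, and key and CSR share a modulus.
check_csr() {  # check_csr <workdir> <common-name> <ou>
    dir=$1; cn=$2; ou=$3
    openssl req -in "$dir/new.cert.csr" -noout -verify >/dev/null 2>&1 || return 1
    subj=$(openssl req -in "$dir/new.cert.csr" -noout -subject)
    case $subj in *"OU = $ou"*"CN = $cn"*|*"OU=$ou"*"CN=$cn"*) ;; *) return 1 ;; esac
    grep -q ENCRYPTED "$dir/new.cert.key" && return 1
    [ "$(openssl req -in "$dir/new.cert.csr" -noout -modulus)" = \
      "$(openssl rsa -in "$dir/new.cert.key" -noout -modulus)" ]
}
```

Run make_csr, strip_passphrase and check_csr in that order against a scratch directory; check_csr returns non-zero if any of the four checks fails.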