Herramientas de Accesibilidad

Skip to main content

Configurar SSL en Apache

Configuración de SSL en Apache, generación de certificados y DOEFrid Certificates

Configure SSL

  1. Modify httpd.conf (and ssl.conf if you have one)
  2. Your httpd.conf needs to contain the following lines in the main body:
    Listen your.ip.address:80Listen your.ip.address:443LoadModule ssl_module modules/mod_ssl.soAddType application/x-x509-ca-cert .crtAddType application/x-pkcs7-crl .crl
  3. You will need at least two virtual hosts - one for port 80 and one for port 443.
  4. Turn SSL off for port 80:
    <VirtualHost *:80>
    SSLEngine off
    ....
    </VirtualHost>
  5. Make sure you have a virtual host for port 443:
    <VirtualHost websrv1.fnal.gov:443>
    SSLEngine on
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    SSLCACertificatePath /full/path/to/TrustedCAs
    SSLCertificateFile /full/path/to/certs/yourserver.cert.cert
    SSLCertificateKeyFile /full/path/to/certs/yourserver.cert.key
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOptions +StdEnvVars
    SetEnvIf User-Agent ".*MSIE.*"
    \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    ....
    </VirtualHost>
  6. Make sure to require SSL permissions for the appropriate directories
    <Directory "/some/html/dir/secure">
    SSLRequireSSL
    ....
    </Directory >
  7. You will need signed certificates in /full/path/to/certs/
 

 

 

 

 

 

Server Certificates

  1. You will need signed certificates in /full/path/to/certs/ (defined in Configure SSL)
  2. First make sure you have openssl.
    You may need to install the openssl rpm.
  3. At any point, openssl can be used to view certificate information:
    openssl req -noout -text -in some.cert.file
  4. Do this work in /full/path/to/certs (defined in Configure SSL)
  5. DOEGrid certificates:
    • IMPORTANT: You will need both a certificate and a key file
    • Generic DOEGrid certificate instructions
    • Getting a DOEGrid Server Certificate for a Fermilab server
    • You will get a request ID that you can use to download your certificate, usually the next business day.
    • You may have to cut and paste to download your certificate into some file.
    • Save the "Base 64 encoded certificate" as doehostcert.cert.
    • As part of generating your request for a certificate, you also generated a pem keyfile, perhaps named privkey.pem. You must strip the password from this file to use it with apache:
      openssl rsa -in privkey.pem -out doe.cert.key
    • Your httpd.conf or ssl.conf file will need both the certificate and key file:
      SSLCertificateFile /full/path/to/certs/doehostcert.certSSLCertificateKeyFile /full/path/to/certs/doe.cert.key(See Configure SSL)
  6. Getting a self-signed Kerberos certificate
    • openssl req -new -out myhost.cert.csr
  •      Generating a 1024 bit RSA private key
  •      ...++++++
  •      ...................................++++++
  •      writing new private key to 'privkey.pem'
  •      Enter PEM pass phrase:
  •      Verifying - Enter PEM pass phrase:
  •      -----
  •      You are about to be asked to enter information that will be incorporated
  •      into your certificate request.
  •      What you are about to enter is what is called a Distinguished Name or a DN.
  •      There are quite a few fields but you can leave some blank
  •      For some fields there will be a default value,
  •      If you enter '.', the field will be left blank.
  •      -----
  •      Country Name (2 letter code) [GB]: My Country
  •      State or Province Name (full name) [Berkshire]: My State
  •      Locality Name (eg, city) [Newbury]: My Town
  •      Organization Name (eg, company) [My Company Ltd]: My Lab
  •      Organizational Unit Name (eg, section) []: My Department
  •      Common Name (eg, your name or your server's hostname) []: myserver.some.domain
  •      Email Address []: Esta dirección de correo electrónico está siendo protegida contra los robots de spam. Necesita tener JavaScript habilitado para poder verlo.
  •      Please enter the following 'extra' attributes
  •      to be sent with your certificate request
  •      A challenge password []:
  •      An optional company name []:
    • The previous step creates both myhost.cert.csr and privkey.pem.
    • openssl rsa -in privkey.pem -out myhost.cert.key
  •      Enter pass phrase for privkey.pem:
  •      writing RSA key
    • openssl x509 -in myhost.cert.csr -out myhost.cert.cert -req -signkey myhost.cert.key -days 365
    • If you want to view the certificate request: openssl req -noout -text -in myhost.cert.csr
    • If you want to view your key: openssl req -noout -text -in myhost.cert.key
    • Add the following line to httpd.confSSLCertificateKeyFile /full/path/to/certs/myhost.cert.key
 

DOEGrid Certificates

  1. Do this work in /full/path/to/certs (defined in Configure SSL)
  2. If you are at Fermilab, use these instructions.
  3. openssl req -new > new.cert.csrYour answers to the questions are crucial.
    DOE will simply reject the request if it does not recognize the organization and organizational unit. (The OU is probably "Services".)
    Please check with your institution.
    The "Common Name" is the name of your webserver (e.g., myserver.some.domain).
  1.      Generating a 1024 bit RSA private key
  2.      ...++++++
  3.      ...................................++++++
  4.      writing new private key to 'privkey.pem'
  5.      Enter PEM pass phrase:
  6.      Verifying - Enter PEM pass phrase:
  7. -----
  8. You are about to be asked to enter information that will be incorporated
  9. into your certificate request.
  10. What you are about to enter is what is called a Distinguished Name or a DN.
  11. There are quite a few fields but you can leave some blank
  12. For some fields there will be a default value,
  13. If you enter '.', the field will be left blank.
  14. -----
  15. Country Name (2 letter code) [GB]: My Country
  16. State or Province Name (full name) [Berkshire]: My State
  17. Locality Name (eg, city) [Newbury]: My Town
  18. Organization Name (eg, company) [My Company Ltd]: FOLLOW YOUR INSTITUTION'S INSTRUCTIONS
  19. Organizational Unit Name (eg, section) []: Services
  20. Common Name (eg, your name or your server's hostname) []: myserver.some.domain
  21. Email Address []: Esta dirección de correo electrónico está siendo protegida contra los robots de spam. Necesita tener JavaScript habilitado para poder verlo.
  22. Please enter the following 'extra' attributes
  23. to be sent with your certificate request
  24. A challenge password []:  EMPTY FOR DOE
  25. An optional company name []:
  1. The previous step creates both new.cert.csr and privkey.pem.
  2. Remove the passphrase from the key:
    openssl rsa -in privkey.pem -out new.cert.key
  3. Go to the DOEgrids Certificate Manager
  4. Click on the "Grid or SSL Server" link
  5. Cut & paste the new.cert.csr data into the "PKCS #10 Request" field on the form. Fill out the rest of the information and submit.
| Apache