TIP_cacert.org_SSL_certificates

Using cacert.org SSL certificates with Apache
Introduction


This HOWTO covers using SSL certificates issued by http://www.cacert.org with Apache.

Requirements

Installing

Apache 2.x

Generate a new CSR (certificate signing request) with the generator script from CAcert. The example below is for example.org.

wget http://svn.cacert.org/CAcert/Software/CSRGenerator/csr
sh csr

The session looks something like this:

 example@example ~ $ sh csr
 Private Key and Certificate Signing Request Generator
 This script was designed to suit the request format needed by
 the CAcert Certificate Authority. www.CAcert.org
 Short Hostname (ie. imap big_srv www2): example
 FQDN/CommonName (ie. www.example.com) : example.org
 Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
 SubjectAltName: DNS:example.org
 SubjectAltName: DNS:www.example.org
 SubjectAltName: DNS:foo.example.org
 SubjectAltName: DNS:www.foo.example.org
 SubjectAltName: DNS:bar.example.org
 SubjectAltName: DNS:www.bar.example.org
 SubjectAltName: DNS:example.bar
 SubjectAltName: DNS:www.example.bar
 SubjectAltName: DNS:
 Running OpenSSL...
 Generating a 2048 bit RSA private key
 ........................................................+++
 ................................................+++
 writing new private key to '/home/chris/example_privatekey.pem'
 -----
 Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
 When you receive your certificate, you 'should' name it something like example_server.pem
 -----BEGIN CERTIFICATE REQUEST-----
 -----END CERTIFICATE REQUEST-----
 The Certificate request is also available in /home/example/example_csr.pem
 The Private Key is stored in /home/example/example_privatekey.pem

Paste the request into the cacert.org web form. Put the server certificate it issues into the file /home/example/example_cert.pem:

 example@example ~ $ cat > /home/example/example_cert.pem
 <paste output from cacert.org webpage into term>
 <ctrl + d key> (this tells cat to finish and save; it must be pressed on an empty line)
 example@example ~ $ mv /home/example/example_{privatekey,cert}.pem /etc/apache2/ssl/

Configuring

Apache 2.2.x

Edit /etc/apache2/vhosts.d/00_default_ssl_vhost.conf.

File: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
<VirtualHost _default_:443>
        ServerName example.org
        ServerAlias www.example.org
...
        SSLEngine on
        # Following 2 lines disable the weaker/older ciphers/protocol. 
        # Use with caution (older browsers and such).
        SSLCipherSuite HIGH:MEDIUM
        SSLProtocol all -SSLv2

        SSLCertificateFile /etc/apache2/ssl/example_cert.pem
        SSLCertificateKeyFile /etc/apache2/ssl/example_privatekey.pem
...
        # Uncommenting this is a good idea as long as you know what it means (line 128)
        SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire 
...

For custom configurations, edit the corresponding section inside the <VirtualHost> block of your SSL host.

Testing

Browse to the site's https:// address and check that the certificate presented is the one you installed.
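The checks below are an added example, not part of this wiki page or of the CAcert csr script: they inspect the CSR before it goes to CAcert, confirm the issued certificate matches the private key the script wrote, check the key file's mode once it is under /etc/apache2/ssl/, and fetch what a running server presents for the test step. File names are the ones the csr script printed above; the paths and host name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page or the CAcert csr script: sanity
# checks around the steps above. File names follow the csr script's output
# (example_csr.pem, example_privatekey.pem, example_cert.pem); adjust as needed.

# Show the CN the CSR carries, so it can be checked before the request is
# pasted into the CAcert web form.
csr_subject() {
    openssl req -noout -subject -in "$1"
}

# Show the SubjectAltNames in the CSR (the names typed in at the prompts).
csr_sans() {
    openssl req -noout -text -in "$1" |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Return 0 if the certificate CAcert issued really belongs to the private key
# the csr script wrote (a mismatch makes Apache refuse to start).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 if the private key file is readable by its owner only (0600/0400),
# which is what it should be once moved under /etc/apache2/ssl/.
key_is_private() {
    m=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$m" in 600|400) return 0 ;; *) return 1 ;; esac
}

# For the Testing section: print subject, issuer and validity of the
# certificate a running server actually presents (needs network access).
served_cert_info() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Usage, with the paths from the walkthrough (hypothetical locations):
#   csr_subject example_csr.pem; csr_sans example_csr.pem
#   key_matches_cert /etc/apache2/ssl/example_privatekey.pem \
#                    /etc/apache2/ssl/example_cert.pem && echo "key/cert match"
#   key_is_private /etc/apache2/ssl/example_privatekey.pem || echo "fix key mode"
#   served_cert_info example.org
```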

Related Links

Retrieved from "http://www.gentoo-wiki.info/TIP_cacert.org_SSL_certificates"

Last modified: Sun, 21 Sep 2008 22:43:00 +0000