Created
February 1, 2015 18:59
Setup StartSSL on Apache Server (OpenSSL)
=====================================

This note describes how to create a certificate request for StartSSL (https://www.startssl.com/) and set the result up correctly on an Apache server.

----------

[toc]

----------

Key/Request (Self-Signed Cert) Generation
---------------------------------------------------------

### Generate a Key

```
openssl genrsa -aes256 -passout "pass:%keyPassword%" -out "%keyFileName%.key" %keyStrength%
```

>**Parameters**
>: %keyPassword% - *key password*
>: %keyFileName% - *key file name*
>: %keyStrength% - *1024, 2048 or **4096***

### *Prepare a non-encrypted Key File (Optional)*

```
openssl rsa -passin "pass:%keyPassword%" -in "%keyFileName%.key" -out "%insecureKeyFileName%.key"
```

### Prepare OpenSSL Config File

The file **btt.cfg** holds the settings for both the self-signed certificate and the signing request, all with a wildcard domain name configured. A wildcard domain name cannot be requested without a higher CA class level, but the configuration still works fine for a lower-level request.

First, copy the original OpenSSL config file, then make the following changes:

#### Add/Setup extensions for request

```
req_extensions = v3_req
```

>Uncomment or add the above line in the **[ req ]** section

```
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = *.example.com
DNS.2 = example.com
```

>Uncomment or add the [ v3_req ] and [ alternate_names ] sections in the config file

#### *Add/Setup extensions for self-signed Cert (Optional for Self-Signed Cert)*

*Skip this step if you do not need to produce a self-signed cert.*

```
copy_extensions = copy
```

>Uncomment or add the above line in the **[ CA_default ]** section

```
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
```

>Uncomment or add the above lines in the **[ v3_ca ]** section

>**Note:** There is no need to add another [ alternate_names ] section if you have already added it to the file.

### Generate a Request

```
openssl req -new -sha%shaStrength% -key "%keyFileName%.key" -passin "pass:%keyPassword%" -out "%certReqFileName%.csr" -subj "/CN=%CN%" -config "%cfgFileName%"
```

>**Parameters**
>: %keyPassword% - *key password*
>: %shaStrength% - *1, 128 or **256***
>: %cfgFileName% - *config file name*
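
A quick check that the config edits actually reached the request, as an added example that is not part of the original note: it builds a CSR with and without the `req_extensions` line and lists the SANs found in each. The throwaway unencrypted key, the file names `req.cfg`, `demo.key` and `demo.csr`, and the function names are assumptions made for the demo.

```shell
# Added example: throwaway key, constructed file names, minimal config
# carrying the note's [ v3_req ] / [ alternate_names ] sections.
make_csr() {   # $1 = work dir, $2 = "on" keeps req_extensions, else it is left out
  ext=""
  if [ "$2" = on ]; then ext="req_extensions = v3_req"; fi
  cat > "$1/req.cfg" <<EOF
[ req ]
distinguished_name = req_dn
$ext
[ req_dn ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = *.example.com
DNS.2 = example.com
EOF
  openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout "$1/demo.key" \
    -out "$1/demo.csr" -subj "/CN=example.com" -config "$1/req.cfg" 2>/dev/null
}

csr_sans() {   # $1 = CSR file; prints one DNS name per line, nothing if no SAN
  openssl req -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n1 |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

csr_signature_ok() {   # $1 = CSR file; checks the CSR's self-signature
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
```

If `csr_sans` prints nothing for your real `.csr`, the `req_extensions` line in the **[ req ]** section is still commented out or the wrong config file was passed to `-config`.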

### *Generate a Self-Signed Cert (Optional)*

```
openssl req -new -x509 -sha%shaStrength% -days %certValidDays% -key "%fileName%.secure.key" -passin "pass:%keyPassword%" -out "%certFileName%.crt" -subj "/CN=%CN%" -config "%cfgFileName%"
```

>**Parameters**
>: %certValidDays% - *number of days the cert is valid*

Request from StartSSL
------------------------------

### Login Authentication

StartSSL uses a client certificate key pair for login, so the login cert/key pair must be installed **CORRECTLY** in the browser or OS beforehand!

>**Notes:**
>The certificate may end up with a wrong chain path during installation, and this can differ between environments. The fix is simply to remove the conflicting certificate files from the certs database.
> http://www.s-jpg.com/blog/?p=48

### Certificate Request

Simply open the generated request file **%certReqFileName%.csr** and paste its content into the StartSSL site as part of the request procedure. You will then get a certificate file signed by StartCom; save it as **%certFileName%.crt**.

>**Note:**
> Open the **crt** file; it must show a signing path for your certificate.
>
> The **root** of the signing path, "*StartCom Certification Authority*", must exist on the client side; it is called the **Trusted Root CA**.
>
> In the middle of the signing path there is the **Intermediate CA certificate** "*StartCom Class 1 Primary Intermediate Server CA*", which does not always exist on the client side. If it does not, the client may treat this **crt** file as an untrusted cert just because the **Intermediate CA certificate** is missing.
>
> In this case, you need to download the intermediate certificate so that your server can provide it to the client. You can find the corresponding cert on the official site: https://www.startssl.com/certs/sub.class1.server.ca.crt.

```
- - StartCom Certification Authority
    |
    - - StartCom Class 1 Primary Intermediate Server CA
        |
        - - mydomain.com
```

SSL Setup for Apache
----------------------------

### Setup Key/Cert Files

```
SSLCertificateFile "%pathToYourFile%/%certFileName%.crt"
SSLCertificateChainFile "%pathToYourFile%/%subCAFileName%.crt"
SSLCertificateKeyFile "%pathToYourFile%/%keyFileName%.key"
```
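
Two checks worth running on these three files before reloading Apache, as an added example that is not part of the original note: the key must belong to the certificate, and the certificate must verify against the root only when the intermediate is supplied. The root, intermediate and leaf here are a locally constructed demo PKI standing in for the StartCom chain; all file and function names are assumptions.

```shell
# Added example: demo PKI (root -> intermediate -> leaf) built locally,
# with made-up names, so the checks can run offline.
build_demo_chain() {   # $1 = work dir
  (
    set -e
    cd "$1"
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca
[ dn ]
[ ca ]
basicConstraints = critical,CA:TRUE
[ leaf ]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config demo.cnf \
      -subj "/CN=Demo Root CA" -keyout root.key -out root.crt
    for n in sub leaf; do
      openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
        -subj "/CN=demo-$n" -keyout "$n.key" -out "$n.csr"
    done
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 2 -extfile demo.cnf -extensions ca -out sub.crt
    openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
      -days 2 -extfile demo.cnf -extensions leaf -out leaf.crt
  ) >/dev/null 2>&1
}

key_matches_cert() {   # $1 = cert (SSLCertificateFile), $2 = key (SSLCertificateKeyFile)
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

chain_ok() {   # $1 = trusted root, $2 = server cert, $3 = optional intermediate
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}
```

`chain_ok root.crt leaf.crt` failing while `chain_ok root.crt leaf.crt sub.crt` succeeds is the same situation a client is in when `SSLCertificateChainFile` is missing; with an encrypted key, `openssl pkey` will prompt for the passphrase.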

### Strong SSL Security Setup

The following article explains each of the settings shown below: https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

#### Secure and Robust Setting for Cipher Suite

```
# Enabling SSLv3 supports more legacy browsers but exposes them to the POODLE attack:
# SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
# Let the server, not the client, pick the cipher from the ordered list below
SSLHonorCipherOrder on
# Check what this string expands to with: openssl ciphers -v '<string>'
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
```

>**Note:** If you still want legacy browsers such as IE6 on XP to be supported, you may need to enable SSLv3.

#### HTTP Strict Transport Security

```
# HSTS header setup
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
# Redirect plain HTTP requests to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

>**Note:** This config requires the **mod_rewrite** and **mod_headers** modules to be installed.

### Testing Each Setup

https://www.ssllabs.com/ssltest/

More Information
------------------------

### Export key/crt/ca.crt Into PFX (Windows) File

If you want to request and install a certificate manually for Windows IIS, all you have to do is export the key/certificate files into a PFX file and then import the PFX file into IIS.

```
openssl pkcs12 -export -inkey "%keyFileName%.key" -in "%certFileName%.crt" -certfile "%subCAFileName%.crt" -passin "pass:%keyPassword%" -passout "pass:%pfxPassword%" -out "%pfxFileName%.pfx"
```

>**Reference:**
>https://www.openssl.org/docs/apps/pkcs12.html

### Renew StartSSL Certificate

Simply use their Certificates Wizard from the Control Panel to request it again.

>**Note:** If the certificate is not due to expire within 2 weeks, the following message will be shown: *A certificate with domain already exists at Class 1 level.*