frankyueh/Setup StartSSL on Apache Server (OpenSSL)

## Setup StartSSL on Apache Server (OpenSSL)

Setup StartSSL on Apache Server (OpenSSL)
=====================================


This is a note about how to make a certificate request for StartSSL https://www.startssl.com/ and setup correctly for Apache Server.

----------

[toc]

----------

Key/Request (Self-Signed Cert) Generation
---------------------------------------------------------

### Generate a Key
```
openssl genrsa -aes256 -passout "pass:%keyPassword%" -out "%keyFileName%.key" %keyStrength%
```
>**Parameters**
>: %keyPassword% - *key password*
>: %keyFileName% - *key file name*
>: %keyStrength% - *1024, 2048 or **4096***

### *Prepare a non-encrypted Key File (Optional)*
```
openssl rsa -passin "pass:%keyPassword%" -in "%keyFileName%.key" -out "%insecureKeyFileName%.key"
```
### Prepare OpenSSL Config File

In file **btt.cfg**, it have settings for self signed and also for sign request. All with wild card domain name setup. Although we cannot request for a wild card domain name without higher CA Class Level, but still works fine with lower Level Request.

First you need copy original OpenSSL config file, and then do following altering:

#### Add/Setup extensions for request
```
req_extensions = v3_req
```
>Uncomment or add above line in **[ req ]** section

```
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alternate_names

[ alternate_names ]
DNS.1 = *.example.com
DNS.2 = example.com
```
>Uncomment or add [ v3_req ] and [ alternate_names ] sections in the config file

#### *Add/Setup extensions for self-signed Cert (Optional for Self-Signed Cert)*
*Skip this step if you have no need to produce a self-signed Cert*
```
copy_extensions = copy
```
>Uncomment or add above line in **[ CA_default ]** section

```
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
```
>Uncomment or add above lines in **[ v3_ca ]** section
>**Note:** No need to add another section [ alternate_names ] if you have already add this section in the file.
>
### Generate a Request

```
openssl req -new -sha%shaStrength% -key "%keyFileName%.key" -passin "pass:%keyPassword%" -out "%certReqFileName%.csr" -subj "/CN=%CN%" -config "%cfgFileName%"
```
>**Parameters**
>: %keyPassword% - *key password*
>: %shaStrength% - *1, 128 or **256***
>: %cfgFileName% - *config file name*

### *Generate a Self-Signed Cert (Optional)*

```
openssl req -new -x509 -sha%shaStrength% -days %certValidDays% -key "%fileName%.secure.key" -passin "pass:%keyPassword%" -out "%certFileName%.crt" -subj "/CN=%CN%" -config "%cfgFileName%"
```
>**Parameters**
>: %certValidDays% - *cert validation days*


Request from StartSSL
------------------------------

### Login Authentication

Based on it using certificate authentication key pair for Login
the browser or OS must pre-install Login usage cert/key pair **CORRECTLY**!

>**Notes:**
>Certificate file may occur wrong chain file path while installation, it may different between each environment. There just needs to remove some conflict certificate file in the certs database.
> http://www.s-jpg.com/blog/?p=48

### Certificate Request

Simply open generated request file **%certReqFileName%.csr** and paste content to StartSSL site by the request procedure. Then you will get a signed certificate file by StartCom, and save it as the file name **%certFileName%.crt**.

>**Note:**
> Open the **crt** file, there must have a signed path for your certificate file.
>
> The **root** of the signed path "*StartCom Certification Authority*" which must exists in client local side, it called **Trusted Root CA**.
>
> In the middle of signed path, there have **Intermediate CA certificate** "*StartCom Class 1 Primary Intermediate Server CA*" which not always exists in client local side. If not, client may see this **crt** file as a untrusted cert just because the missing **Intermediate CA certificate**.
>
> In this case, you may need to download intermediate certificate prepare for your server which can provide for the client. You may find the corresponding cert from the official site https://www.startssl.com/certs/sub.class1.server.ca.crt.

```
 - - StartCom Certification Authority
   |
   - - StartCom Class 1 Primary Intermediate Server CA
     |
     - - mydomain.com
```

SSL Setup for Apache
----------------------------

### Setup Key/Cert Files

```
SSLCertificateFile "%pathToYourFile%/%certFileName%.crt"
SSLCertificateChainFile "%pathToYourFile%/%subCAFileName%.crt"
SSLCertificateKeyFile "%pathToYourFile%/%keyFileName%.key"
```

### Strong SSL Security Setup

Here is an article (https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html) about each setting showing below.

#### Secure and Robust Setting for Cipher Suite

```
# enable SSLv3, for supporting much legacy browser but suffer with POODLE attack
# SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
```
>**Note:** If you still want to let more legacy browser support SSL setup like XP/IE6, you may need to enable SSLv3.

#### HTTP Strict Transport Security

```
# HSTS header setup
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

# force to https
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```
>**Note:** This config need install module **mod_rewrite** and **mod_headers**.

### Testing Each Setup

https://www.ssllabs.com/ssltest/

More Informations
------------------------

### Export key/crt/ca.crt Into PFX (Windows) File

If you want to request and install a certificate manually for Windows IIS, you only have to do is export those Key/Certificate files into a PFX file and then import the PFX file on IIS.
```
openssl pkcs12 -export -inkey %keyFileName%.key -in %certFileName%.crt -certfile subCAFileName.crt -passin "pass:%keyPassword%" -passout "pass:%pfxPassword%" -out pfxFileName.pfx
```
>**Reference:**
>https://www.openssl.org/docs/apps/pkcs12.html


### Renew StartSSL Certificate

 Simply use there Certificates Wizard from Control Panel request it again.
 >**Note: ** If certificate is not expired in 2 weeks, the following message will be shown: *A certificate with domain already exists at Class 1 level.*

	Setup StartSSL on Apache Server (OpenSSL)
	=====================================


	This is a note about how to make a certificate request for StartSSL https://www.startssl.com/ and setup correctly for Apache Server.

	----------

	[toc]

	----------

	Key/Request (Self-Signed Cert) Generation
	---------------------------------------------------------

	### Generate a Key
	```
	openssl genrsa -aes256 -passout "pass:%keyPassword%" -out "%keyFileName%.key" %keyStrength%
	```
	>Parameters
	>: %keyPassword% - key password
	>: %keyFileName% - key file name
	>: %keyStrength% - 1024, 2048 or 4096**

	### Prepare a non-encrypted Key File (Optional)
	```
	openssl rsa -passin "pass:%keyPassword%" -in "%keyFileName%.key" -out "%insecureKeyFileName%.key"
	```
	### Prepare OpenSSL Config File

	In file btt.cfg, it have settings for self signed and also for sign request. All with wild card domain name setup. Although we cannot request for a wild card domain name without higher CA Class Level, but still works fine with lower Level Request.

	First you need copy original OpenSSL config file, and then do following altering:

	#### Add/Setup extensions for request
	```
	req_extensions = v3_req
	```
	>Uncomment or add above line in [ req ] section

	```
	[ v3_req ]
	basicConstraints = CA:FALSE
	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	subjectAltName = @alternate_names

	[ alternate_names ]
	DNS.1 = *.example.com
	DNS.2 = example.com
	```
	>Uncomment or add [ v3_req ] and [ alternate_names ] sections in the config file

	#### Add/Setup extensions for self-signed Cert (Optional for Self-Signed Cert)
	Skip this step if you have no need to produce a self-signed Cert
	```
	copy_extensions = copy
	```
	>Uncomment or add above line in [ CA_default ] section

	```
	basicConstraints = CA:FALSE
	keyUsage = digitalSignature, keyEncipherment
	subjectAltName = @alternate_names
	```
	>Uncomment or add above lines in [ v3_ca ] section
	>Note: No need to add another section [ alternate_names ] if you have already add this section in the file.
	>
	### Generate a Request

	```
	openssl req -new -sha%shaStrength% -key "%keyFileName%.key" -passin "pass:%keyPassword%" -out "%certReqFileName%.csr" -subj "/CN=%CN%" -config "%cfgFileName%"
	```
	>Parameters
	>: %keyPassword% - key password
	>: %shaStrength% - 1, 128 or 256**
	>: %cfgFileName% - config file name

	### Generate a Self-Signed Cert (Optional)

	```
	openssl req -new -x509 -sha%shaStrength% -days %certValidDays% -key "%fileName%.secure.key" -passin "pass:%keyPassword%" -out "%certFileName%.crt" -subj "/CN=%CN%" -config "%cfgFileName%"
	```
	>Parameters
	>: %certValidDays% - cert validation days


	Request from StartSSL
	------------------------------

	### Login Authentication

	Based on it using certificate authentication key pair for Login
	the browser or OS must pre-install Login usage cert/key pair CORRECTLY!

	>Notes:
	>Certificate file may occur wrong chain file path while installation, it may different between each environment. There just needs to remove some conflict certificate file in the certs database.
	> http://www.s-jpg.com/blog/?p=48

	### Certificate Request

	Simply open generated request file %certReqFileName%.csr and paste content to StartSSL site by the request procedure. Then you will get a signed certificate file by StartCom, and save it as the file name %certFileName%.crt.

	>Note:
	> Open the crt file, there must have a signed path for your certificate file.
	>
	> The root of the signed path "StartCom Certification Authority" which must exists in client local side, it called Trusted Root CA.
	>
	> In the middle of signed path, there have Intermediate CA certificate "StartCom Class 1 Primary Intermediate Server CA" which not always exists in client local side. If not, client may see this crt file as a untrusted cert just because the missing Intermediate CA certificate.
	>
	> In this case, you may need to download intermediate certificate prepare for your server which can provide for the client. You may find the corresponding cert from the official site https://www.startssl.com/certs/sub.class1.server.ca.crt.

	```
	- - StartCom Certification Authority
	\|
	- - StartCom Class 1 Primary Intermediate Server CA
	\|
	- - mydomain.com
	```

	SSL Setup for Apache
	----------------------------

	### Setup Key/Cert Files

	```
	SSLCertificateFile "%pathToYourFile%/%certFileName%.crt"
	SSLCertificateChainFile "%pathToYourFile%/%subCAFileName%.crt"
	SSLCertificateKeyFile "%pathToYourFile%/%keyFileName%.key"
	```

	### Strong SSL Security Setup

	Here is an article (https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html) about each setting showing below.

	#### Secure and Robust Setting for Cipher Suite

	```
	# enable SSLv3, for supporting much legacy browser but suffer with POODLE attack
	# SSLProtocol all -SSLv2
	SSLProtocol all -SSLv2 -SSLv3
	SSLHonorCipherOrder on
	SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
	```
	>Note: If you still want to let more legacy browser support SSL setup like XP/IE6, you may need to enable SSLv3.

	#### HTTP Strict Transport Security

	```
	# HSTS header setup
	Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

	# force to https
	RewriteCond %{HTTPS} !=on
	RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
	```
	>Note: This config need install module mod_rewrite and mod_headers.

	### Testing Each Setup

	https://www.ssllabs.com/ssltest/

	More Informations
	------------------------

	### Export key/crt/ca.crt Into PFX (Windows) File

	If you want to request and install a certificate manually for Windows IIS, you only have to do is export those Key/Certificate files into a PFX file and then import the PFX file on IIS.
	```
	openssl pkcs12 -export -inkey %keyFileName%.key -in %certFileName%.crt -certfile subCAFileName.crt -passin "pass:%keyPassword%" -passout "pass:%pfxPassword%" -out pfxFileName.pfx
	```
	>Reference:
	>https://www.openssl.org/docs/apps/pkcs12.html


	### Renew StartSSL Certificate

	Simply use there Certificates Wizard from Control Panel request it again.
	>Note: If certificate is not expired in 2 weeks, the following message will be shown: A certificate with domain already exists at Class 1 level.