
RE: [suse-security] Using SSL Certs



Eric,

Here are some differences I see in my working setup of Apache with SSL.

Q> Which directory?? httpd? or apache2?? or both??
  
Answer> My files are kept in: /etc/apache2/ssl.*/


Q> So in this example, if my server was 'homeserver' I would rename all the 
certs (cert.pem, key.pem & req.pem) as follows respectively: 
homeserver.crt, homeserver.key, & homeserver.csr and copy them to the 
corresponding directories?  This is the box's local name? or FQDN that 
the cert specifies?

Answer> When I generated my certs they were named by default: server.crt,
server.key, server.csr, etc. I did not rename them (myhostname.*). It works
fine this way, but if there's a reason to change the names I am not aware of
it.


Q> Edit /etc/httpd/httpd.conf:

<VirtualHost _default_:443>

   #  General setup for the virtual host
   DocumentRoot "/srv/www/htdocs"
   ServerName <SERVER-FULL-NAME>
   ServerAdmin www@<SERVER-FULL-NAME>
   ErrorLog /var/log/httpd/error_log
   TransferLog /var/log/httpd/access_log

Answer> I do not use the above example. Instead I do the following:

cd /etc/apache2/vhosts.d

cp -p vhost-ssl.template vhost-ssl.conf

vi vhost-ssl.conf

Change DocumentRoot, ServerName, ServerAdmin, etcetera to your
configuration.

By default your httpd.conf file contains a line: 

Include /etc/apache2/vhosts.d/*.conf

Which will pick up the vhost-ssl.conf file. You can also use the following
command to check the syntax of your vhost-ssl.conf file:

httpd2 -S


Q> Again, which one? apache or apache2??

   HTTPD_START_TIMEOUT="5"
   HTTPD_SEC_MOD_SSL="yes"

Answer> /etc/sysconfig/apache2







-----Original Message-----
From: Eric Kahklen [mailto:eric@xxxxxxxxxxx] 
Sent: Friday, February 06, 2004 11:25 AM
To: Philippe Vogel
Cc: suse-security@xxxxxxxx
Subject: Re: [suse-security] Using SSL Certs

Philippe,

Thanks a lot for the help! I have a few questions below.

>This will do:
>
>gensslcert --help
>
>All Options are shown!
>
>Gensslcert will generate a certificate for 2000 days (this should be long
>enough).
>  
>
I've already generated a cert with openssl.  Is gensslcert another way 
to do it or a way to test Apache?

>Go to /etc/httpd (/etc/apache2) and there to
>  
>
Which directory?? httpd? or apache2?? or both??  I am running SUSE 9.0 
which I assume is using apache2.

>ssl.crt/
>ssl.key/
>ssl.csr/
>
>and rename all new certs (<SERVERNAME>server.*) to:
>  
>
So in this example, if my server was 'homeserver' I would rename all the 
certs (cert.pem, key.pem & req.pem) as follows respectively: 
homeserver.crt, homeserver.key, & homeserver.csr and copy them to the 
corresponding directories?  This is the box's local name? or FQDN that 
the cert specifies?

>/etc/httpd/ssl.crt/server.crt
>/etc/httpd/ssl.key/server.key
>/etc/httpd/ssl.csr/server.csr
>
>
>
>Edit /etc/sysconfig/apache (apache2)
>  
>
Again, which one? apache or apache2??

>HTTPD_START_TIMEOUT="5"
>HTTPD_SEC_MOD_SSL="yes"
>
>Apache2:
>
>APACHE_SERVER_FLAGS="-D SSL"
>APACHE_MODULES=" [...] ssl"
>
>Next do a
>  
>
I should know from your above answers, but this would depend upon which 
version of Apache, correct???


Thanks a lot!!!

Eric

>SuSEconfig --module apache (or apache2)
>
>rcapache restart
>
>Check if the server comes up.
>
>Philippe
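
Added example, not part of the original messages: a shell check that the certificate and key paths named in a vhost-ssl.conf exist and that the private key is closed to group and others, whatever the files are called. It assumes the vhost file uses mod_ssl's SSLCertificateFile and SSLCertificateKeyFile directives (not shown in the thread); the sample vhost, the host name www.example.com and the empty cert/key files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify the files a vhost-ssl.conf points at.
# Assumption: paths contain no spaces and are given with the
# mod_ssl directives SSLCertificateFile / SSLCertificateKeyFile.

# Print the path argument of the first active (uncommented) directive.
directive_path() {   # $1 = directive name, $2 = config file
    awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# Return 0 when both files exist and the key has no group/other bits.
check_vhost_ssl() {  # $1 = path to vhost-ssl.conf
    cv_rc=0
    cv_crt=$(directive_path SSLCertificateFile "$1")
    cv_key=$(directive_path SSLCertificateKeyFile "$1")
    for cv_f in "$cv_crt" "$cv_key"; do
        if [ -z "$cv_f" ] || [ ! -f "$cv_f" ]; then
            echo "MISSING: '${cv_f:-directive not set}'"; cv_rc=1
        fi
    done
    # Characters 5-10 of the ls mode string are the group/other bits.
    if [ -f "$cv_key" ] && [ "$(ls -ld "$cv_key" | cut -c5-10)" != "------" ]; then
        echo "KEY TOO OPEN: $cv_key"; cv_rc=1
    fi
    return $cv_rc
}

# Constructed sample: a throwaway vhost file plus empty cert/key files.
make_sample() {      # $1 = target directory, $2 = key mode (e.g. 600)
    mkdir -p "$1/ssl.crt" "$1/ssl.key"
    : > "$1/ssl.crt/server.crt"; : > "$1/ssl.key/server.key"
    chmod "$2" "$1/ssl.key/server.key"
    cat > "$1/vhost-ssl.conf" <<EOF
<VirtualHost _default_:443>
   ServerName www.example.com
   SSLEngine on
   SSLCertificateFile $1/ssl.crt/server.crt
   SSLCertificateKeyFile $1/ssl.key/server.key
</VirtualHost>
EOF
}

# Demonstration run: a world-readable key is reported as a finding.
demo=$(mktemp -d)
make_sample "$demo" 644
check_vhost_ssl "$demo/vhost-ssl.conf" || echo "fix the findings, then run: httpd2 -S"
rm -rf "$demo"
```

On a real host, pass /etc/apache2/vhosts.d/vhost-ssl.conf to check_vhost_ssl instead of the sample.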
