
Re: [suse-security] Using SSL Certs



It appears there are a million ways to define things, which makes it extremely frustrating. I'd like to keep things as "standard" as possible so down the road when I am troubleshooting things I don't forget where certain configs are kept or their dependencies get screwed up for path problems. Does anyone know where I can find a "How To" that explains this stuff from start to finish? Most of the docs I find either aren't complete or reference other distros, and the location of things isn't the same.


Thanks,
Eric


Shaun Hess wrote:

Eric,

Here are some differences I see in my working setup of Apache with SSL.

Q> Which directory?? httpd? or apache2?? or both??
Answer> My files are kept in: /etc/apache2/ssl.*/


Q> So in this example, if my server was 'homeserver' I would rename all the certs (cert.pem, key.pem & req.pem) as follows respectively: homeserver.crt, homeserver.key, & homeserver.csr and copy them to the corresponding directories? This is the box's local name? or FQDN that the cert specifies?

Answer> When I generated my certs they were named by default: server.crt,
server.key, server.csr, etc. I did not rename them (myhostname.*). It works
fine this way, but if there's a reason to change the names I am not aware of
it.


Q> Edit /etc/httpd/httpd.conf:

<VirtualHost _default_:443>

  #  General setup for the virtual host
  DocumentRoot "/srv/www/htdocs"
  ServerName <SERVER-FULL-NAME>
  ServerAdmin www@<SERVER-FULL-NAME>
  ErrorLog /var/log/httpd/error_log
  TransferLog /var/log/httpd/access_log

Answer> I do not use the above example. Instead I do the following:

cd /etc/apache2/vhosts.d

cp -p vhost-ssl.template vhost-ssl.conf

vi vhost-ssl.conf

Change DocumentRoot, ServerName, ServerAdmin, etcetera to your
configuration.

By default your httpd.conf file contains a line:
Include /etc/apache2/vhosts.d/*.conf

Which will pick up the vhost-ssl.conf file. You can also use the following
command to check the syntax of your vhost-ssl.conf file:

httpd2 -S


Q> Again, which one? apache or apache2??

  HTTPD_START_TIMEOUT="5"
  HTTPD_SEC_MOD_SSL="yes"

Answer> /etc/sysconfig/apache2







-----Original Message-----
From: Eric Kahklen [mailto:eric@xxxxxxxxxxx]
Sent: Friday, February 06, 2004 11:25 AM
To: Philippe Vogel
Cc: suse-security@xxxxxxxx
Subject: Re: [suse-security] Using SSL Certs

Philippe,

Thanks a lot for the help! I have a few questions below.

This will do:

gensslcert --help

All Options are shown!

Gensslcert will generate a certificate for 2000 days (this should be long
enough).


I've already generated a cert with openssl. Is gensslcert another way to do it or a way to test Apache?

Go to /etc/httpd (/etc/apache2) and there to


Which directory?? httpd? or apache2?? or both?? I am running SUSE 9.0 which I assume is using apache2.

ssl.crt/
ssl.key/
ssl.csr/

and rename all new certs (<SERVERNAME>server.*) to:


So in this example, if my server was 'homeserver' I would rename all the certs (cert.pem, key.pem & req.pem) as follows respectively: homeserver.crt, homeserver.key, & homeserver.csr and copy them to the corresponding directories? This is the box's local name? or FQDN that the cert specifies?

/etc/httpd/ssl.crt/server.crt
/etc/httpd/ssl.key/server.key
/etc/httpd/ssl.csr/server.csr



Edit /etc/sysconfig/apache (apache2)


Again, which one? apache or apache2??

HTTPD_START_TIMEOUT="5"
HTTPD_SEC_MOD_SSL="yes"

Apache2:

APACHE_SERVER_FLAGS="-D SSL"
APACHE_MODULES=" [...] ssl"

Next do a


I should know from your above answers, but this would depend upon which version of apache correct???


Thanks a lot!!!

Eric

SuSEconfig --module apache (or apache2)

rcapache restart

Check if the server comes up.

Philippe
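
An added example, not part of the original thread and not code from SUSE or Apache: a shell check for the file layout discussed above. It reads the SSLCertificateFile and SSLCertificateKeyFile directives (standard mod_ssl directives, not quoted in the thread) from a vhost file such as vhost-ssl.conf and reports missing files or a private key that group or others can access. The function names are hypothetical, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: audit the TLS file references in an Apache vhost file.
# Prints one finding per line; returns 0 when clean, 1 otherwise.

# Return 0 if the file grants no permission bits to group or others.
key_is_private() {
    # Characters 5-10 of the mode string are the group and other columns,
    # e.g. "-rw-------" yields "------". -L follows a symlinked key.
    perms=$(ls -ldL "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print the path argument of a directive (case-insensitive, as Apache
# treats directive names), skipping commented-out lines.
directive_path() {
    awk -v d="$1" 'tolower($1) == tolower(d) {
        gsub(/"/, "", $2); print $2; exit
    }' "$2"
}

audit_vhost() {
    conf=$1
    rc=0
    crt=$(directive_path SSLCertificateFile "$conf")
    key=$(directive_path SSLCertificateKeyFile "$conf")
    [ -n "$crt" ] || { echo "MISSING directive SSLCertificateFile"; rc=1; }
    [ -n "$key" ] || { echo "MISSING directive SSLCertificateKeyFile"; rc=1; }
    if [ -n "$crt" ] && [ ! -r "$crt" ]; then
        echo "UNREADABLE certificate $crt"; rc=1
    fi
    if [ -n "$key" ]; then
        if [ ! -f "$key" ]; then
            echo "MISSING key $key"; rc=1
        elif ! key_is_private "$key"; then
            echo "LOOSE-PERMS key $key"; rc=1
        fi
    fi
    return $rc
}

# Stand-alone use: sh audit.sh /etc/apache2/vhosts.d/vhost-ssl.conf
if [ "$#" -gt 0 ]; then
    audit_vhost "$1"
fi
```

A LOOSE-PERMS finding is cleared by restricting the key to its owner, for example `chmod 600` on the file under ssl.key/.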


