SSL: Difference between revisions
Jump to navigation
Jump to search
(→Links) |
|||
| Line 35: | Line 35: | ||
</source> |
</source> |
||
== Generate a new SSL certificate for Apache server == |
== Generate a new self-signed SSL certificate for Apache server == |
||
* Generate the certificate [https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html], and change permission |
* Generate the certificate [https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html], and change permission |
||
<source lang=bash> |
<source lang=bash> |
||
| Line 58: | Line 58: | ||
sudo service apache2 restart # OR /usr/local/apache/bin/apachectl restart |
sudo service apache2 restart # OR /usr/local/apache/bin/apachectl restart |
||
</source> |
</source> |
||
== Accept self-signed certificates (bypass browser warning) == |
|||
;Internet Explorer |
|||
* Click on the ''error certificate'' icon in address bar, |
|||
* Cick ''View certificates'', |
|||
* then click ''Install certificate...''. |
|||
* Server public certificate must be imported in the '''Trusted Root Certification Authorities''' (and *not* in ''Intermediate CA'' which is chosen in automatic mode). |
|||
Revision as of 08:36, 7 May 2015
Links
Questions
- What are file types .crt, .pem, .key
- Given a file, how can recognize its type?
Split PKCS#12 certificate into CA / Cert / Private key
Use openssl pkcs12 to split a pkcs#12 data into the CA / certificates / private keys component. By default, PKCS#12 produces PEM files [1].
openssl pkcs12 -in mywindowscert.pfx -nocerts -out mycert.key
openssl pkcs12 -in mywindowscert.pfx -clcerts -nokeys -out mycert.crt.pem
openssl pkcs12 -in mywindowscert.pfx -cacerts -nokeys -out mycert.ca.pem
Checking Certificate Chain with OpenSSL
Checking A Remote Certificate Chain With OpenSSL
Change .p12 / .pfx password
Say you have a private key / certificate file mycert.pfx, and you want to change its password:
# Strangely we cannot pipe output of 1st command into 2nd (error 'No certificate matches private key')
openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes # Don't encrypt private key at all
openssl pkcs12 -export -in mycert.pem -out mycert-new.pfx
rm mycert.pem # DON'T FORGET THIS!
Extract key from .p12/ .pfx
openssl pkcs12takes a file in pkcs#12 format (.p12/.pfx) and produces a file in PEM format, that is parseable withopenssl rsa. The PEM may contain either private key, certificates, root certificates or even public keys.
openssl pkcs12 -in mycert.pfx -out mycert.pem -nocerts -nodes # Don't encrypt private key at all, don't output certificates
openssl rsa -noout -modulus -in mycert.pem # To extract the modulus
openssl rsa -noout -text -in mycert.pem # To extract all the fields
Generate a new self-signed SSL certificate for Apache server
- Generate the certificate [2], and change permission
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ssl-cert-myserver.key -out ssl-cert-myserver.pem
sudo chgrp ssl-cert ssl-cert-myserver.key
sudo chmod 640 ssl-cert-myserver.key
sudo mv ssl-cert-myserver.key /etc/ssl/private
sudo mv ssl-cert-myserver.pem /etc/ssl/certs
- Edit SSL config for Apache (typically file /etc/apache2/sites-available/default-ssl.conf):
<VirtualHost _default_:443>
DocumentRoot /var/www/website
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-myserver.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-myserver.key
</VirtualHost>
- Restart Apache:
sudo service apache2 restart # OR /usr/local/apache/bin/apachectl restart
Accept self-signed certificates (bypass browser warning)
- Internet Explorer
- Click on the error certificate icon in address bar,
- Cick View certificates,
- then click Install certificate....
- Server public certificate must be imported in the Trusted Root Certification Authorities (and *not* in Intermediate CA which is chosen in automatic mode).