Generating SSL certificates
Create the folder where the certificates and the private key will be kept:
mkdir /var/SSL && cd /var/SSL
Generate the private key (domeniu.com.key) with OpenSSL, either in a terminal on the domain's server or from the control panel:
openssl genrsa -out /var/SSL/domeniu.com.key 2048
Create the certificate signing request "domeniu.com.csr" from that key:
openssl req -new -sha256 -key /var/SSL/domeniu.com.key -out /var/SSL/domeniu.com.csr
Country: RO
State or Province: Galati
City or Locality: Galati
Organization Name: Home
Organizational Unit: IT
Common Name: domeniu.com
The challenge password is left empty (press Enter).
Check the contents of the CSR:
openssl req -noout -text -in /var/SSL/domeniu.com.csr
At this point there is a private key (domeniu.com.key), which stays installed on the domain's server, and the signing request (domeniu.com.csr), which is sent to a commercial certificate authority (Comodo, VeriSign, GoDaddy, etc.) so that it issues the signed certificate, the public half of the pair, with the .crt extension.
GoDaddy returns 2 files: fa87f784d9b6ea29.crt and gd_bundle-g2-g1.crt. The first is domeniu.com.csr digitally signed by GoDaddy and is renamed domeniu.com.crt; the second is the certificate authority's intermediate certificate and is renamed intermediate.crt. Both files are saved in /var/SSL.
Concatenate the two files, server certificate first:
cat domeniu.com.crt intermediate.crt > domeniu.com.chained.crt
Comodo returns 4 files: Root (AddTrustExternalCARoot.crt and COMODORSAAddTrustCA.crt), Intermediate (COMODORSADomainValidationSecureServerCA.crt) and the Primary Certificate (domeniu.com.crt).
Concatenate the 4 files in the order Primary, Intermediate, Root:
cat domeniu.com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > domeniu.com.pem
The resulting concatenated file consists of the certificates as consecutive PEM blocks, each delimited by a -----BEGIN CERTIFICATE----- and an -----END CERTIFICATE----- line, in the order given above.
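To confirm that a concatenated chain file such as domeniu.com.chained.crt or domeniu.com.pem really is ordered leaf, intermediate, root, here is an added example (not part of the original tutorial): a small Python script that splits the PEM blocks, walks just enough of the DER to read each certificate's issuer and subject Names, and checks that every issuer equals the next certificate's subject. Names are compared as raw DER bytes and no signatures are verified; the fake_cert() data at the bottom is a constructed skeleton, not real CA output.

```python
import base64, re

def der_tlv(data, pos=0):   # decode one DER tag-length-value; returns (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(body):     # all TLVs directly inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos)
        out.append((tag, val))
    return out

def issuer_and_subject(der_cert):   # raw DER issuer/subject Name values of an X.509 cert
    _, cert_body, _ = der_tlv(der_cert)   # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert_body)        # tbsCertificate is its first child
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:              # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]     # serial, sigAlg, issuer, validity, subject, ...

def split_pem(text):        # DER bytes of every CERTIFICATE block, in file order
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def check_chain(pem_text):
    """Leaf-first order check: each cert's issuer must equal the next cert's subject.
    Returns (True, number_of_certs) or (False, index of the first broken link)."""
    certs = split_pem(pem_text)
    for i in range(len(certs) - 1):
        if issuer_and_subject(certs[i])[0] != issuer_and_subject(certs[i + 1])[1]:
            return False, i
    return True, len(certs)

# --- constructed sample data: minimal, unsigned certificates (not real CA output) ---
def _tlv(tag, body):        # DER TLV encoder, short and long length forms
    n = len(body)
    k = (n.bit_length() + 7) // 8
    ln = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + ln + body
def _name(cn):              # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))
def fake_cert(subject, issuer):   # PEM text of a skeleton certificate; signature field is bogus
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")                    # v3, serial 1
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))        # sha256WithRSA
           + _name(issuer) + _tlv(0x30, b"") + _name(subject))                      # issuer, validity, subject
    cert = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
```

For a real file run `print(check_chain(open("/var/SSL/domeniu.com.pem").read()))`; a result of (False, 0) means the server certificate is not followed by its issuing intermediate.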
Configuring the Apache server
cd /etc/apache2/sites-available
cp 000-default.conf 000-default.conf.orig
nano 000-default.conf
Replace the contents of the file with the following:
<VirtualHost *:80>
    ServerName domeniu.com
    ServerAlias www.domeniu.com
    # send all plain-HTTP requests to the HTTPS site
    Redirect permanent / https://domeniu.com/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
    # ServerName must match the Common Name in the certificate (domeniu.com)
    ServerName domeniu.com
    ServerAlias www.domeniu.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    SSLEngine on
    # server certificate followed by the intermediate(s): the concatenated file built above
    # (domeniu.com.pem in the Comodo case). Apache 2.4.8+ sends the chain from this file;
    # SSLCACertificateFile is for verifying client certificates and does not send the chain to browsers.
    SSLCertificateFile /var/SSL/domeniu.com.chained.crt
    SSLCertificateKeyFile /var/SSL/domeniu.com.key
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Enable the Apache SSL module:
a2enmod ssl
Enable support for "perfect forward secrecy" in the ssl module:
nano /etc/apache2/mods-available/ssl.conf
Enable "SSLHonorCipherOrder on" and replace "SSLCipherSuite HIGH:!aNULL" with:
SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
Note that RC4 is considered broken and that the suites without an ECDHE or DHE key exchange (AES128-SHA, RC4-SHA) give no forward secrecy; current guidance is to restrict the list to ECDHE/DHE suites and add !RC4.
Save the file and restart Apache:
systemctl restart apache2.service
Check the domain in a browser:
https://domeniu.com