Difference between revisions of "SSL-self-signed-certificate-creation-and-config"
		
		
		
		
		
| m (2017-07-25 - Ted adding top-of-article links to search engines and more general pages.) | |||
| Line 156: | Line 156: | ||
| *  https://certbot.eff.org/#ubuntuxenial-apache | *  https://certbot.eff.org/#ubuntuxenial-apache | ||
| + | Invoking certbot to obtain certificate for one sub-domain: | ||
| + | *  https://community.letsencrypt.org/t/certificate-for-just-a-subdomain/23785/4 | ||
Revision as of 23:59, 23 August 2017
- 2017-07-20 Thursday -
The first instructions Ted found on setting up SSL and configuring the Apache2 web server to use it:
Copy of the summary of steps from the on-line instructions above:
"
Here's what we're going to do, in order:

-   Make sure Apache has SSL enabled.
-   Generate a certificate signing request (CSR).
-   Generate a self-signed certificate.
-   Copy the certificate and keys we've generated.
-   Tell Apache about the certificate.
-   Modify the VirtualHosts to use the certificate.
-   Restart Apache and test.
"
Note From SSL Config On Generic Server
 
STEP 1
    ted@localhost:~$ sudo a2enmod ssl
    Enabling module ssl.
    See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
    Run '/etc/init.d/apache2 restart' to activate new configuration!
    ted@localhost:~$
STEP 2
    ted@localhost:~$ # https://www.linux.com/learn/creating-self-signed-ssl-certificates-apache-linux
    ted@localhost:~$ # STEP 2
    ted@localhost:~$ sudo openssl req -new > new.ssl.csr
    Generating a 1024 bit RSA private key
    ...........++++++
    .................................++++++
    writing new private key to 'privkey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    Verify failure
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Oregon
    Locality Name (eg, city) []:Portland
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:General Industry
    Organizational Unit Name (eg, section) []:Web and CMS
    Common Name (eg, YOUR name) []:Ted Havelka
    Email Address []:ted@general-industry.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:.
    An optional company name []:.
    ted@localhost:~$
Checking for new files . . .
    ted@localhost:~$ ls -lt
    total 60
    -rw-r--r-- 1 ted ted 720 2017-07-20 12:22 new.ssl.csr
    -rw-r--r-- 1 root root 963 2017-07-20 12:22 privkey.pem
    drwxr-xr-x 2 ted ted 4096 2017-05-05 15:08 archive
    . . .
STEP 3
    ted@localhost:~$ sudo openssl rsa -in privkey.pem -out new.cert.key
    Enter pass phrase for privkey.pem:
    writing RSA key
    ted@localhost:~$
    ted@localhost:~$ sudo openssl x509 -in new.ssl.csr -out new.cert.cert -req -signkey new.cert.key -days 365
    Signature ok
    subject=/C=US/ST=Oregon/L=Portland/O=General Industry/OU=Alta/CN=Ted Havelka/emailAddress=ted@general-industry.com
    Getting Private key
    ted@localhost:~$ sudo cp new.cert.cert /etc/ssl/certs/server-localhost.crt
    [sudo] password for ted:
    ted@localhost:~$ sudo cp new.cert.key /etc/ssl/private/server-localhost.key
Checking permissions of newly created private key file:
    ted@localhost:/etc/ssl$ sudo su
    # id
    uid=0(root) gid=0(root) groups=0(root)
    # cd private/
    # ls -l
    total 8
    -rw-r--r-- 1 root root 887 2017-07-20 14:15 server-localhost.key
    -rw-r----- 1 root ssl-cert 1679 2011-05-10 08:24 ssl-cert-snakeoil.key
    # exit
    exit
    ted@localhost:/etc/ssl$ ls -l /etc/ssl/certs/server-localhost.crt
    -rw-r--r-- 1 root root 993 2017-07-20 14:14 /etc/ssl/certs/server-localhost.crt
    ted@localhost:/etc/ssl$
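An added example (not part of these notes or of the linux.com article): the listing above shows server-localhost.key as -rw-r--r-- beside the packaged snakeoil key at -rw-r-----, and step 2 reported a 1024-bit key, so these shell functions audit a key file for both conditions and generate a 2048-bit key and self-signed certificate in one non-interactive command. They assume GNU stat and the openssl CLI; the function names, the server.key/server.crt file names and the CN argument are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original notes. Assumes GNU stat and the
# openssl CLI; function names, directory layout and CN are hypothetical.

# Succeeds only if the key file's mode is no wider than 0640
# (no permission bits for "other", no group write/execute).
key_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 0037 )) -eq 0 ]
}

# Prints the key size in bits; prints nothing if the file is not an
# unencrypted private key. The audit below treats the number as an RSA size.
key_bits() {
    openssl pkey -in "$1" -noout -text -passin pass: 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Prints one line per finding and returns 0 only when the key passes.
# $2 is the minimum acceptable RSA size in bits (default 2048).
audit_key() {
    local key min bits rc
    key=$1; min=${2:-2048}; rc=0
    if ! key_mode_ok "$key"; then
        echo "FAIL $key: mode $(stat -c '%a' "$key") is wider than 0640"
        rc=1
    fi
    bits=$(key_bits "$key")
    if [ -z "$bits" ]; then
        echo "FAIL $key: cannot read an unencrypted private key"
        rc=1
    elif [ "$bits" -lt "$min" ]; then
        echo "FAIL $key: $bits-bit key, want at least $min"
        rc=1
    fi
    return $rc
}

# One-command, non-interactive alternative to steps 2 and 3: writes
# $1/server.key (no passphrase, created 0600 via umask) and $1/server.crt.
make_selfsigned() (
    umask 077
    openssl req -x509 -newkey "rsa:${3:-2048}" -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
)
```

Run as root, `audit_key /etc/ssl/private/server-localhost.key` checks the file copied in step 3.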
Certificate Authorities and CertBot
Invoking certbot to obtain certificate for one sub-domain: