Differences
This shows the differences between two versions of the page.
server_und_serverdienste:tls_zertifikate_und_deren_verwendung_unter_ubuntu_und_gentoo [2017/04/01 02:44] – created by admin | server_und_serverdienste:tls_zertifikate_und_deren_verwendung_unter_ubuntu_und_gentoo [2017/04/01 18:41] – deleted by admin
Line 1: | Line 1:
- | ====== TLS Zertifikate und deren Verwendung unter Ubuntu und Gentoo ====== | ||
- | |||
- | Zuerst besorgt man sich mal ein kostenloses Zertifikat bei Startssl: https:// | ||
- | |||
- | ===== Pfade ===== | ||
- | |||
- | |||
- | Hier kann man die Pfade hinterlegen: | ||
- | | ||
- | ## Gentoo | ||
- | nano / | ||
- | | ||
- | ## Ubuntu | ||
- | nano / | ||
- | |||
- | |||
- | |||
- | ===== CSR erstellen ===== | ||
- | |||
- | | ||
- | openssl req -new -key ssl.key -out cert.csr | ||
- | |||
- | |||
- | |||
- | ===== Apache Zertifikate hinterlegen ===== | ||
- | |||
- | In Apache benötigt man bei Startssl 4 Zertifikate. | ||
- | |||
- | ==== StartCom Certification Authority (am längsten gültig ca. 2040) ==== | ||
- | |||
- | | ||
- | ## Certificate Authority (CA): | ||
- | # Set the CA certificate verification path where to find CA certificates | ||
- | # for client authentication or alternatively one huge file containing all | ||
- | # of them (file must be PEM encoded). | ||
- | # Note: Inside SSLCACertificatePath you need hash symlinks to point to the | ||
- | # certificate files. Use the provided Makefile to update the hash symlinks | ||
- | # after changes. | ||
- | SSLCACertificateFile / | ||
- | |||
- | Heist auch oft ca_root_startTLS.pem | ||
- | |||
- | |||
- | ==== StartCom Class 1 Primary Intermediate Server CA ==== | ||
- | |||
- | | ||
- | ## Server Certificate Chain: | ||
- | # Point SSLCertificateChainFile at a file containing the concatenation of | ||
- | # PEM encoded CA certificates which form the certificate chain for the | ||
- | # server certificate. Alternatively the referenced file can be the same as | ||
- | # SSLCertificateFile when the CA certificates are directly appended to the | ||
- | # server certificate for convinience. | ||
- | SSLCertificateChainFile / | ||
- | |||
- | Heist auch oft startTLSCAcert.pem | ||
- | |||
- | |||
- | ==== Private Key entschlüsselt ==== | ||
- | |||
- | | ||
- | ## Server Private Key: | ||
- | # If the key is not combined with the certificate, | ||
- | # point at the key file. Keep in mind that if you've both a RSA and a DSA | ||
- | # private key you can configure both in parallel (to also allow the use of | ||
- | # DSA ciphers, etc.) | ||
- | SSLCertificateKeyFile / | ||
- | |||
- | |||
- | ==== Zertifikat ==== | ||
- | |||
- | | ||
- | ## Server Certificate: | ||
- | # Point SSLCertificateFile at a PEM encoded certificate. If the certificate | ||
- | # is encrypted, then you will be prompted for a pass phrase. Note that a | ||
- | # kill -HUP will prompt again. Keep in mind that if you have both an RSA | ||
- | # and a DSA certificate you can configure both in parallel (to also allow | ||
- | # the use of DSA ciphers, etc.) | ||
- | SSLCertificateFile / | ||
- | |||
- | |||
- | Um nach Einrichtung alles zu überprüfen bedient man sich openssl am localhost: | ||
- | | ||
- | openssl s_client -connect localhost: | ||
- | |||
- | Das Ergebnis sollte dann ca. so aussehen: | ||
- | | ||
- | CONNECTED(00000003) | ||
- | SSL_connect: | ||
- | SSL_connect: | ||
- | SSL3 alert read: | ||
- | SSL_connect: | ||
- | 140679657948816: | ||
- | 140679657948816: | ||
- | --- | ||
- | no peer certificate available | ||
- | --- | ||
- | No client certificate CA names sent | ||
- | --- | ||
- | SSL handshake has read 7 bytes and written 0 bytes | ||
- | --- | ||
- | New, (NONE), Cipher is (NONE) | ||
- | Secure Renegotiation IS NOT supported | ||
- | Compression: | ||
- | Expansion: NONE | ||
- | No ALPN negotiated | ||
- | SSL-Session: | ||
- | Protocol | ||
- | Cipher | ||
- | Session-ID: | ||
- | Session-ID-ctx: | ||
- | Master-Key: | ||
- | Key-Arg | ||
- | PSK identity: None | ||
- | PSK identity hint: None | ||
- | SRP username: None | ||
- | Start Time: 1453931519 | ||
- | Timeout | ||
- | Verify return code: 0 (ok) | ||
- | |||
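Review bot: The sample output introduced by "Das Ergebnis sollte dann ca. so aussehen" documents a failed handshake rather than a working TLS setup: "no peer certificate available", "SSL handshake has read 7 bytes and written 0 bytes" and "New, (NONE), Cipher is (NONE)" mean the server sent an alert and no certificate, protocol or cipher was negotiated, so the closing "Verify return code: 0 (ok)" only reflects that nothing was verified, not that the chain is valid. A check that actually confirms the configuration would show the presented certificate chain, a negotiated protocol and cipher, and a verify result against the CA file configured in SSLCACertificateFile. Two smaller points in the same hunk: the CSR step "openssl req -new -key ssl.key -out cert.csr" uses ssl.key without any preceding key-generation step, and the key referenced by SSLCertificateKeyFile is described as unencrypted ("Private Key entschlüsselt") without noting the file permissions it then requires; and every path in the directives and commands is cut off at "/", so the page cannot be followed as written.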