Differences
This page shows the differences between two versions of the page.
server_und_serverdienste:tls_zertifikate_und_deren_verwendung_unter_ubuntu_und_gentoo [2017/04/01 18:41] – deleted by admin | server_und_serverdienste:tls_zertifikate_und_deren_verwendung_unter_ubuntu_und_gentoo [2017/04/01 19:00] (current) – created by admin
Line 1: | Line 1:
+ | ====== TLS Zertifikate und deren Verwendung unter Ubuntu und Gentoo ====== | ||
+ | |||
+ | Zuerst besorgt man sich mal ein kostenloses Zertifikat bei Startssl: https:// | ||
+ | |||
+ | ===== Pfade ===== | ||
+ | |||
+ | |||
+ | Hier kann man die Pfade hinterlegen: | ||
+ | | ||
+ | ## Gentoo | ||
+ | nano / | ||
+ | | ||
+ | ## Ubuntu | ||
+ | nano / | ||
+ | |||
+ | |||
+ | |||
+ | ===== CSR erstellen ===== | ||
+ | |||
+ | | ||
+ | openssl req -new -key ssl.key -out cert.csr | ||
+ | |||
+ | |||
+ | |||
+ | ===== Apache Zertifikate hinterlegen ===== | ||
+ | |||
+ | In Apache benötigt man bei Startssl 4 Zertifikate. | ||
+ | |||
+ | ==== StartCom Certification Authority (am längsten gültig ca. 2040) ==== | ||
+ | |||
+ | | ||
+ | ## Certificate Authority (CA): | ||
+ | # Set the CA certificate verification path where to find CA certificates | ||
+ | # for client authentication or alternatively one huge file containing all | ||
+ | # of them (file must be PEM encoded). | ||
+ | # Note: Inside SSLCACertificatePath you need hash symlinks to point to the | ||
+ | # certificate files. Use the provided Makefile to update the hash symlinks | ||
+ | # after changes. | ||
+ | SSLCACertificateFile / | ||
+ | |||
+ | Heist auch oft ca_root_startTLS.pem | ||
+ | |||
+ | |||
+ | ==== StartCom Class 1 Primary Intermediate Server CA ==== | ||
+ | |||
+ | | ||
+ | ## Server Certificate Chain: | ||
+ | # Point SSLCertificateChainFile at a file containing the concatenation of | ||
+ | # PEM encoded CA certificates which form the certificate chain for the | ||
+ | # server certificate. Alternatively the referenced file can be the same as | ||
+ | # SSLCertificateFile when the CA certificates are directly appended to the | ||
+ | # server certificate for convinience. | ||
+ | SSLCertificateChainFile / | ||
+ | |||
+ | Heist auch oft startTLSCAcert.pem | ||
+ | |||
+ | |||
+ | ==== Private Key entschlüsselt ==== | ||
+ | |||
+ | | ||
+ | ## Server Private Key: | ||
+ | # If the key is not combined with the certificate, | ||
+ | # point at the key file. Keep in mind that if you've both a RSA and a DSA | ||
+ | # private key you can configure both in parallel (to also allow the use of | ||
+ | # DSA ciphers, etc.) | ||
+ | SSLCertificateKeyFile / | ||
+ | |||
+ | |||
+ | ==== Zertifikat ==== | ||
+ | |||
+ | | ||
+ | ## Server Certificate: | ||
+ | # Point SSLCertificateFile at a PEM encoded certificate. If the certificate | ||
+ | # is encrypted, then you will be prompted for a pass phrase. Note that a | ||
+ | # kill -HUP will prompt again. Keep in mind that if you have both an RSA | ||
+ | # and a DSA certificate you can configure both in parallel (to also allow | ||
+ | # the use of DSA ciphers, etc.) | ||
+ | SSLCertificateFile / | ||
+ | |||
+ | |||
+ | Um nach Einrichtung alles zu überprüfen bedient man sich openssl am localhost: | ||
+ | | ||
+ | openssl s_client -connect localhost: | ||
+ | |||
+ | Das Ergebnis sollte dann ca. so aussehen: | ||
+ | | ||
+ | CONNECTED(00000003) | ||
+ | SSL_connect: | ||
+ | SSL_connect: | ||
+ | SSL3 alert read: | ||
+ | SSL_connect: | ||
+ | 140679657948816: | ||
+ | 140679657948816: | ||
+ | --- | ||
+ | no peer certificate available | ||
+ | --- | ||
+ | No client certificate CA names sent | ||
+ | --- | ||
+ | SSL handshake has read 7 bytes and written 0 bytes | ||
+ | --- | ||
+ | New, (NONE), Cipher is (NONE) | ||
+ | Secure Renegotiation IS NOT supported | ||
+ | Compression: | ||
+ | Expansion: NONE | ||
+ | No ALPN negotiated | ||
+ | SSL-Session: | ||
+ | Protocol | ||
+ | Cipher | ||
+ | Session-ID: | ||
+ | Session-ID-ctx: | ||
+ | Master-Key: | ||
+ | Key-Arg | ||
+ | PSK identity: None | ||
+ | PSK identity hint: None | ||
+ | SRP username: None | ||
+ | Start Time: 1453931519 | ||
+ | Timeout | ||
+ | Verify return code: 0 (ok) | ||
+ | |||
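Review bot: the `openssl s_client` transcript given as the expected result under "Das Ergebnis sollte dann ca. so aussehen" shows a failed handshake, not a working setup: "no peer certificate available", "SSL handshake has read 7 bytes and written 0 bytes", "New, (NONE), Cipher is (NONE)" and the "SSL3 alert read" line mean the server answered with an alert and never presented a certificate, so the closing "Verify return code: 0 (ok)" is meaningless because nothing was verified. Replace it with the output of a successful run (the server certificate chain plus a negotiated protocol and cipher), or say explicitly that this is what a broken configuration looks like; consider adding `-servername` to the command as well so a name-based virtual host returns the right certificate. Every path after `nano /`, `SSLCACertificateFile /`, `SSLCertificateChainFile /`, `SSLCertificateKeyFile /` and `SSLCertificateFile /`, and the port after `localhost:`, is cut off, so the reader cannot tell which of the four files each directive should point to; fill them in. In "CSR erstellen", `openssl req -new -key ssl.key -out cert.csr` assumes `ssl.key` already exists but the page never shows it being generated; add that step before the CSR. Finally, the quoted comment for `SSLCertificateChainFile` already notes that the chain can be appended to the file named in `SSLCertificateFile`; that is the form to recommend, since `SSLCertificateChainFile` is deprecated from Apache httpd 2.4.8 onwards.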