Setting up a Secure Server
Introduction
This document gives instructions for ourshack members on setting up a secure server.
I created two certificate authorities, ourshack.org and andywardley.com. You can't sign a server certificate with a CA from the same domain, hence I used the andywardley.com CA to sign the ourshack.org server certificate, and vice versa. The ourshack.org CA is now the default.

You can do this to create a new server certificate signing request:

$ cd ~apache
$ bin/mkcsr
It will prompt you to enter the pass phrase for the ourshack.org Certificate Authority. Ask abw for this. When it prompts you for the Common Name, put your domain, e.g. template-toolkit.org.
This creates server.key (the server's private key, which should stay readable only by its owner, since anyone who can read it can impersonate the site) and server.csr in ~apache/ssl.
Then:
$ cd ~apache/ssl
$ sh sign.sh server.csr
This creates server.crt, which is a certificate signed by the ourshack.org Certificate Authority. Now you need to install the certificate and server key into the right place in the apache configuration directory. You should give them names appropriate to the domain, e.g.

$ sudo cp server.crt ~apache/stable/conf/ssl.crt/template-toolkit.crt
$ sudo cp server.key ~apache/stable/conf/ssl.key/template-toolkit.key
You also need to rebuild the certificate index like so:
$ cd ~apache/stable/conf/ssl.crt
$ sudo make
Then you need to modify your vhosts file to include an HTTPS configuration for your domain. For example:
<IfDefine SSL>
#-- https://template-toolkit.org --
<VirtualHost 212.74.28.150:443>
    ServerName template-toolkit.org
    ServerAlias www.template-toolkit.org
    ServerAdmin abw@andywardley.com
    DocumentRoot /usr/www/www.template-toolkit.org/
    # ...plus any other config values...
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /home/apache/stable/conf/ssl.crt/template-toolkit.crt
    SSLCertificateKeyFile /home/apache/stable/conf/ssl.key/template-toolkit.key
    SSLCACertificatePath /home/apache/stable/conf/ssl.crt
    SSLCACertificateFile /home/apache/stable/conf/ssl.crt/ca-bundle.crt
    CustomLog /home/apache/stable/logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>

A word of caution about the SSLCipherSuite line: it is the permissive mod_ssl example default. +eNULL admits cipher suites that do no encryption at all, +LOW and +EXP admit export-grade ciphers, and +SSLv2 admits a protocol with known flaws. On anything but a test box, trim it to HIGH-grade ciphers with eNULL, EXPORT and LOW excluded, and switch SSLv2 off with SSLProtocol.
NOTE: the value for ServerName must match the Common Name you specified when you created the CSR, above. Browsers compare the host they were asked for against the names in the certificate, so a mismatch produces a certificate warning for every visitor; note also that a certificate whose only name is template-toolkit.org does not cover the www.template-toolkit.org ServerAlias.
You now need to restart the server:
$ cd ~apache/stable/bin
$ sudo ./apachectl configtest
Syntax OK
$ sudo ./apachectl stop
$ sudo ./apachectl startssl
Check everything is looking good:
$ tail -f ~apache/stable/logs/error_log
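The whole flow above, from mkcsr through sign.sh to the ServerName check, as an added example written for this page; it is not the ourshack mkcsr or sign.sh script (their contents are not shown here) but reproduces the same steps with the openssl command line and then checks the two things that most often break an HTTPS vhost: the server certificate must chain to the CA that ca-bundle.crt contains, and it must actually name the host in ServerName. The directory layout, the 30-day lifetime, the RSA-2048 keys and the added subjectAltName are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the ourshack mkcsr/sign.sh scripts. Reproduces the
# CA -> CSR -> signed cert flow with the openssl CLI and then checks the
# chain and the host name. Paths, lifetimes and key sizes are assumptions.
set -eu

# Create a self-signed CA (ca.key + ca.crt) in directory $1 with CN $2.
make_ca() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$name" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        >/dev/null 2>&1
    chmod 600 "$dir/ca.key"
}

# Generate server.key and server.csr in $1 for domain $2 (the mkcsr step,
# minus the pass-phrase prompt). The key stays owner-readable only.
make_csr() {
    dir=$1; domain=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$domain" -keyout "$dir/server.key" -out "$dir/server.csr" \
        >/dev/null 2>&1
    chmod 600 "$dir/server.key"
}

# Sign $1/server.csr with the CA in $2, writing $1/server.crt (the sign.sh
# step). A subjectAltName for the bare and www names is added because
# clients match the host against SANs, not only the CN.
sign_csr() {
    dir=$1; cadir=$2; domain=$3
    printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "$domain" "$domain" \
        > "$dir/server.ext"
    openssl x509 -req -days 30 -in "$dir/server.csr" \
        -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# Print the CN of certificate $1 (RFC 2253 formatting avoids padding spaces).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=CN=//p'
}

# Succeed only if certificate $2 chains to CA certificate $1: the check that
# ca-bundle.crt on the server must also satisfy.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if certificate $1 covers host name $2 via the CN or a DNS
# SAN, the same comparison a browser makes against the vhost's ServerName.
cert_covers_name() {
    cert=$1; name=$2
    [ "$(cert_cn "$cert")" = "$name" ] && return 0
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | grep -qE "DNS:$name(,|\$)"
}

# End-to-end run: two CAs as on this page, the ourshack.org one signing a
# CSR for template-toolkit.org, then the checks. Prints the work directory.
demo() {
    work=$(mktemp -d)
    mkdir "$work/ourshack" "$work/andywardley" "$work/ssl"
    make_ca "$work/ourshack" "ourshack.org CA"
    make_ca "$work/andywardley" "andywardley.com CA"
    make_csr "$work/ssl" template-toolkit.org
    sign_csr "$work/ssl" "$work/ourshack" template-toolkit.org
    verify_chain "$work/ourshack/ca.crt" "$work/ssl/server.crt" \
        && echo "chains to ourshack.org CA: yes"
    verify_chain "$work/andywardley/ca.crt" "$work/ssl/server.crt" \
        || echo "chains to andywardley.com CA: no (wrong ca-bundle would fail)"
    cert_covers_name "$work/ssl/server.crt" www.template-toolkit.org \
        && echo "covers www.template-toolkit.org: yes"
    echo "$work"
}

# Run the demo only when invoked as: sh thisfile.sh run
if [ "${1:-}" = run ]; then demo; fi
```

The negative check in demo is the one worth keeping around: a certificate verified against the wrong CA fails exactly the way a browser fails when ca-bundle.crt on the server does not contain the issuing CA, and the name check catches the CN/ServerName mismatch described in the note above before any restart.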