July 8, 2008
SSL + Cert + Apache = https ??
sebelum nih aku tak pernah lagi la setup manually benda nih, slalu dok pakai klik2 ja dlm WHM/CPANEL utk create SSL site.
atas tugasan yg diterima so aku dimintak utk up kan apache + openssl + cert yang mana cert yang akan aku buat nih adalah cert sndiri bikin yg tidak diiktiraf oleh mana2 badan bertanggungjawab tak kiralah ianya NGO mahupun Gomen.
ok saya anggap anda telah tersedia dengan apache yang telah dicompile bersama2 openssl.
1. kita buat sijil palsu dulu.. langkah2 dia
buat directory nama sslcert .. tak kisah sebenaqnya boh pi la nama apa yg anda suka.
mkdir sslcert
chmod kat dia dengan
chmod 0700 sslcert
lepaih tu buat subfolder dlm dia mcm nih
mkdir certs private
2. kemudian kita buat database file utk nanti2 leh keep track sijil2 yang kita buat
echo '100001' >serial
touch certindex.txt
3. lepaih tu bukak sebarang editor contoh vim ka nano ka.. buat file nama openssl.cnf dan copy paste benda ni
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
3. lepas tu kita buat root cert dengan arahan dibawah
openssl req -new -x509 -extensions v3_ca -keyout \
private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf
nota: fungsi \ selepas keyout tuh sebenaqnya utk pendekkan command yg terlalu panjang..so just copy selebihnya dan enter
selepas ja taip tu nanti dia akan mintak passwd so silalah simpan passwd itu baik2
lepaih tu dia akan tanya pasal nama company, nama server , email dan etc. kalu nak mohong tulih pun harap dpt ingat apa yg anda tulih sebab lepaih nih ada skali lagik proses mcm nih yang akan tanya soklan yang sama so jawapan pun mesti kena sama.. tidak nnanti sijil anda tak sah.
4. Ok lepaih tu kita install cert nih dalam apache plak
5. ok kita buat kunci dan signing punya request pulak
openssl req -new -nodes -out name-req.pem -keyout private/name-key.pem -config ./openssl.cnf
lepaih taip ja command nih dia akan tanya soklan2 pasai nama kompeni dan sebagainya macam yg mola2 td.. so pastikan jawapan sama cam yg mola2 td. Dan dia akan create dua file nih
name-req.pem - fail request
name-key.pem - fail kunci dia dok dlm private
6. lepaih tu kita sign the request dengan command ni
openssl ca -out name-cert.pem -config ./openssl.cnf -infiles name-req.pem
so akan ter create lah fail2 berikut
name-cert.pem - inilah fail sijil tersebut
7. kemudia kita copy file2 kunci dan sijil td ke tampat yg sepatutnya
cp name-key.pem /etc/httpd/conf/ssl.key/
cp name-cert.pem /etc/httpd/conf/ssl.crt/
kalu folder ssl.key ngan ssl.crt tuh tak wujud so gunalah command sense anda.
8. lepaih tu langkah yg terakhir cari fail httpd.conf anda dan taruk lah spt coding dibawah dan diubah mengikut citara masing2.
DocumentRoot /var/www/html
ServerName 192.168.1.98
ServerAdmin someone@your.domain
ErrorLog /etc/httpd/logs/ssl_error_log
TransferLog /etc/httpd/logs/ssl_access_log
SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl.crt/name-cert.pem
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/name-key.pem
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /etc/httpd/logs/ssl_request_log
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Rujukan : http://www.flatmtn.com/
