Create a “.htaccess” file:
htpasswd2 -c passwordfile username
Example:
htpasswd2 -c .htaccess testuser
Put the following into httpd.conf inside the “<Directory>” block:
AuthType Basic
AuthName "Testlogin"
AuthUserFile /etc/apache2/.htaccess
Require user testuser testuser1 testuser2
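As an added illustration (not part of the original notes), the following Python re-implements the "$apr1$" MD5 format that htpasswd2 writes by default, so an AuthUserFile entry can be generated and a Basic-auth login checked against the file plus the "Require user" list without a running Apache. The user names, passwords and salts are constructed sample values.

```python
import hashlib
import secrets
from typing import List, Optional

# Added example, not the page's own code: Apache's "$apr1$" password hash
# (md5crypt with a different magic string) plus a check that emulates
# AuthUserFile + "Require user ...". Sample data below is constructed.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(value: int, count: int) -> str:
    """crypt-style base64: emit the low 6 bits first, `count` characters."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password: str, salt: str) -> str:
    """Return "$apr1$<salt>$<hash>"; salt is at most 8 characters from ITOA64."""
    pw = password.encode()
    salt = salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                     # mix in the alternate sum, 16 bytes at a time
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                          # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):             # fixed 1000-round stretching loop
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return MAGIC + salt + "$" + encoded


def new_salt() -> str:
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def make_entry(user: str, password: str, salt: Optional[str] = None) -> str:
    """One AuthUserFile line, as "htpasswd2 -c file user" writes it (MD5 variant)."""
    return f"{user}:{apr1_hash(password, salt or new_salt())}"


def verify_apr1(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if not stored.startswith(MAGIC):
        return False
    salt = stored[len(MAGIC):].split("$", 1)[0]
    return secrets.compare_digest(apr1_hash(password, salt), stored)


def check_login(userfile_text: str, allowed: List[str], user: str, password: str) -> bool:
    """Emulate AuthUserFile + "Require user": listed user AND matching password."""
    if user not in allowed:
        return False
    for line in userfile_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user:
            return verify_apr1(password, stored)
    return False


if __name__ == "__main__":
    # constructed sample password file with two users
    userfile = "\n".join([make_entry("testuser", "s3cret"), make_entry("testuser1", "other")])
    print(userfile)
    print(check_login(userfile, ["testuser", "testuser1", "testuser2"], "testuser", "s3cret"))
    print(check_login(userfile, ["testuser"], "testuser1", "other"))  # not in Require list
```

Entries produced this way can be cross-checked on the Apache host with `htpasswd -nbm user password`. Note that a name in "Require user" that has no line in the AuthUserFile (testuser2 above) can never log in, and that the MD5 variant is fast to brute-force, so the password file itself must stay unreadable to web clients.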
1. Create keyfile:
head -c 4096 /dev/random > /tmp/random   # a plain "cat /dev/random > /tmp/random" never terminates; head reads a fixed amount
2. Generate key:
openssl genrsa -des3 -out /tmp/server.key -rand /tmp/random 2048
3. Generate certificate:
openssl req -new -x509 -key /tmp/server.key -out /tmp/server.crt
or
openssl req -new -x509 -key /tmp/server.key -nodes -days 365 -sha256 -out /tmp/server.crt
Info:
CN = portal.test.de
OU = Rechenzentrum
O = Portal Test GmbH
L = MYCity
S = Baden-Wuerttemberg
C = DE
4. Copy:
cp /tmp/server.key /etc/apache2/ssl.key/.
cp /tmp/server.crt /etc/apache2/ssl.crt/.
Optionally: Remove Passphrase from Key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
All at once:
openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout domain.key \
  -x509 -days 1000 -out domain.crt \
  -subj "/C=DE/ST=BW/L=MyCity/O=tmade/OU=Datacenter/CN=hostname.local/emailAddress=mymail@domain.com"
openssl x509 -noout -text -in server.crt
5. Edit “/etc/apache2/httpd.conf” (or default-server.conf) file (outside the “<Directory>” block):
SSLEngine on
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLHonorCipherOrder on
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:+3DES:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
#SSLProtocol TLSv1.2
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/intermediate.crt   #Load intermediate-certificate
#SSLCACertificateFile /etc/apache2/ssl.crt/intermediate.crt   #Load intermediate-certificate
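As an added check (not part of the original notes), the Python below reads mod_ssl directives like the ones above and reports the settings a reviewer would flag: weak protocols left enabled, weak cipher tokens enabled in SSLCipherSuite, SSLHonorCipherOrder off, or a missing certificate/key directive. The two embedded sample configs are constructed from the commented-out legacy cipher line and the active one; the list of "weak" tokens is this example's own choice, not an Apache setting.

```python
from typing import Dict, List, Set

# Added example, not the page's own code: a small lint for mod_ssl directives.
# Sample configs are constructed from the snippet above; WEAK_* lists are
# this example's assumptions about what should not be enabled.

WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
WEAK_CIPHER_TOKENS = {"eNULL", "aNULL", "ADH", "EXP", "EXPORT", "EXPORT56",
                      "LOW", "RC4", "MD5", "DES", "SSLv2"}
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

LEGACY_CIPHERS = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
HARDENED_CIPHERS = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:+3DES:"
                    "ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:!SEED:!aNULL:!MD5:"
                    "!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP")

# constructed sample: the legacy cipher line made active, no cipher order, "All" protocols
WEAK_CONFIG = f"""SSLEngine on
SSLCipherSuite {LEGACY_CIPHERS}
SSLProtocol All
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
"""

# constructed sample: the active directives from the snippet above
HARDENED_CONFIG = f"""SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite '{HARDENED_CIPHERS}'
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
"""


def parse_directives(text: str) -> Dict[str, str]:
    """Map directive -> value for active lines; '#' lines are comments, the last value wins."""
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip("'\"") if len(parts) > 1 else ""
        found[parts[0]] = value
    return found


def enabled_protocols(value: str) -> Set[str]:
    """Expand an "All -SSLv2 -SSLv3 -TLSv1" style value. "All" is read as every
    protocol (conservative: what "All" really covers depends on the Apache/OpenSSL build)."""
    enabled: Set[str] = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def lint_ssl(text: str) -> List[str]:
    """Return findings for one SSL config fragment (empty list = nothing flagged)."""
    d = parse_directives(text)
    findings: List[str] = []
    if d.get("SSLEngine", "off").lower() != "on":
        findings.append("SSLEngine is not on")
    protos = enabled_protocols(d.get("SSLProtocol", "All"))   # Apache default is "all"
    findings += [f"SSLProtocol enables {p}" for p in WEAK_PROTOCOLS if p in protos]
    for tok in d.get("SSLCipherSuite", "").split(":"):
        if tok.startswith(("!", "-")):            # removed from the list, not enabled
            continue
        for part in tok.lstrip("+").split("+"):   # "RC4+RSA" enables RC4 with RSA
            if part in WEAK_CIPHER_TOKENS:
                findings.append(f"SSLCipherSuite enables {part}")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off: the client picks the cipher")
    for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if key not in d:
            findings.append(f"{key} is missing")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_ssl(cfg) or "OK")
```

Run against the hardened fragment the only finding is that "All -SSLv2 -SSLv3 -TLSv1" still leaves TLSv1.1 enabled; the commented alternative "SSLProtocol TLSv1.2" passes clean. The "+3DES" token is not on the weak list here, so it is not flagged, but it is a candidate to add if 3DES should not be offered.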
6. Edit /etc/sysconfig/apache2 and change
APACHE_START_TIMEOUT="2"
to
APACHE_START_TIMEOUT="10"
and
APACHE_SERVER_FLAGS=""
to
APACHE_SERVER_FLAGS="SSL"
7. Restart Apache:
rcapache2 restart
To start apache2 with a passphrase-protected SSL key without an interactive prompt, edit the file “/etc/apache2/ssl-global.conf”:
Default:
#SSLPassPhraseDialog builtin
Add:
SSLPassPhraseDialog |/etc/apache2/script_passphrase
or
SSLPassPhraseDialog exec:/etc/apache2/script_passphrase
script_passphrase:
#!/bin/sh
# the passphrase is stored here in clear text: keep this file owned by root with mode 0700
echo "passphrase"
openssl pkcs12 -in mybackup.pfx -nocerts -out mykey.key
openssl pkcs12 -in mybackup.pfx -nokeys -out mycert.crt
Optionally: Remove Passphrase from Key
cp mykey.key mykey.key.bak
openssl rsa -in mykey.key -out mykey-without-pp.key
openssl pkcs12 -export -inkey mykey.key -in mycert.crt -out mybackup.pfx
cat server.crt server.key > server.pem
openssl x509 -outform der -in yourPemFilename.pem -out certfileOutName.crt
openssl rsa -in yourPemFilename.pem -out keyfileOutName.key
keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS
or
keytool -importkeystore -srckeystore mypfxfile.pfx -destkeystore my.jks -deststoretype pkcs12
openssl pkcs12 -export -in my.pem -inkey my.pem -out my.jks -name myalias
#!/bin/bash
NAME='tomcatSSL'
PASS='password'
# Save the file you received from UMLS as $NAME.jks
# Uncomment the 3 lines below on the first run
# wget 'http://www.source-code.biz/snippets/java/Base64Coder.java.txt' -O 'Base64Coder.java'
# wget 'http://mark.foster.cc/pub/java/ExportPriv.old.java' -O 'ExportPriv.java'   # the new version doesn't wrap lines at 64 characters
# javac Base64Coder.java ExportPriv.java
# list certificates in the keystore:
# keytool -list -v -keystore $NAME.jks -storepass $PASS
# export certificate as DER:
keytool -export -alias $NAME -keystore $NAME.jks -storepass $PASS -file $NAME.crt.der
# convert DER certificate to PEM:
openssl x509 -in $NAME.crt.der -inform DER -out $NAME.crt.pem -outform PEM
# export key as PKCS8:
java ExportPriv $NAME.jks $NAME $PASS > $NAME.pkcs8
# convert PKCS8 key to an unencrypted PEM RSA key:
openssl pkcs8 -nocrypt -in $NAME.pkcs8 -inform PEM -out $NAME.rsa -outform PEM
# combine PEM certificate and RSA key into one PEM file:
cat $NAME.crt.pem $NAME.rsa > $NAME.pem
echo "Saved key/certificate pair as $NAME.pem"
# clean up:
# rm $NAME.crt.der
# rm $NAME.crt.pem
# rm $NAME.pkcs8
# rm $NAME.rsa
cat your_domain_name.crt intermediate.crt >> bundle.crt
To create a private key and certificate request (CSR) with 2048 Bit and sha256 (the command below uses rsa:4096; use rsa:2048 for a 2048-bit key):
openssl req -nodes -sha256 -newkey rsa:4096 -keyout ssl.key -out ssl-request.csr
Content:
CN = www.123.org
OU = Department
O = Company-Name
L = City
S = Region
C = DE
Check output:
openssl req -noout -text -in ssl-request.csr
1. First you need to create a private key (privkey.key) such as:
1.1 RSA KEY
openssl genrsa -des3 -out privkey.key 4096
openssl genrsa -out privkey.key 4096   #Without password
1.2 DSA Key (two steps)
openssl dsaparam -out dsaparam.pem 1024   # parameter file; the name must match in the next command
openssl gendsa -des3 -out privkey.key dsaparam.pem
With these variants you will be prompted for a protecting password. If you don't want your key to be protected by a password, remove the flag '-des3' from the command line above.
2. Afterwards you can create the certificate request:
openssl req -new -key privkey.key -out cert.csr
Content:
CN = www.123.org
OU = Department
O = Company-Name
L = City
S = Region
C = DE
3. Check output:
openssl req -noout -text -in cert.csr
See also:
Redirect e.g. http to https (place below the “DocumentRoot” directive):
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
Note: “rewrite_module” has to be installed/loaded!
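As an added illustration (not part of the original notes), the Python below emulates what those two mod_rewrite lines do for a single request, so the redirect target can be checked without a running Apache: the RewriteCond only fires for plain-http requests, the optional leading slash in `^/?(.*)` covers both server and per-directory context, and the original query string is carried over because the substitution contains no `?` of its own. The function name and the sample requests are constructed for this example.

```python
from typing import Optional

# Added example, not the page's own code: emulates
#   RewriteCond %{HTTPS} !=on
#   RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# for one request. Sample values below are constructed.


def https_redirect(https_on: bool, server_name: str, uri: str, query: str = "") -> Optional[str]:
    """Return the Location a client would be redirected to ([R] = 302),
    or None when the RewriteCond does not match and the request is served as-is."""
    if https_on:
        return None
    # "^/?(.*)": in server context the URI starts with "/", in per-directory
    # context the directory prefix is stripped; either way $1 is the path without slash
    path = uri[1:] if uri.startswith("/") else uri
    target = f"https://{server_name}/{path}"
    # mod_rewrite appends the original query string unless the substitution has its own "?"
    if query:
        target += "?" + query
    return target


if __name__ == "__main__":
    # constructed sample requests
    print(https_redirect(False, "www.example.org", "/login", "next=%2Faccount"))
    print(https_redirect(False, "www.example.org", "login"))   # per-directory context
    print(https_redirect(True, "www.example.org", "/login"))   # already https: no rewrite
```

One caveat the rule itself does not show: %{SERVER_NAME} only reflects the configured ServerName when UseCanonicalName is On; with the default (Off) it is taken from the client's Host header, so the redirect target follows whatever host the client sent.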
Proxypass:
<VirtualHost mydomain.com:443>
    . . .
    <Location />
        ProxyPass http://localhost:8080/
        ProxyPassReverse http://localhost:8080/
        Order deny,allow
        Allow from all
    </Location>
</VirtualHost>
apachectl -t -D DUMP_MODULES   #dump active modules
apachectl -t                   #check syntax