Help articles: SSL Certificates
Installing an SSL certificate on Debian
Posted 14 October 2014 16:52

To begin, check that the openssl package is installed and enable the SSL module for Apache:

root@debian-icn:~# dpkg --list | grep openssl
ii  openssl  0.9.8o-4squeeze1
root@debian-icn:~# a2enmod ssl
Enabling module ssl.
Run '/etc/init.d/apache2 restart' to activate new configuration!

Once the SSL module is enabled, create a directory named ssl under the web server's configuration directory /etc/apache2/. The domain key and the CSR will be generated in this directory, and the certificate and the CA bundle will be placed there later:

[root@/]# mkdir /etc/apache2/ssl
[root@/]# cd /etc/apache2/ssl

With the ssl directory created and as the current directory, generate the domain key and the CSR:

root@:/etc/apache2/ssl# openssl genrsa -out www.domain.com.pem 2048

Example:
Generating RSA private key, 2048 bit long modulus
.........................+++
......+++
e is 65537 (0x10001)
root@:/etc/apache2/ssl# openssl req -new -key www.domain.com.pem -out www.domain.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BG
State or Province Name (full name) [Some-State]:Sofia
Locality Name (eg, city) []:Sofia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ICN.Bg
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:www.domain.com
Email Address []:admin@domain.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

Pay particular attention to the "Common Name": it must be exactly the hostname visitors will type (here www.domain.com), because a certificate issued for a different name triggers browser warnings and will not work correctly. The "challenge password" can be left blank. With the domain key and the CSR in hand you can buy your certificate: send the CSR (and only the CSR) to the provider, who issues the certificate from it. The .pem file is the private key; keep it readable by root only (chmod 600 www.domain.com.pem) and never hand it to anyone. Once the provider has delivered the certificate and the CA bundle, copy them to the server.

Add the certificate to the server using a text editor:

root@:/etc/apache2/ssl# pico www.domain.com.crt

Example:
-----BEGIN CERTIFICATE-----
MIIHjDCCBnSgAwIBAgIDA0CqMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0 YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTEwNDAyMTMxODU3 WhcNMTIwNDAyMTUzMjExWjCBtjEgMB4GA1UEDRMXMzk1MTgyLWh0UzA4RWZaNDI0 dTQxMVcxCzAJBgNVBAYTAkJHMR4wHAYDVQQKExVQZXJzb25hIE5vdCBWYWxpZGF0 ZWQxKTAnBgNVBAsTIFN0YXJ0Q29tIEZyZWUgQ2VydGlmaWNhdGUgTWVtYmVyMRYw FAYDVQQDEw13d3cuZmlrb3YuY29tMSIwIAYJKoZIhvcNAQkBFhN3ZWJtYXN0ZXJA Zmlrb3YuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvu2G1vLb GWMIwrMTACepTshGliZZ6MWDD05jhpmlVPJ+ocQ7CppC3PBfk/lGEftCjXEhVOSV S1dgpflEe/iYTTxjduXx9ALvcaJeaP4C8y5efyZXKC2mdwkCSqOvx1mvkYIv0xC3 u4mR/Yhb56qBGPiIQeeSEbIVyCP4LB1NJcW2mEe6QvYJeS35mA9tNc9Bn0tQAhPX FwzppvQPeg+Zh+C4+sPMKb+DfbbDKA87JxsDXJ67wMdpsinRDLj5YatWXvIQusOF ehNXApjvenAEyknj02DG1M9LlK+2mqN7JB49Zte0VAW+jXl78kpSy//60XOTFZkU 1IDH0mrM9LyXCdS1ibCyBMC+Ml5q8ibdq5Z5u2kaZQywrduIZRceinaICBtRFHHx w0oxq4yOrGYApuJFFChOf4ppyTHIqkrWKK2g72nOrCN/YxAy+8cNZg0lcIlxo/Cp /ZJv69+BcAAl1vzXozWx097njCkaDiNlmGSyndL47EqeufTE9jh7E4gSgWsHeMdE x3H1n2UCjTd5FcRWiQYjB0VcwvfPDEczKtAsFcnL0T9G/KC1nh8D+dZbgcKQBC/D cezUR3ypak3oQ1hJIyxX35ZskbCDQe/Q1LW66D+ZDBC2F4WloY16rPH1jNPewZrf zmYKs4cv0DCl+O21dIa+YRl7NFOkUWTVOrcCAwEAAaOCAskwggLFMAkGA1UdEwQC MAAwCwYDVR0PBAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBTQ TJZVX80Yebhlkz4Z8sBVxI/InDAfBgNVHSMEGDAWgBTrQjTQmLCrn/Qbawj3zGQu 7w4sRTAjBgNVHREEHDAagg13d3cuZmlrb3YuY29tgglmaWtvdi5jb20wggFCBgNV HSAEggE5MIIBNTCCATEGCysGAQQBgbU3AQICMIIBIDAuBggrBgEFBQcCARYiaHR0 cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0BggrBgEFBQcCARYoaHR0 cDovL3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRlLnBkZjCBtwYIKwYBBQUH AgIwgaowFBYNU3RhcnRDb20gTHRkLjADAgEBGoGRTGltaXRlZCBMaWFiaWxpdHks IHNlZSBzZWN0aW9uICpMZWdhbCBMaW1pdGF0aW9ucyogb2YgdGhlIFN0YXJ0Q29t IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFBvbGljeSBhdmFpbGFibGUgYXQgaHR0 cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA1BgNVHR8ELjAsMCqgKKAm 
hiRodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9jcnQxLWNybC5jcmwwgY4GCCsGAQUF BwEBBIGBMH8wOQYIKwYBBQUHMAGGLWh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9z dWIvY2xhc3MxL3NlcnZlci9jYTBCBggrBgEFBQcwAoY2aHR0cDovL2FpYS5zdGFy dHNzbC5jb20vY2VydHMvc3ViLmNsYXNzMS5zZXJ2ZXIuY2EuY3J0MCMGA1UdEgQc MBqGGGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tLzANBgkqhkiG9w0BAQUFAAOCAQEA ZBmk5S1AzwmOMkQH1cPota1/YC2uNBQCUQQCh5wP0+hmFTkr8Acq8qN8M0wUkONf lFeghsMulk9+XSK5x0IDLlNtABSAVJpLwietL8KdFcbujmMbsNoWDM2cZhS56NBB jg4a46OIm+t3Wdf5A02uHpCa3JTM8393DbX2ts43hYHn0zpp1a/v4RqSMHU8u4Du gKaUs+/Wo+2wQ7gQVj9hecoivtkvr6OEy+RzQr+Lf1dJ/v2bZKkjHnDWb8t1ZoXT
3Vkb5i8IpRHllHLboAEZMzmQ3q4F+yqPkD/1izs/Adu5wkwoC8yy2gLpi3wUX2Zg
Q4Z9hYzAqNmC0jutbwvaLA==
-----END CERTIFICATE-----

After adding the certificate, add the CA bundle, again with a text editor:

root@:/etc/apache2/ssl# pico www.domain.com.cabundle

Example:
-----BEGIN CERTIFICATE-----
MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh dGlvbiBBdXRob3JpdHkwHhcNMDYwOTE3MTk0NjM2WhcNMzYwOTE3MTk0NjM2WjB9 MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUA A4ICDwAwggIKAoICAQDBiNsJvGxGfHiflXu1M5DycmLWwTYgIiRezul38kMKogZk pMyONvg45iPwbm2xPN1yo4UcodM9tDMr0y+v/uqwQVlntsQGfQqedIXWeUyAN3rf
OQVSWff0G0ZDpNKFhdLDcfN1YjS6LIp/Ho/u7TTQEceWzVI9ujPW3U3eCztKS5/C Ji/6tRYccjV3yjxd5srhJosaNnZcAdt0FCX+7bWgiA/deMotHweXMAEtcnn6RtYT Kqi5pquDSR3l8u/d5AGOGAqPY1MWhWKpDhk6zLVmpsJrdAfkK+F2PrRt2PZE4XNi HzvEvqBTViVsUQn3qqvKv3b9bZvzndu/PWa8DFaqr5hIlTpL36dYUNk4dalb6kMM Av+Z6+hsTXBbKWWc3apdzK8BMewM69KN6Oqce+Zu9ydmDBpI125C4z/eIT574Q1w +2OqqGwaVLRcJXrJosmLFqa7LH4XXgVNWG4SHQHuEhANxjJ/GP/89PrNbpHoNkm+ Gkhpi8KWTRoSsmkXwQqQ1vp5Iki/untp+HDH+no32NgN0nZPV/+Qt+OR0t3vwmC3 Zzrd/qqc8NSLf3Iizsafl7b4r4qgEKjZ+xjGtrVcUjyJthkqcwEKDwOzEmDyei+B
26Nu/yYwl/WL3YlXtq09s68rxbd2AvCl1iuahhQqcvbjM4xdCUsT37uMdBNSSwID AQABo4ICUjCCAk4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAa4wHQYDVR0OBBYE FE4L7xqkQFulF2mHMMo0aEPQQa7yMGQGA1UdHwRdMFswLKAqoCiGJmh0dHA6Ly9j ZXJ0LnN0YXJ0Y29tLm9yZy9zZnNjYS1jcmwuY3JsMCugKaAnhiVodHRwOi8vY3Js LnN0YXJ0Y29tLm9yZy9zZnNjYS1jcmwuY3JsMIIBXQYDVR0gBIIBVDCCAVAwggFM BgsrBgEEAYG1NwEBATCCATswLwYIKwYBBQUHAgEWI2h0dHA6Ly9jZXJ0LnN0YXJ0 Y29tLm9yZy9wb2xpY3kucGRmMDUGCCsGAQUFBwIBFilodHRwOi8vY2VydC5zdGFy dGNvbS5vcmcvaW50ZXJtZWRpYXRlLnBkZjCB0AYIKwYBBQUHAgIwgcMwJxYgU3Rh cnQgQ29tbWVyY2lhbCAoU3RhcnRDb20pIEx0ZC4wAwIBARqBl0xpbWl0ZWQgTGlh YmlsaXR5LCByZWFkIHRoZSBzZWN0aW9uICpMZWdhbCBMaW1pdGF0aW9ucyogb2Yg dGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFBvbGljeSBhdmFp bGFibGUgYXQgaHR0cDovL2NlcnQuc3RhcnRjb20ub3JnL3BvbGljeS5wZGYwEQYJ YIZIAYb4QgEBBAQDAgAHMDgGCWCGSAGG+EIBDQQrFilTdGFydENvbSBGcmVlIFNT TCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTANBgkqhkiG9w0BAQUFAAOCAgEAFmyZ 9GYMNPXQhV59CuzaEE44HF7fpiUFS5Eyweg78T3dRAlbB0mKKctmArexmvclmAk8 jhvh3TaHK0u7aNM5Zj2gJsfyOZEdUauCe37Vzlrk4gNXcGmXCPleWKYK34wGmkUW FjgKXlf2Ysd6AgXmvB618p70qSmD+LIU424oh0TDkBreOKk8rENNZEXO3SipXPJz ewT4F+irsfMuXGRuczE6Eri8sxHkfY+BUZo7jYn0TZNmezwD7dOaHZrzZVD1oNB1 ny+v8OqCQ5j4aZyJecRDjkZy42Q2Eq/3JR44iZB3fsNrarnDy0RLrHiQi+fHLB5L EUTINFInzQpdn4XBidUaePKVEFMy3YCEZnXZtWgo+2EuvoSoOMCZEoalHmdkrQYu L6lwhceWD3yJZfWOQ1QOq92lgDmUYMA0yZZwLKMS9R9Ie70cfmu3nZD0Ijuu+Pwq yvqCUqDvr0tVk+vBtfAii6w0TiYiBKGHLHVKt+V9E9e4DGTANtLJL4YSjCMJwRuC O3NJo2pXh5Tl1njFmUNj403gdy3hZZlyaQQaRwnmDwFWJPsfvw55qVguucQJAX6V
um0ABj6y6koQOdjQK/W/7HW/lwLFCRsI3FU34oH7N4RDYiDK51ZLZer+bMEkkySh
NOsF/5oirpt9P/FlUQqmMGqz9IgcgA38corog14=
-----END CERTIFICATE-----

Now check the apache2 configuration, first that the server listens on port 443:

root@:/etc/apache2/ssl# pico /etc/apache2/ports.conf


# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

Everything is as it should be, so the next step is to add the virtual host that references the domain key, the certificate and the CA bundle.

With the /etc/apache2/ssl directory created and the cabundle, crt, pem and csr files in place, create the vhost in the directory

/etc/apache2/sites-available

The file there should be named

domaina.com-ssl

root@:/etc/apache2/ssl# pico /etc/apache2/sites-available/domaina.com-ssl

Example:

<VirtualHost 192.168.1.101:443>
    # 192.168.1.101 is the IP address your web server runs on
    ServerAdmin webmaster@domain.com
    DocumentRoot /var/www
    # must be the hostname the certificate was issued for (the Common Name)
    ServerName www.domain.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.pem
    SSLCertificateChainFile /etc/apache2/ssl/www.domain.com.cabundle
</VirtualHost>

The paths point at the /etc/apache2/ssl directory created above and use the file names from the previous steps; ServerName must be the hostname the certificate was issued for, i.e. the Common Name entered in the CSR. SSLCertificateChainFile is the directive that makes Apache 2.2 send the intermediate certificates from the CA bundle to browsers. SSLCACertificateFile has a different purpose (the CAs accepted for client certificate authentication) and should not be used for the server chain. On Apache 2.4.8 and newer SSLCertificateChainFile is deprecated: there the bundle is appended to the certificate file given to SSLCertificateFile instead.

Then run the following command:

a2ensite domaina.com-ssl

replacing the domain with the domain name of the certificate, exactly as you named the file. This command creates a symlink from sites-available to sites-enabled.

You can test the installed certificate by opening https://domaina.com. If that redirects to http://domaina.com, create a file calling the phpinfo function in the site's directory:

:#pico info.php

<?php phpinfo(); ?>

and open https://domaina.com/info.php to see whether info.php loads over SSL. If it does, the certificate and the virtual host work, and it is the application itself that is not configured for SSL and forces the redirect to http. Delete info.php as soon as the test is done: phpinfo() discloses the PHP configuration, file system paths and environment to anyone who can reach the URL.

With the virtual host in place referencing the certificate, the key and the CA bundle, all that remains is to restart the web server so that it picks up the new configuration (running apache2ctl configtest first reports configuration errors before the restart takes the site down).
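As an added example, not part of the original article, the following POSIX shell script gathers the checks worth running on the three files before the restart: that the private key really belongs to the certificate (a mismatch makes Apache refuse to start), that the certificate chains to the CA bundle, that it is valid for the hostname in ServerName, and that it has not expired. It assumes the openssl command-line tool is installed and uses the file names from the steps above; the paths in the usage line are placeholders for your own domain.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-restart checks for the
# three files referenced by the SSL VirtualHost. Requires the openssl CLI.
# File names follow the article; the paths in the usage line are placeholders.

# 0 if the private key and the certificate carry the same RSA modulus,
# i.e. the certificate was really issued for this key.
ssl_key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# 0 if the certificate chains to a certificate contained in the bundle.
# -partial_chain lets an intermediate in the bundle act as trust anchor, which
# is what a CA bundle usually holds; it does not prove that the bundle itself
# reaches a root that browsers trust.
ssl_chain_ok() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate is valid for the hostname (SAN, or CN when there is no
# SAN), the same check a browser makes against the name in the URL.
ssl_hostname_ok() {
    openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 0 if the certificate stays valid for at least another 24 hours.
ssl_not_expired() {
    openssl x509 -noout -in "$1" -checkend 86400 >/dev/null 2>&1
}

# report <label> <command...>: run one check, print one line, keep its status.
report() {
    label=$1; shift
    if "$@"; then
        echo "ok:   $label"
        return 0
    fi
    echo "FAIL: $label"
    return 1
}

# check_ssl_files <cert> <key> <bundle> <hostname>: runs every check and
# returns the number of failures (0 means it is safe to restart Apache).
check_ssl_files() {
    cert=$1; key=$2; bundle=$3; host=$4; failures=0
    report "private key matches certificate" ssl_key_matches_cert "$key" "$cert" || failures=$((failures + 1))
    report "certificate chains to the CA bundle" ssl_chain_ok "$cert" "$bundle" || failures=$((failures + 1))
    report "certificate is valid for $host" ssl_hostname_ok "$cert" "$host" || failures=$((failures + 1))
    report "certificate is not expired" ssl_not_expired "$cert" || failures=$((failures + 1))
    return $failures
}

# Usage with the article's file names (placeholder paths):
#   sh check_ssl.sh /etc/apache2/ssl/www.domain.com.crt \
#                   /etc/apache2/ssl/www.domain.com.pem \
#                   /etc/apache2/ssl/www.domain.com.cabundle www.domain.com
if [ $# -eq 4 ]; then
    check_ssl_files "$@"
fi
```

Each check maps to a failure you would otherwise only see after the restart: a key/certificate mismatch stops Apache from starting, a wrong or missing bundle shows up as an "untrusted issuer" warning in browsers, and a Common Name that differs from ServerName produces the hostname-mismatch warning the article cautions about.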