Saturday, June 11, 2016

setup https web server using apache2 and easy-rsa

***setup information***
- name: www.web.ssl
- document root: DocumentRoot /var/www/html

1- install easy-rsa package
$ sudo apt-get install easy-rsa

2- edit the variable parameters in the file /usr/share/easy-rsa/vars. The most important one is KEY_CN: its value must be the same as the name of your https virtualhost
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"
export KEY_CN="www.web.ssl"


3- create the CA (the key directory must be named "keys", matching KEY_DIR in vars)
$ cd /usr/share/easy-rsa
$ mkdir keys
$ touch keys/index.txt
$ echo 01 > keys/serial
$ source ./vars
$ export PATH=$PATH:/usr/share/easy-rsa
$ pkitool --initca

After that, it will create two files:
/usr/share/easy-rsa/keys/ca.crt
/usr/share/easy-rsa/keys/ca.key

4- enable the apache2 https virtualhost by creating the file /etc/apache2/sites-enabled/webssl.conf with the following contents
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ServerName www.web.ssl
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile    "/usr/share/easy-rsa/keys/ca.crt"
        SSLCertificateKeyFile "/usr/share/easy-rsa/keys/ca.key"
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>

- note
you need to update your name server so that the record www.web.ssl points to the server's IP address

5- restart the apache2 service to finalize the setup
$ sudo /etc/init.d/apache2 restart
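Before restarting Apache it is worth checking that the certificate and key named in the virtualhost actually fit it. The script below is an added example, not part of the original post or of easy-rsa: it confirms that the certificate's subject CN equals the ServerName (the KEY_CN value from step 2), that the private key belongs to the certificate, and reports whether the file is a CA certificate (which the ca.crt produced by pkitool --initca is). The function names are my own, the sample CA it generates is a constructed stand-in for keys/ca.crt and ca.key, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Sanity checks for the certificate/key pair an Apache HTTPS virtualhost points at.
# Helper names are hypothetical; the only dependency is the openssl CLI.

# check_tls_pair CERT KEY EXPECTED_CN
# Returns 0 when the subject CN equals EXPECTED_CN (the ServerName) and the
# private key really belongs to the certificate; returns 1 otherwise.
check_tls_pair() {
    cert=$1; key=$2; expected_cn=$3
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$expected_cn" ]; then
        echo "CN '$cn' does not match ServerName '$expected_cn'" >&2
        return 1
    fi
    # Compare the public key inside the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    return 0
}

# is_ca_cert CERT: returns 0 if basicConstraints marks the certificate as a CA.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Constructed sample: a self-signed CA certificate with the post's CN,
# standing in for /usr/share/easy-rsa/keys/ca.crt and ca.key.
make_sample_ca() {
    dir=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\nprompt=no\n[dn]\nC=US\nO=Fort-Funston\nCN=www.web.ssl\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/req.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# Run the checks against the sample; swap in the real paths from the virtualhost.
tmp=$(mktemp -d)
make_sample_ca "$tmp"
check_tls_pair "$tmp/ca.crt" "$tmp/ca.key" www.web.ssl && echo "cert/key pair fits ServerName www.web.ssl"
is_ca_cert "$tmp/ca.crt" && echo "note: Apache is being handed a CA certificate, not a server certificate"
rm -rf "$tmp"
```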

- screenshot of accessing the https site: the browser shows an exclamation mark (warning) because the certificate is self-signed