Create OpenSSL certificate for Apache (SSL with Apache2)

# Quick path: regenerate the distribution's default self-signed ("snakeoil")
# certificate, then switch on mod_ssl and the default HTTPS virtual host.
# --force-overwrite replaces any existing snakeoil certificate and key.
# NOTE: a self-signed certificate is not trusted by clients. It is fine for a
# test box; replace it with a CA-issued certificate before exposing the site.
make-ssl-cert generate-default-snakeoil --force-overwrite 
a2enmod ssl
a2ensite default-ssl
service apache2 restart
 
 
# install packages
# NOTE: make-ssl-cert (used below) is shipped in Debian/Ubuntu's ssl-cert
# package, not in openssl itself -- presumably already installed alongside
# Apache here; verify with `dpkg -s ssl-cert`.
apt-get install openssl
# apache2 apache2.2-common php5
 
# enable ssl in apache
# a2enmod loads mod_ssl; a2ensite enables the default-ssl virtual host.
# Neither change is picked up until Apache is restarted.
a2enmod ssl
a2ensite default-ssl
 
 
# default
# Regenerates the self-signed snakeoil certificate and key, overwriting the
# existing pair.
make-ssl-cert generate-default-snakeoil --force-overwrite
 
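# customized
# Self-signed certificate whose files are named after this machine's FQDN.
# The subject below is a placeholder: set CN to the name clients actually
# connect to, otherwise they report a name mismatch on top of the untrusted
# issuer.
fqdn=$(hostname -f)
# Stop here rather than write /etc/ssl/private/.key when the FQDN cannot be
# resolved (see the "fix hostname" step in v3).
: "${fqdn:?hostname -f returned nothing}"
key_file="/etc/ssl/private/${fqdn}.key"
cert_file="/etc/ssl/certs/${fqdn}.pem"
# The SSLCertificate* directives live in the SSL vhost, not in the plain
# HTTP "default" site.
vhost=/etc/apache2/sites-enabled/default-ssl

# -nodes leaves the private key unencrypted so Apache can start unattended;
# file permissions are then its only protection, so create it under a
# restrictive umask (the subshell keeps the umask change local).
(
    umask 077
    openssl \
        req \
        -x509 \
        -newkey rsa:2048 \
        -sha256 \
        -nodes \
        -days 365 \
        -keyout "$key_file" \
        -out "$cert_file" \
        -subj "/C=DE/ST=NRW/L=Bonn/O=Example Inc/OU=IT/CN=www.example.com/emailAddress=info@www.example.com"
)

# --follow-symlinks edits the file the sites-enabled link points at; plain
# `sed -i` would replace the symlink with a regular copy.
sed -i --follow-symlinks "s|SSLCertificateFile .*$|SSLCertificateFile ${cert_file}|g" "$vhost"
sed -i --follow-symlinks "s|SSLCertificateKeyFile .*$|SSLCertificateKeyFile ${key_file}|g" "$vhost"

# Apply ownership and mode to the files generated above (not to a
# hard-coded www.example.com name, which only matches if that is the FQDN).
chown root:root "$cert_file"
chmod 644 "$cert_file"

# Key: readable by root and the ssl-cert group only.
chown root:ssl-cert "$key_file"
chmod 640 "$key_file"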
 
 
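# view supported protocols
# Lists every SSLProtocol line (active or commented out) in mod_ssl's global
# configuration; grep reads the file directly, no cat needed.
grep SSLProtocol /etc/apache2/mods-available/ssl.conf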
 
 
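# creating an RSA key (use -aes256 to create a password protected key file)
# 2048 bits is the minimum current CAs and clients accept; 1024-bit RSA is no
# longer considered adequate. The umask keeps key.pem readable by its owner
# only (the subshell keeps the umask change local).
( umask 077; openssl genrsa -out key.pem 2048 )

# creating a self-signed certificate: -x509 makes `req` emit a certificate,
# not a certificate request.
# NOTE: this command generates its own new key via -keyout and overwrites the
# snakeoil pair; key.pem from the step above is not used by it.
# -newkey/-sha256 pin key size and digest instead of relying on the defaults
# of the installed OpenSSL. -nodes leaves the key unencrypted on disk.
openssl req -new -newkey rsa:2048 -sha256 -nodes -x509 -out /etc/ssl/certs/ssl-cert-snakeoil.pem -keyout /etc/ssl/private/ssl-cert-snakeoil.key -days 365 -subj "/C=DE/ST=NRW/L=Cologne/O=Your Company/OU=IT/CN=www.YOUR_SERVER.com/emailAddress=you@YOUR_SERVER.com"


# restart apache
# Check the configuration first so a bad certificate path does not take the
# running server down.
apache2ctl configtest && service apache2 restart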
 
 
 
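# v2
# Presumably run from /etc/ssl/private (the cp below reads the .crt from
# there) with dns.server.com.csr and dns.server.com.key already present --
# TODO confirm.

# Self-sign the existing request with its own key. -sha256 pins the signature
# digest instead of relying on the OpenSSL default, which is SHA-1 on older
# releases.
openssl x509 -req -sha256 -days 365 -in dns.server.com.csr -signkey dns.server.com.key -out dns.server.com.crt
# Separate one-step variant: new unencrypted key plus self-signed certificate
# written straight over the snakeoil pair.
openssl req -new -newkey rsa:2048 -sha256 -nodes -x509 -out /etc/ssl/certs/ssl-cert-snakeoil.pem -keyout /etc/ssl/private/ssl-cert-snakeoil.key -days 365 -subj "/C=US/ST=CA/L=City/CN=localhost/emailAddress=root@localhost"

# Only the certificate is copied to the public certs directory; the key
# stays in /etc/ssl/private.
cp /etc/ssl/private/dns.server.com.crt /etc/ssl/certs/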
 
 
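# view certificate info
# Prints the decoded certificate request as text; -noout suppresses the PEM
# body.
openssl req -noout -text -in dns.server.com.csr

# Show which certificate and key file the SSL vhost currently points at
# (grep reads the file directly, no cat needed).
grep SSLCertificateFile /etc/apache2/sites-enabled/default-ssl
grep SSLCertificateKeyFile /etc/apache2/sites-enabled/default-ssl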
 
 
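# Keep the current snakeoil pair as *.org backups. mv preserves owner and
# mode, so the backup key stays as protected as the original was.
mv /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-cert-snakeoil.pem.org
mv /etc/ssl/private/ssl-cert-snakeoil.key  /etc/ssl/private/ssl-cert-snakeoil.key.org

# Put the new pair under the snakeoil names the vhost already references.
# install(1) sets owner and mode explicitly; a plain cp would give the key
# whatever the source file's mode and the current umask allow.
install -o root -g root -m 0644 /etc/ssl/certs/dns.server.com.crt /etc/ssl/certs/ssl-cert-snakeoil.pem
install -o root -g ssl-cert -m 0640 /etc/ssl/private/dns.server.com.key  /etc/ssl/private/ssl-cert-snakeoil.key

# Check the configuration first so a broken setup does not take the running
# server down.
apache2ctl configtest && /etc/init.d/apache2 restart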
 
 
 
 
 
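# v3 #
# fix hostname
# Add "<eth0 address>     <hostname>.<domain> <hostname>" to /etc/hosts so the
# machine can resolve its own fully qualified name.
ip_addr=$(ifconfig eth0 | grep "inet addr" | cut -d ":" -f2 | cut -d" " -f1)
# Match only a real "domain" directive, not any line containing the word.
dns_domain=$(awk '$1 == "domain" { print $2; exit }' /etc/resolv.conf)
short_name=$(hostname)
if [ -z "$ip_addr" ] || [ -z "$dns_domain" ]; then
  # Never append a half-empty line: a malformed /etc/hosts entry is worse
  # than a missing one.
  echo "cannot determine eth0 address or DNS domain; /etc/hosts left unchanged" >&2
elif grep -qwF -- "${short_name}.${dns_domain}" /etc/hosts; then
  # Re-running the notes must not pile up duplicate entries.
  echo "${short_name}.${dns_domain} already present in /etc/hosts" >&2
else
  printf '%s     %s.%s %s\n' "$ip_addr" "$short_name" "$dns_domain" "$short_name" >> /etc/hosts
fi

# generate certificate with snakeoil
# Overwrites the existing self-signed snakeoil certificate and key.
sudo make-ssl-cert generate-default-snakeoil --force-overwrite
/etc/init.d/apache2 restart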
 
 
# check certificate expiration
# Prints only the certificate's notAfter date; -noout suppresses the PEM
# dump of the certificate itself.
openssl x509 -noout -enddate -in /etc/ssl/certs/ssl-cert-snakeoil.pem
 
 
# disable SSLv2 and SSLv3
# NOTE: these are Apache mod_ssl directives (e.g. for
# /etc/apache2/mods-available/ssl.conf), not shell commands.
# NOTE(review): "ALL -SSLv2 -SSLv3" still leaves TLSv1 and TLSv1.1 enabled.
# Both are deprecated -- consider removing them as well where the installed
# Apache/OpenSSL supports TLSv1.2.
SSLProtocol ALL -SSLv2 -SSLv3
# Use the server's cipher preference order instead of the client's.
SSLHonorCipherOrder On
# Turn off TLS-level compression (the CRIME attack relies on it).
SSLCompression Off
 
# Links
http://www.heise.de/security/artikel/SSL-fuer-lau-880221.html
http://www.docs.hp.com/en/5991-1159/ch01s07.html
http://wiki.ubuntuusers.de/ssl-cert
http://www.schirmacher.de/display/INFO/Apache+SSL+Zertifikat+erstellen+und+installieren
http://www.panticz.de/Ubuntu
http://www.curtis-lamasters.com/2008/07/30/apache2-on-ubuntu-openssl-csr-self-signed-cert/
 
http://spin.atomicobject.com/2014/05/12/openssl-commands/