[[http://tmade.de|Home tmade.de]] [[http://wiki.tmade.de|Home Wiki]]

===== Apache =====

==== User Authentication ====

Create the password file. Despite the name used on this page, this is an htpasswd password file, not a per-directory ''.htaccess'' configuration file; keep it outside the DocumentRoot so it can never be served. ''-c'' creates the file and overwrites an existing one, so omit it when adding further users:

  htpasswd2 -c passwordfile username

Example (the path must match the AuthUserFile directive below):

  htpasswd2 -c /etc/apache2/.htaccess testuser

Put the following into httpd.conf, inside the ''<Directory>'' (or ''<Location>'') block of the area to protect:

  AuthType Basic
  AuthName "Testlogin"
  AuthUserFile /etc/apache2/.htaccess
  Require user testuser testuser1 testuser2

Note: Basic authentication sends the password base64-encoded, i.e. in cleartext, with every request, so only offer it on an HTTPS virtual host (see below). ''htpasswd2'' stores MD5-based ''$apr1$'' hashes by default; on Apache 2.4.4 or later ''-B'' selects bcrypt, which is far more expensive to brute-force if the file ever leaks.

==== SSL/TLS with a self-signed certificate ====

1. Create a seed file (optional; a current OpenSSL seeds itself from the operating system and does not need ''-rand''). ''cat /dev/random'' never terminates on its own, stop it with Ctrl-C after a few seconds:

  cat /dev/random > /tmp/random

2. Generate a passphrase-protected RSA key:

  openssl genrsa -des3 -out /tmp/server.key -rand /tmp/random 2048

3. Generate a self-signed certificate. The first form uses the OpenSSL defaults (30 days validity, default digest); the second sets one year and SHA-256 (''-nodes'' has no effect here because the key already exists):

  openssl req -new -x509 -key /tmp/server.key -out /tmp/server.crt

or

  openssl req -new -x509 -key /tmp/server.key -nodes -days 365 -sha256 -out /tmp/server.crt

Info (subject fields ''openssl req'' asks for):

  CN = portal.test.de
  OU = Rechenzentrum
  O  = Portal Test GmbH
  L  = MYCity
  S  = Baden-Wuerttemberg
  C  = DE

Note: browsers no longer match the host name against the CN; add a subjectAltName, with OpenSSL 1.1.1 or later e.g. ''-addext "subjectAltName=DNS:portal.test.de"''. A self-signed certificate is only trusted by clients that have imported it explicitly; for anything public, create a request and have it signed by a CA (see "Creating a certificate request").

4. Copy the files into place:

  cp /tmp/server.key /etc/apache2/ssl.key/.
  cp /tmp/server.crt /etc/apache2/ssl.crt/.

Optionally: remove the passphrase from the key. The key is then protected by file permissions only, so it must be owned by root with mode 0600:

  cp server.key server.key.org
  openssl rsa -in server.key.org -out server.key

All at once (4096-bit key without passphrase, SHA-256, valid for 1000 days, subject given on the command line):

  openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout domain.key \
    -x509 -days 1000 -out domain.crt \
    -subj "/C=DE/ST=BW/L=MyCity/O=tmade/OU=Datacenter/CN=hostname.local/emailAddress=mymail@domain.com"

=== Check ===

  openssl x509 -noout -text -in server.crt

5. Edit "/etc/apache2/httpd.conf" (or default-server.conf). These directives belong at server or virtual-host level, i.e. outside any ''<Directory>'' block:

  SSLEngine on
  # Historic example, do NOT use: it admits SSLv2, export, LOW and NULL ciphers
  #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLHonorCipherOrder on
  SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:+3DES:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
  #SSLProtocol TLSv1.2
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1
  SSLCertificateFile /etc/apache2/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
  #SSLCertificateChainFile /etc/apache2/ssl.crt/intermediate.crt   # intermediate certificate(s) sent to clients
  #SSLCACertificateFile /etc/apache2/ssl.crt/intermediate.crt      # CA certificates for verifying CLIENT certificates (SSLVerifyClient), not for the server chain

Notes on this configuration:
  * ''SSLProtocol All -SSLv2 -SSLv3 -TLSv1'' still leaves TLS 1.1 enabled. TLS 1.0 and 1.1 are deprecated (RFC 8996); use ''SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1'' so that only TLS 1.2 and 1.3 remain. SSLv2 is not supported by Apache 2.4 at all.
  * The cipher string keeps 3DES (''+3DES'' and the ''MEDIUM'' group), which is vulnerable to SWEET32 (CVE-2016-2183). Drop both and prefer AEAD suites only; the Mozilla SSL Configuration Generator is a maintained reference for current strings.
  * ''SSLHonorCipherOrder on'' makes the server's order win, which is what makes the ordering in the cipher string meaningful.
  * Since Apache 2.4.8 ''SSLCertificateChainFile'' is deprecated: append the intermediate certificate(s) to the file given in ''SSLCertificateFile'' instead (see "Concatenate the primary and intermediate certificates"). ''SSLCACertificateFile'' is only needed for client-certificate authentication.

6. Edit /etc/sysconfig/apache2 (SUSE): change APACHE_START_TIMEOUT="2" to APACHE_START_TIMEOUT="10" (time allowed for entering the key passphrase at startup) and APACHE_SERVER_FLAGS="" to APACHE_SERVER_FLAGS="SSL" (activates the ''<IfDefine SSL>'' sections).

7. Restart Apache:

  rcapache2 restart

(on systemd-based releases: ''systemctl restart apache2'')

==== SSLPassPhraseDialog ====

To start apache2 unattended with a passphrase-protected key, edit "/etc/apache2/ssl-global.conf":

Default:

  #SSLPassPhraseDialog builtin

Add:

  SSLPassPhraseDialog |/etc/apache2/script_passphrase

or

  SSLPassPhraseDialog exec:/etc/apache2/script_passphrase

script_passphrase:

  #!/bin/sh
  echo "passphrase"

Note: the passphrase is now stored in cleartext in the script, so anyone who can read the script can decrypt the key. This gives no more protection than an unencrypted key file; its only purpose is unattended restarts. Make the script root-owned with mode 0700 and keep it out of backups and version control that others can read.

==== Convert Certificate ====

=== Convert pfx to *key and *crt ===

  openssl pkcs12 -in mybackup.pfx -nocerts -out mykey.key
  openssl pkcs12 -in mybackup.pfx -nokeys -out mycert.crt

The first command asks for the import password of the .pfx and then for a new PEM passphrase for the exported key (''-nodes'' would write it unencrypted straight away).

Optionally: remove the passphrase from the key (same file-permission caveat as above):

  cp mykey.key mykey.key.bak
  openssl rsa -in mykey.key -out mykey-without-pp.key

=== Convert key, crt to pfx ===

  openssl pkcs12 -export -inkey mykey.key -in mycert.crt -out mybackup.pfx

=== Convert key, crt to pem ===

PEM is just the text encoding; a combined file is the two PEM blocks one after the other:

  cat server.crt server.key > server.pem

=== Convert pem to crt, key ===

The first command writes the certificate in binary DER encoding (the .crt suffix is only a naming convention); the second extracts the RSA key from a combined PEM file:

  openssl x509 -outform der -in yourPemFilename.pem -out certfileOutName.crt
  openssl rsa -in yourPemFilename.pem -out keyfileOutName.key

=== Convert pfx to jks ===

  keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS

or

  keytool -importkeystore -srckeystore mypfxfile.pfx -destkeystore my.jks -deststoretype pkcs12

Note: the second variant produces a PKCS#12 file, not a JKS file, whatever the suffix says. That is fine: JKS is a legacy proprietary format and Java 9 and later default to PKCS#12 anyway; just pass ''-storetype pkcs12'' when a tool insists on knowing.

=== PEM to JKS ===

  openssl pkcs12 -export -in my.pem -inkey my.pem -out my.jks -name myalias

This also produces a PKCS#12 file (with the misleading suffix .jks). Java can use it directly as a PKCS#12 keystore; if a real JKS file is required, convert it with ''keytool -importkeystore'' as shown above.

=== Extracting a certificate/key pair from a Java keystore ===

  #!/bin/bash
  NAME='tomcatSSL'
  PASS='password'
  # Save the file you received from UMLS as $NAME.jks
  # Uncomment the 3 lines below on the first run
  # wget 'http://www.source-code.biz/snippets/java/Base64Coder.java.txt' -O 'Base64Coder.java'
  # wget 'http://mark.foster.cc/pub/java/ExportPriv.old.java' -O 'ExportPriv.java'   # the new version doesn't wrap lines at 64 characters
  # javac Base64Coder.java ExportPriv.java
  # list certificates in the keystore:
  # keytool -list -v -keystore $NAME.jks -storepass $PASS
  # export certificate as DER:
  keytool -export -alias $NAME -keystore $NAME.jks -storepass $PASS -file $NAME.crt.der
  # convert DER certificate to PEM:
  openssl x509 -in $NAME.crt.der -inform DER -out $NAME.crt.pem -outform PEM
  # export the private key as PEM-encoded PKCS#8 (ExportPriv writes base64 text):
  java ExportPriv $NAME.jks $NAME $PASS > $NAME.pkcs8
  # convert the unencrypted PKCS#8 PEM key to a traditional RSA PEM key:
  openssl pkcs8 -nocrypt -in $NAME.pkcs8 -inform PEM -out $NAME.rsa -outform PEM
  # combine PEM certificate and RSA key into one PEM file:
  cat $NAME.crt.pem $NAME.rsa > $NAME.pem
  echo "Saved key/certificate pair as $NAME.pem"
  # clean up:
  # rm $NAME.crt.der
  # rm $NAME.crt.pem
  # rm $NAME.pkcs8
  # rm $NAME.rsa

Caveats: this script downloads and compiles unverified Java source from two third-party sites over plain HTTP and then hands it the keystore password and private key, which is a supply-chain risk; it also keeps the keystore password in the script and passes it on the command line, where it is visible in the process list. No external code is needed: ''keytool -importkeystore ... -deststoretype pkcs12'' (the reverse of the "Convert pfx to jks" command above) turns the JKS into a PKCS#12 file, from which ''openssl pkcs12 -nocerts'' extracts the key exactly as in "Convert pfx to *key and *crt".

=== Concatenate the primary and intermediate certificates ===

  cat your_domain_name.crt intermediate.crt >> bundle.crt

Order matters: the server (leaf) certificate first, then the intermediate(s) in chain order, without the root. ''>>'' appends, so delete a stale bundle.crt first or use ''>'' to avoid duplicated entries.

==== Creating a certificate request ====

To create a 4096-bit RSA key (unencrypted, because of ''-nodes'') and a SHA-256-signed certificate request in one step:

  openssl req -nodes -sha256 -newkey rsa:4096 -keyout ssl.key -out ssl-request.csr

Content:

  CN = www.123.org
  OU = Department
  O  = Company-Name
  L  = City
  S  = Region
  C  = DE

Check the output:

  openssl req -noout -text -in ssl-request.csr

As with the self-signed certificate, include the host name(s) as subjectAltName (''-addext "subjectAltName=DNS:www.123.org"'' with OpenSSL 1.1.1 or later); most CAs ignore the CN for host matching.

==== Creating a certificate request (RSA or DSA) ====

1. First you need to create a private key:

1.1 RSA key

  openssl genrsa -des3 -out privkey.key 4096
  openssl genrsa -out privkey.key 4096        # without password

1.2 DSA key (two steps; the parameter file written in the first step is the one read in the second)

  openssl dsaparam -out dsaparam.pem 1024
  openssl gendsa -des3 -out privkey.key dsaparam.pem

With the ''-des3'' variants you will be prompted for a protecting password. If you don't want your key to be protected by a password, remove the flag ''-des3'' from the command line above.

Note: 1024-bit DSA is obsolete and DSA certificates are no longer accepted by current browsers or TLS 1.3 at all; use RSA (2048 bit or more) or ECDSA.

2. Afterwards you can create the certificate request:

  openssl req -new -key privkey.key -out cert.csr

Content:

  CN = www.123.org
  OU = Department
  O  = Company-Name
  L  = City
  S  = Region
  C  = DE

3. Check the output:

  openssl req -noout -text -in cert.csr

See also:
  * http://www.openssl.org/docs/HOWTO/keys.txt
  * http://www.openssl.org/docs/HOWTO/certificates.txt

==== Redirect ====

Redirect e.g. http to https (below the "DocumentRoot" directive):

  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

**Note:** "rewrite_module" has to be installed/loaded (on SUSE: ''a2enmod rewrite'', then restart).

''[R]'' alone sends a temporary 302; use ''[R=301,L]'' for a permanent redirect. With ''UseCanonicalName On'' the target host is the configured ServerName rather than whatever the client put into the Host header. Once everything is served over HTTPS, add a Strict-Transport-Security header (mod_headers) so browsers stop requesting the plain-HTTP URL in the first place.

Proxypass (inside the ''<Location>'' block for the proxied path; the page does not show the block itself):

  . . .
  ProxyPass http://localhost:8080/
  ProxyPassReverse http://localhost:8080/
  Order deny,allow
  Allow from all

Notes: this needs mod_proxy and mod_proxy_http loaded. ''Order''/''Allow'' is Apache 2.2 syntax; on 2.4 use ''Require all granted''. Never set ''ProxyRequests On'' for a reverse proxy, as that turns the server into an open forward proxy.

==== Test ====

  apachectl -t -D DUMP_MODULES   # dump active modules
  apachectl -t                   # check syntax
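The mod_ssl configuration in step 5 of the SSL/TLS section leaves TLS 1.1 and the 3DES/MEDIUM suites enabled. The following added example (not code from this wiki) is a small Python linter that expands an ''SSLProtocol'' argument list the way mod_ssl does, scans an ''SSLCipherSuite'' string for keywords that admit weak suites, and checks ''SSLHonorCipherOrder''. The three configuration fragments inside it are constructed: the page's active lines, the page's commented-out legacy cipher string, and a TLS 1.2/1.3-only variant with standard OpenSSL cipher names.

```python
"""Lint SSLProtocol / SSLCipherSuite / SSLHonorCipherOrder in an Apache
mod_ssl config fragment.  Added example, not code from the original page;
all fragments below are constructed."""

# What "all" expands to in Apache 2.4 mod_ssl (SSLv2 is not supported there
# and can only show up as an explicit token).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Versions that must not be offered any more (RFC 6176, RFC 7568, RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL cipher-string keywords that admit unauthenticated, unencrypted,
# export-grade or 64-bit-block (SWEET32) suites.  MEDIUM contains 3DES in
# OpenSSL 1.0.2 and later.
WEAK_CIPHER_KEYWORDS = {
    "aNULL", "eNULL", "NULL", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
    "LOW", "MEDIUM", "DES", "3DES", "RC4", "MD5", "SSLv2",
}


def active_directives(fragment, name):
    """Argument string of every uncommented `name` directive (quotes stripped,
    because mod_ssl accepts SSLCipherSuite 'a:b' as well as SSLCipherSuite a:b)."""
    values = []
    for raw in fragment.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            values.append(parts[1].strip().strip("'\""))
    return values


def enabled_protocols(sslprotocol):
    """Expand [+|-]name tokens left to right; "all" stands for ALL_PROTOCOLS.
    "All -SSLv3 -TLSv1" therefore still leaves TLSv1.1 enabled."""
    enabled = set()
    for token in sslprotocol.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def weak_cipher_tokens(ciphersuite):
    """Cipher-string elements that can select a weak suite.  '!' removes suites
    permanently and is fine; a bare element adds, '+' reorders and '-' removes
    only until re-added, so all three are reported."""
    flagged = []
    for element in ciphersuite.split(":"):
        if not element or element.startswith("!"):
            continue
        keywords = element.lstrip("+-").split("+")
        if any(k in WEAK_CIPHER_KEYWORDS for k in keywords):
            flagged.append(element)
    return flagged


def lint(fragment):
    """List of (directive, message) findings; an empty list means clean."""
    findings = []
    protocols = active_directives(fragment, "SSLProtocol")
    if not protocols:
        findings.append(("SSLProtocol", "not set; relying on the mod_ssl default"))
    for value in protocols:
        for name in sorted(enabled_protocols(value) & DEPRECATED_PROTOCOLS):
            findings.append(("SSLProtocol", f"{name} is enabled"))
    for value in active_directives(fragment, "SSLCipherSuite"):
        for element in weak_cipher_tokens(value):
            findings.append(("SSLCipherSuite", f"{element} can select weak suites"))
    if "on" not in [v.lower() for v in active_directives(fragment, "SSLHonorCipherOrder")]:
        findings.append(("SSLHonorCipherOrder", "not 'on'; the client picks the cipher"))
    return findings


# Constructed: the active lines of step 5 on the page.
PAGE_FRAGMENT = """
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:+3DES:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
#SSLProtocol TLSv1.2
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
"""

# Constructed: the page's commented-out cipher string with every protocol on.
LEGACY_FRAGMENT = """
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
"""

# Constructed: TLS 1.2/1.3 with AEAD suites only (standard OpenSSL names).
HARDENED_FRAGMENT = """
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
"""

if __name__ == "__main__":
    for label, frag in (("page", PAGE_FRAGMENT), ("legacy", LEGACY_FRAGMENT), ("hardened", HARDENED_FRAGMENT)):
        print(f"{label}:")
        for directive, message in lint(frag) or [("-", "no findings")]:
            print(f"  {directive}: {message}")
```

Run against the page's own fragment it reports exactly the two points raised in the notes above (TLS 1.1 enabled; ''+3DES'' and ''MEDIUM'' in the cipher string), the hardened fragment comes back clean, and the legacy string lights up on every weak keyword plus the missing ''SSLHonorCipherOrder''. The linter only knows the keyword groups listed in WEAK_CIPHER_KEYWORDS; it is a sanity check for config review, not a replacement for testing the live server with a TLS scanner.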
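The User Authentication section above creates an AuthUserFile with ''htpasswd2'' and protects it with Basic authentication. The following added example (not code from this wiki) implements the ''$apr1$'' hash that htpasswd/htpasswd2 write by default (the APR variant of MD5-crypt, as computed by apr_md5_encode()), verifies credentials against such a file, and decodes an ''Authorization: Basic'' header to show that the password travels in cleartext. The password file, user names, passwords and salts are constructed for the example; bcrypt entries (''htpasswd -B'') are not handled.

```python
"""Check HTTP Basic credentials against an htpasswd-style file ($apr1$ format).
Added example, not code from the original page; SAMPLE_HTPASSWD and all
credentials in it are constructed."""
import base64
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = "$apr1$"


def _to64(value, count):
    """crypt(3)-style encoding: `count` chars, least significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_hash(password, salt):
    """$apr1$<salt>$<22 chars>, following apr_md5_encode() step by step."""
    pw, salt = password.encode(), salt[:8]           # APR uses at most 8 salt chars
    sb = salt.encode()
    ctx = hashlib.md5(pw + APR1_MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for left in range(len(pw), 0, -16):               # alt digest once per 16 pw bytes
        ctx.update(alt[:min(16, left)])
    i = len(pw)
    while i:                                          # bit-walk over the pw length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                             # fixed 1000-round stretching
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    groups = [(0, 6, 11), (1, 7, 12), (2, 8, 13), (3, 9, 14), (4, 10, 15)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups) + _to64(final[5], 2)
    return f"{APR1_MAGIC}{salt}${encoded}"


def new_apr1_hash(password):
    """Hash with a fresh random 8-character salt, as `htpasswd2 -m` does."""
    return apr1_hash(password, "".join(secrets.choice(ITOA64) for _ in range(8)))


def parse_htpasswd(text):
    """Map user -> stored hash; blank lines and '#' comments are ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users


def verify(users, username, password):
    """True if `password` matches the user's $apr1$ entry (other formats: False)."""
    stored = users.get(username, "")
    if not stored.startswith(APR1_MAGIC):
        return False
    salt = stored[len(APR1_MAGIC):].split("$", 1)[0]
    return secrets.compare_digest(apr1_hash(password, salt), stored)


def decode_basic_header(header):
    """(user, password) from 'Basic <base64>'; None for any other scheme.
    There is no encryption here: base64 is reversible by anyone on the path."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def authorize(users, header):
    """What the server does per request: decode the header, look up, compare."""
    creds = decode_basic_header(header)
    return creds is not None and verify(users, *creds)


# Constructed sample of what `htpasswd2 -c /etc/apache2/.htaccess testuser` writes
# (generated here with fixed salts so the example runs offline).
SAMPLE_HTPASSWD = "\n".join([
    "# AuthUserFile for AuthName \"Testlogin\"",
    "testuser:" + apr1_hash("s3cret", "x2Uw9kQd"),
    "testuser1:" + apr1_hash("another", "pQ7.mZ1a"),
])

if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    header = "Basic " + base64.b64encode(b"testuser:s3cret").decode()
    print("header decodes to", decode_basic_header(header))   # cleartext credentials
    print("authorized:", authorize(users, header))
```

The decoded header is the reason the section above insists on HTTPS: every request carries the reusable password, and the 1000 MD5 rounds of ''$apr1$'' are cheap for an offline attacker who obtains the file, which is why ''-B'' (bcrypt) is preferable on Apache 2.4.4 or later.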