Apache

User Authentication

Create a password file with htpasswd2 (plain "htpasswd" on most other distributions). The example names it ".htaccess", which is easy to confuse with Apache's per-directory config file of that name; any name works, but the file must live outside the DocumentRoot so it can never be served. "-c" creates the file and silently overwrites an existing one, so use it only for the first user; on Apache 2.4 add "-B" to get bcrypt instead of the default MD5-based hash:

htpasswd2 -c passwordfile username

Example:

htpasswd2 -c .htaccess testuser

Put the following into httpd.conf inside the "<Directory>" block (needs mod_auth_basic, mod_authn_file and mod_authz_user loaded):

AuthType        Basic
AuthName        "Testlogin"
AuthUserFile    /etc/apache2/.htaccess
Require user    testuser testuser1 testuser2

Basic authentication sends the password base64-encoded, not encrypted, with every request, so use it only inside an HTTPS virtual host.
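The same password file can be maintained and checked without htpasswd, as an added example that is not part of the original page: "openssl passwd -apr1" writes the $apr1$ (Apache MD5-crypt) format that htpasswd uses by default, and verification works exactly like mod_authn_file's, by re-hashing with the stored salt. File name, user names and the group assumed for chmod are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: maintain an Apache password file
# with OpenSSL alone, in the $apr1$ format (Apache's MD5-crypt variant) that
# htpasswd writes by default, and verify a candidate password against it the
# way mod_authn_file does. Where htpasswd is installed, "htpasswd -B" (bcrypt)
# is the better choice; apr1 is used here only because "openssl passwd -apr1"
# can produce it. File name and user names below are assumptions.
set -eu

# add_user FILE USER PASSWORD
# Appends USER, replacing an existing entry. Unlike "htpasswd -c" the file is
# never truncated, so other users survive. The password goes in via stdin,
# not argv, so it does not show up in "ps".
add_user() {
    file=$1; user=$2; pass=$3
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    touch "$file"
    grep -v "^$user:" "$file" > "$file.tmp" || true
    printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
    chmod 640 "$file.tmp"            # owner + web server group only (assumed group)
    mv "$file.tmp" "$file"
}

# check_password FILE USER PASSWORD -> exit 0 if PASSWORD matches USER's entry
# The stored entry is $apr1$<salt>$<hash>; re-hashing the candidate with the
# stored salt must reproduce the entry byte for byte.
check_password() {
    file=$1; user=$2; pass=$3
    stored=$(grep "^$user:" "$file" | head -n 1 | cut -d: -f2)
    [ -n "$stored" ] || return 1
    case $stored in
        '$apr1$'*) ;;
        *) echo "check_password: unsupported hash format for $user" >&2; return 1 ;;
    esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    computed=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$computed" = "$stored" ]
}

# Usage: HTPASSWD_DEMO=1 sh htpasswd-openssl.sh
if [ "${HTPASSWD_DEMO:-0}" = 1 ]; then
    f=$(mktemp)
    add_user "$f" testuser 'correct horse'
    add_user "$f" testuser1 'another one'
    cat "$f"
    check_password "$f" testuser 'correct horse' && echo "testuser: password accepted"
    check_password "$f" testuser 'wrong' || echo "testuser: password rejected"
    rm -f "$f"
fi
```

The salt is the third "$"-separated field of the entry; feeding it back to "openssl passwd -salt" is what makes the comparison deterministic, and a mismatch in format (bcrypt, {SHA}) is reported rather than silently treated as a wrong password.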

SSL Configuration (self-signed certificate)

1. Seed file (optional; current OpenSSL seeds itself from the OS CSPRNG, so this step can be skipped). The original "cat /dev/random > /tmp/random" never terminates because cat copies until it is interrupted; read a bounded amount instead:

head -c 1024 /dev/urandom > /tmp/random

2. Generate key ("-des3" encrypts it with a passphrase that must be typed at every Apache start; see "Remove Passphrase" and "SSLPassPhraseDialog" below):

openssl genrsa -des3 -out /tmp/server.key -rand /tmp/random 2048

3. Generate a self-signed certificate (without -days it is valid for only 30 days; "-nodes" only has an effect together with -newkey and was a no-op here):

openssl req -new -x509 -key /tmp/server.key -out /tmp/server.crt

or

openssl req -new -x509 -key /tmp/server.key -days 365 -sha256 -out /tmp/server.crt

Info (the fields asked for interactively; the state/province field is "ST" in -subj syntax):

CN = portal.test.de
OU = Rechenzentrum
 O = Portal Test GmbH
 L = MYCity
ST = Baden-Wuerttemberg
 C = DE

Note: current browsers ignore the CN and require the host name in a subjectAltName extension; add -addext "subjectAltName=DNS:portal.test.de" (OpenSSL 1.1.1 and later) or the certificate will be rejected even when installed as trusted.

4. Copy to the Apache directories:

cp /tmp/server.key /etc/apache2/ssl.key/.
cp /tmp/server.crt /etc/apache2/ssl.crt/.

Optionally: Remove Passphrase from Key (Apache then starts without prompting; the key is protected by file permissions alone from now on, so make it mode 0600, owned by root, and keep it out of unencrypted backups)

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

All at once (key and self-signed certificate in one step; add -addext "subjectAltName=DNS:hostname.local" so that clients accept the host name):

openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout domain.key \
-x509 -days 1000 -out domain.crt -subj "/C=DE/ST=BW/L=MyCity/O=tmade/OU=Datacenter/CN=hostname.local/emailAddress=mymail@domain.com"

Check

openssl x509 -noout -text -in server.crt
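The steps above, as an added example that is not part of the original page, with the one thing the page's commands lack, a subjectAltName, and with the checks a client performs afterwards (host name match, chain verification against the certificate itself). Host name, subject fields, directory and lifetime are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: the page's "openssl req -x509"
# commands put the host name only into the CN. Browsers and most TLS libraries
# ignore the CN and require a subjectAltName, so this variant adds one (plus
# extendedKeyUsage=serverAuth) and then checks the result the way a client
# would: host name match and a chain check against itself as trust anchor.
# Host name, subject fields, directory and lifetime are assumptions.
set -eu

# make_selfsigned DIR HOST [DAYS]
# Writes DIR/server.key (unencrypted, mode 0600, so Apache starts unattended
# and the key is guarded by permissions instead of a passphrase) and
# DIR/server.crt valid for HOST and www.HOST.
make_selfsigned() {
    dir=$1; host=$2; days=${3:-365}
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -subj "/C=DE/ST=Baden-Wuerttemberg/L=MYCity/O=Portal Test GmbH/OU=Rechenzentrum/CN=$host" \
          -addext "subjectAltName=DNS:$host,DNS:www.$host" \
          -addext "extendedKeyUsage=serverAuth" \
          -keyout "$dir/server.key" -out "$dir/server.crt" )
    chmod 644 "$dir/server.crt"   # the certificate is public
}

# san_list CERT -> the subjectAltName entries, e.g. "DNS:a.test, DNS:www.a.test"
san_list() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep 'DNS:' | sed 's/^ *//'
}

# check_hostname CERT HOST -> exit 0 when HOST is covered (SAN, wildcards included)
check_hostname() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# check_chain CERT -> exit 0 when CERT verifies with itself as the only trust
# anchor (what a client that pins this self-signed certificate will do)
check_chain() {
    openssl verify -CAfile "$1" "$1" > /dev/null
}

# Usage: SELFSIGNED_DEMO=1 sh selfsigned.sh
if [ "${SELFSIGNED_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    make_selfsigned "$d" portal.test.de 365
    echo "SAN: $(san_list "$d/server.crt")"
    check_hostname "$d/server.crt" www.portal.test.de && echo "www.portal.test.de is covered"
    check_chain "$d/server.crt" && echo "chain OK"
    openssl x509 -in "$d/server.crt" -noout -subject -enddate
fi
```

"openssl x509 -checkhost" applies the same matching rules as a TLS client (RFC 6125: SAN first, wildcards only in the leftmost label), so a name that fails here will fail in the browser regardless of what the CN says.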

5. Edit "/etc/apache2/httpd.conf" (or default-server.conf) inside the SSL "<VirtualHost *:443>" but outside the "<Directory>" block (Apache does not allow comments after a directive on the same line, so the notes below are on lines of their own):

SSLEngine on
# old, insecure string (RC4, LOW, eNULL, SSLv2): do not use
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLHonorCipherOrder on
# the string below still allows 3DES and CBC suites ("+3DES", "MEDIUM", "AES");
# for TLS 1.2 prefer AEAD-only suites (AESGCM, CHACHA20)
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:+3DES:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
# "SSLProtocol All -SSLv2 -SSLv3 -TLSv1" leaves TLSv1.1 enabled, which is deprecated (RFC 8996)
# TLSv1.3 needs Apache >= 2.4.36 with OpenSSL >= 1.1.1; on older versions use "SSLProtocol -all +TLSv1.2"
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
# intermediate certificate(s): SSLCertificateChainFile is deprecated since Apache 2.4.8;
# append them to the file given in SSLCertificateFile instead (server certificate first)
#SSLCertificateChainFile /etc/apache2/ssl.crt/intermediate.crt
# SSLCACertificateFile is NOT for the served chain: it lists the CAs accepted for
# client certificates (SSLVerifyClient) and does nothing for server authentication
#SSLCACertificateFile /etc/apache2/ssl.crt/intermediate.crt
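To see what a given SSLCipherSuite string actually offers, expand it with the local OpenSSL; mod_ssl resolves the string through the same library at start-up. The following is an added example, not from the original page: it reproduces the page's string and counts the suites that are not AEAD (CBC with HMAC, 3DES). The AEAD-only alternative in MODERN_SUITE is an assumption for the example.

```sh
#!/bin/sh
# Added example, not from the original page: expand an SSLCipherSuite string
# with the local OpenSSL, the way mod_ssl does at start-up (provided it is the
# OpenSSL Apache is linked against), and count the suites that are not AEAD
# (CBC with HMAC, 3DES). The page's string is reproduced as PAGE_SUITE; the
# AEAD-only alternative in MODERN_SUITE is an assumption for the example.
# TLS 1.3 suites are printed as well; mod_ssl selects those separately.
set -eu

PAGE_SUITE='EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:+3DES:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
MODERN_SUITE='ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!eNULL'

# expand_suite STRING -> one "NAME PROTOCOL Kx= Au= Enc= Mac=" line per suite,
# in the order the server would prefer them (SSLHonorCipherOrder on)
expand_suite() {
    openssl ciphers -v "$1"
}

# list_non_aead STRING -> names of the offered suites that use a CBC/HMAC construction
list_non_aead() {
    expand_suite "$1" | grep -v 'Mac=AEAD' | awk '{ print $1 }'
}

# count_non_aead STRING -> number of such suites (0 means AEAD only)
count_non_aead() {
    list_non_aead "$1" | grep -c . || true
}

# Usage: sh cipher-audit.sh
printf 'page string:   %s non-AEAD suites, e.g. %s\n' \
    "$(count_non_aead "$PAGE_SUITE")" "$(list_non_aead "$PAGE_SUITE" | head -n 3 | tr '\n' ' ')"
printf 'modern string: %s non-AEAD suites\n' "$(count_non_aead "$MODERN_SUITE")"
```

The "Mac=" column is the quickest tell: AEAD suites show "Mac=AEAD", everything else is an Encrypt-then-MAC or MAC-then-Encrypt CBC construction that has had padding-oracle issues (Lucky 13 and friends). Run it on the server itself so the expansion uses the same OpenSSL build as Apache.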

6. Edit /etc/sysconfig/apache2 (SUSE) and change the start timeout, so that there is enough time to enter the key passphrase at start-up, and enable the SSL flag:

APACHE_START_TIMEOUT="2"

to

APACHE_START_TIMEOUT="10"

and

APACHE_SERVER_FLAGS=""

to

APACHE_SERVER_FLAGS="SSL"

7. Restart Apache (on systemd-based SUSE releases: systemctl restart apache2):

rcapache2 restart

SSLPassPhraseDialog

To start apache2 without typing the passphrase of an encrypted SSL key at every start, edit the file "/etc/apache2/ssl-global.conf":

Default (prompts on the terminal at start-up):

#SSLPassPhraseDialog builtin

Replace it with:

SSLPassPhraseDialog |/etc/apache2/script_passphrase

or

SSLPassPhraseDialog exec:/etc/apache2/script_passphrase

script_passphrase (mod_ssl runs it as root at start-up with "servername:port" and the key type as arguments and reads the passphrase from its stdout):

#!/bin/sh
echo "passphrase"

Note: the passphrase now sits in plaintext in the script, so this protects the key no better than an unencrypted key file with mode 0600 would; make the script root-only (chmod 0700) and keep it out of version control and backups.
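A variant of script_passphrase that keeps the passphrases out of the script, as an added example that is not part of the original page. It follows mod_ssl's calling convention (two arguments, passphrase on stdout) but looks the server up in a separate root-only table; the table path is an assumption and can be overridden with PASSPHRASE_TABLE.

```sh
#!/bin/sh
# Added example, not from the original page: a script_passphrase that does not
# hard-code the passphrase. mod_ssl runs the program as root at start-up with
# two arguments, "servername:port" and the key type (RSA, DSA or ECC), and reads
# the passphrase from its stdout. This version looks the server up in a table
# (one "servername:port passphrase" per line; the path is an assumption and can
# be overridden with PASSPHRASE_TABLE) and refuses to answer unless the table is
# a regular file readable by its owner only, so a sloppy chmod is noticed at
# start-up instead of quietly exposing every passphrase.
set -eu

TABLE=${PASSPHRASE_TABLE:-/etc/apache2/ssl.key/passphrases}

# table_is_private FILE -> exit 0 if FILE is a regular file with mode 0600 or 0400
table_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || [ "$mode" = "-r--------" ]
}

# lookup_passphrase TABLE SERVER -> prints the passphrase for SERVER (the rest
# of the line after the first field, so it may contain spaces); exit 1 if absent
lookup_passphrase() {
    awk -v s="$2" '$1 == s { sub(/^[^ \t]+[ \t]+/, ""); print; found = 1; exit }
                   END { exit !found }' "$1"
}

# Entry point when invoked by mod_ssl ($1 = servername:port, $2 = key type)
if [ $# -eq 2 ]; then
    table_is_private "$TABLE" || {
        echo "$0: $TABLE must be a regular file with mode 0600" >&2
        exit 1
    }
    lookup_passphrase "$TABLE" "$1"
fi
```

The table must also be owned by root; the script runs as root during start-up, so the passphrase never has to be readable by the unprivileged worker user. Any failure makes Apache refuse to start, which is the desired outcome when the table has been left world-readable.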

Convert Certificate

Convert pfx to *.key and *.crt

The first command asks for the import password of the PFX and then for a passphrase to encrypt the exported key (add -nodes to write it unencrypted); the second writes every certificate in the file, including the chain (add -clcerts to get only the server certificate):

openssl pkcs12 -in mybackup.pfx -nocerts -out mykey.key
openssl pkcs12 -in mybackup.pfx -nokeys -out mycert.crt

Optionally: Remove Passphrase from Key

cp mykey.key mykey.key.bak
openssl rsa -in mykey.key -out mykey-without-pp.key

Convert key, crt to pfx (add -certfile intermediate.crt to include the chain; -name sets the alias shown by Java's keytool):

openssl pkcs12 -export -inkey mykey.key -in mycert.crt -out mybackup.pfx 

Convert key, crt to pem (one file with both; it contains the private key, so give it the key's permissions):

cat server.crt server.key > server.pem

Convert pem to crt, key ("-outform der" writes a binary DER certificate, which is what Windows expects under .crt/.cer; drop it to keep the certificate in PEM):

openssl x509 -outform der -in yourPemFilename.pem -out certfileOutName.crt
openssl rsa -in yourPemFilename.pem -out keyfileOutName.key
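The PFX conversions above without interactive prompts, as an added example that is not part of the original page, including the check that belongs after every conversion: that the extracted key really is the key of the extracted certificate. File names, the export password and the throwaway certificate are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: a non-interactive PKCS#12 round
# trip. The page's commands prompt for passwords; here they are passed with
# -passin/-passout so the steps can run from scripts, the extracted key is
# written owner-only and unencrypted (what Apache needs), and key and
# certificate are compared by RSA modulus, which catches the classic mistake of
# pairing a certificate with the wrong key. File names, the password and the
# throwaway self-signed certificate are assumptions for the example.
set -eu

# make_test_pair DIR -> throwaway key and self-signed certificate as input (constructed)
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj '/CN=pkcs12.example.test' \
        -keyout "$1/mycert.key" -out "$1/mycert.crt"
}

# to_pfx DIR PASSWORD -> DIR/mybackup.pfx with key and certificate
# (add "-certfile intermediate.crt" to ship the chain; -name is the alias that
# Java's keytool will show)
to_pfx() {
    openssl pkcs12 -export -inkey "$1/mycert.key" -in "$1/mycert.crt" \
        -name mycert -passout "pass:$2" -out "$1/mybackup.pfx"
}

# from_pfx DIR PASSWORD -> DIR/mykey.key (unencrypted, mode 0600) and
# DIR/mycert.crt.out (server certificate only; -clcerts leaves out the chain)
from_pfx() {
    ( umask 077
      openssl pkcs12 -in "$1/mybackup.pfx" -passin "pass:$2" \
          -nocerts -nodes -out "$1/mykey.key" )
    openssl pkcs12 -in "$1/mybackup.pfx" -passin "pass:$2" \
        -nokeys -clcerts -out "$1/mycert.crt.out"
}

# key_matches_cert KEY CERT -> exit 0 if both carry the same RSA modulus
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: PKCS12_DEMO=1 sh pkcs12-roundtrip.sh
if [ "${PKCS12_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    make_test_pair "$d"
    to_pfx "$d" 'export-password'
    from_pfx "$d" 'export-password'
    key_matches_cert "$d/mykey.key" "$d/mycert.crt.out" && echo "key and certificate match"
    openssl pkcs12 -in "$d/mybackup.pfx" -passin pass:export-password -info -nokeys -noout
    rm -rf "$d"
fi
```

"pass:" on the command line is visible in the process list; for production scripts use "-passin file:/path" with a root-only file or "env:VAR". OpenSSL 3 exports PKCS#12 with AES-256-CBC and PBKDF2 by default; importers that only understand the old RC2/3DES-based format need the file re-exported with "-legacy" (requires the OpenSSL legacy provider).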

Convert pfx to jks

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS

or, since Java can read a PFX directly and PKCS12 has been the default keystore type since Java 9, copy it into a new PKCS#12 keystore (despite the .jks name the result is not JKS format):

keytool -importkeystore -srckeystore mypfxfile.pfx -destkeystore my.jks -deststoretype pkcs12

PEM to PKCS#12 usable as a Java keystore ("my.jks" is a PKCS#12 file, not JKS; -in and -inkey may point to the same file when it holds both certificate and key):

openssl pkcs12 -export -in my.pem -inkey my.pem -out my.jks -name myalias

Extracting a certificate/key pair from a Java keystore

The script relies on two Java helper classes fetched over plain HTTP on the first run; review them before compiling, or avoid them altogether by converting the JKS to PKCS#12 with keytool (second variant under "Convert pfx to jks" above) and extracting key and certificate with openssl pkcs12.

#!/bin/bash
set -e
NAME='tomcatSSL'
PASS='password'      # better: read -s -p 'keystore password: ' PASS
# Save the file you received from UMLS as $NAME.jks
# Uncomment the 3 lines below on the first run
# wget 'http://www.source-code.biz/snippets/java/Base64Coder.java.txt' -O 'Base64Coder.java'
# wget 'http://mark.foster.cc/pub/java/ExportPriv.old.java' -O 'ExportPriv.java' # the new version doesn't wrap lines at 64 characters
# javac Base64Coder.java ExportPriv.java
# list certificates in the keystore:
# keytool -list -v -keystore $NAME.jks -storepass $PASS
# export certificate as DER:
keytool -export -alias $NAME -keystore $NAME.jks -storepass $PASS -file $NAME.crt.der
# convert DER certificate to PEM:
openssl x509 -in $NAME.crt.der -inform DER -out $NAME.crt.pem -outform PEM
# export the private key as base64 PKCS#8 (ExportPriv prints PEM); keep it owner-readable only:
umask 077
java ExportPriv $NAME.jks $NAME $PASS > $NAME.pkcs8
# convert the PKCS#8 key to a traditional RSA PEM key:
openssl pkcs8 -nocrypt -in $NAME.pkcs8 -inform PEM -out $NAME.rsa -outform PEM
# combine PEM certificate and RSA key into one PEM file:
cat $NAME.crt.pem $NAME.rsa > $NAME.pem
echo "Saved key/certificate pair as $NAME.pem"
# clean up:
# rm $NAME.crt.der
# rm $NAME.crt.pem
# rm $NAME.pkcs8
# rm $NAME.rsa

Concatenate the primary and intermediate certificates (server certificate first, then the intermediate(s); use ">" rather than ">>" so that a second run does not duplicate entries):

cat your_domain_name.crt intermediate.crt > bundle.crt

Creating a certificate request

To create a request with a 4096-bit RSA key, signed with SHA-256 (-nodes leaves the key un-encrypted; public CAs take the host names from the subjectAltName, so add -addext "subjectAltName=DNS:www.123.org" on OpenSSL 1.1.1 and later):

openssl req -nodes -sha256 -newkey rsa:4096 -keyout ssl.key -out ssl-request.csr

Content (asked for interactively; the state/province field is "ST" in -subj syntax):

CN = www.123.org
OU = Department
 O = Company-Name
 L = City
ST = Region
 C = DE

Check output:

openssl req -noout -text -in ssl-request.csr

Creating a certificate request (RSA or DSA)

1. First you need to create a private key:

1.1 RSA key

openssl genrsa -des3 -out privkey.key 4096
openssl genrsa -out privkey.key 4096          #without password

1.2 DSA key (two steps). DSA certificates are obsolete: browsers do not accept them, TLS 1.3 dropped DSA, and 1024-bit parameters are below current minimums. Use RSA (or ECDSA) for anything new; the commands are kept for reference:

openssl dsaparam -out dsaparam.pem 1024
openssl gendsa -des3 -out privkey.key dsaparam.pem

With these variants you will be prompted for a protecting password. If you don't want the key to be protected by a password, remove the flag '-des3' from the command line above.

2. Afterwards you can create the certificate request:

openssl req -new -key privkey.key -out cert.csr

Content:

CN = www.123.org
OU = Department
 O = Company-Name
 L = City
 S = Region
 C = DE

3. Check output:

openssl req -noout -text -in cert.csr
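Both request procedures above in one non-interactive form, as an added example that is not part of the original page: key and CSR with a subjectAltName, followed by the checks worth doing before the request is sent to a CA. Host names, subject fields and file names are assumptions; KEYBITS (default 4096) can be overridden from the environment.

```sh
#!/bin/sh
# Added example, not from the original page: key and certificate request in
# one non-interactive step, with the host names in a subjectAltName (public CAs
# take the names from there, not from the CN), followed by the review a
# practitioner does before submitting: verify the request's self-signature,
# refuse keys shorter than 2048 bits, and print subject and names. Host names,
# subject fields and file names are assumptions; KEYBITS (default 4096) can be
# overridden from the environment.
set -eu

# make_csr DIR CN [ALTNAME...] -> DIR/ssl.key (mode 0600) and DIR/ssl-request.csr
make_csr() {
    dir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for n in "$@"; do san="$san,DNS:$n"; done
    ( umask 077
      openssl req -new -newkey "rsa:${KEYBITS:-4096}" -nodes -sha256 \
          -subj "/C=DE/ST=Region/L=City/O=Company-Name/OU=Department/CN=$cn" \
          -addext "subjectAltName=$san" \
          -keyout "$dir/ssl.key" -out "$dir/ssl-request.csr" )
    chmod 644 "$dir/ssl-request.csr"   # the request is public, only the key is secret
}

# csr_check CSR -> prints subject and SAN for review; exit 1 if the request's
# self-signature does not verify or the key is shorter than 2048 bits
csr_check() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    bits=$(openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || return 1
    openssl req -in "$1" -noout -subject
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage: CSR_DEMO=1 sh make-csr.sh
if [ "${CSR_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    make_csr "$d" www.123.org 123.org
    csr_check "$d/ssl-request.csr" && echo "request OK, send $d/ssl-request.csr to the CA"
fi
```

The self-signature check ("verify OK") proves the CSR was produced with the private key that is about to be kept; the size check is there because a CA will reject a 1024-bit key anyway, better to notice before the paperwork. The printed subject and SAN line are what to compare against the order form before submitting.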

See also:

http://www.openssl.org/docs/HOWTO/keys.txt

http://www.openssl.org/docs/HOWTO/certificates.txt

Redirect

Redirect e.g. http to https (in the port-80 vhost, below the "DocumentRoot" directive). "R" alone sends a temporary 302; use [R=301,L] once the HTTPS site is final so that clients cache the redirect. With UseCanonicalName Off (the default) %{SERVER_NAME} is taken from the client's Host header; set UseCanonicalName On, or write the host name literally, so the redirect cannot be pointed at a foreign host:

RewriteEngine   On
RewriteCond     %{HTTPS} !=on
RewriteRule     ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Note: "rewrite_module" has to be installed/loaded! Without mod_rewrite the same can be done with a "Redirect permanent" directive in the port-80 vhost.

ProxyPass (needs mod_proxy and mod_proxy_http). "Order deny,allow / Allow from all" is Apache 2.2 syntax; on 2.4 use "Require all granted" instead. Leave ProxyRequests at its default "Off", otherwise the server becomes an open forward proxy. The backend only sees plain HTTP: "ProxyPreserveHost On" passes the original Host header and a "RequestHeader set X-Forwarded-Proto https" (mod_headers) tells the application that the client connection was TLS:

<VirtualHost mydomain.com:443>
.
.
.
        <Location />
                ProxyPass http://localhost:8080/
                ProxyPassReverse http://localhost:8080/
                Order deny,allow
                Allow from all
        </Location>
</VirtualHost>

Test

apachectl -t -D DUMP_MODULES                    #dump active modules
apachectl -t                                    #check syntax