httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erik Dobák <erik.do...@gmail.com>
Subject Re: [users@httpd] How to enable 443 on apache2 using provided key files
Date Thu, 02 Feb 2017 19:26:56 GMT
well i am still unsure abut the full encryption. i don't like that. if
there is a problem the overheads grow to analyze the situation. what about
just signing the messages? i mean if you have messages for all why do you
want to hide them?

E

On 2 February 2017 at 17:54, <rich.greder@hushmail.com> wrote:

> Hello,
>
> There is a freshly installed (from Ubuntu 16.04 package) apache server
> running in a large institution that needs to have port 443 traffic
> enabled.  I am helping a friend of mine configure this server and, at the
> same time, writing a document for reproducing the installation procedure
> that will be published online.  The server has it's own subdomain and the
> system administrator generated encryption keys to be used for this server.
> The administrator is talented, but seems to be inexperienced in open-source
> solutions, so outside help is needed.  As a courtesy to my friend, whom I'm
> helping set this up, I've anonymized the TLD from the filename, but the
> files are as follows:
>
> _.example.com.p12
> Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt
> SSL Certificate - .example.com.txt
>
> I personally do not have easy access to these files, but I can request
> actions to be performed on them.  I had not previously been acquainted with
> P12 files until now.  I found a website that seems to be able to help me
> export data from the P12 file into a data format that apache can readily
> use:
>
> http://wiki.i.gov.ph/iwiki/bin/view/PNPKI/How+to+install+
> SSL+certificate+in+apache+ubuntu+server
>
> After reading through this website, I proposed these steps:
>
> sudo openssl pkcs12 -in /vault/_.example.com.p12 -nocerts -out
> /vault/private.pem
> sudo openssl rsa -in private.pem -out /vault/key.pem
> sudo openssl pkcs12 -in /vault/_.example.com.p12 -clcerts -nokeys -out
> /vault/cert.pem
> sudo openssl pkcs12 -in /vault/_.example.p12 -nokeys -cacerts -out
> /vault/CAchain.pem
>
> And then modify ./sites-available/site-443.conf with the lines:
>
> SSLCertificateFile /vault/cert.pem
> SSLCertificateKeyFile /vault/keys.pem
> SSLCertificateChainFile /vault/CAchain.pem
> SSLCACertificateFile /vault/Intermediate-GeoTrust-True
> BusinessID-RSA-SHA2-SHA1Root-primary.txt
>
>
> We tried some of the openssl commands in that document, but we don't have
> the password.  The file named "SSL Certificate - .example.com.txt" is
> unused, and that does concern me that I'm either neglecting a critical file
> or needlessly duplicating it.  Before asking the administrator for a
> password, we have questioned whether we are making this needlessly
> difficult and were curious if there is a solution where these files can be
> used directly by apache.
>
> As you can guess, I'm no expert at encryption.  Getting keys, for the
> purpose of self-education is very expensive.  The extent of my experience
> is limited to creating self-signed certificates back in the good old days
> before the web-browser people decided that was to be forbidden practice,
> and more recently, letsencrypt.org, which operates in a magical smoke and
> mirrors method.  I would like to know if this would be the best practice
> for my friend encrypting his server's traffic.  I am very grateful for any
> feedback.
>
> Thank you very much!
>
> Rich
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Mime
View raw message