Embedded Files
Faruque Ahmed : MCP, MCSA, MCSE, MCTS, MCIT, CCNA, OCA, OCP, GCP
SSL Certificate (Self Signed)
SSL Certificate (Self Signed)
# apt-get install apache2 openssl -y
# vi /etc/ssl/openssl.cnf
#**add to last line**#[ worldcm.net ]subjectAltName = DNS:mail.worldcm.net
# cd /etc/ssl/private
# openssl ecparam -name prime256v1 -genkey -out server.key# openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [AU]: BD # country codeState or Province Name (full name) [Some-State]: Dhaka # stateLocality Name (eg, city) []: Dhaka # cityOrganization Name (eg, company) [Internet Widgits Pty Ltd]: World Communication # companyOrganizational Unit Name (eg, section) []: WC # departmentCommon Name (e.g. server FQDN or YOUR name) []: mail.worldcm.net # server's FQDNEmail Address []: root@worldcm.net # admin email address
Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []: 123456An optional company name []: WC
# openssl x509 -in server.csr -out server.crt -req -signkey server.key -extfile /etc/ssl/openssl.cnf -extensions worldcm.net -days 3650
root@:/etc/ssl/private# chmod 600 server.keyroot@:/etc/ssl/private# ll server.*
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
# vi /etc/postfix/main.cf
##SSLsmtpd_use_tls = yessmtpd_tls_cert_file = /etc/ssl/private/server.crtsmtpd_tls_key_file = /etc/ssl/private/server.keysmtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
vi /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/ssl/private/server.crtssl_key = </etc/ssl/private/server.key
# systemctl restart saslauthd
# systemctl restart postfix && systemctl restart dovecot
-----------------------------------
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \ -subj "/C=BD/ST=Dhaka/L=City/O=Organization/CN=mail.worldcm.net" \ -keyout /etc/ssl/private/server.key \ -out /etc/ssl/certs/server.pem
# vi main cf
smtpd_tls_cert_file=/etc/ssl/certs/server.pemsmtpd_tls_key_file=/etc/ssl/private/server.keysmtpd_use_tls=yessmtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scachesmtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
ServerAdmin sample_email@example.com
DocumentRoot /var/www/html
ServerAdmin root@worlcm.netServerName 192.0.2.1DocumentRoot /var/www/html
SSLCertificateFile /etc/ssl/certs/server.crt
<VirtualHost *:80>...
Redirect "/" "https://192.0.2.1/"
ServerAdmin webmaster@localhostDocumentRoot /var/www/html
...
# vi /etc/ssl/openssl.cnf
#**add to last line**#[ worldcm.net ]subjectAltName = DNS:mail.worldcm.net
# cd /etc/ssl/private
# openssl ecparam -name prime256v1 -genkey -out server.key# openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [AU]: BD # country codeState or Province Name (full name) [Some-State]: Dhaka # stateLocality Name (eg, city) []: Dhaka # cityOrganization Name (eg, company) [Internet Widgits Pty Ltd]: World Communication # companyOrganizational Unit Name (eg, section) []: WC # departmentCommon Name (e.g. server FQDN or YOUR name) []: mail.worldcm.net # server's FQDNEmail Address []: root@worldcm.net # admin email address
Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []: 123456An optional company name []: WC
# openssl x509 -in server.csr -out server.crt -req -signkey server.key -extfile /etc/ssl/openssl.cnf -extensions worldcm.net -days 3650
root@:/etc/ssl/private# chmod 600 server.keyroot@:/etc/ssl/private# ll server.*
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
# vi /etc/postfix/main.cf
##SSLsmtpd_use_tls = yessmtpd_tls_cert_file = /etc/ssl/private/server.crtsmtpd_tls_key_file = /etc/ssl/private/server.keysmtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
vi /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/ssl/private/server.crtssl_key = </etc/ssl/private/server.key
# systemctl restart saslauthd
# systemctl restart postfix && systemctl restart dovecot
-----------------------------------
Create SSL Certificates
Create SSL Certificates
For secure communication, generate SSL certificates:
# mkdir -p /etc/ssl/privateopenssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \ -subj "/C=BD/ST=Dhaka/L=City/O=Organization/CN=mail.worldcm.net" \ -keyout /etc/ssl/private/server.key \ -out /etc/ssl/certs/server.pem
# vi main cf
smtpd_tls_cert_file=/etc/ssl/certs/server.pemsmtpd_tls_key_file=/etc/ssl/private/server.keysmtpd_use_tls=yessmtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scachesmtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Enable SSL on the Virtual Host File
Enable SSL on the Virtual Host File
Apache maintains a default virtual host file to handle SSL traffic under the /etc/apache2/sites-available directory named default-ssl.conf. In order for the webserver to encrypt data with your certificate, you'll make some configuration changes in this file.
Use nano text editor to open the /etc/apache2/sites-available/default-ssl.conf file.
$ vi /etc/apache2/sites-available/default-ssl.conf
In this file, locate the line ServerAdmin sample_email@example.com as shown below.
...ServerAdmin sample_email@example.com
DocumentRoot /var/www/html
...
Under the above line, add the ServerName name directive followed by your domain name or the public IP address of your server as shown below.
...ServerAdmin root@worlcm.netServerName 192.0.2.1DocumentRoot /var/www/html
...
Then, still in the same file, locate the SSL settings below.
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pemSSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
Specify the full file paths of your certificate (/etc/ssl/certs/apache.crt) and private key (/etc/ssl/private/apache.key). The two lines should look as follows after editing.
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
Save and close the file when you're done with editing. Next, use the Apache a2enmod command to enable the ssl module.
# a2enmod ssl
Then, use the a2ensite to enable the default-ssl.conf virtual host file.
# a2ensite default-ssl.conf
Restart the Apache webserver to load the new changes.
$ systemctl restart apache2
Your apache web server is now ready to serve encrypted content. However, before you test the new settings, you'll configure your firewall to allow secure connections through port 443.
Test the New Configuration
Test the New Configuration
Visit the URL below in a web browser and replace 192.0.2.1 with the correct public IP address or domain name. Make sure you're using the https:// protocol.
Redirect HTTP Traffic to HTTPS (Optional)
Redirect HTTP Traffic to HTTPS (Optional)
Once you've generated, set up, and tested your SSL/TLS certificate, you can optionally redirect any HTTP traffic to HTTPS by editing the /etc/apache2/sites-available/000-default.conf file. Use nano to open the file.
$ vi /etc/apache2/sites-available/000-default.conf
Then, enter the line Redirect "/" "https://192.0.2.1/" just below the <VirtualHost *:80> opening tags. Again, replace 192.0.2.1 with your domain name or server's public IP address.
<VirtualHost *:80>...
Redirect "/" "https://192.0.2.1/"
ServerAdmin webmaster@localhostDocumentRoot /var/www/html
...
</VirtualHost>
Save and close the file. Next restart the Apache webserver to load the new configuration settings.
$ systemctl restart apache2
Visit the HTTP URL below on a web browser. You should now be redirected to the HTTPS version of the web page.
Your SSL/TLS certificate a
Page updated
Google Sites
Report abuse