sebelum nih aku tak pernah lagi la setup manually benda nih, slalu dok pakai klik2 ja dlm WHM\/CPANEL utk create SSL site.<\/p>\n
atas tugasan yg diterima so aku dimintak utk up kan apache + openssl + cert yang mana cert yang akan aku buat nih adalah cert sndiri bikin yg tidak diiktiraf oleh mana2 badan bertanggungjawab tak kiralah ianya NGO mahupun Gomen.<\/p>\n
ok saya anggap anda telah tersedia dengan apache yang telah dicompile bersama2 openssl.<\/p>\n
1. kita buat sijil palsu dulu.. langkah2 dia<\/p>\n
buat directory nama sslcert .. tak kisah sebenaqnya boh pi la nama apa yg anda suka.<\/p>\n
[i]mkdir sslcert[\/i]<\/p>\n
chmod kat dia dengan <\/p>\n
[i]chmod 0700 sslcert[\/i]<\/p>\n
lepaih tu buat subfolder dlm dia mcm nih<\/p>\n
[i]mkdir certs private[\/i]<\/p>\n
2. kemudian kita buat database file utk nanti2 leh keep track sijil2 yang kita buat<\/p>\n
[i]echo ‘100001’ >serial
\ntouch certindex.txt[\/i]<\/p>\n
3. lepaih tu bukak sebarang editor contoh vim ka nano ka.. buat file nama openssl.cnf dan copy paste benda ni<\/p>\n
[quote]
\n#
\n# OpenSSL configuration file.
\n#<\/p>\n
# Establish working directory.<\/p>\n
dir\t\t\t\t= .<\/p>\n
[ ca ]
\ndefault_ca\t\t\t= CA_default<\/p>\n
[ CA_default ]
\nserial\t\t\t\t= $dir\/serial
\ndatabase\t\t\t\t= $dir\/certindex.txt
\nnew_certs_dir\t\t\t= $dir\/certs
\ncertificate\t\t\t\t= $dir\/cacert.pem
\nprivate_key\t\t\t= $dir\/private\/cakey.pem
\ndefault_days\t\t\t= 365
\ndefault_md\t\t\t= md5
\npreserve\t\t\t\t= no
\nemail_in_dn\t\t\t= no
\nnameopt\t\t\t\t= default_ca
\ncertopt\t\t\t\t= default_ca
\npolicy\t\t\t\t= policy_match<\/p>\n
[ policy_match ]
\ncountryName\t\t\t= match
\nstateOrProvinceName\t\t= match
\norganizationName\t\t\t= match
\norganizationalUnitName\t\t= optional
\ncommonName\t\t\t= supplied
\nemailAddress\t\t\t= optional<\/p>\n
[ req ]
\ndefault_bits\t\t\t= 1024\t\t\t# Size of keys
\ndefault_keyfile\t\t\t= key.pem\t\t# name of generated keys
\ndefault_md\t\t\t= md5\t\t\t# message digest algorithm
\nstring_mask\t\t\t= nombstr\t\t# permitted characters
\ndistinguished_name\t\t\t= req_distinguished_name
\nreq_extensions\t\t\t= v3_req<\/p>\n
[ req_distinguished_name ]
\n# Variable name\t\t\t\tPrompt string
\n#————————-\t ———————————-
\n0.organizationName\t\t\t= Organization Name (company)
\norganizationalUnitName\t\t= Organizational Unit Name (department, division)
\nemailAddress\t\t\t= Email Address
\nemailAddress_max\t\t\t= 40
\nlocalityName\t\t\t= Locality Name (city, district)
\nstateOrProvinceName\t\t= State or Province Name (full name)
\ncountryName\t\t\t= Country Name (2 letter code)
\ncountryName_min\t\t\t= 2
\ncountryName_max\t\t\t= 2
\ncommonName\t\t\t= Common Name (hostname, IP, or your name)
\ncommonName_max\t\t\t= 64<\/p>\n
# Default values for the above, for consistency and less typing.
\n# Variable name\t\t\tValue
\n#————————\t ——————————
\n0.organizationName_default\t\t= My Company
\nlocalityName_default\t\t= My Town
\nstateOrProvinceName_default\t\t= State or Providence
\ncountryName_default\t\t= US<\/p>\n
[ v3_ca ]
\nbasicConstraints\t\t\t= CA:TRUE
\nsubjectKeyIdentifier\t\t\t= hash
\nauthorityKeyIdentifier\t\t= keyid:always,issuer:always<\/p>\n
[ v3_req ]
\nbasicConstraints\t\t\t= CA:FALSE
\nsubjectKeyIdentifier\t\t\t= hash
\n[\/quote]<\/p>\n
3. lepas tu kita buat root cert dengan arahan dibawah<\/p>\n
[i]openssl req -new -x509 -extensions v3_ca -keyout \\
\nprivate\/cakey.pem -out cacert.pem -days 365 -config .\/openssl.cnf[\/i]<\/p>\n
[b]nota: fungsi \\ selepas keyout tuh sebenaqnya utk pendekkan command yg terlalu panjang..so just copy selebihnya dan enter[\/b]<\/p>\n
selepas ja taip tu nanti dia akan mintak passwd so silalah simpan passwd itu baik2
\nlepaih tu dia akan tanya pasal nama company, nama server , email dan etc. kalu nak mohong tulih pun harap dpt ingat apa yg anda tulih sebab lepaih nih ada skali lagik proses mcm nih yang akan tanya soklan yang sama so jawapan pun mesti kena sama.. tidak nnanti sijil anda tak sah.<\/p>\n
4. Ok lepaih tu kita install cert nih dalam apache plak<\/p>\n
5. ok kita buat kunci dan signing punya request pulak<\/p>\n
[i]openssl req -new -nodes -out name-req.pem -keyout private\/name-key.pem -config .\/openssl.cnf[\/i]<\/p>\n
lepaih taip ja command nih dia akan tanya soklan2 pasai nama kompeni dan sebagainya macam yg mola2 td.. so pastikan jawapan sama cam yg mola2 td. Dan dia akan create dua file nih<\/p>\n
name-req.pem – fail request
\nname-key.pem – fail kunci dia dok dlm private<\/p>\n
6. lepaih tu kita sign the request dengan command ni<\/p>\n
[i]openssl ca -out name-cert.pem -config .\/openssl.cnf -infiles name-req.pem[\/i]<\/p>\n
so akan ter create lah fail2 berikut<\/p>\n
name-cert.pem – inilah fail sijil tersebut 7. kemudia kita copy file2 kunci dan sijil td ke tampat yg sepatutnya<\/p>\n [i]cp name-key.pem \/etc\/httpd\/conf\/ssl.key\/<\/p>\n cp name-cert.pem \/etc\/httpd\/conf\/ssl.crt\/[\/i]<\/p>\n kalu folder ssl.key ngan ssl.crt tuh tak wujud so gunalah command sense anda.<\/p>\n 8. lepaih tu langkah yg terakhir cari fail httpd.conf anda dan taruk lah spt coding dibawah dan diubah mengikut citara masing2.<\/p>\n [quote] Rujukan : http:\/\/www.flatmtn.com\/<\/p>\n","protected":false},"excerpt":{"rendered":" sebelum nih aku tak pernah lagi la setup manually benda nih, slalu dok pakai klik2 ja dlm WHM\/CPANEL utk create … More SSL + Cert + Apache = https ??<\/span>
\n
\n
\n DocumentRoot \/var\/www\/html
\n ServerName 192.168.1.98
\n ServerAdmin someone@your.domain
\n ErrorLog \/etc\/httpd\/logs\/ssl_error_log
\n TransferLog \/etc\/httpd\/logs\/ssl_access_log
\n SSLEngine On
\n SSLCertificateFile \/etc\/httpd\/conf\/ssl.crt\/name-cert.pem
\n SSLCertificateKeyFile \/etc\/httpd\/conf\/ssl.key\/name-key.pem
\n
\n SSLOptions +StdEnvVars
\n <\/Files>
\n
\n SSLOptions +StdEnvVars
\n <\/Directory>
\n SetEnvIf User-Agent “.*MSIE.*” nokeepalive ssl-unclean-shutdown
\n CustomLog \/etc\/httpd\/logs\/ssl_request_log \\
\n “%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\”%r\\” %b”
\n<\/VirtualHost>
\n[\/quote]<\/p>\n