12
edits
Changes
From Amahi Wiki
m
sudo openssl req -new -sha256 -nodes -out /etc/httpd/ssl.crt/server.csr -newkey rsa:2048 -keyout /etc/httpd/ssl.crt/server.key -config <( cat /etc/httpd/server.csr.cnf )sudo openssl x509 -req -in /etc/httpd/ssl.crt/server.csr -CA ~/ssl/rootCA.pem -CAkey ~/ssl/rootCA.key -CAcreateserial -out /etc/httpd/ssl.crt/server.crt -days 3650 -sha256 -extfile v3.ext</n
57. Copy your newly created server.key to the ssl.key directory.
→Generate your own certificates
[[User:Sag47|Sag47]] 00:38, 15 June 2011 (PDT). Updates and clarifications [[User:Spaceman|spaceman]] 15:23, 27 March 2017 (BST).
[[User:Tamorgen|Tamorgen]] 09:15, 31 Oct 2018 (EST). Made changes for Subject Alternative Name.
'''NOTE:''' This may interfere with [[Hosting_a_website|Hosting a Website]] tutorial.
== Generate your own certificates ==
'''NOTE:''' Leaving defaults will not make your server less secure. Make sure that you change "asecretpassword" in the commands below to something else. Otherwise any commands which don't have "asecretpassword" in it can be copied and pasted. This has to do with the challenge password for the private key. If you don't understand what I mean then you should read about [http://en.wikipedia.org/wiki/Public-key_cryptography public-key cryptography] which is essentially what SSL uses.
As of Chrome version 58, the Chrome browser requires SSL certificates to use SAN (Subject Alternative Name) and has removed Common Name (CN). Using a CN will produce an error within the Security Overview section of the certificate, telling the user that the SAN is missing. A new method of creating the certificate is required.
</nowiki></pre>
2. Create a new file createselfsignedcertificatecreateRootCA.sh using vi, nano, or your favorite text editor.
<pre><nowiki>
mkdir /etc/httpd/ssl.crt
mkdir /etc/httpd/ssl.key
</nowiki></pre>
4. Create the configuration file server.csr.snfcnf.
<pre><nowiki>
C=US
ST=Maryland
L=AnapolisAnnapolis
O=Home Administrator
OU=HDA Domain
[alt_names]
DNS.1 = localhost
DNS.2 = ''hostname.yourdomain''
DNS.2 = hda
DNS.3 = hda.''yourdomain''DNS.4 = cockpit.''yourdomain''
</nowiki></pre>
</nowiki></pre>
<pre><nowiki>
cp /etc/httpd/ssl.crt/server.key /etc/httpd/ssl.key/server.key
chmod 400 /etc/httpd/ssl.key/server.key</nowiki></pre>
8. Copy your rootCA.pem certificate to a network share, so you may import it to your favorite browser, to eliminate the untrusted certificate warning.
<pre><nowiki>
cd ~/ssl/
cp rootCA.pem /var/hda/files/docs/.
</nowiki></pre>
9. Import rootCA into your browser. For Chrome, Settings --> Advanced --> Manage Certificates --> Authorities --> Import. Select your root certificate from a locally accessible resource, either directly from, or after copying it from your share.
== Modify apache initialization ==
Restart your server to apply the changes you've made. If you did everything right you shouldn't receive any warnings when restarting the server.
systemctl restart httpd
== Bonus ==
Fedora 27/Amahi 11 provides [http://www.amahi.org/apps/cockpit Cockpit], a powerful browser-based server administration portal. To eliminate the SSL warning on this page, you need to create a .cert file using files previously created in this walkthrough. The .cert file consists of the contents of the server.crt and server.key. To create the file, run the following commands. This will automatically place the file in the correct directory.
<pre><nowiki>
cat /etc/httpd/ssl.crt/server.crt > /etc/cockpit/ws-certs.d/01-self-signed.cert
cat /etc/httpd/ssl.crt/server.key >> /etc/cockpit/ws-certs.d/01-self-signed.cert
</nowiki></pre>
= Finished =
Now that you're done go ahead and visit '''<nowiki>http://hda</nowiki>''' and watch it turn into '''<nowiki>https://hda</nowiki>'''! Understand that the certificates you generated have not been verified by a certificate authority so you'll need to confirm a security exception.
= Troubleshooting =
