Certificat SSL

From Tuxunix
Jump to: navigation, search

Certificat SSL autocertifié

  • openssl genrsa -out server.key 1024
03:51 root@tuxedo /tmp $ openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
  • openssl req -new -x509 -days 365 -key server.key -out server.crt
03:51 root@tuxedo /tmp $ openssl req -new -x509 -days 365 -key server.key -out server.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [FR]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Vicheres
Organization Name (eg, company) [Internet Widgits Pty Ltd]:No company
Organizational Unit Name (eg, section) []:No section
Common Name (eg, YOUR name) []:*.tuxedo.fr
Email Address []:pierre@tuxedo.fr

Configuration Apache2

<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key


Modifier le virtualhost en précisent les lignes en gras :

SSLEngine On
SSLProtocol -all +SSLv3 +TLSv1
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

Vérification SSL V3

#> openssl s_client -connect localhost:443
SSL handshake has read 1495 bytes and written 316 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1EC1ED86D7F363E15D7A0CE8297B2F5B1358A6CFCAEE9BEF5848406A04090679
    Master-Key:  CE1133258E0B99B14AF0141E239A818095A6E7A27A74C5E102B6D9338F8B155E1A25056F28249D8627AC97B87A6F25A0 
    Key-Arg   : None
    Start Time: 1280849648
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

Certificat autosigné

Generating a CSR :

$ openssl req -new -key server.key -batch -out server.csr

Lastly we're going to sign our CSR and generate a new certificate.

Signing our CSR

$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=FR/ST=Some-State/O=XXXX XX

Getting Private key

Certificat LetsEncrypt (Renouvellement automatisé) ACME

Preparation de la configuration

git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
mkdir /var/www/letsencrypt
mkdir /etc/nginx/certs

Vhost (Nginx)

Ex vhost munin :

server {
 listen 80;
 server_name test.toto.fr;

 location /.well-known/acme-challenge {
    root /var/www/letsencrypt;
 location / {
    return 301 https://test.toto.fr$request_uri;

server {
 listen 443 ssl;
 server_name test.toto.fr;
 ssl_certificate     /etc/nginx/certs/toto.fr.crt;
 ssl_certificate_key /etc/nginx/certs/toto.fr.key;

Création du certificat

#> acme.sh --issue -d test.toto.fr -w /var/www/letsencrypt/ --fullchain-file /etc/nginx/certs/toto.fr.crt --key-file /etc/nginx/certs/toto.fr.key

Renouvellement automatique

  • Script renouvellement automatique :

#@Name          renewCerts.sh
#@Fonction      renew letsencrypt certificate
#@Depends       acme.sh
#@Version       0.1
#@Authors       SYSTEM DYNAMICS
#@Modify by     XXXX


/usr/local/scripts/acme.sh/acme.sh --issue -d ${subDomain1} -d ${subDomain2} -w /var/www/letsencrypt/ --fullchain-file /etc/nginx/certs/${domain}.crt \
--key-file /etc/nginx/certs/${domain}.key --reloadcmd '/etc/init.d/nginx reload' --force >& /usr/local/scripts/renewCerts.log

  • Cron
00 03 1 */2 * /usr/local/scripts/renewCerts.sh >/dev/null 2>&1