SSL Certificate Configuration for Apache2 on Solaris 10

  1. Enable the SSL service property if necessary. Log in as root and issue the following command:
    web# svcprop -p httpd/ssl svc:network/http:apache2
    If the response is "false", issue these three commands:
    web# svccfg -s http:apache2 setprop httpd/ssl=true
    web# svcadm refresh http:apache2
    web# svcprop -p httpd/ssl svc:network/http:apache2
    If the response is "true", continue to the next step.
  2. Create a Certificate Directory and a Key Directory.
    web# mkdir /etc/apache2/ssl.crt
    web# mkdir /etc/apache2/ssl.key
  3. Generate an RSA Key (pass-phrase protected with 3DES).
    web# /usr/sfw/bin/openssl genrsa -des3 1024 > /etc/apache2/ssl.key/server.key
    Generating RSA private key, 1024 bit long modulus
    e is 65537 (0x10001)
    Enter pass phrase: ********
    Verifying - Enter pass phrase: ********
  4. Generate a Certificate Request.
    web# /usr/sfw/bin/openssl req -new -key /etc/apache2/ssl.key/server.key > \
    > /etc/apache2/ssl.crt/server.csr
    Enter pass phrase for /etc/apache2/ssl.key/server.key: ********
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [US]:US
    State or Province Name (full name) [Some-State]:OR
    Locality Name (eg, city) []:Blodgett
    Organization Name (eg, company) [Unconfigured OpenSSL Installation]:DIS
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, YOUR name) []:Big Cheese
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: ********
    An optional company name []: Live Free or Die
  5. Install a Self-Signed Certificate. If you are going to install a certificate from an authoritative source, follow their instructions and skip this step.
    web# /usr/sfw/bin/openssl req -x509 -days 3650 -key \
    > /etc/apache2/ssl.key/server.key \
    > -in /etc/apache2/ssl.crt/server.csr > \
    > /etc/apache2/ssl.crt/server.crt
    Enter pass phrase for /etc/apache2/ssl.key/server.key: ********
  6. Modify the ssl.conf file to use your certificate.
    web# cd /etc/apache2
    web# ls -l
    total 334
    -rw-r--r-- 1 root bin 1987 Jan 6 21:10 highperformance-std.conf
    -rw-r--r-- 1 root bin 1987 Jan 6 21:10 highperformance.conf
    -rw-r--r-- 1 root bin 37519 Jan 6 21:10 httpd-std.conf
    -rw-r--r-- 1 root root 37660 Jan 18 21:49 httpd.conf
    -rw-r--r-- 1 root bin 37661 Jul 20 2005 httpd.conf-example
    -rw-r--r-- 1 root bin 12959 Jan 6 21:10 magic
    -rw-r--r-- 1 root bin 15020 Jan 6 21:10 mime.types
    -rw-r--r-- 1 root bin 10759 Jan 6 21:10 ssl-std.conf
    -rw-r--r-- 1 root bin 10996 Jan 6 21:10 ssl.conf
    drwxr-xr-x 2 root root 512 Jan 19 03:24 ssl.crt
    drwxr-xr-x 2 root root 512 Jan 19 02:52 ssl.key

    Edit the ssl.conf and change the line that begins with "ServerAdmin" to reflect an email address or alias for the Server's Administrator.

  7. Test the SSL Certificate with Apache2
    • If Apache2 is enabled, disable it during testing.
      web# svcs | grep -i apache2
      online 3:29:01 svc:/network/http:apache2
      web# svcadm disable apache2
    • Use the legacy script to manually test-start Apache2 with SSL.
      web# /usr/apache2/bin/apachectl startssl
      Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
      Some of your private key files are encrypted for security reasons.
      In order to read them you have to provide us with the pass phrases.

      Server (RSA)
      Enter pass phrase: ********

      Ok: Pass Phrase Dialog successful.

      If this test fails with an error similar to 'vhost.c:232 assertion "rv == APR_SUCCESS" failed on startssl', your server may not be configured to use DNS to resolve host names. This failure is due to a known bug in Apache2 2.0.nn. A quick fix is to edit the hosts line in your server's /etc/nsswitch.conf to look like the following:

      hosts: files dns

      More information about this issue may be found at:
      After editing /etc/nsswitch.conf or otherwise resolving the issue, repeat the test until you are able to manually start and stop Apache2 using your SSL Certificate and Pass Phrase.
      web# ps -ef | grep httpd
      root 1392 575 0 03:45:16 ? 0:01 /usr/apache2/bin/httpd -k start -DSSL
      root 1400 1116 0 03:45:51 pts/3 0:00 grep httpd
      webservd 1393 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
      webservd 1397 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
      webservd 1396 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
      webservd 1395 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
      webservd 1394 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
    • If your results are similar to those above, use the legacy script to conclude the test. You may also want to verify that a client browser can access your site using https before continuing. Accept the self-signed Certificate if necessary.
      web# /usr/apache2/bin/apachectl stop
  8. Enable Apache2 with SSL to be started automatically as a service. Removing the pass phrase lets the service start unattended, but the key then sits unencrypted on disk, which is why it is restricted to root with chmod 400 below.
    web# cd /etc/apache2/ssl.key
    web# cp server.key
    web# /usr/sfw/bin/openssl rsa -in -out server.key
    Enter pass phrase for ********
    writing RSA key
    web# chmod 400 server.key
    web# svcadm enable apache2
    web# svcs | grep -i apache2
    online 4:29:01 svc:/network/http:apache2
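    Once step 8 is done, the following added checks (example code, not part of the original how-to) confirm what the procedure relies on: the decrypted server.key is root-only and mode 0400, server.crt was issued for that key (same RSA modulus), and the certificate has not expired. The default paths are the ones used above; only openssl, ls and awk are needed, so it runs on Solaris 10 or Linux.

```shell
#!/bin/sh
# Sanity checks for the key and certificate produced by steps 3-8 above.
# Added example, not part of the original how-to; default paths are the
# ones the procedure uses, and the checks only need openssl, ls and awk.

# check_key_file FILE [OWNER]: once step 8 has stripped the pass phrase,
# server.key is plaintext, so it must be mode 0400 and owned by OWNER
# (root on this page). ls -l is parsed so it works on Solaris 10 and Linux.
check_key_file() {
    f=$1; owner=${2:-root}
    [ -f "$f" ] || { echo "missing key file: $f"; return 1; }
    line=$(ls -ld "$f")
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    who=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$mode" = "-r--------" ] || { echo "$f: mode $mode, want -r--------"; return 1; }
    [ "$who" = "$owner" ] || { echo "$f: owner $who, want $owner"; return 1; }
    return 0
}

# check_pair KEY CERT: the certificate must carry the public half of KEY
# (same RSA modulus) and must not have passed its notAfter date. An
# encrypted key would prompt for its pass phrase, so stdin is closed and
# the check simply fails until step 8 has been done.
check_pair() {
    key=$1; crt=$2
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null </dev/null) ||
        { echo "$key: cannot read RSA key (still encrypted?)"; return 1; }
    cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) ||
        { echo "$crt: cannot read certificate"; return 1; }
    [ "$kmod" = "$cmod" ] || { echo "$crt does not match $key"; return 1; }
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null 2>&1 ||
        { echo "$crt: certificate has expired"; return 1; }
    return 0
}

# check_apache_ssl [KEY [CERT]]: run both checks against the page's paths.
check_apache_ssl() {
    key=${1:-/etc/apache2/ssl.key/server.key}
    crt=${2:-/etc/apache2/ssl.crt/server.crt}
    check_key_file "$key" root && check_pair "$key" "$crt" &&
        echo "OK: $crt matches $key; key is root, mode 0400; not expired"
}
```

    Run `check_apache_ssl` as root after step 8; any failure prints which of the three conditions was violated.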

Random TIPS (kernel tunables for /etc/system; a reboot is needed for them to take effect)

* Block certain classes of exploits by making the user stack non-executable
set noexec_user_stack = 1
* Log attempted exploits that try to execute from the stack
set noexec_user_stack_log = 1

* File descriptor limits for SAP
set rlim_fd_cur=2048
set rlim_fd_max=2048

* ZFS ARC cache limit in bytes (host with 128G RAM)
set zfs:zfs_arc_max=4294967296

