
Friday, January 18, 2013

Installing wildcard cert for new subdomain

Depending on your version of Apache and how it was installed, your files may live in different locations. By default on RH4 the Apache configuration files live in /etc/httpd/conf and /etc/httpd/conf.d.

1. Back Up your ssl.conf file.
cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.`date +%F`
cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.working

2. Copy the cert file into the certificate directory
cd /etc/pki/tls/certs
vi <domain>.crt

Copy the cert data into this file

3. Copy the key file from the directory it was created in into the private keys directory
cp ~/.<domain>.key /etc/pki/tls/private/

4. Copy the cert intermediate chain into the certificate directory
cd /etc/pki/tls/certs
vi <company-chain>.crt

Copy the intermediate chain cert to this file.

5. Add a Listen directive for the virtual host's IP.

vi /etc/httpd/conf.d/ssl.conf.working

Listen <virtualip>:443

6. Add a new virtual host block to your ssl.conf

vi /etc/httpd/conf.d/ssl.conf.working

<VirtualHost <virtualip>:443>
DocumentRoot "/var/www/html/<domain>"
ServerName <domain>:443
SSLCertificateChainFile /etc/pki/tls/certs/<company-chain>.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/tls/certs/<domain>.crt
SSLCertificateKeyFile /etc/pki/tls/private/<domain>.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

7. Copy the working ssl.conf file over the current ssl.conf
cp /etc/httpd/conf.d/ssl.conf.working /etc/httpd/conf.d/ssl.conf

8. Restart the web server
service httpd restart

9. Roll back if errors occur: review the error message, then restore the backup
cp /etc/httpd/conf.d/ssl.conf.`date +%F` /etc/httpd/conf.d/ssl.conf

service httpd restart
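The steps above are the kind of change that fails quietly: a VirtualHost on an address nobody Listens on starts without complaint and never answers, a key that belongs to a different cert only shows up when httpd refuses to start, and a wildcard cert for *.example.com does not cover example.com itself or a.b.example.com. The script below is an added example (not from the original post) that runs those checks before swapping in ssl.conf.working and rolls back to the dated backup if the restart fails. It assumes the RHEL paths used in the post, that openssl (1.0 or later), httpd and service are on PATH, and uses example.com and company-chain.crt as placeholders for <domain> and <company-chain>.crt. Note also that the SSLProtocol and SSLCipherSuite lines in step 6 reflect 2013 practice; SSLv3 (RFC 7568) and RC4 (RFC 7465) have since been deprecated and should not be enabled on a current server.

```shell
#!/bin/sh
# Pre-flight checks and guarded restart for the wildcard-cert procedure above.
# Added example, not from the original post. Assumptions: RHEL paths from the
# post; openssl 1.0+, httpd and `service` on PATH; DOMAIN and CHAIN are placeholders.
DOMAIN="${DOMAIN:-example.com}"                          # placeholder for <domain>
SSL_CONF="${SSL_CONF:-/etc/httpd/conf.d/ssl.conf}"
CERT="${CERT:-/etc/pki/tls/certs/$DOMAIN.crt}"
KEY="${KEY:-/etc/pki/tls/private/$DOMAIN.key}"
CHAIN="${CHAIN:-/etc/pki/tls/certs/company-chain.crt}"   # placeholder for <company-chain>.crt

# Steps 5/6: every <VirtualHost addr:port> needs a Listen that covers it, either
# the exact "ip:port" or a bare "port" (which listens on all addresses). Without
# one Apache starts cleanly but never accepts connections for that vhost.
# Prints each uncovered address; returns 1 if any are missing. Comment lines are skipped.
check_listen() {
    awk '
        $1 == "Listen"       { listen[$2] = 1 }
        $1 == "<VirtualHost" { v = $2; sub(/>.*$/, "", v); vhosts[v] = 1 }
        END {
            missing = 0
            for (v in vhosts) {
                n = split(v, parts, ":"); port = parts[n]
                if (!(v in listen) && !(port in listen)) {
                    print "no Listen directive covers <VirtualHost " v ">"
                    missing = 1
                }
            }
            exit missing
        }' "$1"
}

# Does one certificate name (CN or DNS SAN) cover the host being added?
# A wildcard matches exactly one label: *.example.com covers www.example.com,
# but not example.com itself and not a.b.example.com. Comparison is case-insensitive.
name_covered() {
    pattern=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$pattern" in
        \*.*)
            parent="${pattern#\*.}"
            [ "${host#*.}" = "$parent" ] && [ "${host%%.*}" != "" ] && [ "${host%%.*}" != "$host" ]
            ;;
        *)  [ "$pattern" = "$host" ] ;;
    esac
}

# Names the certificate is valid for: subject CN plus any DNS SAN entries.
cert_names() {
    {
        openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
        openssl x509 -in "$1" -noout -text | grep -Eo 'DNS:[^, ]+' | sed 's/^DNS://'
    } | sort -u
}

cert_covers() {
    for n in $(cert_names "$1"); do
        name_covered "$n" "$2" && return 0
    done
    echo "certificate $1 does not cover $2" >&2
    return 1
}

# Steps 2/3: the private key must belong to the certificate (compare the public keys).
check_keypair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key $2 does not match cert $1" >&2; return 1; }
}

# Step 4: the intermediate chain must link the cert to a root the system already trusts.
check_chain() {
    openssl verify -untrusted "$2" "$1"
}

# Steps 7-9: run the checks, back up ssl.conf, swap in the working file, test and
# restart; on failure restore the dated backup and restart again.
deploy() {
    working="$SSL_CONF.working"
    backup="$SSL_CONF.$(date +%F)"
    check_listen "$working" && check_keypair "$CERT" "$KEY" && check_chain "$CERT" "$CHAIN" \
        && cert_covers "$CERT" "${NEW_HOST:-www.$DOMAIN}" || return 1
    cp "$SSL_CONF" "$backup"
    cp "$working" "$SSL_CONF"
    if httpd -t && service httpd restart; then
        echo "deployed $working (backup: $backup)"
    else
        echo "restart failed, rolling back to $backup" >&2
        cp "$backup" "$SSL_CONF"
        service httpd restart
        return 1
    fi
}

# Usage (as root on the web server):  sh deploy-ssl.sh check   |   sh deploy-ssl.sh deploy
case "${1:-}" in
    check)  check_listen "$SSL_CONF.working" && check_keypair "$CERT" "$KEY" && check_chain "$CERT" "$CHAIN" ;;
    deploy) deploy ;;
esac
```

Set NEW_HOST to the subdomain you are adding so cert_covers checks the actual name; `openssl verify -untrusted` is used rather than `-CAfile` so the intermediate is treated as untrusted and the chain must still reach a root in the system store, which is what a browser will require.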
