# Secure (SSL/TLS) connections
# Stock httpd.conf: the Include is still commented out, so httpd-ssl.conf
# is not read at all.
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
par
# Secure (SSL/TLS) connections
# Note: The following must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
# The Include now sits inside <IfModule ssl_module>, so httpd-ssl.conf is
# read only when mod_ssl is actually loaded.
Include conf/extra/httpd-ssl.conf
</IfModule>
De cette manière, le fichier conf/extra/httpd-ssl.conf ne sera chargé que si le module ssl_module est activé
#
# This is the Apache server configuration file providing SSL support.
#
# When we also provide SSL we have to listen to the
# standard HTTP port and to the HTTPS port
#
# NOTE(review): these bind every IPv4 and IPv6 address; the "Require local"
# below limits who gets content, not who can reach the TLS endpoint.
Listen 0.0.0.0:443 https
Listen [::0]:443 https

# SSL Cipher Suite:
# "!RSA" excludes the static-RSA key-exchange suites (RSA is OpenSSL's alias
# for kRSA), leaving the (EC)DHE suites that give forward secrecy;
# "!aNULL:!eNULL" rejects unauthenticated and unencrypted suites.
SSLCipherSuite HIGH:!RSA:!RC4:!3DES:!DES:!IDEA:!MD5:!aNULL:!eNULL:!EXP
SSLHonorCipherOrder on
# TLS-level compression stays off (CRIME-class attacks).
SSLCompression off
# NOTE(review): session tickets are on but nothing here rotates the ticket
# key; per the mod_ssl documentation that erodes the forward secrecy the
# cipher list above buys. "off" is the safer choice beyond a local dev box.
SSLSessionTickets on

# SSL Protocol support:
# Only TLS 1.2 and later remain enabled.
SSLProtocol all -SSLv2 -TLSv1 -TLSv1.1 -SSLv3

# Pass Phrase Dialog:
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
SSLSessionCache "shmcb:${INSTALL_DIR}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

##
## SSL Virtual Host Context
##
# NOTE(review): both ${INSTALL_DIR} and ${SRVROOT} are assumed to be
# Define'd elsewhere in the Wampserver configuration - confirm.
<VirtualHost *:443>
    ServerName MYSITEname
    DocumentRoot "${INSTALL_DIR}/www/MYSITEdir"
    ServerAdmin webmaster@MYSITEname.net
    ErrorLog "${INSTALL_DIR}/logs/error.log"
    TransferLog "${INSTALL_DIR}/logs/access.log"

    SSLEngine on
    # NOTE(review): +FakeBasicAuth only matters once SSLVerifyClient is
    # enabled (it is commented out below, so the default "none" applies).
    # If client certificates are turned on later, remember that FakeBasicAuth
    # maps the client DN to a Basic-auth user with a fixed, documented
    # placeholder password.
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile "${SRVROOT}/conf/Certs/Site/MYSITEname.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/Certs/Site/MYSITEname.key"
    SSLCACertificateFile "${SRVROOT}/conf/Certs/Cacerts/Certificat.crt"
    # SSLVerifyClient none
    SSLVerifyDepth 10

    # NOTE(review): directory listings (+Indexes), server-side includes
    # (+Includes) and "AllowOverride all" are tolerable only because
    # "Require local" restricts this vhost to the local machine; tighten them
    # before the site is reachable from anywhere else.
    <Directory "${INSTALL_DIR}/www/MYSITEdir/">
        Options +Indexes +Includes +FollowSymLinks +MultiViews
        AllowOverride all
        Require local
    </Directory>

    # Export SSL_* variables to CGI/SSI/PHP only for these extensions.
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    # Per-request log of the negotiated protocol and cipher.
    CustomLog "${INSTALL_DIR}/logs/custom.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Le VirtualHost doit déjà exister et être valide en http port 80, donc exister dans le fichier :
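#============ openssl.cnf =============#
# OpenSSL configuration used by the certificate batch scripts on this page
# (found through the openssl_conf environment variable they set).
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./Certs
certs = $dir/Cacerts
# NOTE(review): NewCerts and Other/ are not created by the folder-setup
# script on this page; they are only needed if "openssl ca" is used instead
# of "openssl x509 -req".
new_certs_dir = $dir/NewCerts
private_dir = $dir/Private
database = $dir/Other/index.txt
serial = $dir/Other/serial.txt
certificate = $certs/Certificat.crt
private_key = $private_dir/Certificat.key
RANDFILE = $private_dir/Certificat.rnd
default_days = 1830
default_crl_days = 30
# Signature digest for "openssl ca". Was md5: MD5 is collision-broken and
# certificates signed with it are rejected by current TLS clients; sha256 is
# the digest the scripts already pass explicitly to "req" and "x509".
default_md = sha256
preserve = no
# policy_anything: a private local CA, so only the CN is mandatory.
policy = policy_anything

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096
default_keyfile = privkey.pem
# Same digest for requests generated without an explicit -sha256.
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
#===========================#
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Ile de France
localityName = Locality Name (eg, city)
localityName_default = Paris
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Otomatic & Cie
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =
commonName = Common Name (eg, your website’s domain name)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = webmaster@aviatechno.net
emailAddress_max = 40

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
#===========================#
# Apparently not referenced by the batch steps on this page.
[ x509v3_extensions ]
basicConstraints=CA:TRUE
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
#===========================#
# End-entity (server) extensions.
# NOTE(review): there is no subjectAltName here; current browsers ignore
# the CN and match the host name against the SAN, so add
# "subjectAltName = DNS:<your-servername>" when these extensions are used
# to sign a server certificate.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#===========================#
# CA extensions: use with "-extensions v3_ca" when creating the root.
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true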
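Rem Wampserver installation variables
Rem Adjust them to match your installation
set "installdir=e:\wamp"
set "apachever=2.4.41"
Rem
Rem Check for, and create if needed, the certificate folders.
Rem Paths are quoted so an install directory containing spaces still works,
Rem and each cd is checked so the folders are never created somewhere else.
cd /D "%installdir%\bin\apache\apache%apachever%\conf" || exit /b 1
if not exist Certs md Certs
cd Certs || exit /b 1
if not exist Private md Private
if not exist Cacerts md Cacerts
if not exist Server md Server
if not exist Site md Site
Rem Back to the Apache bin folder, from which the openssl commands are run.
cd /D "%installdir%\bin\apache\apache%apachever%\bin" || exit /b 1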
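Rem
Rem We are now in %installdir%\bin\apache\apache%apachever%\bin
Rem Variable declarations - mandatory: openssl reads its configuration file
Rem from the openssl_conf environment variable.
set "openssl_conf=%installdir%\bin\apache\apache%apachever%\conf\openssl.cnf"
set "DIRCERTS=%installdir%\bin\apache\apache%apachever%\conf\Certs"
Rem +-+-+-+-+ Creation of the self-signed CA certificate +-+-+-+-+
Rem Every step stops the script on failure so a later step never runs on
Rem a missing or half-written file.
Rem 1- File of random bytes used to seed key generation.
Rem    (1358 is the number of bytes, not a seed value; any size will do.)
openssl rand -out "%DIRCERTS%/Private/Certificat.rnd" -base64 1358 || exit /b 1
Rem 2- Private RSA key.
openssl genrsa -out "%DIRCERTS%/Private/Certificat.key" -rand "%DIRCERTS%/Private/Certificat.rnd" 4096 || exit /b 1
Rem 3- Signing request.
Rem /C=FR : country -- /ST=Ile de France : state or region -- /L=Paris : city
Rem /O=Otomatic & Cie : organisation -- /CN=Otomatic & Cie : division
openssl req -new -sha256 -key "%DIRCERTS%/Private/Certificat.key" -out "%DIRCERTS%/Cacerts/Certificat.csr" -subj "/C=FR/ST=Ile de France/L=Paris/O=Otomatic & Cie/CN=Otomatic & Cie" || exit /b 1
Rem 4- Self-signed certificate.
Rem    -extfile/-extensions v3_ca takes basicConstraints CA:true and the key
Rem    identifiers from openssl.cnf; without them "x509 -req -signkey" emits a
Rem    certificate with no extensions, which strict validators refuse to use
Rem    as the issuer of the server certificate created in step 10.
openssl x509 -req -days 1830 -sha256 -in "%DIRCERTS%/Cacerts/Certificat.csr" -signkey "%DIRCERTS%/Private/Certificat.key" -extfile "%openssl_conf%" -extensions v3_ca -out "%DIRCERTS%/Cacerts/Certificat.crt" || exit /b 1
Rem 5- Public key extraction.
openssl rsa -in "%DIRCERTS%/Private/Certificat.key" -pubout -out "%DIRCERTS%/Private/Certificat.pbc" || exit /b 1
Rem +-+-+-+-+ End of self-signed certificate creation +-+-+-+-+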
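Rem +-+-+-+-+ Server certificate and keys for a local site +-+-+-+-+
Rem 6- ServerName of the local site the keys are for
set "SERVLOCAL=aviatechno"
Rem 7- File of random bytes (a different size from step 1)
openssl rand -out "%DIRCERTS%/Server/Server.rnd" -base64 1677 || exit /b 1
Rem 8- Private RSA key.
openssl genrsa -out "%DIRCERTS%/Server/Server.key" -rand "%DIRCERTS%/Server/Server.rnd" 4096 || exit /b 1
Rem 9- Signing request for the ServerName certificate
Rem /C=FR : country -- /ST=Ile de France : state or region -- /L=Paris : city
Rem /O=Otomatic & Cie : organisation -- /CN=name of the local site
openssl req -new -sha256 -key "%DIRCERTS%/Server/Server.key" -out "%DIRCERTS%/Server/Server.csr" -subj "/C=FR/ST=Ile de France/L=Paris/O=Otomatic & Cie/CN=%SERVLOCAL%" || exit /b 1
Rem 10- Server certificate signed by the CA.
Rem     Extensions file: current browsers ignore the CN and match the host
Rem     name against subjectAltName, so the certificate carries a DNS entry
Rem     for the ServerName; CA:FALSE and the key-usage bits mark it as an
Rem     end-entity server certificate. The redirection is written before
Rem     "echo" so no trailing space lands in the file and a ServerName
Rem     ending in a digit cannot be mistaken for a stream number.
> "%DIRCERTS%\Server\Server.ext" echo basicConstraints=CA:FALSE
>> "%DIRCERTS%\Server\Server.ext" echo keyUsage=digitalSignature,keyEncipherment
>> "%DIRCERTS%\Server\Server.ext" echo extendedKeyUsage=serverAuth
>> "%DIRCERTS%\Server\Server.ext" echo subjectAltName=DNS:%SERVLOCAL%
openssl x509 -req -days 4383 -sha256 -in "%DIRCERTS%/Server/Server.csr" -CA "%DIRCERTS%/Cacerts/Certificat.crt" -CAkey "%DIRCERTS%/Private/Certificat.key" -CAcreateserial -extfile "%DIRCERTS%/Server/Server.ext" -out "%DIRCERTS%/Server/Server.crt" || exit /b 1
Rem 11- Client certificate (PKCS#12 bundle).
Rem     Note: a password is prompted for unless the final "-password pass:..." option is given.
Rem     A password on the command line shows up in the process list and the
Rem     command history; for anything but a throwaway value, drop the option
Rem     and type it at the prompt. Per pkcs12(1), -nodes leaves the private
Rem     key unencrypted inside the .pfx, so remove it if the bundle leaves this machine.
openssl pkcs12 -nodes -export -in "%DIRCERTS%/Server/Server.crt" -inkey "%DIRCERTS%/Server/Server.key" -out "%DIRCERTS%/Server/Server.pfx" -clcerts -descert -name "Client %SERVLOCAL% Certificate" -password pass:MyPass || exit /b 1
Rem 12- Move the certificate and key to the Site folder under the ServerName
move /Y "%DIRCERTS%\Server\Server.crt" "%DIRCERTS%\Site\%SERVLOCAL%.crt" || exit /b 1
move /Y "%DIRCERTS%\Server\Server.key" "%DIRCERTS%\Site\%SERVLOCAL%.key" || exit /b 1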
Rem Variables the scripts above rely on; adapt the first two to your
Rem Wampserver installation. openssl_conf is the environment variable
Rem openssl reads its configuration file from, and DIRCERTS is the root of
Rem the certificate folders created by the setup script.
set installdir=e:\wamp
set apachever=2.4.41
set openssl_conf=%installdir%\bin\apache\apache%apachever%\conf\openssl.cnf
set DIRCERTS=%installdir%\bin\apache\apache%apachever%\conf\Certs