#Include conf/extra/httpd-ssl.conf pour obtenir :
Include conf/extra/httpd-ssl.conf
Pour activer https SSL, il faut dans httpd.conf charger les deux modules :
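#
# This is the Apache server configuration file providing SSL support.
# It is pulled in from httpd.conf (Include conf/extra/httpd-ssl.conf) and
# expects INSTALL_DIR to be defined there before this point.
#
# When we also provide SSL we have to listen to the
# standard HTTP port and to the HTTPS port
#
# Binds every interface (IPv4 and IPv6); access to the vhost below is still
# limited by its "Require local" directive.
Listen 0.0.0.0:443 https
Listen [::0]:443 https

# Where the certificates are. The Site/ sub-folder is filled by the
# certificate-generation batch script: <ServerName>.crt and <ServerName>.key
Define CERTIFS ${INSTALL_DIR}/bin/Certs

Protocols h2 h2c http/1.1

<IfModule mod_headers.c>
    # HSTS for one year. The "preload" token has been dropped: it is only
    # honoured together with includeSubDomains on a host submitted to the
    # browser preload list, and a local development host must never be
    # preloaded. Browsers keep the HTTPS-only pin for max-age even after this
    # file is removed, so lower max-age first if the site goes back to HTTP.
    Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>

# TLS session cache (the shmcb provider needs mod_socache_shmcb to be loaded)
SSLSessionCache shmcb:${INSTALL_DIR}/tmp/ssl_gcache_data(512000)

# +StrictRequire: a failed SSLRequire denies access regardless of other rules;
# +StdEnvVars: export the SSL_* variables to CGI/SSI;
# -ExportCertData: do not export the PEM certificates into the environment.
SSLOptions +StrictRequire +StdEnvVars -ExportCertData

# SSL Protocol support: TLS 1.2 and 1.3 only
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On

# SSL Cipher Suite (TLS 1.2): ECDHE key exchange with AEAD ciphers only
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
# Encryptions TLSv1.3
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

# Key-exchange groups. Of this list only secp521r1 and secp384r1 are TLS 1.3
# groups (the sect* binary curves are TLS 1.2 only), and x25519 is not offered,
# so clients are steered onto the NIST P-curves.
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1

##
## SSL Virtual Host Context
## Replace MYSITE_ServerName / MYSITE_DocumentRoot with the values of the
## existing port-80 VirtualHost; the certificate and key files under
## ${CERTIFS}/Site must be named after the ServerName.
Define SERVERNAMEVHOSTSSL MYSITE_ServerName
Define DOCUMENTROOTVHOSTSSL MYSITE_DocumentRoot
<VirtualHost *:443>
    ServerName ${SERVERNAMEVHOSTSSL}
    DocumentRoot "${DOCUMENTROOTVHOSTSSL}"
    SSLEngine on
    SSLCertificateFile "${CERTIFS}/Site/${SERVERNAMEVHOSTSSL}.crt"
    SSLCertificateKeyFile "${CERTIFS}/Site/${SERVERNAMEVHOSTSSL}.key"
    <Directory "${DOCUMENTROOTVHOSTSSL}/">
        # +Indexes lists directories that have no index file and +Includes
        # enables server-side includes; both are tolerable only because
        # "Require local" restricts this vhost to the machine itself.
        # Remove them before opening the site to other hosts.
        Options +Indexes +Includes +FollowSymLinks +MultiViews
        AllowOverride all
        Require local
    </Directory>
    # Records the negotiated protocol and cipher of every request
    CustomLog "${INSTALL_DIR}/logs/custom.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
# End of SSL Virtual Host Context - To be repeated for another SSL VirtualHost
# Do not remove these UnDefine lines: they let the block above be repeated
# with new Define values for the next SSL VirtualHost
UnDefine SERVERNAMEVHOSTSSL
UnDefine DOCUMENTROOTVHOSTSSL

Le VirtualHost doit déjà exister et être valide en http port 80, donc exister dans le fichier :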
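#============ openssl.cnf =============#
# OpenSSL configuration used by the Wampserver certificate batch scripts
# (pointed to by the OPENSSL_CONF variable). Relative paths are resolved from
# the directory the scripts run in (bin\apache\apache<ver>\bin), hence ../../../Certs.

[ca]
default_ca = CA_default

# Settings for the "openssl ca" command. The batch scripts on this page sign
# with "openssl x509 -req" instead, so this section (and the Newcerts folder,
# which the scripts never create) only matters if "openssl ca" is run by hand.
[CA_default]
dir = ../../../Certs
cacerts_dir = $dir/Cacerts
certificate = $cacerts_dir/Certificat.crt
new_certs_dir = $dir/Newcerts
private_dir = $cacerts_dir
private_key = $private_dir/Certificat.key
RANDFILE = $private_dir/Certificat.rnd
other_dir = $dir/Other
database = $other_dir/index.txt
serial = $other_dir/serial.txt
# 14610 days is about 40 years; the scripts pass an explicit -days instead
default_crl_days = 14610
default_days = 14610
default_md = sha512
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
preserve = no
policy = policy_match

# DN policy for "openssl ca": C/ST/L must equal the CA's, CN is mandatory
[policy_match]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# End-entity extensions for "openssl ca" (x509_extensions above)
[usr_cert]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Extensions for an OCSP responder certificate (not used by the scripts)
[ocsp]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

# "openssl req" defaults.
# encrypt_key = no: private keys are written unencrypted, so the Certs folder
# must stay private to the local user.
# prompt = no: the DN would be read verbatim from req_distinguished_name, but
# the scripts always pass -subj, which replaces that section entirely.
[req]
default_bits = 4096
default_keyfile = ../../../Certs/Cacerts/Certificat.pem
encrypt_key = no
default_md = sha512
string_mask = utf8only
prompt = no
utf8 = yes
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca

# NOTE(review): with prompt = no the *_default and *_max keys are not used;
# only "commonName = ..." below would be taken as the literal CN. This only
# matters if "openssl req" is run without -subj.
[req_distinguished_name]
countryName_default = FR
stateOrProvinceName_default = Paris
localityName_default = Paris
0.organizationName_default = Otomatic & Cie
organizationalUnitName_default = Wampserver
commonName = Common Name (eg, your website’s domain name)
commonName_max = 64
emailAddress_default = otomatic@otomatic.net
emailAddress_max = 40

# Extensions embedded in CSRs (req_extensions). "openssl x509 -req" does not
# carry CSR extensions into the signed certificate by default.
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[v3_ca]
# Extensions to use when signing a CA. They are applied only when the signing
# command references this section, e.g.
#   openssl x509 -req ... -extfile <this file> -extensions v3_ca
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
nsCertType = sslCA, emailCA
nsComment = "SSL ROOT CA"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = @alt_names

# An IP address needs the IP. prefix: the original "DNS.1 = IP:127.0.0.1"
# produced a DNS name equal to the literal string "IP:127.0.0.1", which never
# matches anything. The section was also listed twice in the original.
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = localhost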
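Rem Wampserver installation variables
Rem Adjust them to your own installation
set installdir=e:\wamp64
set apachever=2.4.57
Rem
Rem Check and create the certificate folders
cd /D %installdir%\bin
Rem Remove any certificates already present. This deletes the whole Certs
Rem tree, CA included: every certificate and key issued so far is lost.
if exist Certs rmdir /S /Q Certs
if not exist Certs md Certs
cd Certs
if not exist Other md Other
if not exist Cacerts md Cacerts
if not exist Server md Server
if not exist Site md Site
Rem Files the CA bookkeeping needs (empty index, serial starting at 01)
copy nul .\Other\Index.txt
@echo 01> .\Other\Serial.txt
Rem MyPass can be replaced by your own password (4 to 20 characters).
Rem It is stored in clear text in Other\Password.txt and protects the .pfx
Rem files generated later, so keep the Certs folder private.
@echo MyPass> .\Other\Password.txt
set /P PASSWORD= <.\Other\Password.txt
Rem
Rem Back to %installdir%\bin: the next section's "cd apache\..." is relative
Rem to it. In the collapsed listing this read "Rem cd..", which would have
Rem left the script inside Certs and made that cd fail.
cd ..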
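Rem
Rem We are in %installdir%\bin
Rem Go to the bin folder of the Apache version in use
cd apache\apache%apachever%\bin
Rem Variable declaration - mandatory
Rem OPENSSL_CONF makes every openssl command read the openssl.cnf shown above;
Rem DIRCERTS is the Certs tree created by the previous section.
set OPENSSL_CONF=%installdir%\bin\apache\apache%apachever%\conf\openssl.cnf
set DIRCERTS=%installdir%\bin\Certs
Rem +-+-+-+-+ Creation of the self-signed CA certificate +-+-+-+-+
Rem 1- Random seed file (the 1358 byte count may be changed); only fed to -rand below.
openssl rand -out %DIRCERTS%/Cacerts/Certificat.rnd -base64 1358
Rem 2- CA private RSA key, 4096 bits, written unencrypted (no cipher option given).
openssl genrsa -out %DIRCERTS%/Cacerts/Certificat.key -rand %DIRCERTS%/Cacerts/Certificat.rnd 4096
Rem 3- Certificate signing request.
Rem /C=FR : country -- /ST=Paris : state or region -- /L=Paris : city
Rem /O=Otomatic & Cie : organisation -- /CN=Otomatic & Cie : common name
openssl req -new -sha256 -key %DIRCERTS%/Cacerts/Certificat.key -out %DIRCERTS%/Cacerts/Certificat.csr -subj "/C=FR/ST=Paris/L=Paris/O=Otomatic & Cie/CN=Otomatic & Cie"
Rem 4- Self-signed CA certificate (1830 days; default_days in openssl.cnf is
Rem not consulted by "x509 -req").
Rem -extfile/-extensions apply the [v3_ca] section of openssl.cnf
Rem (basicConstraints CA:true, keyUsage keyCertSign). Without them
Rem "openssl x509 -req" adds no extensions at all and that section is dead.
openssl x509 -req -days 1830 -sha256 -in %DIRCERTS%/Cacerts/Certificat.csr -signkey %DIRCERTS%/Cacerts/Certificat.key -extfile %OPENSSL_CONF% -extensions v3_ca -out %DIRCERTS%/Cacerts/Certificat.crt
Rem DER and PEM copies of the same certificate
openssl x509 -in %DIRCERTS%/Cacerts/Certificat.crt -outform der -out %DIRCERTS%/Cacerts/Certificat.der
openssl x509 -in %DIRCERTS%/Cacerts/Certificat.crt -outform pem -out %DIRCERTS%/Cacerts/Certificat.pem
Rem 5- Extract the CA public key (PEM). The original comment called this
Rem "Plaintext Block Chaining", which is not what -pubout does; .pbc is just
Rem the author's file extension.
openssl rsa -in %DIRCERTS%/Cacerts/Certificat.key -pubout -out %DIRCERTS%/Cacerts/Certificat.pbc
Rem +-+-+-+-+ End of the self-signed CA certificate creation +-+-+-+-+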
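Rem +-+-+-+-+ Server certificate and keys for a local site +-+-+-+-+
Rem 6- ServerName of the local site the keys are for. It must match the
Rem ServerName of its VirtualHost: httpd-ssl.conf loads Site\<ServerName>.crt/.key
set SERVLOCAL=aviatechno
Rem 7- Random seed file (different size)
if exist %DIRCERTS%\Server\Server.rnd del %DIRCERTS%\Server\Server.rnd
openssl rand -out %DIRCERTS%/Server/Server.rnd -base64 1677
Rem 8- Server private RSA key, 4096 bits, unencrypted.
if exist %DIRCERTS%\Server\Server.key del %DIRCERTS%\Server\Server.key
openssl genrsa -out %DIRCERTS%\Server\Server.key -rand %DIRCERTS%\Server\Server.rnd 4096
Rem 9- Certificate signing request
Rem /C=FR : country -- /ST=Paris : state or region -- /L=Paris : city
Rem /O=Otomatic & Cie : organisation -- /CN=name of the local site
if exist %DIRCERTS%\Server\Server.csr del %DIRCERTS%\Server\Server.csr
openssl req -new -sha256 -key %DIRCERTS%/Server/Server.key -out %DIRCERTS%/Server/Server.csr -subj "/C=FR/ST=Paris/L=Paris/O=Otomatic & Cie/OU=Wampserver/CN=%SERVLOCAL%"
Rem 10- Sign the server certificate with the CA.
Rem Browsers match the host name against the subjectAltName extension, not the
Rem CN, and "openssl x509 -req" adds no extensions unless given -extfile, so a
Rem small extension file naming the site is written first. The redirection is
Rem placed before "echo" so that no trailing space ends up in the values.
>"%DIRCERTS%\Server\Server.ext" echo subjectAltName=DNS:%SERVLOCAL%
>>"%DIRCERTS%\Server\Server.ext" echo basicConstraints=CA:FALSE
>>"%DIRCERTS%\Server\Server.ext" echo extendedKeyUsage=serverAuth
Rem 4383 days is about 12 years; some clients (Apple platforms in particular)
Rem refuse TLS server certificates valid for more than 825 days - shorten if needed.
if exist %DIRCERTS%\Server\Server.crt del %DIRCERTS%\Server\Server.crt
openssl x509 -req -days 4383 -sha256 -in %DIRCERTS%/Server/Server.csr -CA %DIRCERTS%/Cacerts/Certificat.crt -CAkey %DIRCERTS%/Cacerts/Certificat.key -CAcreateserial -extfile %DIRCERTS%\Server\Server.ext -out %DIRCERTS%/Server/Server.crt
Rem DER and PEM copies, plus a PKCS#7 bundle holding the CA and server certificates (no keys)
openssl x509 -outform der -in %DIRCERTS%/Server/Server.crt -out %DIRCERTS%/Server/Server.der
openssl x509 -inform DER -outform PEM -in %DIRCERTS%/Server/Server.der -out %DIRCERTS%/Server/Server.pem
openssl crl2pkcs7 -nocrl -certfile %DIRCERTS%/Cacerts/Certificat.crt -certfile %DIRCERTS%/Server/Server.crt -out %DIRCERTS%/Server/%SERVLOCAL%.p7b
Rem PKCS#12 bundle: server certificate + key, with the CA certificate as chain.
Rem The original paired the CA certificate (-in Cacerts/Certificat.crt) with the
Rem server key, which openssl rejects because the key does not match that
Rem certificate, and it was missing the space before -out.
if exist %DIRCERTS%\Server\%SERVLOCAL%.pfx del %DIRCERTS%\Server\%SERVLOCAL%.pfx
openssl pkcs12 -export -nodes -in %DIRCERTS%/Server/Server.crt -inkey %DIRCERTS%/Server/Server.key -certfile %DIRCERTS%/Cacerts/Certificat.crt -out %DIRCERTS%/Server/%SERVLOCAL%.pfx -descert -name "%SERVLOCAL%" -password pass:%PASSWORD%
Rem
Rem 11- Client certificate (the same server certificate and key, exported without the chain).
Rem Note: a password is prompted for unless the trailing -password pass:MyPass option is given.
Rem %PASSWORD% comes from Other\Password.txt; every .pfx and .key under Certs is a secret.
openssl pkcs12 -nodes -export -in %DIRCERTS%/Server/Server.crt -inkey %DIRCERTS%/Server/Server.key -out %DIRCERTS%/Site/%SERVLOCAL%.pfx -clcerts -descert -name "Client %SERVLOCAL% Certificate" -password pass:%PASSWORD%
Rem 12- Copy the certificate and key to where httpd-ssl.conf looks for them
copy /Y %DIRCERTS%\Server\Server.crt %DIRCERTS%\Site\%SERVLOCAL%.crt
copy /Y %DIRCERTS%\Server\Server.key %DIRCERTS%\Site\%SERVLOCAL%.key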
Rem Variables to declare before running the openssl commands on their own
Rem (same values as in the full script above)
set installdir=e:\wamp64
set apachever=2.4.57
set DIRCERTS=%installdir%\bin\Certs
set OPENSSL_CONF=%installdir%\bin\apache\apache%apachever%\conf\openssl.cnf
Rem Work from the bin folder of the Apache version in use
cd /D %installdir%\bin\apache\apache%apachever%\bin
Rem Same file as ..\..\..\Certs\Other\Password.txt relative to that folder;
Rem it holds the .pfx password in clear text
set /P PASSWORD= <%DIRCERTS%\Other\Password.txt
<VirtualHost *:80>
    ServerName monsite
    # Only when mod_ssl is loaded: send every plain-HTTP request to the HTTPS
    # vhost of the same site with a permanent redirect (needs mod_rewrite).
    # The target is built from the client-supplied Host header; with ServerName
    # set, %{SERVER_NAME} would pin it to this vhost instead.
    <IfModule ssl_module>
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^ 'https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]'
    </IfModule>
    DocumentRoot "G:/www/mondossier"
    # The rest of the <Directory> block and the </VirtualHost> are not shown here
    <Directory "G:/www/mondossier/">
    ....Nota : ne pas mettre les apostrophes autour de 'https://%HTTP.....]'. Elles sont là pour éviter la transformation en lien cliquable.