well i am still unsure about the full encryption. i don't like that. if there is a problem the overheads grow to analyze the situation. what about just signing the messages? i mean if you have messages for all why do you want to hide them?
E

On 2 February 2017 at 17:54, <rich.gre...@hushmail.com> wrote:

> Hello,
>
> There is a freshly installed (from Ubuntu 16.04 package) apache server
> running in a large institution that needs to have port 443 traffic
> enabled. I am helping a friend of mine configure this server and, at the
> same time, writing a document for reproducing the installation procedure
> that will be published online. The server has its own subdomain and the
> system administrator generated encryption keys to be used for this server.
> The administrator is talented, but seems to be inexperienced in open-source
> solutions, so outside help is needed. As a courtesy to my friend, whom I'm
> helping set this up, I've anonymized the TLD from the filename, but the
> files are as follows:
>
> _.example.com.p12
> Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt
> SSL Certificate - .example.com.txt
>
> I personally do not have easy access to these files, but I can request
> actions to be performed on them. I had not previously been acquainted with
> P12 files until now. I found a website that seems to be able to help me
> export data from the P12 file into a data format that apache can readily
> use:
>
> http://wiki.i.gov.ph/iwiki/bin/view/PNPKI/How+to+install+SSL+certificate+in+apache+ubuntu+server
>
> After reading through this website, I proposed these steps:
>
> sudo openssl pkcs12 -in /vault/_.example.com.p12 -nocerts -out /vault/private.pem
> sudo openssl rsa -in private.pem -out /vault/key.pem
> sudo openssl pkcs12 -in /vault/_.example.com.p12 -clcerts -nokeys -out /vault/cert.pem
> sudo openssl pkcs12 -in /vault/_.example.p12 -nokeys -cacerts -out /vault/CAchain.pem
>
> And then modify ./sites-available/site-443.conf with the lines:
>
> SSLCertificateFile /vault/cert.pem
> SSLCertificateKeyFile /vault/keys.pem
> SSLCertificateChainFile /vault/CAchain.pem
> SSLCACertificateFile /vault/Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt
>
> We tried some of the openssl commands in that document, but we don't have
> the password. The file named "SSL Certificate - .example.com.txt" is
> unused, and that does concern me that I'm either neglecting a critical file
> or needlessly duplicating it. Before asking the administrator for a
> password, we have questioned whether we are making this needlessly
> difficult and were curious if there is a solution where these files can be
> used directly by apache.
>
> As you can guess, I'm no expert at encryption. Getting keys for the
> purpose of self-education is very expensive. The extent of my experience
> is limited to creating self-signed certificates back in the good old days
> before the web-browser people decided that was to be forbidden practice,
> and more recently, letsencrypt.org, which operates in a magical smoke and
> mirrors method. I would like to know if this would be the best practice
> for my friend encrypting his server's traffic. I am very grateful for any
> feedback.
>
> Thank you very much!
>
> Rich
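
The extraction steps proposed in the quoted message, written out as an added example that is not part of the original thread: it splits a PKCS#12 bundle into the PEM files mod_ssl reads and then checks that the extracted key and certificate actually belong together. The function names, the `P12_PASS` environment variable and the self-signed test bundle are assumptions made for the example; the real bundle and its password would come from the administrator.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. The key, certificate and password are
# constructed throwaway values; the bundle password is read from $P12_PASS.

# Build a self-signed test bundle at <dir>/bundle.p12 (stand-in for the real .p12).
make_demo_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo.example.com' \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -passout env:P12_PASS -out "$1/bundle.p12"
}

# extract_p12 <bundle.p12> <outdir>: write key.pem, cert.pem and CAchain.pem.
extract_p12() {
    local p12="$1" out="$2"
    # Private key only, left unencrypted (-nodes) so httpd can start unattended;
    # the umask makes the new file readable by its owner alone.
    ( umask 077
      openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
          -out "$out/key.pem" ) || return 1
    # Leaf (server) certificate only.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
        -out "$out/cert.pem" || return 1
    # CA certificates only; the file is empty when the bundle carries none.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys \
        -out "$out/CAchain.pem"
}

# key_matches_cert <key.pem> <cert.pem>: succeed only if both hold the same public key.
key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

demo() {
    local d rc
    d=$(mktemp -d) || return 1
    export P12_PASS='constructed-demo-password'
    make_demo_bundle "$d" && extract_p12 "$d/bundle.p12" "$d" &&
        key_matches_cert "$d/key.pem" "$d/cert.pem"
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then demo && echo "key and certificate match"; fi
```

Run with `--demo` to exercise it on the constructed bundle. A failed `key_matches_cert` before reloading Apache means the key and certificate paths in the vhost do not point at a matching pair.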