TLS Certificates in Debian and Apache

Adding a TLS configuration to Apache:

cat > /etc/ssl/private/myserver.key
chmod 0640 /etc/ssl/private/myserver.key
chgrp ssl-cert /etc/ssl/private/myserver.key
cat > /etc/ssl/certs/myserver.crt

cd /etc/apache2/sites-available
cp default-ssl.conf myserver-ssl.conf
vi myserver-ssl.conf
- add ServerName if needed
- RedirectMatch ^/$ https://myserver.mydomain.com/appname (if needed)
- edit SSLCertificateFile and SSLCertificateKeyFile
a2ensite myserver-ssl
a2enmod ssl

vi 000-default.conf
- add ServerName if needed
- Redirect / https://myserver.mydomain.com/

vi /etc/apache2/mods-available/ssl.conf
- SSLHonorCipherOrder on
- SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
- SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:\
ECDHE-RSA-AES128-SHA256

service apache2 restart

If an internal CA needs to be added to the system trust store (for curl etc.):

cat > /usr/local/share/ca-certificates/myCA.crt
update-ca-certificates
- the file name must end in .crt, otherwise update-ca-certificates ignores it
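The same procedure as a script, added here as an example and not part of the original post. It keeps the post's file names (myserver.key, myserver.crt, myserver-ssl.conf, myCA.crt) and the Mozilla cipher list, but makes three assumptions of its own: every path hangs off a ROOT variable so the functions can be tried against a scratch directory before touching /etc; the protocol and cipher settings go into a separate conf-available/tls-hardening.conf (read after mods-enabled, so it overrides the packaged ssl.conf without editing a dpkg conffile); and before restarting it checks that key and certificate belong together and that the configuration parses, so a typo cannot leave the server down.

```sh
#!/bin/sh
# Added example, not from the original post. Leave ROOT empty on the real host;
# set ROOT to a scratch directory to inspect what would be written.
set -eu

ROOT="${ROOT:-}"
SERVER_NAME="${SERVER_NAME:-myserver.mydomain.com}"   # assumed name, as in the post
APP_PATH="${APP_PATH:-/appname}"                       # assumed application path
# Mozilla "modern" list quoted in the post, joined onto one line.
CIPHERS='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'

# Private key root:ssl-cert 0640 (Debian convention); the certificate is public.
install_key_and_cert() {  # $1 = private key (PEM), $2 = certificate (PEM)
    install -d -m 0710 "$ROOT/etc/ssl/private"
    install -d -m 0755 "$ROOT/etc/ssl/certs"
    install -m 0640 "$1" "$ROOT/etc/ssl/private/myserver.key"
    install -m 0644 "$2" "$ROOT/etc/ssl/certs/myserver.crt"
    if [ -z "$ROOT" ]; then chgrp ssl-cert "$ROOT/etc/ssl/private/myserver.key"; fi
}

# True when the certificate carries the public half of this key (RSA or EC).
key_matches_cert() {  # $1 = private key, $2 = certificate
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Port 443 vhost: what the post gets by copying and editing default-ssl.conf.
write_ssl_vhost() {
    install -d "$ROOT/etc/apache2/sites-available"
    cat > "$ROOT/etc/apache2/sites-available/myserver-ssl.conf" <<EOF
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName $SERVER_NAME
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    # A bare "/" lands on the application instead of the DocumentRoot index
    RedirectMatch ^/\$ https://$SERVER_NAME$APP_PATH

    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/myserver.crt
    SSLCertificateKeyFile /etc/ssl/private/myserver.key
</VirtualHost>
</IfModule>
EOF
}

# Port 80 vhost: its only job is to send every request to HTTPS.
write_http_redirect() {
    install -d "$ROOT/etc/apache2/sites-available"
    cat > "$ROOT/etc/apache2/sites-available/000-default.conf" <<EOF
<VirtualHost *:80>
    ServerName $SERVER_NAME
    Redirect permanent / https://$SERVER_NAME/
</VirtualHost>
EOF
}

# Protocol and cipher hardening in server-config context; conf-enabled is
# included after mods-enabled, so this overrides ssl.conf without editing it.
write_tls_hardening() {
    install -d "$ROOT/etc/apache2/conf-available"
    cat > "$ROOT/etc/apache2/conf-available/tls-hardening.conf" <<EOF
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite $CIPHERS
</IfModule>
EOF
}

# Internal CA for the system trust store (curl, apt, ...); name must end in .crt.
install_internal_ca() {  # $1 = CA certificate (PEM)
    install -d -m 0755 "$ROOT/usr/local/share/ca-certificates"
    install -m 0644 "$1" "$ROOT/usr/local/share/ca-certificates/myCA.crt"
    if [ -z "$ROOT" ]; then update-ca-certificates; fi
}

# Whole procedure on the real host: sh tls-setup.sh apply key.pem cert.pem [ca.crt]
apply() {  # $1 = key, $2 = cert, $3 = optional internal CA
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match" >&2; exit 1; }
    install_key_and_cert "$1" "$2"
    write_ssl_vhost
    write_http_redirect
    write_tls_hardening
    if [ -n "${3:-}" ]; then install_internal_ca "$3"; fi
    a2enmod ssl
    a2ensite myserver-ssl
    a2enconf tls-hardening
    apache2ctl configtest      # refuse to restart on a broken configuration
    service apache2 restart
}

if [ "${1:-}" = apply ]; then shift; apply "$@"; fi
```

To preview the result without root, run the functions with ROOT pointing at a temporary directory (for example ROOT=/tmp/stage) and read the files under /tmp/stage/etc; only the `apply` path calls a2enmod, a2ensite, a2enconf and the service restart.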

Disclaimer: Don’t trust my ability to create a protected web server.

Ciphersuites source: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility

Updated: January 1, 2018 — 14:13
