Government Certification Authority (GCA)
Apache SSL Certificate Request File Creation and Certificate Installation Manual

Notice: The intellectual property rights of this manual belong to Chunghwa Telecom Co., Ltd. (hereinafter "the Company"), and the Company reserves all rights. The procedures described in this manual share the Company's experience installing the relevant software and are provided for reference by users applying for Government Certification Authority (GCA) SSL server software certificates. The Company accepts no liability for any damage arising from following the procedures described in this manual.

This manual applies to the installation of SSL server software certificates in an Apache Server environment.
The installation procedures in this manual have been tested on Apache 2.2.29 and Apache 2.4.39. The version or environment you use may differ from these; if so, consult the SSL module documentation of your Web Server and adjust the SSL server software certificate installation steps accordingly.

Table of Contents
Linux Apache SSL certificate request file creation manual .................................................... 2
Linux Apache SSL certificate installation manual (for certificates applied for after 2019/09/02) ....... 5
Linux Apache SSL certificate installation manual (for certificates applied for before 2019/09/02) ...... 8
Windows Apache SSL certificate request file creation manual ............................................ 11
Windows Apache SSL certificate installation manual (for certificates applied for after 2019/09/02) ..... 15
Windows Apache SSL certificate installation manual (for certificates applied for before 2019/09/02) .... 20
Appendix 1: Setting the encryption strength of the SSL secure channel ................................. 25
Appendix 2: Disabling SSLv3.0, TLS 1.0 and TLS 1.1 .................................................... 26

Linux Apache SSL Certificate Request File Creation Manual

1. Generate the certificate request file



(1) Generate the certificate request file (Certificate Signing Request file, CSR). The OpenSSL binary is normally located under /usr/local/ssl/bin; if it is not there, locate it with
    $ find / -name openssl -print
(2) Check whether the installed OpenSSL is affected by the Heartbleed Bug:
    $ openssl version
    Affected versions: 1.0.1 ~ 1.0.1f / 1.0.2-beta ~ 1.0.2-beta1
    Fixed versions:    1.0.1g / 1.0.2-beta2
    An affected version must be upgraded before the private key is generated.
(3) Use openssl to generate a 3-DES encrypted, PEM-format private key (RSA 2048 bits):
    $ openssl genrsa -des3 -out server.key 2048
    The SSL private key is written to server.key (RSA 2048 bits).
(4) server.key is protected by a pass phrase; enter it when prompted:
    Enter PEM pass phrase:
    This pass phrase protects the TLS private key.
(5) Keep server.key in a safe place.
(6) Generate the certificate request file:
    $ openssl req -new -key server.key -out certreq.txt
    The certificate request file is written to certreq.txt.
    Fill in the subject fields as required by the GCA SSL certificate application:
    Country Name:              TW
    State or Province Name:    press Enter (leave blank)
    Locality Name:             e.g. Taipei
    Organization Name:         e.g. CHT
    Organizational Unit Name:  e.g. Information
    Common Name:               the web site's host name, e.g. www.abc.com.tw
    Email address:             e.g. [email protected]
    A challenge password:      press Enter (leave blank)
    An optional company name:  press Enter (leave blank)
(7) Check the contents of the certificate request file:
    $ openssl req -noout -text -in certreq.txt

2. Submit the certificate request file to GCA (http://gca.nat.gov.tw) to apply for the SSL certificate.

Linux Apache SSL Certificate Installation Manual (for certificates applied for after 2019/09/02)

SSL certificates applied for from GCA after 2019/09/02 are issued under the eCA / GTLSCA hierarchy. To install the SSL certificate, the Apache Server needs the eCA and GTLSCA CA certificates installed together with the SSL server certificate.

1. Download the CA certificates
(1) Download the GTLSCA CA certificates in PEM format:
    https://gtlsca.nat.gov.tw/download/eCA1_GTLSCA.zip
(2) Unzip eCA1_GTLSCA.zip to obtain eCA1_GTLSCA.crt.

2. Install the eCA / GTLSCA CA certificates and the SSL certificate
(1) Download the issued SSL certificate (*.cer) and save it as server.cer.
(2) Convert the SSL certificate from DER format to PEM format:
    $ openssl x509 -in server.cer -inform DER -out server.crt
    server.crt is the PEM-format certificate converted from the DER file server.cer.
(3) Apache < 2.4.8: edit httpd-ssl.conf (under \conf\extra\) and set the following directives:
    SSLCertificateFile      the SSL server certificate (*.crt)
    SSLCertificateKeyFile   the private key of the SSL server certificate, i.e. the key used to generate its Certificate Signing Request (CSR)
    SSLCertificateChainFile eCA1_GTLSCA.crt
(4) Apache >= 2.4.8 (SSLCertificateChainFile is deprecated from this version on; the CA certificates go into the SSLCertificateFile instead): combine the SSL server certificate and the CA certificates into one file:
    cat server.crt eCA1_GTLSCA.crt > server-chain.crt
    mv server-chain.crt server.crt
    Then edit httpd-ssl.conf (under \conf\extra\) and set the following 2 directives:
    SSLCertificateFile      the combined SSL server certificate file (*.crt)
    SSLCertificateKeyFile   the private key of the SSL server certificate, i.e. the key used to generate its Certificate Signing Request (CSR)
(5) Restart Apache.
(6) Confirm that the https port is open.
(7) Browse the site over https to check the SSL certificate.

Linux Apache SSL Certificate Installation Manual (for certificates applied for before 2019/09/02)

SSL certificates applied for from GCA before 2019/09/02 are issued under the GRCA / GCA hierarchy. To install the SSL certificate, the Apache Server needs the GRCA and GCA CA certificates installed together with the SSL server certificate.

1. Download the CA certificates
(1) Download the GCA CA certificates in PEM format:
    http://gca.nat.gov.tw/download/GRCA1_5_GCA2.zip
(2) Unzip GRCA1_5_GCA2.zip to obtain GRCA1_5_GCA2.crt.

2. Install the GRCA / GCA CA certificates and the SSL certificate
(1) Download the issued SSL certificate (*.cer) and save it as server.cer.
(2) Convert the SSL certificate from DER format to PEM format:
    $ openssl x509 -in server.cer -inform DER -out server.crt
    server.crt is the PEM-format certificate converted from the DER file server.cer.
(3) Apache < 2.4.8: edit httpd-ssl.conf (under \conf\extra\) and set the following directives:
    SSLCertificateFile      the SSL server certificate (*.crt)
    SSLCertificateKeyFile   the private key of the SSL server certificate, i.e. the key used to generate its Certificate Signing Request (CSR)
    SSLCertificateChainFile GRCA1_5_GCA2.crt
(4) Apache >= 2.4.8 (SSLCertificateChainFile is deprecated from this version on; the CA certificates go into the SSLCertificateFile instead): combine the SSL server certificate and the CA certificates into one file:
    cat server.crt GRCA1_5_GCA2.crt > server-chain.crt
    mv server-chain.crt server.crt
    Then edit httpd-ssl.conf (under \conf\extra\) and set the following 2 directives:
    SSLCertificateFile      the combined SSL server certificate file (*.crt)
    SSLCertificateKeyFile   the private key of the SSL server certificate, i.e. the key used to generate its Certificate Signing Request (CSR)
(5) Restart Apache.
(6) Confirm that the https port is open.
(7) Browse the site over https to check the SSL certificate.

Windows Apache SSL Certificate Request File Creation Manual

1. Generate the certificate request file
(1) Generate the certificate request file (Certificate Signing Request file, CSR). OpenSSL is shipped with Apache for Windows as openssl.exe under its /bin directory.
(2) Check whether the installed OpenSSL is affected by the Heartbleed Bug:
    $ openssl version
    Affected versions: 1.0.1 ~ 1.0.1f / 1.0.2-beta ~ 1.0.2-beta1
    Fixed versions:    1.0.1g / 1.0.2-beta2
    An affected version must be upgraded before the private key is generated.
(3) Windows Apache: use openssl to generate a PEM-format private key (RSA 2048 bits). Note that, unlike the Linux procedure, the command has no -des3 option, so the key is not encrypted with a pass phrase:
    $ openssl genrsa -out server.key 2048
    The SSL private key is written to server.key (RSA 2048 bits).
(4) Keep server.key in a safe place.
(5) Generate the certificate request file:
    $ openssl req -new -key server.key -out <certificate request file>
    If the message "WARNING: can't open config file" appears, point OpenSSL at the openssl.cnf shipped with Apache before running the command again:
    set OPENSSL_CONF=<path to Apache's openssl.cnf>
    Fill in the subject fields as required by the GCA SSL certificate application:
    Country Name:              TW
    State or Province Name:    press Enter (leave blank)
    Locality Name:             e.g. Taipei
    Organization Name:         e.g. CHT
    Organizational Unit Name:  e.g. Information
    Common Name:               the web site's host name, e.g. www.abc.com.tw
    Email address:             e.g. [email protected]
    A challenge password:      press Enter (leave blank)
    An optional company name:  press Enter (leave blank)
(6) Check the contents of the certificate request file:
    $ openssl req -noout -text -in <certificate request file>

2. Submit the certificate request file to GCA (http://gca.nat.gov.tw) to apply for the SSL certificate.
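The key and CSR steps of the Linux and Windows sections above, done non-interactively so the result can be checked by script. This is an added example, not part of the GCA manual; it assumes openssl is on PATH, and the subject values are the manual's sample values (State and Email left blank, as the prompts suggest).

```shell
#!/bin/sh
# Added example (not from the GCA manual). Assumes openssl is on PATH.
set -e
SUBJ="/C=TW/L=Taipei/O=CHT/OU=Information/CN=www.abc.com.tw"

# Step (2): is the string printed by "openssl version" in the Heartbleed
# range the manual lists (1.0.1 ~ 1.0.1f, 1.0.2-beta ~ 1.0.2-beta1)?
# Returns 0 when affected.
heartbleed_affected() {
  v=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
  case "$v" in
    1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1) return 0 ;;
    *) return 1 ;;
  esac
}

# Steps (3) and (6): 2048-bit RSA key plus CSR. With a pass phrase the key
# is 3-DES encrypted as in the Linux section; without one it is stored in
# clear as in the Windows section. -batch and -subj replace the prompts.
make_csr() {                       # make_csr key.file csr.file [passphrase]
  if [ -n "$3" ]; then
    openssl genrsa -des3 -passout "pass:$3" -out "$1" 2048 2>/dev/null
    openssl req -new -batch -key "$1" -passin "pass:$3" -out "$2" -subj "$SUBJ"
  else
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl req -new -batch -key "$1" -out "$2" -subj "$SUBJ"
  fi
}

# Step (7): pull out the two fields GCA will look at instead of reading the
# whole "openssl req -noout -text" dump. Prints "CN=<name> bits=<n>".
csr_summary() {                    # csr_summary csr.file
  cn=$(openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p')
  bits=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -noout -text \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  echo "CN=$cn bits=$bits"
}

# Demo when run directly, in a scratch directory: the Linux variant with a
# constructed pass phrase.
if command -v openssl >/dev/null 2>&1; then
  cd "$(mktemp -d)"
  heartbleed_affected "$(openssl version)" && echo "OpenSSL is in the Heartbleed range"
  make_csr server.key certreq.txt changeme 2>/dev/null
  csr_summary certreq.txt
fi
```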

Windows Apache SSL Certificate Installation Manual (for certificates applied for after 2019/09/02)

SSL certificates applied for from GCA after 2019/09/02 are issued under the eCA / GTLSCA hierarchy. To install the SSL certificate, the Apache Server needs the eCA and GTLSCA CA certificates installed together with the SSL server certificate.

1. Download the CA certificates
(1) Download the GTLSCA CA certificates in PEM format:
    https://gtlsca.nat.gov.tw/download/eCA1_GTLSCA.zip
(2) Unzip eCA1_GTLSCA.zip to obtain eCA1_GTLSCA.crt.

2. Install the eCA / GTLSCA CA certificates and the SSL certificate
(1) Download the issued SSL certificate (*.cer) and save it as server.cer.
(2) Convert the SSL certificate from DER format to PEM format:
    $ openssl x509 -in server.cer -inform DER -out server.crt
    server.crt is the PEM-format certificate converted from the DER file server.cer.
(3) Apache < 2.4.8: edit httpd-ssl.conf (under \conf\extra\) and set the following directives:
    SSLCertificateFile      the SSL server certificate (*.crt)
    SSLCertificateKeyFile   the private key of the SSL server certificate, i.e. the key used to generate its Certificate Signing Request (CSR)
    SSLCertificateChainFile eCA1_GTLSCA.crt
(4) Apache >= 2.4.8 (SSLCertificateChainFile is deprecated from this version on; the CA certificates go into the SSLCertificateFile instead): open eCA1_GTLSCA.crt in a text editor and append its contents after the SSL certificate, i.e. after the server.crt converted from the SSL certificate downloaded in step (1), so that server.crt contains the SSL server certificate followed by the CA certificates. Then edit httpd-ssl.conf (under \conf\extra\) and set the following 2 directives:
    SSLCertificateFile      the SSL server certificate file (*.crt) that now also contains the CA certificates
    SSLCertificateKeyFile   the private key of the SSL server certificate, i.e. the key used to generate its Certificate Signing Request (CSR)
(5) Restart Apache.
(6) Confirm that the https port is open.
(7) Browse the site over https to check the SSL certificate.

Windows Apache SSL Certificate Installation Manual (for certificates applied for before 2019/09/02)

SSL certificates applied for from GCA before 2019/09/02 are issued under the GRCA / GCA hierarchy. To install the SSL certificate, the Apache Server needs the GRCA and GCA CA certificates installed together with the SSL server certificate.

1. Download the CA certificates
(1) Download the GCA CA certificates in PEM format:
    https://gca.nat.gov.tw/download/GRCA1_5_GCA2.zip
(2) Unzip GRCA1_5_GCA2.zip to obtain GRCA1_5_GCA2.crt.

2. Install the GRCA / GCA CA certificates and the SSL certificate
(1) Download the issued SSL certificate (*.cer) and save it as server.cer.
(2) Convert the SSL certificate from DER format to PEM format:
    $ openssl x509 -in server.cer -inform DER -out server.crt
    server.crt is the PEM-format certificate converted from the DER file server.cer.
(3) Apache < 2.4.8: edit httpd-ssl.conf (under \conf\extra\) and set the following directives:
    SSLCertificateFile      the SSL server certificate (*.crt)
    SSLCertificateKeyFile   the private key of the SSL server certificate, i.e. the key used to generate its Certificate Signing Request (CSR)
    SSLCertificateChainFile GRCA1_5_GCA2.crt
(4) Apache >= 2.4.8 (SSLCertificateChainFile is deprecated from this version on; the CA certificates go into the SSLCertificateFile instead): open GRCA1_5_GCA2.crt in a text editor and append its contents after the SSL certificate, i.e. after the server.crt converted from the SSL certificate downloaded in step (1), so that server.crt contains the SSL server certificate followed by the CA certificates. Then edit httpd-ssl.conf (under \conf\extra\) and set the following 2 directives:
    SSLCertificateFile      the SSL server certificate file (*.crt) that now also contains the CA certificates
    SSLCertificateKeyFile   the private key of the SSL server certificate, i.e. the key used to generate its Certificate Signing Request (CSR)
(5) Restart Apache.
(6) Confirm that the https port is open.
(7) Browse the site over https to check the SSL certificate.
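Helpers for installation steps (2) and (4) of the four installation sections above, plus the check a practitioner wants before restarting Apache: that the private key really belongs to the certificate and that the chain verifies. This is an added example, not part of the GCA manual; it assumes openssl is on PATH and uses the manual's file names (server.cer, server.crt, server.key, and eCA1_GTLSCA.crt or GRCA1_5_GCA2.crt as the CA certificate file).

```shell
#!/bin/sh
# Added example (not from the GCA manual). Assumes openssl is on PATH.
set -e

# Step (2): GCA delivers the server certificate (*.cer) as DER and Apache
# wants PEM. Detect the encoding instead of guessing, so a file that is
# already PEM is copied rather than mangled by a DER conversion.
to_pem() {                        # to_pem server.cer server.crt
  if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
    cp "$1" "$2"
  else
    openssl x509 -in "$1" -inform DER -out "$2"
  fi
}

# Step (4), Apache >= 2.4.8: server certificate first, CA certificates
# after it. mod_ssl takes the first certificate in SSLCertificateFile as
# the server's own, so the order matters.
build_chain() {                   # build_chain server.crt ca.crt out.crt
  cat "$1" "$2" > "$3"
}

# Pre-restart check: the key must be the one that made the CSR for this
# certificate (identical public key), and the chain must verify against
# the CA certificate file. Returns 0 only when both hold.
check_install() {                 # check_install server.crt server.key ca.crt
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -pubout -outform DER \
      | openssl dgst -sha256)
  [ "$k" = "$c" ] && openssl verify -CAfile "$3" -untrusted "$1" "$1" >/dev/null
}
```

Run as `to_pem server.cer server.crt; build_chain server.crt eCA1_GTLSCA.crt chained.crt; check_install chained.crt server.key eCA1_GTLSCA.crt` and only edit httpd-ssl.conf when the last command succeeds.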

Appendix 1: Setting the encryption strength of the SSL secure channel

The SSL cipher suites used by Apache are provided by OpenSSL. In Apache's httpd.conf or httpd-ssl.conf, the SSLCipherSuite directive defaults to
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
where HIGH selects the high-strength encryption cipher suites (e.g. AES 256 bit) and MEDIUM the medium-strength encryption cipher suites (e.g. AES 128 bit). If the OpenSSL build supports AES 256 bit, the AES 256 bit cipher suites are used. For the cipher suite names accepted by OpenSSL and by the SSLCipherSuite directive, refer to the OpenSSL documentation.

Appendix 2: Disabling SSLv3.0, TLS 1.0 and TLS 1.1

In the SSL configuration file (httpd-ssl.conf), set the SSLProtocol directive to
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
and restart Apache. (Note 1)

Note 1: http://www.icst.org.tw/NewInfoDetail.aspx?seq=1436&lang=zh

Tools for checking a server's SSL settings:
(1) TestSSLServer: http://www.bolet.org/TestSSLServer/
(2) QUALYS SSL LABS SSL Server Test (https://www.ssllabs.com/ssltest/index.html, CA/Browser Forum)
In October 2014 the SSLv3 vulnerability CVE-2014-3566 (POODLE) was disclosed; SSL V3 should be disabled and TLS used instead.
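A check for the SSLProtocol setting of Appendix 2, evaluated the way mod_ssl does it ("All" enables every protocol except SSLv2, then the +/- tokens are applied left to right), so httpd-ssl.conf can be verified before Apache is restarted. This is an added example, not part of the GCA manual; it assumes Apache 2.4 protocol names, counts TLSv1.3 in "All" as on 2.4.37+ with OpenSSL 1.1.1, and the two configuration lines it tests are constructed.

```shell
#!/bin/sh
# Added example (not from the GCA manual); the conf lines are constructed.
set -e

# Prints the protocols left enabled by the last SSLProtocol line in $1.
# A file without the directive is treated as "All".
effective_protocols() {             # effective_protocols httpd-ssl.conf
  line=$(grep -i '^[[:space:]]*SSLProtocol' "$1" | tail -n 1)
  enabled=""
  for p in SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; do
    on=0
    for tok in ${line:-SSLProtocol All}; do
      case "$tok" in
        [Aa]ll|+[Aa]ll) on=1 ;;
        -[Aa]ll)        on=0 ;;
        "$p"|"+$p")     on=1 ;;
        "-$p")          on=0 ;;
      esac
    done
    [ "$on" = 1 ] && enabled="$enabled $p"
  done
  echo $enabled
}

# Returns 0 only when nothing older than TLSv1.2 is left enabled, i.e. the
# state Appendix 2 is meant to reach.
protocols_hardened() {              # protocols_hardened httpd-ssl.conf
  for p in $(effective_protocols "$1"); do
    case "$p" in SSLv3|TLSv1|TLSv1.1) return 1 ;; esac
  done
  return 0
}

# Constructed samples: listing TLSv1 TLSv1.1 without a leading minus (an
# easy mistake) keeps them on, because "All" already enabled them; only
# the minus form disables them.
WEAK='SSLProtocol All -SSLv2 -SSLv3 TLSv1 TLSv1.1'
FIXED='SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1'
T=$(mktemp -d)
printf '%s\n' "$WEAK" > "$T/weak.conf"
printf '%s\n' "$FIXED" > "$T/fixed.conf"
for f in weak fixed; do
  echo "$f: $(effective_protocols "$T/$f.conf")"
done
```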