{"id":125,"date":"2012-03-11T10:48:24","date_gmt":"2012-03-11T10:48:24","guid":{"rendered":"http:\/\/trindade.myphotos.cc\/ri\/?p=125"},"modified":"2012-03-11T10:48:24","modified_gmt":"2012-03-11T10:48:24","slug":"multiplos-virtual-hosts-com-ssl-em-apache","status":"publish","type":"post","link":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/2012\/03\/11\/multiplos-virtual-hosts-com-ssl-em-apache\/","title":{"rendered":"Multiple SSL virtual hosts in Apache"},"content":{"rendered":"<p>Configuring an HTTP server for HTTPS has never been as easy as configuring it for plain HTTP. Besides the basic configuration we also have to worry about certificates, private keys and the like. What is more, with the traditional <code>mod_ssl<\/code> we need a different IP address for each <em>virtual host<\/em>, which is not always possible.<\/p>\n<p>But now we have <a href=\"http:\/\/tools.ietf.org\/html\/rfc3546\">RFC 3546<\/a> (<em>Transport Layer Security (TLS) Extensions<\/em>). This RFC defines extensions to TLS (<em>Transport Layer Security<\/em>), among them Server Name Indication (SNI), with which the client announces the host name it wants in the very first message of the handshake. That is what makes <em>virtual hosts<\/em> over SSL possible without several IP addresses. (RFC 3546 has since been superseded by RFC 4366 and then RFC 6066, which carry the same extension.)<\/p>\n<p><!--more--><\/p>\n<h2><span class=\"ez-toc-section\" id=\"O_problema_com_o_mod_ssl\"><\/span>The problem with <code>mod_ssl<\/code><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The problem with <code>mod_ssl<\/code> and <em>virtual hosts<\/em> is simple to explain: name-based <em>virtual hosts<\/em> cannot be used. This kind of <em>virtual host<\/em> is selected from information in the HTTP request, the <code>Host<\/code> header. Over HTTPS the request is only sent after the TLS handshake, inside the encrypted channel, so the server has to pick a certificate and private key before it knows which <em>virtual host<\/em> the client is asking for, and without SNI nothing in the handshake tells it.<\/p>\n<p><code>mod_ssl<\/code> did not support RFC 3546 until Apache httpd 2.2.12, and even then only when httpd is built against OpenSSL 0.9.8f or newer with TLS extensions enabled. Fortunately there is an alternative that supports it regardless of the OpenSSL build: <code>mod_gnutls<\/code>.<\/p>\n<p>With this module it is possible to use name-based <em>virtual hosts<\/em> on a single IP address.<\/p>\n<p>In the lines that follow I explain how to configure two <em>virtual hosts<\/em> with SSL.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"O_cenario\"><\/span>The scenario<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>I want to configure two <em>virtual hosts<\/em> with SSL: <code>www.darklair.homeunix.net<\/code> and <code>trindade.myphotos.cc<\/code>. These two virtual servers live on the same physical server and have only one external IP address.<\/p>\n<p>To configure mod_gnutls for this scenario we will need at least two SSL certificates and changes to the Apache configuration files.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Criacao_dos_certificados\"><\/span>Creating the certificates<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>We will have to create a signed certificate for each virtual server we want to configure. We can either create self-signed certificates (<em>self-signed certificates<\/em>) or use the certificate of a CA (<em>Certificate Authority<\/em>) to sign them. These certificates will not be trusted by the browser unless they are bought from an official CA, which means spending about \u20ac200 a year (price based on the certificates issued by Thawte). They are perfectly functional all the same: it is enough for the user to confirm that the certificate is valid for it to work. Bear in mind, though, that a certificate the user accepts by clicking through a warning gives no protection against a man-in-the-middle, who can present a certificate of their own just as easily. With a private CA the better option is to import the CA certificate (<code>myca.pem<\/code> below) into the trust store of every browser that will use these sites, so that the chain is checked by the browser rather than by the user.<\/p>\n<p>The same server certificate also authenticates the key exchange that produces the session keys encrypting the traffic between the browser and the server.<\/p>\n<h3>CA (Certificate Authority) certificate<\/h3>\n<p>To set up our own CA we have to create a private key for the certificate and then the certificate itself:<\/p>\n<pre>$ certtool --generate-privkey --outfile myca.key\nGenerating a 2432 bit RSA private key...\n$ certtool --generate-self-signed --load-privkey myca.key --outfile myca.pem\nGenerating a self signed certificate...\nPlease enter the details of the certificate's distinguished name. Just press enter to ignore a field.\nCountry name (2 chars): PT\nOrganization name: Antonio Trindade\nOrganizational unit name: CA\nLocality name: Coimbra\nState or province name: Beira Litoral\nCommon name: MyCA\nUID: trindade\nThis field should not be used in new certificates.\nE-mail: Antonio.Trindade@gmail.com\nEnter the certificate's serial number in decimal (default: 1331422737): \n\nActivation\/Expiration time.\nThe certificate will expire in (days): 3650\n\nExtensions.\nDoes the certificate belong to an authority? (y\/N): y\nPath length constraint (decimal, -1 for no constraint): -1\nIs this a TLS web client certificate? (y\/N):\nWill the certificate be used for IPsec IKE operations? (y\/N):\nIs this also a TLS web server certificate? (y\/N):\nEnter the e-mail of the subject of the certificate: Antonio.Trindade@gmail.com\nWill the certificate be used to sign other certificates? (y\/N): y\nWill the certificate be used to sign CRLs? (y\/N): y\nWill the certificate be used to sign code? (y\/N):\nWill the certificate be used to sign OCSP requests? (y\/N):\nWill the certificate be used for time stamping? (y\/N):\nEnter the URI of the CRL distribution point:\nX.509 Certificate Information:\n\tVersion: 3\n\tSerial Number (hex): 4f5be611\n\tValidity:\n\t\tNot Before: Sat Mar 10 23:38:58 UTC 2012\n\t\tNot After: Tue Mar 08 23:39:01 UTC 2022\n\tSubject: C=PT,O=Antonio Trindade,OU=CA,L=Coimbra,ST=Beira Litoral,CN=MyCA,UID=trindade,EMAIL=Antonio.Trindade@gmail.com\n\tSubject Public Key Algorithm: RSA\n\tCertificate Security Level: Normal\n\t\tModulus (bits 2432):\n\t\t\t.\n\t\t\t.\n\t\t\t.\n\t\tExponent (bits 24):\n\t\t\t01:00:01\n\tExtensions:\n\t\tBasic Constraints (critical):\n\t\t\tCertificate Authority (CA): TRUE\n\t\tSubject Alternative Name (not critical):\n\t\t\tRFC822name: Antonio.Trindade@gmail.com\n\t\tKey Usage (critical):\n\t\t\tCertificate signing.\n\t\t\tCRL signing.\n\t\tSubject Key Identifier (not critical):\n\t\t\t604d874c172a52e02047ab47d7277d53113572b7\nOther Information:\n\tPublic Key Id:\n\t\t604d874c172a52e02047ab47d7277d53113572b7\n\nIs the above information ok? (y\/N): y\n\nSigning certificate...\n<\/pre>\n<p>The private key is stored in the file <code>myca.key<\/code> and the certificate in <code>myca.pem<\/code>. The private key must be kept with restrictive permissions (owned by <code>root<\/code>, mode 0600) so that no user other than the superuser can read it. It is only needed when signing certificates, so it does not have to live on the web server at all; only <code>myca.pem<\/code> is ever handed out. Since this CA will only ever sign server certificates and never other CAs, answering 0 to the path length question would have been the stricter choice.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Criacao_dos_certificados_para_os_virtual_hosts\"><\/span>Creating the certificates for the <em>virtual hosts<\/em><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Next, create the private keys and the CSRs (<em>Certificate Signing Request<\/em>) for the <em>virtual hosts<\/em>. Each request carries the name of its own host, so take care not to mix them up: the first request below is for <code>trindade.myphotos.cc<\/code>, the second for <code>www.darklair.homeunix.net<\/code>.<\/p>\n<pre>$ certtool --generate-privkey --outfile www.key\nGenerating a 2432 bit RSA private key...\n$ certtool --generate-privkey --outfile trindade_myphotos_cc.key\nGenerating a 2432 bit RSA private key...\n$ certtool --generate-request --load-privkey trindade_myphotos_cc.key --outfile trindade_myphotos_cc.csr\nGenerating a PKCS #10 certificate request...\nCountry name (2 chars): PT\nOrganization name: Antonio Trindade\nOrganizational unit name: Servidor trindade.myphotos.cc\nLocality name: Coimbra\nState or province name: Beira Litoral\nCommon name: trindade.myphotos.cc\nUID: trindade\nEnter a dnsName of the subject of the certificate: trindade.myphotos.cc\nEnter a dnsName of the subject of the certificate:\nEnter the IP address of the subject of the certificate: 10.0.0.1\nEnter the e-mail of the subject of the certificate: Antonio.Trindade@gmail.com\nEnter a challenge password:\nDoes the certificate belong to an authority? (y\/N):\nWill the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y\/N):\nWill the certificate be used for encryption (RSA ciphersuites)? (y\/N):\nIs this a TLS web client certificate? (y\/N):\nIs this also a TLS web server certificate? (y\/N): y\n$ certtool --generate-request --load-privkey www.key --outfile www.csr\nGenerating a PKCS #10 certificate request...\nCountry name (2 chars): PT\nOrganization name: Antonio Trindade\nOrganizational unit name: Servidor www.darklair.homeunix.net\nLocality name: Coimbra\nState or province name: Beira Litoral\nCommon name: www.darklair.homeunix.net\nUID: trindade\nEnter a dnsName of the subject of the certificate: www.darklair.homeunix.net\nEnter a dnsName of the subject of the certificate:\nEnter the IP address of the subject of the certificate: 10.0.0.1\nEnter the e-mail of the subject of the certificate: Antonio.Trindade@gmail.com\nEnter a challenge password:\nDoes the certificate belong to an authority? (y\/N):\nWill the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y\/N):\nWill the certificate be used for encryption (RSA ciphersuites)? (y\/N):\nIs this a TLS web client certificate? (y\/N):\nIs this also a TLS web server certificate? (y\/N): y\n<\/pre>\n<p>All parameters are optional except the <code>common name<\/code>, <code>dnsName<\/code> and <code>IP address<\/code>. The first two must both be the name of the <em>virtual host<\/em>: browsers match the name in the URL against the <code>dnsName<\/code> entries of the Subject Alternative Name and fall back to the common name only when there are none. The <code>IP address<\/code> entry must be the server's address and only matters when clients will connect by literal address; otherwise it can be left empty.<\/p>\n<p>Finally, sign the CSRs with the CA certificate created earlier.<\/p>\n<pre>$ certtool --generate-certificate --load-request trindade_myphotos_cc.csr --load-ca-certificate myca.pem --load-ca-privkey myca.key --outfile trindade_myphotos_cc.pem\nGenerating a signed certificate...\nEnter the certificate's serial number in decimal (default: 1331424281):\n\nActivation\/Expiration time.\nThe certificate will expire in (days): 3650\n\nExtensions.\nDo you want to honour the extensions from the request? (y\/N): y\nDoes the certificate belong to an authority? (y\/N):\nIs this a TLS web client certificate? (y\/N):\nWill the certificate be used for IPsec IKE operations? (y\/N):\nIs this also a TLS web server certificate? (y\/N): y\nEnter a dnsName of the subject of the certificate: trindade.myphotos.cc\nEnter a dnsName of the subject of the certificate:\nEnter the IP address of the subject of the certificate: 10.0.0.1\nWill the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y\/N):\nWill the certificate be used for encryption (RSA ciphersuites)? (y\/N):\nX.509 Certificate Information:\n        Version: 3\n        Serial Number (hex): 4f5bec19\n        Validity:\n                Not Before: Sun Mar 11 00:04:42 UTC 2012\n                Not After: Wed Mar 09 00:04:44 UTC 2022\n        Subject: C=PT,O=Antonio Trindade,OU=Servidor trindade.myphotos.cc,L=Coimbra,ST=Beira Litoral,CN=trindade.myphotos.cc,UID=trindade\n        Subject Public Key Algorithm: RSA\n        Certificate Security Level: Normal\n        Modulus (bits 2432):\n                .\n                .\n                .\n        Exponent (bits 24):\n                01:00:01\n        Extensions:\n        Subject Alternative Name (not critical):\n                DNSname: trindade.myphotos.cc\n                IPAddress: 10.0.0.1\n                RFC822name: Antonio.Trindade@gmail.com\n                DNSname: trindade.myphotos.cc\n                IPAddress: 10.0.0.1\n        Basic Constraints (critical):\n                Certificate Authority (CA): FALSE\n        Key Usage (critical):\n                Digital signature.\n        Key Purpose (not critical):\n                TLS WWW Server.\n                TLS WWW Server.\n        Subject Key Identifier (not critical):\n                736bc20732546e794a859bbd9448809579c9fa69\n        Authority Key Identifier (not critical):\n                604d874c172a52e02047ab47d7277d53113572b7\nOther Information:\n        Public Key Id:\n                736bc20732546e794a859bbd9448809579c9fa69\nIs the above information ok? (y\/N): y\nSigning certificate...\n$ certtool --generate-certificate --load-request www.csr --load-ca-certificate myca.pem --load-ca-privkey myca.key --outfile www.pem\nGenerating a signed certificate...\nEnter the certificate's serial number in decimal (default: 1331424281):\n\nActivation\/Expiration time.\nThe certificate will expire in (days): 3650\n\nExtensions.\nDo you want to honour the extensions from the request? (y\/N): y\nDoes the certificate belong to an authority? (y\/N):\nIs this a TLS web client certificate? (y\/N):\nWill the certificate be used for IPsec IKE operations? (y\/N):\nIs this also a TLS web server certificate? (y\/N): y\nEnter a dnsName of the subject of the certificate: www.darklair.homeunix.net\nEnter a dnsName of the subject of the certificate:\nEnter the IP address of the subject of the certificate: 10.0.0.1\nWill the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y\/N):\nWill the certificate be used for encryption (RSA ciphersuites)? (y\/N):\nX.509 Certificate Information:\n        Version: 3\n        Serial Number (hex): 4f5bec19\n        Validity:\n                Not Before: Sun Mar 11 00:04:42 UTC 2012\n                Not After: Wed Mar 09 00:04:44 UTC 2022\n        Subject: C=PT,O=Antonio Trindade,OU=Servidor www.darklair.homeunix.net,L=Coimbra,ST=Beira Litoral,CN=www.darklair.homeunix.net,UID=trindade\n        Subject Public Key Algorithm: RSA\n        Certificate Security Level: Normal\n        Modulus (bits 2432):\n                .\n                .\n                .\n        Exponent (bits 24):\n                01:00:01\n        Extensions:\n        Subject Alternative Name (not critical):\n                DNSname: www.darklair.homeunix.net\n                IPAddress: 10.0.0.1\n                RFC822name: Antonio.Trindade@gmail.com\n                DNSname: www.darklair.homeunix.net\n                IPAddress: 10.0.0.1\n        Basic Constraints (critical):\n                Certificate Authority (CA): FALSE\n        Key Usage (critical):\n                Digital signature.\n        Key Purpose (not critical):\n                TLS WWW Server.\n                TLS WWW Server.\n        Subject Key Identifier (not critical):\n                894e5399ec41a924542d8a762d4d1e37e762abd6\n        Authority Key Identifier (not critical):\n                604d874c172a52e02047ab47d7277d53113572b7\nOther Information:\n        Public Key Id:\n                894e5399ec41a924542d8a762d4d1e37e762abd6\nIs the above information ok? (y\/N): y\nSigning certificate...\n<\/pre>\n<p>Two things are worth checking in this output. First, the serial number: certtool proposes one derived from the current time, and the two outputs above show the same value (<code>4f5bec19<\/code>). Two certificates issued by the same CA must never share a serial; Firefox, for instance, refuses a certificate whose issuer and serial it has already seen on a different certificate. When signing several requests in quick succession, give each one its own serial instead of accepting the default. Second, because we honoured the extensions from the request and then answered the same prompts again, the <code>DNSname<\/code>, <code>IPAddress<\/code> and <code>TLS WWW Server<\/code> entries appear twice. That is harmless, but answering them only once avoids it.<\/p>\n<p>We end up with 8 files in our working directory:<\/p>\n<ul style=\"list-style-type: disc\">\n<li><code>myca.key<\/code><\/li>\n<li><code>myca.pem<\/code><\/li>\n<li><code>www.key<\/code><\/li>\n<li><code>www.csr<\/code><\/li>\n<li><code>www.pem<\/code><\/li>\n<li><code>trindade_myphotos_cc.key<\/code><\/li>\n<li><code>trindade_myphotos_cc.csr<\/code><\/li>\n<li><code>trindade_myphotos_cc.pem<\/code><\/li>\n<\/ul>\n<p>The csr files can be deleted, as they are no longer needed. It is also possible to create the certificates without signing them with our own CA, which removes two steps: creating the CA and creating the CSRs. The method is the same as for the CA certificate; only the final questions are answered differently, specifying that we want a <em>TLS web server certificate<\/em> rather than an authority.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Configuracao_do_Apache\"><\/span>Apache configuration<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Copy the key and pem files of the <em>virtual hosts<\/em> (not <code>myca.key<\/code>, which Apache never needs) to the directory holding the Apache configuration, keeping the keys readable by <code>root<\/code> only: Apache loads them while it still runs as root, before switching to its unprivileged user.<\/p>\n<p>After installing mod_gnutls, it is enough to add the following lines to the main configuration file (normally httpd.conf):<\/p>\n<pre>Listen 443\nNameVirtualHost 10.0.0.1:443\n<\/pre>\n<p>Then, in each <em>virtual host<\/em>:<\/p>\n<pre>&lt;VirtualHost 10.0.0.1:443&gt;\n  GnuTLSEnable on\n  GnuTLSCertificateFile \/usr\/local\/etc\/apache22\/www.pem\n  GnuTLSKeyFile \/usr\/local\/etc\/apache22\/www.key\n  GnuTLSPriorities NORMAL\n  ServerAdmin webmaster@www.darklair.homeunix.net\n  DocumentRoot \/home\/www\/www\n  ServerName www.darklair.homeunix.net\n  ServerAlias 10.0.0.1\n  .\n  .\n  .\n&lt;\/VirtualHost&gt;\n<\/pre>\n<p>The second <em>virtual host<\/em> gets an identical block with <code>trindade_myphotos_cc.pem<\/code>, <code>trindade_myphotos_cc.key<\/code> and <code>ServerName trindade.myphotos.cc<\/code>. <code>ServerName<\/code> (and <code>ServerAlias<\/code>) is what mod_gnutls compares with the name sent in the SNI extension to choose the <em>virtual host<\/em>, so it must match the <code>dnsName<\/code> in that host's certificate. <code>GnuTLSPriorities<\/code> takes a GnuTLS priority string that selects the allowed protocol versions and cipher suites; <code>NORMAL<\/code> is the GnuTLS default set.<\/p>\n<p>After all these steps (phew!) we have two <em>virtual hosts<\/em> with SSL on a single IP address.<\/p>\n<p>If you have any questions, do not hesitate to contact me. 
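The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that drives certtool with template files instead of interactive prompts, so that the common name and dnsName of each certificate come from a single variable (no chance of mixing the two hosts up), every certificate gets its own serial number, and the private keys are created owner-readable only from the start. It assumes a GnuTLS 3.x certtool (the `--verify` invocation is the 3.x form) and uses the post's host names, IP address and `apache22` directory as defaults; the script name, the variable names, the `sni-certs` working directory and the `sni_subject` helper (which uses `openssl s_client -servername` to see which certificate the running server presents for a name) are my additions, not the post's.

```sh
#!/bin/sh
# Added example, not from the original post. Non-interactive version of the
# certificate procedure above, driven by certtool templates (GnuTLS 3.x).
# Assumptions: host names, IP address and Apache directory are the post's;
# WORKDIR and the variable names are this script's own choices.
set -eu

APACHE_DIR="${APACHE_DIR:-/usr/local/etc/apache22}"
WORKDIR="${WORKDIR:-./sni-certs}"
CA_NAME="MyCA"
SERVER_IP="10.0.0.1"
VHOSTS="www.darklair.homeunix.net trindade.myphotos.cc"

# Template for the private CA: CA:TRUE, path length 0 (it signs only server
# certificates), key usage limited to certificate and CRL signing.
ca_template() {
    cat <<EOF
organization = "Antonio Trindade"
unit = "CA"
country = PT
cn = "$1"
serial = $(date +%s)
expiration_days = 3650
ca
path_len = 0
cert_signing_key
crl_signing_key
EOF
}

# Template for a server certificate. The dns_name SAN is what browsers match
# against the URL; the cn is kept identical for clients that only read it.
# $1 = host name, $2 = IP address, $3 = serial (must be unique per CA).
vhost_template() {
    cat <<EOF
organization = "Antonio Trindade"
unit = "Servidor $1"
country = PT
cn = "$1"
dns_name = "$1"
ip_address = "$2"
serial = $3
expiration_days = 3650
tls_www_server
signing_key
encryption_key
EOF
}

# File stem for a host's key/csr/pem, as in the post (dots -> underscores).
vhost_basename() {
    printf '%s' "$1" | tr . _
}

# After Apache is up: which certificate is presented for a given SNI name?
# $1 = host name sent in SNI, $2 = server address. Run once per host and
# compare the subjects; without SNI both names would get the same certificate.
sni_subject() {
    printf '' | openssl s_client -connect "$2:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -subject
}

main() {
    umask 077                       # every file starts out readable by owner only
    mkdir -p "$WORKDIR"
    cd "$WORKDIR"

    # 1. The CA: private key plus self-signed certificate.
    certtool --generate-privkey --bits 2048 --outfile myca.key
    ca_template "$CA_NAME" > myca.tmpl
    certtool --generate-self-signed --load-privkey myca.key \
             --template myca.tmpl --outfile myca.pem
    chmod 644 myca.pem              # the CA certificate is public; myca.key stays 0600

    # 2. One key, request and CA-signed certificate per virtual host.
    serial=$(date +%s)
    for host in $VHOSTS; do
        base=$(vhost_basename "$host")
        serial=$((serial + 1))      # distinct serial for every certificate
        certtool --generate-privkey --bits 2048 --outfile "$base.key"
        vhost_template "$host" "$SERVER_IP" "$serial" > "$base.tmpl"
        certtool --generate-request --load-privkey "$base.key" \
                 --template "$base.tmpl" --outfile "$base.csr"
        certtool --generate-certificate --load-request "$base.csr" \
                 --load-ca-certificate myca.pem --load-ca-privkey myca.key \
                 --template "$base.tmpl" --outfile "$base.pem"
        # 3. Check the chain before Apache ever sees the files.
        certtool --verify --load-ca-certificate myca.pem --infile "$base.pem"
        chmod 644 "$base.pem"
        rm -f "$base.csr" "$base.tmpl"
    done

    # 4. Only the virtual hosts' keys and certificates go to Apache.
    echo "copy *.pem and the vhost *.key files (not myca.key) to $APACHE_DIR"
}

if [ "${1:-}" = run ]; then
    main
fi
```

Run it as `sh make-sni-certs.sh run` (the `run` argument is there so that the functions can be sourced without generating anything). Once Apache is restarted with the two `VirtualHost` blocks, `sni_subject www.darklair.homeunix.net 10.0.0.1` and `sni_subject trindade.myphotos.cc 10.0.0.1` should print two different subjects; if both print the same one, SNI is not being honoured and the second host is falling through to the first.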
However, I can assure you that this is how I got the configuration described here, and it works!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Configuring an HTTP server for HTTPS has never been as easy as configuring it for plain HTTP. Besides the basic configuration we also have to worry about certificates, private keys and the like. What is more, with the traditional mod_ssl we need \u2026 <a href=\"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/2012\/03\/11\/multiplos-virtual-hosts-com-ssl-em-apache\/\">Continue reading <span class=\"meta-nav\">\u2192<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[3],"tags":[15,19,20,21,22,23],"class_list":["post-125","post","type-post","status-publish","format-standard","hentry","category-configuracao","tag-apache","tag-mod_gnutls","tag-mod_ssl","tag-ssl","tag-tls","tag-virtual-host"],"_links":{"self":[{"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/posts\/125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/comments?post=125"}],"version-history":[{"count":0,"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/posts\/125\/revisions"}],"wp:attachment":[{"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/media?parent=125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/categories?post=125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/tags?post=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}