Task:
Recertify the E.F.A anti-spam appliance, i.e. re-create its self-signed certificate and key. In addition, update the SSL configuration so that only stronger encryption ciphers are allowed.
Note:
This cipher list is obsolete; stronger ciphers are available in 2020. The steps themselves are still valid, but update the list to what is considered secure in the current year.
Solution:
1. Copy the current keys:
# sudo su -
# cp /etc/pki/tls/private/localhost.key /etc/pki/tls/private/localhost.old
# cp /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.old
2. Create the new self-signed key and certificate:
(Note: This will prompt you for the location information. Abbreviate the country as US. Spell out the State and City. Use the server's FQDN when you get to the server name.)
# openssl req -new -newkey rsa:2048 -nodes -sha256 -x509 -days 365 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
(-keyout writes the newly generated private key over the one backed up in step 1, and -nodes leaves it unencrypted so httpd can start without a passphrase prompt. Without -days the certificate is only valid for 30 days; 365 is a chosen value, adjust as needed.)
If you want to create a signing request instead, you can generate a new key and the request in one command:
# openssl req -new -nodes -newkey rsa:2048 -sha256 -keyout myserver.mindwatering.com.key -out myserver.mindwatering.com.csr
3. Restart Apache (httpd) and confirm the new certificate is working:
# service httpd restart
(Open up Firefox / Chrome / Safari and view the certificate details of the browser lock icon.)
4. Update Apache's (httpd) SSL configuration in ssl.conf with additional options:
# vi /etc/httpd/conf.d/ssl.conf
4a. Update the SSL protocol support lines:
(Add -SSLv3 and the cipher order line below it.)
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
4b. Update the supported SSL cipher suites:
(Comment out the old SSLCipherSuite entries and add a specific list like the one below.)
# SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
4c. Save the updated file.
<esc> --> :wq
5. Restart Apache again and check in the various web browsers which cipher the connection negotiated (shown alongside the certificate details behind the lock icon).
# service httpd restart
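The Note at the top says the cipher list above is out of date. The following added Python script (not part of the original note) expands an SSLCipherSuite string with the local OpenSSL, the way mod_ssl does, and flags every suite a current policy would reject: RC4, non-AEAD CBC/HMAC suites, and key exchanges without forward secrecy. The page's list is embedded verbatim; MODERN_CIPHERSUITE is a constructed comparison list, not from the page.

```python
"""Audit Apache SSLCipherSuite strings with the local OpenSSL via Python's ssl module."""
import ssl

# Cipher string from the page's ssl.conf step, with the quotes removed as Apache does.
PAGE_CIPHERSUITE = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:"
    "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
)
# Constructed comparison list (not from the page): AEAD-only, forward secrecy only.
MODERN_CIPHERSUITE = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!PSK"

# Key exchanges with forward secrecy; "any" is what OpenSSL reports for TLS 1.3 suites.
PFS_KX = {"ECDH", "DH", "any"}


def expand(cipher_string):
    """TLS <= 1.2 suites the local OpenSSL selects for cipher_string, in the
    server preference order that 'SSLHonorCipherOrder on' would enforce."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    # TLS 1.3 suites are not governed by SSLCipherSuite, so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def issues_for(cipher):
    """Policy flags for one suite; description is e.g.
    'ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1'."""
    fields = dict(p.split("=", 1) for p in cipher["description"].split() if "=" in p)
    found = []
    if fields.get("Kx") not in PFS_KX:
        found.append("no forward secrecy (Kx=%s)" % fields.get("Kx"))
    if fields.get("Enc", "").startswith("RC4"):
        found.append("RC4 is prohibited (RFC 7465)")
    if fields.get("Mac") != "AEAD":
        found.append("CBC/HMAC suite, not AEAD (Mac=%s)" % fields.get("Mac"))
    return found


def audit(cipher_string):
    """Return [(suite name, [issues])] for every suite the string enables."""
    return [(c["name"], issues_for(c)) for c in expand(cipher_string)]


if __name__ == "__main__":
    for label, spec in (("page list", PAGE_CIPHERSUITE), ("modern list", MODERN_CIPHERSUITE)):
        report = audit(spec)
        flagged = [(n, i) for n, i in report if i]
        print("%s: %d suites enabled, %d flagged" % (label, len(report), len(flagged)))
        for name, found in flagged:
            print("  %-32s %s" % (name, "; ".join(found)))
```

Run it on the appliance itself so the expansion reflects the OpenSSL build httpd actually links against; a modern OpenSSL silently drops the RC4 entries, but the CBC/HMAC suites the page's list still enables are flagged.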