Difference between revisions of "SSL server"


Latest revision as of 15:10, 29 January 2015


SSL: Cryptography & authentication



Principle and law disclaimer

Reminder

A Certification Authority (CA) is required to vouch for your certificates.

It provides:

  • Confidentiality
  • Integrity
  • Authentication


Usages


There are three options:

  • You can create your own Certification Authority;
  • Use a trusted (commercial) Certification Authority. Unfortunately, using one is very expensive;
  • Use an Open Source Certification Authority: www.cacert.org


Legal aspects


You are not allowed to use just any cryptography: the maximum cryptographic level is set by law.

Region           Law
France           http://www.ssi.gouv.fr/fr/reglementation-ssi/cryptologie/tableau-de-synthese-de-reglementation-en-matiere-de-cryptologie.html
Sweden           to be done
European Union   to be done



Installation

Install packages

apt-get install openssl


Prep folders

Create working directory

mkdir -p /srv/ssl
cd /srv/ssl


Create ssl structure

mkdir certs crl newcerts private export


Initialize values

echo 01 > serial
touch index.txt
cp /usr/lib/ssl/openssl.cnf .



OpenSSL root configuration

During the process you’ll have to enter the same data many times:

>> You should edit the default values


Adjust default values

Edit openssl.cnf:

vim /srv/ssl/openssl.cnf

Set the working directory:

dir = /srv/ssl                            # Where everything is kept  [line 42]

[ req_distinguished_name ]
countryName_default             = SE                        # [line 128]   
stateOrProvinceName_default     = Västra Götaland           # [line 134]
localityName_default            = Goteborg                  # [line 137]
0.organizationName_default      = Daxiongmao.eu             # [line 140]
emailAddress_default            = guillaume@qin-diaz.com    # [line 154]



Certification Authority (CA)

Difference between a local and a commercial Certification Authority [CA]

Either you create your own Certification Authority or you use a commercial one.

Main differences:

                             Personal     Commercial
Price                        free         from 50$ / year (Go Daddy)
Validity                     you choose   Usually 1 or 2 years
Browser alerts               Yes          No
Can be used for e-commerce   No           Yes
  • July 2013: "Go Daddy" seems to be the cheapest authority.


Choose a Certification Authority and subscribe to a wildcard domain certificate.


In either case you need to:

  • Create a private key
  • Generate a certificate request (the details differ slightly between the two cases)


Create CA private key

Generate an RSA private key (4096 bits long) for the CA and protect it with AES-256 encryption.

openssl genrsa -aes256 -out private/cakey.key -rand ./ 4096

You have to enter a password.

!! This password will be required for every subsequent operation !!


Create a personal CA [or Domain root certificate]

Self-sign your Certification Authority certificate for 10 years:

openssl req -config openssl.cnf \
-new -x509 -sha256 -nodes \
-key private/cakey.key \
-out cacerts.pem \
-days 3600


Answer the questions:

  • Country Name (2 letter code) [SE]:
  • State or Province Name (full name) [Västra Götaland]:
  • Locality Name (eg, city) [Göteborg]:
  • Organization Name (eg, company) [Daxiongmao.eu]:
  • Organizational Unit Name (eg, section) []:
  • Common Name (e.g. server FQDN or YOUR name) []: Daxiongmao.eu CA
  • Email Address [guillaume@qin-diaz.com]:


Some explanations:

Parameter             Meaning
-config openssl.cnf   use the local OpenSSL configuration file
-new                  request a new certificate
-x509                 self-sign this certificate (output a certificate instead of a request)
-sha256               hash algorithm to use
-key                  certificate private key
-out                  target output file to create
-days                 certificate validity time (in days)


You can check result by:

openssl x509 -in cacerts.pem -text -noout


[Alternative] Request for a domain root certificate

Create a new server certificate request for target CA.

  • See the process below to generate the server's certificate request.



Server certificate

Go to the working directory:

cd /srv/ssl


Create server private key

Generate an encrypted private key

openssl genrsa -aes256 -out private/serverName.key -rand ./ 4096

ServerName must match the server FQDN.


Ex: dev.daxiongmao.eu

openssl genrsa -aes256 -out private/dev.daxiongmao.eu.key -rand ./ 4096


Decrypt the private key

If your key is encrypted, then you have to manually give the password each and every time a service starts.


!! If your private key is encrypted then it cannot be used at startup !!


So, for services like Apache2, you have to decrypt the key:

openssl rsa -in private/serverName.key -out private/serverName.nopass.key


Create server’s certificate request

openssl req -config openssl.cnf \
-new -nodes \
-key private/serverName.key \
-out certs/serverName.req

Answer the questions:

  • Country Name (2 letter code) [SE]:
  • State or Province Name (full name) [Västra Götaland]:
  • Locality Name (eg, city) [Göteborg]:
  • Organization Name (eg, company) [Daxiongmao.eu]:
  • Organizational Unit Name (eg, section) []:
  • Common Name (e.g. server FQDN or YOUR name) []: dev.daxiongmao.eu
  • Email Address [guillaume@qin-diaz.com]:


!! Do not use a challenge password !!


Sign the server request

Auto-sign - using your personal CA

# -keyfile is needed because the stock openssl.cnf expects private/cakey.pem,
# while the CA key above was written as private/cakey.key
openssl ca -config openssl.cnf \
-keyfile private/cakey.key \
-in certs/serverName.req \
-out certs/serverName.cert.pem \
-cert cacerts.pem \
-days 3600


Some explanations:

Parameter   Meaning
-config     the local OpenSSL configuration file
-keyfile    CA private key to sign with (private/cakey.key)
-in         incoming certificate request = the previous .req file
-out        target certificate file
-cert       CA certificate to use
-days       certificate validity time (in days)


You can check result by:

cat /srv/ssl/certs/serverName.cert.pem


[Alternate] Send the request to the CA

You have to send the “.req” file to the CA. They will send you back the certificate.


Export certificate

To export a certificate together with its private key, it must be bundled in PKCS#12 format.

You have to perform the following for each and every certificate you’d like to export.

cd /srv/ssl


openssl pkcs12 -export \
-descert -inkey private/serverName.key \
-in certs/serverName.cert.pem \
-certfile cacerts.pem \
-name "Certificate name" \
-out export/serverName.p12
  • Do not put an export password.
  • You should use the non-protected key if you want to use that export with some Linux services.


Example:

openssl pkcs12 -export \
-descert -inkey private/dev.daxiongmao.eu.nopass.key \
-in certs/dev.daxiongmao.eu.cert.pem \
-certfile cacerts.pem \
-name "Certificate dev.daxiongmao.eu development server" \
-out export/dev.daxiongmao.eu.p12
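
As an added example (not the page's own script), here is the whole procedure above, from "Prep folders" through "Export certificate", as one non-interactive bash function that ends with the checks a practitioner wants before deploying: the chain verifies against the CA, the certificate matches the server FQDN, and the PKCS#12 bundle opens. It goes slightly beyond the page by giving the CA certificate a basicConstraints extension and the server certificate a subjectAltName, and it puts an export password on the bundle; everything else (file names, 4096-bit AES-256 CA key, self-signed CA, openssl ca signing, a decrypted copy of the server key) follows the page. Assumptions: openssl 1.1.1 or later on PATH; the CA_PASS variable, the "Demo CA" name and the minimal openssl.cnf written by the function are constructed for this demo.

```bash
#!/usr/bin/env bash
# Added example, not the page's own script: the page's CA + server certificate
# procedure run end to end without prompts, followed by the checks you want
# before deploying. Assumes openssl 1.1.1+ on PATH. CA_PASS (default "changeit",
# a constructed demo value) protects the CA and server keys like -aes256 does.
set -eu

build_pki() {                     # usage: build_pki <workdir> <server-fqdn>
  local fqdn="$2" pass="${CA_PASS:-changeit}" dir
  dir=$(mkdir -p "$1" && cd "$1" && pwd) && cd "$dir"
  mkdir -p certs crl newcerts private export
  echo 01 > serial; : > index.txt        # same bookkeeping files as the page
  cat > openssl.cnf <<EOF                # minimal stand-in for the page's copy
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $dir
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacerts.pem
private_key   = \$dir/private/cakey.key
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName    = supplied
[ req ]
distinguished_name = req_dn
prompt        = no
[ req_dn ]
CN            = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage      = critical, keyCertSign, cRLSign
EOF
  # 1. CA key (AES-256 protected) and self-signed CA certificate, ~10 years
  openssl genrsa -aes256 -passout "pass:$pass" -out private/cakey.key 4096 2>/dev/null
  openssl req -config openssl.cnf -new -x509 -sha256 -extensions v3_ca \
    -key private/cakey.key -passin "pass:$pass" -subj "/CN=Demo CA" \
    -days 3600 -out cacerts.pem
  # 2. server key (encrypted) and its request: CN = FQDN, no challenge password
  openssl genrsa -aes256 -passout "pass:$pass" -out "private/$fqdn.key" 2048 2>/dev/null
  openssl req -config openssl.cnf -new -key "private/$fqdn.key" \
    -passin "pass:$pass" -subj "/CN=$fqdn" -out "certs/$fqdn.req"
  # 3. unencrypted copy for daemons that cannot type a passphrase at boot
  openssl rsa -in "private/$fqdn.key" -passin "pass:$pass" \
    -out "private/$fqdn.nopass.key" 2>/dev/null
  # 4. sign with the CA; a SAN is added because modern clients ignore the CN alone
  echo "subjectAltName = DNS:$fqdn" > san.cnf
  openssl ca -batch -notext -config openssl.cnf -passin "pass:$pass" \
    -in "certs/$fqdn.req" -out "certs/$fqdn.cert.pem" \
    -cert cacerts.pem -keyfile private/cakey.key -extfile san.cnf -days 3600 2>/dev/null
  # 5. PKCS#12 bundle (key + cert + CA); this demo protects it with a password
  openssl pkcs12 -export -inkey "private/$fqdn.nopass.key" -in "certs/$fqdn.cert.pem" \
    -certfile cacerts.pem -name "$fqdn" -passout "pass:$pass" -out "export/$fqdn.p12"
  # 6. checks: chain validates, hostname matches, bundle opens with its password
  openssl verify -CAfile cacerts.pem "certs/$fqdn.cert.pem" >/dev/null
  openssl x509 -in "certs/$fqdn.cert.pem" -noout -checkhost "$fqdn" | grep -q " does match "
  openssl pkcs12 -in "export/$fqdn.p12" -passin "pass:$pass" -nokeys -noout
  echo ok
}

# Stand-alone usage: CA_PASS=secret ./pki-demo.sh /tmp/pki dev.daxiongmao.eu
if [ $# -ge 2 ]; then build_pki "$1" "$2"; fi
```

The function prints "ok" only if every openssl step and every final check succeeded; under set -e any failure aborts before that line.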


Distribute the certificate with Apache2

see Apache 2 - SSL certificates page