Below is what the end result will look like and what this article will help you achieve.
Step 1 – Create the folder and set the permissions on it
If the folder you want to secure doesn’t exist, go ahead and create it. Then set the correct permissions and owner for the folder. I am using www-data as the folder owner, as this is the user the Apache website runs as.
cd /var/www/html
mkdir secured_folder
chmod 744 secured_folder
chown www-data:www-data secured_folder
cd secured_folder
Step 2 – Create your .htaccess file
Change to ‘secured_folder’ and create an .htaccess file inside it with the contents below. This adds username and password protection to the folder.
AuthUserFile /var/www/.htpasswd
AuthGroupFile /dev/null
AuthName "My protected files"
AuthType Basic
# Require is deliberately not placed inside <Limit GET>: that would enforce the
# login for GET (and HEAD) only, leaving other methods such as POST unauthenticated.
Require valid-user
Step 3 – Create the username and password for .htpasswd file
Now change to the folder you want your .htpasswd to be stored in. We specified /var/www/.htpasswd, as you can see above for ‘AuthUserFile’. Then use the htpasswd command on your command line to create the username and password for the folder you want to secure. It is recommended that you keep this file outside of the actual website folder.
cd /var/www/
htpasswd -c .htpasswd username1
You will be asked to enter a password for ‘username1’.
** Replace .htpasswd with what you created above. Can be folder specific.
Step 4 – Adding more users to .htpasswd file (optional)
If you would like to add more users to the same .htpasswd file, leave out the ‘-c’ option; ‘-c’ creates the file again and would overwrite the existing entries.
cd /var/www
htpasswd .htpasswd username2
# you will be asked to enter a password for 'username2'
htpasswd .htpasswd username3
# you will be asked to enter a password for 'username3'
Now when you go to visit your page, it will prompt you to enter a username and password before you can access the page.
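To see which hash scheme each entry in the .htpasswd file from Steps 3 and 4 uses, here is an added example (not part of the original article). The function names are hypothetical and the sample entries are constructed, not real hashes.

```shell
#!/bin/sh
# Added example: report the hash scheme of every entry in an htpasswd file.

# Constructed sample entries (not real hashes) in formats htpasswd can write.
sample_htpasswd() {
cat <<'EOF'
username1:$apr1$constrct$NotARealHashJustASample
username2:$2y$05$ConstructedSampleOnlyNotARealBcryptHashValue000000000
username3:{SHA}ConstructedSampleNotReal000=
username4:Cs4mpleCrypt1
EOF
}

# classify_htpasswd FILE: prints "user<TAB>scheme<TAB>verdict" per entry.
# "insecure" follows the htpasswd manual's wording for its -s and -d options;
# "legacy" (apr1 MD5) and "review" (anything unrecognised, including
# plaintext) are this example's own labels.
classify_htpasswd() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        user=${line%%:*}
        hash=${line#*:}
        case $hash in
            '$2y$'*|'$2a$'*|'$2b$'*) scheme=bcrypt; verdict=ok ;;
            '$apr1$'*) scheme=apr1-md5; verdict=legacy ;;
            '{SHA}'*)  scheme=sha1;     verdict=insecure ;;
            *)  if [ "${#hash}" -eq 13 ]; then
                    scheme=crypt; verdict=insecure
                else
                    scheme=unknown-or-plaintext; verdict=review
                fi ;;
        esac
        printf '%s\t%s\t%s\n' "$user" "$scheme" "$verdict"
    done < "$1"
}

# htpasswd_flagged FILE: prints the users whose entry is not bcrypt.
# Returns 1 if there are any, 0 if every entry is bcrypt.
htpasswd_flagged() {
    out=$(classify_htpasswd "$1" | awk -F'\t' '$3 != "ok" { print $1 }')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Run it as `classify_htpasswd /var/www/.htpasswd`; a flagged entry can be rewritten with bcrypt using `htpasswd -B .htpasswd username1`.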
This should be in your website conf
Alias /library /media/library
<Directory /media/library/>
Order Deny,Allow
AuthName "Rich's Personal Library"
AuthType Basic
AuthUserFile /var/www/lemmermann.tech/.library_htpasswd_file
Require valid-user
</Directory>
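This should be similar in /etc/fstab. Note that /etc/fstab is world-readable, so a password placed in the options is visible to every local user; mount.cifs also accepts credentials=<file> pointing at a file only root can read.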
//192.168.1.77/WebDoc /media/library cifs username=<user>,password=<pass>,defaults 0 0
$ sudo nano /etc/default/grub
Look for “GRUB_CMDLINE_LINUX” and add the following: "net.ifnames=0 biosdevname=0"
From:
GRUB_CMDLINE_LINUX=""
To:
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
$ sudo grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
Warning: Setting GRUB_TIMEOUT to a non-zero value when GRUB_HIDDEN_TIMEOUT is set is no longer supported.
Found linux image: /boot/vmlinuz-4.4.0-15-generic
Found initrd image: /boot/initrd.img-4.4.0-15-generic
Found memtest86+ image: /memtest86+.elf
Found memtest86+ image: /memtest86+.bin
done
This is what the config file should look like. Essentially, you want to match up the appropriate files to the certificates that you're using.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = bestflare.com
DNS.2 = usefulread.com
DNS.3 = chandank.com
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf
openssl req -noout -text -in sslcert.csr | grep DNS
[root@Chandan test]# openssl req -noout -text -in sslcert.csr | grep DNS
DNS:bestflare.com, DNS:usefulread.com, DNS:chandank.com
[root@Chandan test]#
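An added check (not from the original page): compare the DNS names under [alt_names] in san.cnf with the ones that actually ended up in the CSR, instead of reading the grep output by eye. The function names are hypothetical; the sample config reuses the names shown above.

```shell
#!/bin/sh
# Added example: confirm a CSR carries exactly the SANs listed in san.cnf.

# The SAN-related part of the san.cnf shown above (other sections omitted).
sample_cnf() {
cat <<'EOF'
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = bestflare.com
DNS.2 = usefulread.com
DNS.3 = chandank.com
EOF
}

# cnf_sans FILE: DNS names under [alt_names] in an OpenSSL config, sorted.
cnf_sans() {
    awk '/^[ \t]*\[/ { in_alt = ($0 ~ /\[[ \t]*alt_names[ \t]*\]/); next }
         in_alt && /^[ \t]*DNS\.[0-9]+[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
             print tolower($0)
         }' "$1" | sort -u
}

# csr_sans: reads "openssl req -noout -text" output on stdin,
# prints the DNS SANs it contains, sorted.
csr_sans() {
    tr ', ' '\n\n' | sed -n 's/^DNS://p' | tr '[:upper:]' '[:lower:]' | sort -u
}

# san_mismatch CNF: compares the config with CSR text on stdin.
# Prints one line per difference; returns 0 when both sets match, 1 otherwise.
san_mismatch() {
    want=$(cnf_sans "$1")
    have=$(csr_sans)
    out=$( { printf '%s\n' "$want" | sed '/./s/^/want /'
             printf '%s\n' "$have" | sed '/./s/^/have /'; } |
           awk '$1 == "want" { w[$2] = 1 }
                $1 == "have" { h[$2] = 1 }
                END { for (n in w) if (!(n in h)) print "missing-from-csr " n
                      for (n in h) if (!(n in w)) print "not-in-config " n }' |
           sort )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Usage: `openssl req -noout -text -in sslcert.csr | san_mismatch san.cnf`.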
openssl pkcs12 -export -in <CAreply> -inkey private.key -certfile <intermediates.cert.pem> -name "www.lemmermann.tech" -out www.lemmermann.tech.p12
https://support.code42.com/Administrator/6/Configuring/Use_OpenSSL_to_install_a_keystore
https://geekflare.com/san-ssl-certificate/
Create pfx file from CA Response
openssl pkcs12 -export -in www_crouse_org.crt -inkey www_crouse_org.key -name "www.crouse.org" -out www.crouse.org.pfx -certfile <intermediates.cert.pem>
Updated 2020-02-15 with newer instructions that make more sense
# WinSCP the wildcard cert (at time of writing), 2018-19-Wildcard.pfx, to the ~/
# WinSCP the intermediate cert to ~/
# You will need the password for the root combo pfx
# Copy the intermediate to its home (If applicable)
sudo cp ~/intermediate.crt /etc/apache2/ssl/intermediate.crt
# Export the certificate (the public part) from the pfx
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [public.key]
# Copy the public key to its home
sudo cp ~/public.key /etc/apache2/ssl/public.key
# Extract the private key from the pfx
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [private-encrypted.key]
# Copy the private key to its home
sudo cp ~/private-encrypted.key /etc/apache2/ssl/private-encrypted.key
# This will remove the passphrase from the key so that Apache2 can start without someone having to sign in and enter it
# The resulting private.key is unencrypted, so keep it readable by root only
sudo openssl rsa -in ~/private-encrypted.key -out /etc/apache2/ssl/private.key
# Restart Apache2
sudo /etc/init.d/apache2 restart
https://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/
https://stackoverflow.com/questions/15413646/converting-pfx-to-pem-using-openssl
https://serverfault.com/questions/160768/stop-apache-from-asking-for-ssl-password-each-restart
Example with this: snet.crouse.org_password.pfx
openssl pkcs12 -in snet.crouse.org_password.pfx -out snet.crouse.org_2020.pem -nodes
openssl rsa -outform der -in snet.crouse.org_2020.pem -out snet.crouse.org_2020_rsa_private.key
openssl x509 -outform der -in snet.crouse.org_2020.pem -out snet.crouse.org_2020_private.cer
https://discussions.citrix.com/topic/397777-netscaler-ver-121-cannot-import-ssl-pfx-error-no-certificates-present-in-the-certificate-bundle-file-rapidssl-digicert-entrust/
openssl rsa -in server.key -text > private.pem
openssl x509 -inform PEM -in server.crt > public.pem
openssl pkcs12 -in pfx.pfx -nodes | openssl pkcs12 -export -keypbe NONE -certpbe NONE -out output.pfx
# Use rootups on Windows to download all Trusted Root Authorities
# Select all and export with a key
# SCP to Linux box
# Copy your certificate in PEM format (the format that has ----BEGIN CERTIFICATE---- in it)
# into /usr/local/share/ca-certificates and name it with a .crt file extension.
sudo openssl pkcs12 -in AllRoots.pfx -out /usr/local/share/ca-certificates/allroots.crt -cacerts
sudo update-ca-certificates
openssl s_client -showcerts -connect www.domain.com:443
openssl pkcs12 -in d:\Temp\cert.pfx -out d:\Temp\cert.pem -nodes
The -nodes option removes the password from the created PEM file. If you wish to keep the password encryption, omit -nodes; however, this may make it difficult to use the PEM file on your device. You will be prompted to type the password for the pfx file.
https://www.itprotoday.com/windows-78/converting-certificate-files-pfx-format-pem
As you have the openssl tag on your question, you should use:
openssl x509 -inform der -in infile.cer -out outfile.cer
In the reverse direction:
openssl x509 -outform der -in infile.cer -out outfile.cer
$ sudo a2enmod rewrite
Put this in the *:80 section of your config
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Example with "google.com":
# Fetch the chain the server presents and write each certificate to cert1.pem, cert2.pem, ...
openssl s_client -showcerts -verify 5 -connect "$1":443 < /dev/null |
awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
# Print a file name derived from each certificate's subject CN (the mv is left commented out)
for cert in *.pem; do
newname=$(openssl x509 -noout -subject -in "$cert" | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
echo "${newname}";
# mv "${cert}" "${newname}"
done
echo quit | openssl s_client -showcerts -servername "$1" -connect "$1":443 > cacert.pem
LetsEncrypt Certificate Request
sudo certbot run -a manual -i apache -d cal.lemmermann.tech