StartSSL Certificate SOP
Contact Information
Owner: GNOME Sysadmin Team
Contact: #sysadmin
Persons: AndreaVeri
Purpose: Standardize SSL configuration
Description
The GNOME Infrastructure includes a number of web sites requiring security. The purpose of this document is to define the standard procedure and configuration of SSL for these sites.
Action
Sites should be configured using the following standards:
    <VirtualHost subdomain.domain.tld:443>
        DocumentRoot /srv/httpd/subdomain.domain.tld/html
        ErrorLog /var/log/httpd/subdomain.domain.tld-error.log
        TransferLog /var/log/httpd/subdomain.domain.tld-access.log
        Header set Strict-Transport-Security "max-age=604800"
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile /etc/pki/tls/certs/subdomain.domain.tld.crt
        SSLCertificateKeyFile /etc/pki/tls/private/subdomain.domain.tld.key
        SSLCertificateChainFile /etc/pki/tls/sub.class2.server.ca.pem
        SSLCACertificateFile /etc/pki/tls/ca.pem
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    </VirtualHost>
Note: the ca.pem and sub.class2.server.ca.pem files are available
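A way to check that a site's VirtualHost actually follows the standard above before it is deployed is to lint the block mechanically. The following script is an added example and not part of the SOP or the GNOME sysadmin tooling: it parses an Apache VirtualHost block and reports every directive that deviates from the standard (port 443, SSLEngine on, SSLv2 excluded from SSLProtocol and SSLCipherSuite, ADH and EXPORT ciphers excluded, an HSTS header with a positive max-age, the four certificate files present, and the key kept under /etc/pki/tls/private/). The checks mirror the SOP's block literally, so a configuration that only drops SSLv2 passes as the SOP requires. The hostname www.example.org, the sample blocks and the weak variant are constructed for the example.

```python
"""Added example: lint an Apache SSL VirtualHost block against this SOP.

Hostnames, paths in the samples and the weak variant are constructed for
the example; the checks mirror the directives the SOP's standard block carries.
"""
import re

# Certificate-related files the SOP's standard block must reference.
REQUIRED_FILES = (
    "SSLCertificateFile",
    "SSLCertificateKeyFile",
    "SSLCertificateChainFile",
    "SSLCACertificateFile",
)
KEY_DIR = "/etc/pki/tls/private/"  # where the SOP keeps private keys


def parse_vhost(text):
    """Return (address, {directive: [args, ...]}) for the first <VirtualHost>
    block in `text`. Repeated directives (such as Header) keep every value."""
    match = re.search(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", text, re.S)
    if match is None:
        raise ValueError("no <VirtualHost> block found")
    directives = {}
    for line in match.group(2).splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        directives.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return match.group(1).strip(), directives


def check_vhost(text):
    """Return a list of findings; an empty list means the block follows the SOP."""
    address, d = parse_vhost(text)

    def first(name):
        return d.get(name, [""])[0]

    findings = []
    if not address.endswith(":443"):
        findings.append(f"VirtualHost {address} is not bound to port 443")
    if first("SSLEngine").lower() != "on":
        findings.append("SSLEngine is not 'on'")
    if "-SSLv2" not in first("SSLProtocol").split():
        findings.append("SSLProtocol does not disable SSLv2")
    ciphers = first("SSLCipherSuite").split(":")
    for excluded in ("!ADH", "!EXPORT", "!SSLv2"):
        if excluded not in ciphers:
            findings.append(f"SSLCipherSuite does not exclude {excluded[1:]}")
    # HSTS: the SOP sets it via "Header set Strict-Transport-Security ..."
    hsts = [m for m in (re.match(r'set\s+Strict-Transport-Security\s+"?max-age=(\d+)', h)
                        for h in d.get("Header", [])) if m]
    if not hsts:
        findings.append("Strict-Transport-Security header is not set")
    elif int(hsts[0].group(1)) <= 0:
        findings.append("Strict-Transport-Security max-age must be positive")
    for name in REQUIRED_FILES:
        if name not in d:
            findings.append(f"{name} is missing")
    if "SSLCertificateKeyFile" in d and not first("SSLCertificateKeyFile").startswith(KEY_DIR):
        findings.append(f"SSLCertificateKeyFile is not under {KEY_DIR}")
    return findings


# Constructed sample: the SOP's standard block filled in for a hypothetical host.
STANDARD_VHOST = """
<VirtualHost www.example.org:443>
    DocumentRoot /srv/httpd/www.example.org/html
    ErrorLog /var/log/httpd/www.example.org-error.log
    TransferLog /var/log/httpd/www.example.org-access.log
    Header set Strict-Transport-Security "max-age=604800"
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
    SSLCertificateFile /etc/pki/tls/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.org.key
    SSLCertificateChainFile /etc/pki/tls/sub.class2.server.ca.pem
    SSLCACertificateFile /etc/pki/tls/ca.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
"""

# Constructed sample that drifts from the SOP in several ways.
WEAK_VHOST = """
<VirtualHost www.example.org:443>
    DocumentRoot /srv/httpd/www.example.org/html
    SSLEngine off
    SSLProtocol all
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
    SSLCertificateFile /etc/pki/tls/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/www.example.org.key
    SSLCertificateChainFile /etc/pki/tls/sub.class2.server.ca.pem
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("standard", STANDARD_VHOST), ("weak", WEAK_VHOST)):
        print(label, check_vhost(cfg) or ["OK"])
```

Run against a real file with `check_vhost(open("/etc/httpd/conf.d/site.conf").read())`; the standard block yields no findings, while the weak variant reports the disabled SSLEngine, the missing SSLv2 exclusion, the absent HSTS header, the missing SSLCACertificateFile and the key stored outside /etc/pki/tls/private/.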