Using digital IDs in the web server Apache
The Apache web server needs the following as PEM files:
the unencrypted private key in /path/to/key.pem
the server certificate in /path/to/cert.pem
the intermediate CA certificates in /path/to/chain.pem
You can provide three separate files or a single file containing the key and certificates in this order. Names and paths can be chosen freely.
The configuration directives below specify which files are used:
SSLCertificateKeyFile /path/to/key.pem
SSLCertificateFile /path/to/cert.pem
SSLCertificateChainFile /path/to/chain.pem
We furthermore recommend the following settings:
Deactivate insecure SSL/TLS protocols:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Deactivate insecure cipher suites and prefer the strongest ones[1][3]:
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256"
SSLHonorCipherOrder on
or, even stricter[2][3], according to the recommendation of the DFN-PKI team:
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
SSLHonorCipherOrder on
The SSLCipherSuite "..." line above only applies to connections using TLS 1.2 (and older versions, if they have not been deactivated).
Cipher suites for TLS 1.3 connections can be set separately with an additional line SSLCipherSuite TLSv1.3 "..." if necessary.
Activate OCSP stapling (use the same directory as for SSLSessionCache):
SSLUseStapling on
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/..../..../sslstaplingcache(512000)
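As an added example (not part of this page or of the DFN-PKI recommendations), a small Python check that reads a mod_ssl fragment and reports which of the settings above are missing or weakened. It assumes the directive names used above, treats a repeated directive as last-one-wins, and expands "all" in SSLProtocol conservatively to every protocol name, so a protocol counts as enabled unless it is explicitly removed:

```python
# Checks an Apache mod_ssl fragment against the settings recommended on this page.
# Assumption: "all" is expanded conservatively to every protocol name below, so a
# protocol counts as enabled unless the SSLProtocol line explicitly removes it.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(config_text):
    """Yield (directive, argument) pairs, skipping blank and comment lines."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0], (parts[1] if len(parts) > 1 else "")

def enabled_protocols(ssl_protocol_arg):
    """Apply the 'all' / '+X' / '-X' syntax of SSLProtocol and return the enabled set."""
    enabled = set()
    for token in ssl_protocol_arg.split():
        if token.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled

def audit(config_text):
    """Return a list of findings; an empty list means the fragment follows the recommendations."""
    findings, seen = [], {}
    for name, arg in parse_directives(config_text):
        seen[name] = arg  # a repeated directive: the last occurrence wins, as in Apache
        if name == "SSLCipherSuite" and not arg.startswith("TLSv1.3"):
            for cipher in arg.strip('"').split(":"):  # concrete suites must use ECDHE/DHE
                if "-" in cipher and not cipher.startswith(("ECDHE-", "DHE-")):
                    findings.append("cipher without forward secrecy: " + cipher)
    for name in ("SSLCertificateKeyFile", "SSLCertificateFile"):
        if name not in seen:
            findings.append(name + " missing")
    for proto in sorted(enabled_protocols(seen.get("SSLProtocol", "all")) & INSECURE_PROTOCOLS):
        findings.append("insecure protocol enabled: " + proto)
    if seen.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    if seen.get("SSLUseStapling", "").lower() != "on":
        findings.append("SSLUseStapling is not on")
    elif "SSLStaplingCache" not in seen:
        findings.append("SSLUseStapling on but SSLStaplingCache missing")
    return findings

if __name__ == "__main__":  # constructed sample: a fragment that still allows SSLv3 and TLS 1.0/1.1
    print(audit('SSLProtocol all -SSLv2\nSSLCipherSuite "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256"\n'))
```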