GENERATE a key pair and a self-signed certificate
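# Generate a 2048-bit RSA key, a CSR, and a one-year self-signed certificate.
# The key is created inside a subshell with umask 077 so it is never readable
# by other users, not even briefly; the subshell keeps the umask from leaking
# into the rest of the session.
(umask 077; openssl genrsa -out ca.key 2048)
openssl req -new -key ca.key -out ca.csr
# -sha256: the bare `x509 -req` form signs with the library default, which is
# SHA-1 on older OpenSSL builds (presumably why the "FIX SHA-2" step exists below).
openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key -out ca.crt
# Install with explicit owner and mode rather than inheriting whatever cp gives:
# the certificate is public, the key and CSR stay root-only under tls/private.
# httpd never reads the CSR; it is kept only so the certificate can be re-signed.
sudo install -o root -g root -m 0644 ca.crt /etc/pki/tls/certs/ca.crt
sudo install -o root -g root -m 0600 ca.key /etc/pki/tls/private/ca.key
sudo install -o root -g root -m 0600 ca.csr /etc/pki/tls/private/ca.csr
# Re-label the tree so SELinux lets httpd read the files just placed there.
sudo restorecon -RvF /etc/pki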
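# Point mod_ssl at the files installed above (SSLCertificateFile under
# /etc/pki/tls/certs, SSLCertificateKeyFile under /etc/pki/tls/private);
# httpd must be restarted afterwards for the change to take effect.
sudo vim /etc/httpd/conf.d/ssl.conf
# Insert (-I) rather than append (-A): on a stock RHEL/CentOS ruleset the INPUT
# chain ends with a catch-all REJECT, so a rule appended with -A lands after it
# and is never reached. Inserting at the head is reached regardless of the ruleset.
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
# Persist the live ruleset so it survives a reboot, then show it with counters
# to confirm the 443 rule sits before any reject/drop rule.
sudo /sbin/service iptables save
sudo iptables -L -v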
FIX: sign with SHA-2 (SHA-256) instead
# One-shot equivalent of the three-step sequence above: a fresh 2048-bit RSA key
# (-nodes: no passphrase, so httpd can start unattended) and a SHA-256-signed
# self-signed certificate valid for 365 days, written to ca2.key / ca2.crt.
# These still need to be installed and referenced from ssl.conf like ca.key/ca.crt.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -keyout ca2.key -out ca2.crt
CONFIGURE Apache in /etc/httpd/conf.d/web.conf
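<Location "/">
    AuthType Kerberos
    AuthName "foo bar baz"
    # Negotiate (SPNEGO) is disabled, so logins presumably fall back to
    # password (Basic) authentication: the password reaches Apache in clear
    # unless the request is over TLS.
    KrbMethodNegotiate off
    # Verify the TGT obtained with the user's password against the HTTP/ key
    # in Krb5Keytab. With this off, a spoofed KDC could accept any password;
    # the mod_auth_kerb documentation reserves "off" for testing only.
    KrbVerifyKDC on
    # Must be the realm of the HTTP/ principal stored in Krb5Keytab. Note the
    # krb5.conf further down uses RETE.POSTE, so one of the two is presumably
    # a placeholder to be replaced.
    KrbAuthRealm foo.com
    Krb5Keytab /etc/krb5.keytab
    KrbSaveCredentials on
    Require valid-user
    # Per-directory RewriteRules run in the fixup phase, after authentication:
    # a plain-HTTP request is challenged (and Basic credentials sent in clear)
    # before this 301 fires. Prefer issuing the redirect from the :80
    # VirtualHost, outside any authenticated scope.
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</Location>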
CONFIGURE the Kerberos client (krb5.conf)
# Kerberos client settings for the RETE.POSTE realm. The realm named here must
# agree with KrbAuthRealm in the Apache config above and with the realm of the
# HTTP/ principal in the keytab.
[libdefaults]
# Lifetime given without a unit suffix; pam_krb5 reads its own value from
# [appdefaults] below.
ticket_lifetime = 24000
default_realm = RETE.POSTE
# KDCs are listed explicitly in [realms], so DNS SRV/TXT discovery is disabled.
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
RETE.POSTE = {
# KDCs are tried in the order listed; plain IPs, so no name resolution is needed.
kdc = 10.208.77.84
kdc = 10.205.73.84
admin_server = 10.208.77.84
default_domain = rete.poste
}
[domain_realm]
# Hosts under rete.poste, and the bare domain itself, map to the RETE.POSTE realm.
.rete.poste = RETE.POSTE
rete.poste = RETE.POSTE
[appdefaults]
# Settings read by pam_krb5 for interactive logins.
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
# TGTs obtained through PAM are forwardable (can be delegated to other hosts).
forwardable = true
# Kerberos 4 compatibility option; left disabled.
krb4_convert = false
}
MAKE your own keytab (/etc/krb5.keytab) containing the HTTP service principal, e.g.:
HTTP/10.1.2.3@foo.com
RESTART apache.
ENJOY.