A collection of computer systems and programming tips that you may find useful.
 
Brought to you by Craic Computing LLC, a bioinformatics consulting company.

Wednesday, August 11, 2010

SSL Certificates and Apache2

The process of generating a new or renewal SSL certificate for a web site can appear quite daunting given the terminology involved. In reality it is pretty simple. Here are the steps I used for renewing a Wildcard SSL cert, using rapidssl.com as the vendor.

A wildcard certificate costs more than one for a single fully qualified domain name, but it lets me secure any FQDN directly under my main domain.

The basics steps are:
1: Generate a Key
2: Generate a CSR (Certificate Signing Request)
3: Send that to the vendor and give them some money
4: Receive an SSL Certificate back via email
5: Paste that into a file on your host
6: Restart Apache and verify operation

In Detail, here are my specific steps:

1: Start the new or renewal certificate process on the vendor's web site

2: Create a SSL Key
You can reuse the same key for later renewals, but it is better practice to generate a fresh key each time the certificate is renewed, and you must generate a new one if the old key was ever exposed.
Create a directory in which to create and save your SSL files, and set a restrictive umask (077) in that shell first, so that the key file is never written world-readable, even briefly, before you fix the permissions below. For the purposes of this tutorial I'm using 'example.com' as the domain. You can put the key into any file, but give it a name that makes sense, e.g. example.com.key
# openssl genrsa 1024 > example.com.key
Generating RSA private key, 1024 bit long modulus
.................................++++++
.........++++++
e is 65537 (0x10001)
If you want to protect the key with a passphrase then add the -des3 option to the command. If you do, you need to enter the passphrase whenever your server starts up; if you do NOT, then set the permissions on your files correctly (see below). Note that a 1024-bit key, as generated above, is no longer accepted by public CAs or by browsers; use at least 2048 bits, i.e. replace 1024 with 2048 in the command.

3: Create a CSR (Certificate Signing Request)
This process will ask you several questions, of which the MOST IMPORTANT is the COMMON NAME. This is the Domain Name that you want the certificate for. For a single domain this might be www.example.com. For a Wildcard certificate use an asterisk in the name like *.example.com. A wildcard covers exactly one label under the domain (www.example.com, mail.example.com), not the bare example.com and not deeper names like a.b.example.com. Browsers now take the names from the certificate's Subject Alternative Name extension rather than from the Common Name, so check that the vendor's order form lets you list example.com as well if you need the bare domain covered.

The prompt from the openssl program is unclear when it asks for YOUR name - it wants the domain name. Clear on that, right?

It also asks for a challenge password - with rapidssl.com this wasn't used, so don't worry about it. Enter the other info as appropriate for your organization.
# openssl req -new -key ./example.com.key > example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Washington
Locality Name (eg, city) []:Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Craic Computing LLC
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.example.com
Email Address []:youraddress@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4: Send the CSR to your Vendor
Cut and paste the contents of the file in full into the Vendor's web form. With rapidssl.com there is a phone verification process that you have to go through after they receive it. Basically an automated call comes through and you have to enter a confirmation code that they put on their web site. Plus you need to do the whole credit card and contact information thing on their site. It all ends with several emails back from them, one of which includes the Certificate.

5: Paste the certificate into a file on your host
Once again, choose an appropriate name, e.g. example.com.crt
Verify the contents of the certificate file with:
# openssl x509 -noout -text -in example.com.crt
You will see all sorts of information. The parts worth checking are the Subject (the Common Name and any Subject Alternative Names should be exactly the names you ordered), the Validity dates, and the Issuer, which should be the vendor's intermediate CA rather than a root. The vendor's email normally includes that intermediate certificate too; save it next to the others, because Apache has to serve it as well.

6: CHANGE THE FILE PERMISSIONS - CHANGE THEM NOW!
# chmod 400 example.com.key
# chmod a-w example.com.crt
The key must be readable only by the user that starts Apache (normally root, which reads the key before dropping privileges); the certificate is public and only needs to be protected from modification.


7: Setup Apache2
Modify your configuration files so that Apache knows where to find the certificate. In my case I'm using something like this:
<VirtualHost *:443>
ServerName www.example.com
ServerAlias *.example.com
DocumentRoot "/path/to/my/site"
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /mnt/ssl_certs/example.com.crt
SSLCertificateKeyFile /mnt/ssl_certs/example.com.key
</VirtualHost>
You can put the certificate and key in any files you want, you just need to tell Apache where they are. Your Apache configuration might be different from this. If the vendor supplied an intermediate CA certificate (RapidSSL does), Apache must serve it as well or some browsers will not be able to build a trusted chain: point SSLCertificateChainFile at it, or on Apache 2.4.8 and later append it after your own certificate in the file named by SSLCertificateFile.

Check the configuration with apachectl configtest, then restart Apache! If you chose a passphrase-protected key, Apache will prompt for the passphrase at this point.

8: Test it out
Go to the site in your browser. You should see a lock icon. Click on that and view the certificate details: the names, the expiry date and the issuer chain up to the vendor's root should all be what you ordered. Try a second hostname under the wildcard as well, since a mistake in ServerAlias will only show up there. It should all be good.

9: COPY THE KEY AND CERTIFICATE FILES TO A BACKUP MACHINE - COPY THEM NOW! The key is just as sensitive on the backup machine as on the server, so give the copy the same restrictive permissions.
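As an added example (not part of the original post), here is a small POSIX shell script that performs the checks from steps 5, 6 and 8 locally with openssl(1): that the key, CSR and certificate belong together, that the key is at least 2048 bits, that the certificate is not about to expire, that the key file is not group/world readable, and which names the certificate actually covers. The file names are assumptions matching the tutorial; the live-server chain check needs network access and is only run when you call it by hand.

```shell
# Added example, not from the original post: sanity checks to run on the key,
# CSR and certificate before (and after) pointing Apache at them. Only
# openssl(1) and POSIX sh are used. Usage:
#   sh sslcheck.sh example.com.key example.com.csr example.com.crt

# Hash of the RSA modulus. Key, CSR and certificate must all agree, otherwise
# the certificate was issued for some other key (e.g. an old one).
modulus_fp() {
    case "$1" in
        key) openssl rsa  -noout -modulus -in "$2" ;;
        csr) openssl req  -noout -modulus -in "$2" ;;
        crt) openssl x509 -noout -modulus -in "$2" ;;
    esac | openssl dgst -sha256 | sed 's/^.*= //'
}

# 0 if the certificate's public key is the one in this private key file.
key_matches_cert() { [ "$(modulus_fp key "$1")" = "$(modulus_fp crt "$2")" ]; }

# 0 if the CSR was made from this key (catches pasting the wrong CSR to the CA).
key_matches_csr()  { [ "$(modulus_fp key "$1")" = "$(modulus_fp csr "$2")" ]; }

# 0 if the RSA key is at least 2048 bits. 1024-bit keys, as in the original
# transcript, are no longer accepted by public CAs or browsers.
key_is_strong_enough() {
    bits=$(openssl rsa -noout -text -in "$1" | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ]
}

# 0 if the certificate is still valid for at least $1 more days ($2 = cert file).
cert_valid_for_days() { openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$2"; }

# 0 if group and other have no permission bits at all on the key (chmod 400/600).
key_perms_ok() { [ "$(ls -l "$1" | cut -c5-10)" = "------" ]; }

# Print what the certificate actually covers. A wildcard *.example.com does
# not cover the bare example.com unless that is listed as a SAN.
show_names() {
    openssl x509 -noout -subject -issuer -dates -in "$1"
    openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' \
        || echo "no subjectAltName extension"
}

# Ask the live server for its chain (needs network) and print the leaf it sent;
# run by hand after the Apache restart, e.g. show_served_chain www.example.com
show_served_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Run every local check; returns non-zero if any of them fails.
check_all() {
    key=$1 csr=$2 crt=$3 rc=0
    key_matches_cert "$key" "$crt" || { echo "FAIL: key does not match certificate"; rc=1; }
    key_matches_csr  "$key" "$csr" || { echo "FAIL: key does not match CSR"; rc=1; }
    key_is_strong_enough "$key"    || { echo "FAIL: RSA key shorter than 2048 bits"; rc=1; }
    cert_valid_for_days 30 "$crt"  || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    key_perms_ok "$key"            || { echo "FAIL: $key is readable by group/other"; rc=1; }
    show_names "$crt"
    return $rc
}

if [ $# -eq 3 ]; then check_all "$@"; fi
```

The modulus comparison is the classic way to prove a certificate and a key belong together; the same trick works on the CSR, which is worth doing before you paste it into the vendor's form rather than after the money has changed hands.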

 

5 comments:

Anonymous said...

I know quite a few webmasters renew their Wildcard SSL certificates, but for me it's easier to just buy new SSL certificates and issue those, as I personally find the process generally easier and quicker, especially when you are doing this with a number of domains.

Unknown said...

Wildcard SSL :
A good number of those things make sense to me.

In today's Web hosting environments, many Webmasters host on servers with ready-made SSL setups and no installation requirements, or with setups on which a control panel handles the heavy configuration work. Whatever the case, it's important to understand just what your SSL options are, and to know how to manage the process manually.

Unknown said...

RapidSSL WildCard:
An ample amount of security will definitely increase your web site visitors as well as your presence at major search engines. However, advisable web site security can be created through suitable SSL certificates, including major processes such as installation or setup, which need configuration within the control panel.

Understanding SSL certificate types, options, the installation process and other major features is mandatory for web site security.

