Setting up a certificate for your site.
First some background:
An RSA private key file is a digital file that you can use to decrypt messages sent to you. It has a public component, which you distribute via your Certificate file, that allows people to encrypt those messages to you.
A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA), who will convert it into a real Certificate, by signing it.
A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.
1) First, set the host name. It needs to be the name you will use as the common name (see below) in the certificate.
$ sudo vi /etc/hostname
Once done, check the name with:
$ hostname
It should show the new value, in this case domain.com.
2) Now create your private key file. Change to the Apache ssl directory (/etc/apache2/ssl) if you want, but do it as root.
$ sudo openssl genrsa -des3 -out domain.com.key 2048
Enter a passphrase to keep it safe
3) Create a .csr (Certificate Signing Request) file. This is the request that will be sent to a CA (GoDaddy) to verify who you are.
$ sudo openssl req -new -key domain.com.key -out domain.com.csr
Fill in the details with whatever you want. The only important part is the common name. This HAS to be the domain name. If the certificate is for a single domain, use “domain.com”; if you get a wildcard certificate, use “*.domain.com”. Here is an example:
sudo openssl req -new -key www.domain.com.key -out www.domain.com.csr
Enter pass phrase for www.domain.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Domain
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:domain.com
Email Address []:support@domain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4) Next you need to get your certificate from your provider (GoDaddy in my case). GoDaddy will ask you for your CSR (Certificate Request) details. This is the file you generated in step 3 above. Get the certificate request to them as follows:
sudo cat domain.com.csr
Go to the web site. Under certificates, click re-key and paste the whole text, including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines.
5) Once issued, you can download your Certificate File (CRT) and their bundle file. This comes in a zip file for the particular server you use, in my case Apache2. Download the file locally.
6) Next upload the GoDaddy-supplied cert zip file to your server. Put it in the /etc/apache2/ssl directory and unzip it.
7) Before starting the server, make sure the new certificate lines up with your key's public identity. The “modulus” in each file needs to match. Check this by comparing the output of these two commands:
sudo openssl rsa -noout -modulus -in domain.com.key
sudo openssl x509 -noout -modulus -in domain.com.crt
The Modulus values printed by the two commands need to be identical!
8) Remove the passphrase from the private key. This is required so that the server can restart without you having to enter the passphrase each time.
sudo cp domain.com.key domain.com.pass.key
sudo openssl rsa -in domain.com.pass.key -out domain.com.key
9) Change the permissions on all these files (in /etc/apache2/ssl) now so that only root can read them.
sudo chmod 400 *
10) Edit the /etc/apache2/sites-enabled/ssl file and change the following:
SSLEngine On
SSLCertificateKeyFile /etc/apache2/ssl/domain.com.key
SSLCertificateFile /etc/apache2/ssl/domain.com.crt
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
Then restart Apache and check the error log for problems:
sudo /etc/init.d/apache2 restart; tail -20 /var/log/apache2/error.log
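An added pre-flight script, not from the original post, that automates the step 7 modulus comparison and adds two checks worth running before the restart: that the certificate really names the host set in step 1, and that it is not about to expire. It assumes openssl is on PATH and uses the post's file paths under /etc/apache2/ssl.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks on the
# key and certificate from steps 2-8, run before the restart in step 10.
# Assumes `openssl` is on PATH and the file paths used in the post.
set -u

# Print the RSA modulus of a PEM private key (prompts if it still has a passphrase).
key_modulus() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null
}

# Print the RSA modulus embedded in a PEM certificate.
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null
}

# 0 if key and certificate carry the identical modulus (the step 7 check),
# 1 otherwise. An unreadable file yields an empty value and so never "matches".
key_matches_cert() {
    k=$(key_modulus "$1") || return 1
    c=$(cert_modulus "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the certificate is valid for the given hostname (SAN, or CN if no SAN).
cert_matches_host() {
    openssl x509 -in "$1" -checkhost "$2" 2>&1 | grep -q 'does match certificate'
}

# 0 if the certificate will still be valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run every check, print one line per result, return non-zero if any failed.
preflight() {
    key=$1; cert=$2; host=$3; rc=0
    if key_matches_cert "$key" "$cert"; then echo "OK   key modulus matches certificate"
    else echo "FAIL key and certificate modulus differ"; rc=1; fi
    if cert_matches_host "$cert" "$host"; then echo "OK   certificate is issued for $host"
    else echo "FAIL certificate is not valid for $host"; rc=1; fi
    if cert_valid_for_days "$cert" 30; then echo "OK   certificate valid for 30+ days"
    else echo "FAIL certificate expires within 30 days or is already expired"; rc=1; fi
    return $rc
}

# With the post's paths (run as root, since the key is mode 400):
# preflight /etc/apache2/ssl/domain.com.key /etc/apache2/ssl/domain.com.crt domain.com
```

A non-zero exit from preflight means Apache would either fail to start (key/cert mismatch) or serve a certificate browsers reject, so fix that before touching step 10.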
