Site Certificate (HTTPS)

Setting up a certificate for your site.

First some background:

An RSA private key is a file that only your server should ever hold. It has a public half, which you distribute to everyone (inside your Certificate). Anything encrypted to the public key can only be decrypted with the private key, and anything signed with the private key can be checked with the public key; TLS relies on this to prove that the server presenting a certificate actually controls the matching key.

A Certificate Signing Request (CSR) is a file which contains your public key and your name (for a web server, the domain name). You send the CSR to a Certificate Authority (CA), who turns it into a real Certificate by signing it, after checking that you control the domain it names.

A Certificate contains your RSA public key, your name, the name of the CA, a validity period, and the CA's digital signature over all of that. Browsers that trust the CA can verify the signature and so accept that the public key belongs to your domain. That lets them set up a session that only a server holding your private key can complete.

1) First, set the host name. OpenSSL does not read it (the Common Name comes from what you type in step 3), but the hostname, Apache's ServerName and the certificate's Common Name should all agree to avoid confusion later.

$ sudo vi /etc/hostname

Once done, check the name with:

$ hostname

It should be the new value, in this case domain.com.

2) Now create your private key. Change to the Apache ssl directory (/etc/apache2/ssl) if you want to keep everything in one place, but do it as root:

$ sudo openssl genrsa -des3 -out domain.com.key 2048

Enter a passphrase to keep it safe while it sits on disk. (-des3 encrypts with 3DES; -aes256 is the better choice on any current OpenSSL. It matters little here, since the passphrase is removed again in step 8.) 2048 bits is the minimum public CAs accept.

3) Create a .csr (Certificate Signing Request) file. This is what you send to the CA (GoDaddy in my case); they check that you control the domain named in it before issuing the certificate.

$ sudo openssl req -new -key domain.com.key -out domain.com.csr

Fill in the other fields truthfully but don't agonise over them; for a domain-validated certificate the only part the CA acts on is the Common Name. This HAS to be the domain name. For a single-host certificate use "domain.com"; if you have bought a wildcard certificate use "*.domain.com" (note the dot: "*domain.com" is not a valid wildcard). Browsers actually match the host against the Subject Alternative Name extension rather than the Common Name, but the CA copies the Common Name into the SAN when it issues the certificate, so what you type here is what browsers will see. Leave the challenge password blank. Here is an example:

sudo openssl req -new -key www.domain.com.key -out www.domain.com.csr
Enter pass phrase for www.domain.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Domain
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:domain.com
Email Address []:support@domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4) Next you need to get your certificate from your provider (GoDaddy in my case). GoDaddy will ask you for your CSR (Certificate Signing Request). This is the file you generated in step 3 above; it contains only your public key and name, so it is safe to paste into a web form. Display it with:

sudo cat domain.com.csr

Go to the GoDaddy web site. Under certificates, click re-key and paste the whole output, inclusive of the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines.

5) Once issued, you can download your certificate file (CRT) together with the intermediate CA bundle (gd_bundle.crt). They come in a zip file tailored to the server software you select; in my case Apache2. Download the file locally.

6) Next upload the GoDaddy-supplied cert zip file to your server. Put it in the /etc/apache2/ssl directory (create it if it does not exist) and unzip it there.

7) Before starting the server, make sure the new certificate lines up with your private key. An RSA certificate and its key share the same modulus, so compare the output of these two commands (the first will prompt for the key's passphrase):

sudo openssl rsa -noout -modulus -in domain.com.key

sudo openssl x509 -noout -modulus -in domain.com.crt

The Modulus values printed must be identical. If they differ, the certificate was issued for a different key (typically a CSR left over from an earlier attempt) and Apache will refuse to start with it.

8) Remove the passphrase from the private key. This is required so that the server can restart without you having to type the passphrase each time. Keep the encrypted copy; the plaintext key that results is exactly why the permissions in step 9 matter.

sudo cp domain.com.key domain.com.pass.key

sudo openssl rsa -in domain.com.pass.key -out domain.com.key

9) Change the permissions on these files to secure them. They are owned by root because you created them with sudo, and Apache reads the key as root before dropping privileges, so root-only read access is enough. Use the explicit path: a bare "chmod 400 *" run from the wrong directory would strip read access from everything there.

sudo chmod 400 /etc/apache2/ssl/*

10) Edit the SSL virtual host file under /etc/apache2/sites-enabled/ (the file is called ssl in my setup). Make sure its ServerName matches the certificate's Common Name, and set the following directives to point at the new files:

SSLEngine On
SSLCertificateKeyFile /etc/apache2/ssl/domain.com.key
SSLCertificateFile /etc/apache2/ssl/domain.com.crt
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt

On Apache 2.4.8 and later SSLCertificateChainFile is deprecated; the alternative is to append the contents of gd_bundle.crt after your own certificate in domain.com.crt and drop the ChainFile line. Either way the intermediate must be served, or browsers that have not seen the GoDaddy intermediate before will report an unknown issuer.

11) Check the configuration, restart the server and watch the error log (apachectl configtest reports a key/certificate mismatch before you take the site down):

sudo /etc/init.d/apache2 restart; tail -20 /var/log/apache2/error.log

If all went well the server starts without complaint and https://domain.com/ shows the new certificate.