Warning: I understand the overall process but not the details. I am going to document the entire process. This is unfamiliar territory for me, so comments on how this article can be made more clear are appreciated.
Select SSL Certificate
SSLShoper provides a great overview of the different types of SSL certificates available with various pros and cons. If you are still unsure, try using the SSL Shopper Wizard to guide you to the right choice.
...
Because a passphrase-encrypted key requires an administrator to type the passphrase every time the web server starts, the current standard is to not use passphrase encryption and instead rely on file system permissions to protect the keys.
Note: We will continue with the BonsaiFramework example and be creating an SSL certificate for https://www.earth.com and http://earth.com.
Without Passphrase Encryption
...
```bash
su bhitch # Use a sudo enabled account.
cd ~
mkdir private
sudo chmod 700 ./private
cd private
openssl genrsa -out earth.com-server.key 2048
```
The openssl command reads,
...
Note: The private directory is not necessary but present for convention.
Because we do not want to enter a password every time the web server is restarted, remove the password from the key file.
The next step is to generate the CSR.
Generate the CSR
Generate the CSR which will be submitted to the CA,
```bash
openssl req -new -key earth.com-server.key -out earth.com-server.csr
```
You will be prompted to enter information about the certificate. The values should reflect your organization.
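The two steps above, key generation and CSR generation, as an added example that is not part of the BonsaiFramework page: the key is created with owner-only permissions and no passphrase, the CSR is generated non-interactively with a subjectAltName covering both earth.com and www.earth.com (the CA will later ask which host names the certificate should cover), and small check functions confirm the result before anything is submitted. It assumes OpenSSL 1.1.1 or newer (for `req -addext`); the subject fields, directory names and file names are placeholders.

```bash
#!/bin/sh
# Added example (not from the BonsaiFramework page). Assumes OpenSSL >= 1.1.1
# for "openssl req -addext". All names below are illustrative placeholders.
set -e

# make_key DIR NAME : write DIR/NAME.key with no passphrase, mode 600, in a
# directory only its owner can enter (mode 700)
make_key() {
    dir=$1; name=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    # umask 077 inside a subshell so only the key file is affected
    ( umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null )
}

# make_csr DIR NAME SUBJ SANS : write DIR/NAME.csr for the key in DIR/NAME.key.
# SUBJ is an X.509 subject ("/O=Earth/CN=earth.com"); SANS is a comma-separated
# subjectAltName list ("DNS:earth.com,DNS:www.earth.com"). Without -subj the
# command prompts interactively, exactly as the page describes.
make_csr() {
    dir=$1; name=$2; subj=$3; sans=$4
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "$subj" -addext "subjectAltName=$sans" 2>/dev/null
}

# csr_has_name CSR DNSNAME : succeed if the CSR lists DNSNAME as a DNS SAN
csr_has_name() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_is_private FILE : succeed if FILE is mode 600 (owner read/write only).
# GNU stat first, BSD/macOS stat as the fallback.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# key_has_no_passphrase FILE : succeed if the key loads with an empty password,
# i.e. the web server can start without an administrator typing anything
key_has_no_passphrase() {
    openssl pkey -in "$1" -noout -passin pass: 2>/dev/null
}

# Usage when run directly: work in a scratch directory, never in the real one
WORK=$(mktemp -d)
make_key "$WORK" earth.com-server
make_csr "$WORK" earth.com-server "/O=Earth/CN=earth.com" \
    "DNS:earth.com,DNS:www.earth.com"
key_is_private "$WORK/earth.com-server.key"
key_has_no_passphrase "$WORK/earth.com-server.key"
csr_has_name "$WORK/earth.com-server.csr" www.earth.com
echo "key and CSR ready in $WORK"
```

The SAN list is what modern browsers actually match against; the CN alone no longer carries a host name for validation purposes, so listing both the bare domain and the www host in the CSR avoids a certificate that only works for one of them.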
...
Submit Public Key to CA
The CSR file is submitted to the CA. Every CA will have a slightly different procedure.
Warning: Add the exact steps for StartSSL here as a reference.
This step also includes various CA specific procedures to prove your identity.
You may also be prompted for a host name underneath your domain. If you want to use both https://www.earth.com and https://earth.com then make sure both are listed here.
...
The text file should be saved with the domain name and the crt extension; it is your certificate, that is, your public key signed by that CA. In this example, it will be earth.com-server.crt.
Download CA Certificates
...
It is recommended to rename the ca.pem file to StartSSL_Root_CA.pem.
Download Intermediate Certificates
...
Rename the default sub.class1.server.ca.pem file to StartSSL_Sub_Class1_CA.pem.
Store Certificates in Protected Area
...
/etc/ssl/private/ # Only viewable by root and a good location for the private keys
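An added example, not from the BonsaiFramework page, of moving the key material into a protected directory with the permissions described above and checking that the certificate returned by the CA really belongs to the generated key before Apache is pointed at it. The target directory is a parameter so the functions can be exercised in a scratch directory; on a real host it would be /etc/ssl/private. File names and subjects are placeholders.

```bash
#!/bin/sh
# Added example (not from the BonsaiFramework page). TARGET, KEY and CERT are
# placeholders; on a real host TARGET is /etc/ssl/private and the commands run
# as root (via sudo) so the directory ends up owned by root.
set -e

# install_key_material TARGET KEY CERT : copy KEY and CERT into TARGET.
# Directory mode 700, private key 600, certificate 644 (it is public anyway).
install_key_material() {
    target=$1; key=$2; cert=$3
    mkdir -p "$target"
    chmod 700 "$target"
    cp "$key" "$target/"
    cp "$cert" "$target/"
    chmod 600 "$target/$(basename "$key")"
    chmod 644 "$target/$(basename "$cert")"
}

# cert_matches_key CERT KEY : succeed if the public key inside CERT is the one
# derived from KEY. A mismatch means the wrong CSR was signed or the wrong key
# was copied, and Apache would refuse to start with this pair.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# file_mode FILE : print the octal permission bits (GNU stat, then BSD stat)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Usage when run directly: a scratch key and a self-signed certificate stand
# in for the real key and the CA-signed earth.com-server.crt
WORK=$(mktemp -d)
openssl genrsa -out "$WORK/earth.com-server.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/earth.com-server.key" -days 1 \
    -subj "/CN=earth.com" -out "$WORK/earth.com-server.crt" 2>/dev/null
install_key_material "$WORK/private" "$WORK/earth.com-server.key" "$WORK/earth.com-server.crt"
cert_matches_key "$WORK/private/earth.com-server.crt" "$WORK/private/earth.com-server.key"
echo "installed under $WORK/private, key mode $(file_mode "$WORK/private/earth.com-server.key")"
```

Once the root and intermediate certificates downloaded earlier are in place, `openssl verify -CAfile StartSSL_Root_CA.pem -untrusted StartSSL_Sub_Class1_CA.pem earth.com-server.crt` is the matching check that the chain the CA issued actually validates.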
Store the
...
Apache Setup
First enable the module in Apache,
...