www.bonsaiframework.com
Page tree

Versions Compared

Old Version 52

changes.mady.by.user Tin Pham

Saved on

compared with

New Version 53

changes.mady.by.user Tin Pham

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Warning

I understand the overall process but not the details. Going to document the entire process.This is unfamiliar territory for me so comments on how this article can be made more clear are appreciated.

Select SSL Certificate

SSLShoper provides a great overview of the different types of SSL certificates available with various pros and cons. If you are still unsure, try using the SSL Shopper Wizard to guide you to the right choice.

...

Because passphrase encryption requires an administrator's intervention, the current standard is to not use passphrase encryption and instead rely on the file system to protect the keys.

Note

We will continue with the BonsaiFramework example and be creating an SSL certificate for https://www.earth.com and http://earth.com.

Without Passphrase Encryption

...

Code Block
languagebash
su bhitch # Use a sudo enabled account.
cd ~
mkdir private
sudo chmod 700 ./private
cd private
openssl genrsa -out earth.com-server.key 2048

The openssl command reads,

...

Panel

The private directory is not necessary but present for convention.

Code Block
languagebash
su bhitch # Use a sudo enabled account.
cd ~
mkdir private
sudo chmod 700 ./private
cd private
openssl genrsa -aes256 -out earth.com-server.key 2048

The openssl command reads,

  • genrsa - generate asymmetric keys
  • aes266- - protect the RSA key with a passphrase using CBC AES 256 symmetric key encyrption 
  • 2048 - make the RSA private key 2048 bit
Info

As of May 2011, most of the examples including the Apache 2.2 documentation use des3 and 1024. This was to accommodate older browsers. The standard has since changed to AES-256-CBC 2048. Some CA will no longer accept 1024.

Because we do not want to enter a password every time the web server is restarted, remove the password from the key file,

Code Block
languagebash
openssl rsa -in earth.com-server.key -out earth.com-server.key.insecure

The next step is to generate the CSR.

Generate the

...

CSR

Generate the CSR which will be submitted to the CA,

Code Block
languagebash
openssl req -new -key earth.com-server.key -out earth.com-server.csr

You will be prompted to enter information about the certificate. The values should reflect your organization.

...

Submit Public Key to CA

The CRS CSR file is submitted to the CA. Every CA will have a slightly different procedure.

Warning

Add the exact steps for StartSSL here as a reference.

This step also includes various CA specific procedures to prove your identity.
You may also be prompted for a hostname host name underneath your domain. If you want to use both https://www.earth.com and https://earth.com then make sure both are listed here.

...

The text file should be saved with the domain name and the crt extension and is your public key signed by that CA. In this example, it will be earth.com-server.crt.

Download CA Certificates

...

It is recommend to change the ca.pem file to startsslStartSSL-caRoot_CA.pem.

Download Intermediate Certificates

...

Change the default sub.class1.server.ca.pem file to starssl-sub.class1.server.ca.StartSSL_Sub_Class1_CA.pem.

Store Certificates in Protect Area

...

Panel

/etc/ssl/private/ # Only viewable view-able by root and a good location for the private keys
/etc/ssl/certs/ # Location for the

Store the
...

Apache Setup

First enable the module in Apache,

...