...
SSL Shopper provides a good overview of the different types of SSL certificates available, with their pros and cons. If you are still unsure, try the SSL Shopper Wizard, which guides you to the right type of certificate and lists possible CAs.
Select CA
Specifically for Ubuntu, we perform the additional pre-check to ensure that the selected candidate CA's public certificates are part of the Ubuntu Certificate Repository. This makes future management easier because Ubuntu will take care of updating and maintaining the CA certificates.
Note: This is not a requirement. You can manually add or import the CA certificates into the Ubuntu Certificate Repository. However, it is highly recommended to let the operating system do the work of managing the CA certificates.
In this example, after running the SSL Shopper Wizard, the first CA of interest is StartCom, which has a free (as in beer) SSL certificate package called StartSSL Free.
To determine if StartCom is part of the Ubuntu Certificate Repository:

```bash
cd /etc/ssl/certs
ls | grep -i start   # case-insensitive search for the keyword "start"
```

The result:

```text
StartCom_Certification_Authority.pem
StartCom_Ltd..pem
StartSSL_Sub_Class1_CA.pem
```
Most likely StartCom_Certification_Authority.pem is the highest-level root CA certificate and the other two are chain (intermediate) certificates.
Because naming conventions and the number of certificates required differ from CA to CA, you must do some reading and searching on the CA's website.
The key things to be searching for are,
- Download of the root CA certificate
- Determination if any chain certificates are required and where to download them
In this case I found the answers on StartCom's "How to Install Apache Server" webpage, whose sample Apache configuration also indicates that:
- ca.pem is the root CA certificate
- sub.class1.server.ca.pem is the chain certificate
The next step is to match the certificates from StartCom against the Ubuntu Certificate Repository:

```bash
wget http://www.startssl.com/certs/ca.pem
diff ca.pem /etc/ssl/certs/StartCom_Certification_Authority.pem
```
The diff command returned no differences, so ca.pem is the same certificate as StartCom_Certification_Authority.pem. Next, the chain certificate:

```bash
wget http://www.startssl.com/certs/sub.class1.server.ca.pem
diff sub.class1.server.ca.pem /etc/ssl/certs/StartCom_Ltd..pem
2,35c2,29
< MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
< MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
```

This returned differences, so move on to the next file:

```bash
diff sub.class1.server.ca.pem /etc/ssl/certs/StartSSL_Sub_Class1_CA.pem
```

This one is a match, meaning StartSSL_Sub_Class1_CA.pem is the chain certificate.
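The `diff` check above only works when the downloaded file and the repository copy are byte-for-byte identical; the same certificate re-wrapped at a different line width, saved with CRLF endings, or shipped inside a bundle such as ca-certificates.crt would show differences although it is the same certificate. The following added example (not code from the original page, nor from StartCom or Ubuntu) compares certificates by the SHA-256 fingerprint of their DER bytes instead, which is what `openssl x509 -noout -fingerprint -sha256` also hashes. The `REPO` dictionary and the "certificate" payloads are constructed stand-ins so the example runs offline; `index_directory` does the same over a real directory such as /etc/ssl/certs.

```python
"""Match a downloaded CA certificate against a certificate repository by
SHA-256 fingerprint rather than a byte-for-byte diff of the PEM files.

Added example; not from the original page, StartCom or Ubuntu. The REPO
dict and the payload bytes below are constructed placeholders, not real
DER-encoded X.509 certificates.
"""
import base64
import hashlib
import os
import re
from typing import Dict, List

# One or more CERTIFICATE blocks; a CA bundle file holds many of them.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_blocks(pem_text: str) -> List[bytes]:
    """Decode every CERTIFICATE block in a PEM string to its DER bytes.
    Line wrapping, CR/LF endings and text outside the markers are ignored,
    which is exactly what makes `diff` report two copies of one cert as different."""
    ders = []
    for body in _PEM_BLOCK.findall(pem_text):
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders


def fingerprints(pem_text: str) -> List[str]:
    """SHA-256 over the DER bytes of each certificate in the text (hex, no colons)."""
    return [hashlib.sha256(der).hexdigest() for der in pem_to_der_blocks(pem_text)]


def index_pems(named_pems: Dict[str, str]) -> Dict[str, List[str]]:
    """Map fingerprint -> every file name whose contents include that certificate."""
    index: Dict[str, List[str]] = {}
    for name in sorted(named_pems):
        for fp in fingerprints(named_pems[name]):
            index.setdefault(fp, []).append(name)
    return index


def index_directory(cert_dir: str) -> Dict[str, List[str]]:
    """index_pems over every regular .pem/.crt file in cert_dir (e.g. /etc/ssl/certs)."""
    named = {}
    for name in os.listdir(cert_dir):
        path = os.path.join(cert_dir, name)
        if name.endswith((".pem", ".crt")) and os.path.isfile(path):
            with open(path, encoding="ascii", errors="ignore") as fh:
                named[name] = fh.read()
    return index_pems(named)


def find_matches(downloaded_pem: str, index: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """For each certificate in the downloaded file, the repository files holding
    the identical certificate (an empty list means it is not in the repository)."""
    return {fp: index.get(fp, []) for fp in fingerprints(downloaded_pem)}


# ---- constructed demo data (stand-ins, not real certificates) -------------
def constructed_pem(payload: bytes, width: int = 64) -> str:
    """Wrap arbitrary bytes in PEM armour at the given line width."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


ROOT = b"constructed-root-ca-placeholder-" * 4
SUB = b"constructed-sub-class1-placeholder-" * 4
OTHER = b"constructed-unrelated-placeholder-" * 4

REPO = {  # stand-in for the three StartCom files listed from /etc/ssl/certs
    "StartCom_Certification_Authority.pem": constructed_pem(ROOT),
    "StartCom_Ltd..pem": constructed_pem(OTHER),
    "StartSSL_Sub_Class1_CA.pem": constructed_pem(SUB),
}

# The "downloaded" sub.class1.server.ca.pem: the same certificate as
# StartSSL_Sub_Class1_CA.pem but with CRLF endings and 76-column wrapping,
# so `diff` would print differences although the certificates are identical.
DOWNLOADED = constructed_pem(SUB, width=76).replace("\n", "\r\n")


def demo() -> Dict[str, List[str]]:
    """Fingerprint match of the downloaded file against the repository stand-in."""
    return find_matches(DOWNLOADED, index_pems(REPO))


if __name__ == "__main__":
    for fp, files in demo().items():
        print(fp[:16] + "...", "->", files or "NOT in repository")
```

Because the bundle is indexed as well, a certificate that Ubuntu manages will usually show up twice: once under its own .pem name and once under ca-certificates.crt. A download whose fingerprint maps to an empty list is not in the repository and would have to be added manually, as the note above describes.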
SSL Process
Generate Server Private Key
...
Warning: Provide a link to explain the CA signing process.
Download Signed Server Certificate
Following this example using StartSSL, we are sent an email and follow its instructions to retrieve the certificate through their web interface:
...
The text file should be saved with the domain name and the .crt extension; it is your server certificate, that is, your public key signed by that CA. In this example it will be earth.com_server.crt.
Warning: This next section needs to be moved out into a sub page.
Download CA Certificates
You may also need the CA's certificates, which can be downloaded from StartSSL:
...
It is recommended to rename the ca.pem file to include the CA's brand or name, such as StartSSL_Root_CA.pem.
Warning: Ask Dickson, Garth and Shawn, is my statement about Managed correct?
However, first check whether the file already exists and is managed by the operating system. On Ubuntu, look in /etc/ssl/certs.
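Whether a file in /etc/ssl/certs is "managed" can be read off how it got there. On Debian and Ubuntu, update-ca-certificates symlinks the enabled certificates from /usr/share/ca-certificates (shipped by the ca-certificates package) and /usr/local/share/ca-certificates (added by the administrator) into /etc/ssl/certs and regenerates the ca-certificates.crt bundle there; a regular file copied straight into /etc/ssl/certs is not touched by that tooling. The following added example (not code from the original page or from Ubuntu) classifies an entry on that basis; the layout above is the assumption it rests on, and `classify` takes the resolved symlink target as a string so the logic can be exercised without a real certificate directory.

```python
"""Tell a package-managed CA certificate in /etc/ssl/certs apart from one
placed there by hand.

Added example; not from the original page or Ubuntu's tooling. Assumes the
Debian/Ubuntu ca-certificates layout: update-ca-certificates symlinks
enabled certificates from /usr/share/ca-certificates (package) and
/usr/local/share/ca-certificates (local) into /etc/ssl/certs and writes
the ca-certificates.crt bundle there.
"""
import os
from typing import Dict, Optional

PACKAGE_DIR = "/usr/share/ca-certificates/"
LOCAL_DIR = "/usr/local/share/ca-certificates/"
BUNDLE_NAME = "ca-certificates.crt"


def classify(entry_name: str, link_target: Optional[str]) -> str:
    """Classify one /etc/ssl/certs entry from its name and, if it is a
    symlink, its fully resolved target (None for a regular file)."""
    if link_target is None:
        if entry_name == BUNDLE_NAME:
            return "generated-bundle"   # rebuilt by update-ca-certificates
        return "unmanaged-file"         # copied in by hand; the OS will not update it
    if link_target.startswith(PACKAGE_DIR):
        return "package-managed"        # kept current by the ca-certificates package
    if link_target.startswith(LOCAL_DIR):
        return "local-managed"          # admin-added, still tracked by update-ca-certificates
    return "unmanaged-link"             # symlink to a place the tooling ignores


def classify_path(path: str) -> str:
    """Inspect a real path, e.g. /etc/ssl/certs/StartCom_Certification_Authority.pem.
    Hash links such as a94d09e5.0 resolve through to their final target."""
    target = os.path.realpath(path) if os.path.islink(path) else None
    return classify(os.path.basename(path), target)


def report(cert_dir: str = "/etc/ssl/certs") -> Dict[str, str]:
    """Classification for every entry in cert_dir."""
    return {name: classify_path(os.path.join(cert_dir, name))
            for name in sorted(os.listdir(cert_dir))}


if __name__ == "__main__":
    for name, kind in report().items():
        print(f"{kind:18} {name}")
```

An entry reported as package-managed is the case the note at the top of the page recommends: leave the file alone and let the operating system update it. An unmanaged-file entry is one the administrator will have to track by hand, or better, move under /usr/local/share/ca-certificates and register with update-ca-certificates.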
...