...

SSL Shopper provides a good overview of the different types of SSL certificates available, with the pros and cons of each. If you are still unsure, the SSL Shopper Wizard will guide you to the right type of certificate and give you a list of possible CAs.

Select CA

Specifically for Ubuntu, we perform an additional pre-check to ensure that the selected candidate CA's public certificates are already part of the Ubuntu Certificate Repository (the ca-certificates package, whose trusted certificates appear under /etc/ssl/certs). This makes future management easier because Ubuntu will take care of updating, replacing and removing the CA certificates through normal package updates.

Note

This is not a requirement. You can manually add CA certificates to the Ubuntu Certificate Repository (on Ubuntu, copy them as .crt files into /usr/local/share/ca-certificates and run update-ca-certificates). However, it is highly recommended to let the operating system manage the CA certificates, so that a CA certificate that is later replaced or distrusted is updated on your system without manual intervention.

In this example, after running the SSL Shopper Wizard the first CA of interest is StartCom, which offers a free (as in beer) SSL certificate package called StartSSL Free. Note that StartCom is used here only as the worked example: the major browsers distrusted StartCom certificates issued after October 2016 and the CA has since ceased operation, but the checks below apply unchanged to any CA.

To determine whether StartCom's certificates are already part of the Ubuntu Certificate Repository,

Code Block
cd /etc/ssl/certs
ls | grep -i start # perform case insensitive search for the keyword "start"

The result,

Code Block
StartCom_Certification_Authority.pem
StartCom_Ltd..pem
StartSSL_Sub_Class1_CA.pem

Judging by the file names alone, StartCom_Certification_Authority.pem is most likely the top-level root CA certificate and the other two are chain (intermediate) certificates. File names are not authoritative, though: the reliable way to tell is to inspect each certificate's subject and issuer with openssl. A root certificate is self-issued, so its subject equals its issuer, while a chain certificate is issued by the root (or by another intermediate) and sits between the root and your server certificate.

Because naming conventions and the number of certificates required differ from CA to CA, you must do some reading and searching on the CA's website.

The key things to be searching for are,

  1. Download of the root CA certificate
  2. Determination if any chain certificates are required and where to download them

In this case I found the answers on the StartCom "How to Install Apache Server" web page, whose sample Apache configuration also indicates that,

  • ca.pem is the root CA certificate
  • sub.class1.server.ca.pem is the chain certificate

The next step is to match the certificates downloaded from StartCom against the Ubuntu Certificate Repository.

Code Block
wget http://www.startssl.com/certs/ca.pem
diff  ca.pem /etc/ssl/certs/StartCom_Certification_Authority.pem

The diff command returned no differences, so the downloaded ca.pem is byte-for-byte identical to the OS-managed StartCom_Certification_Authority.pem. This also confirms that the copy fetched over plain HTTP was not tampered with in transit, which is the main reason to compare against the OS-managed copy at all. Bear in mind that diff compares the PEM text, so an identical certificate that the CA serves with different line wrapping or extra header text would show up as different; comparing certificate fingerprints with openssl is the robust test. Next,

Code Block
wget http://www.startssl.com/certs/sub.class1.server.ca.pem
diff sub.class1.server.ca.pem /etc/ssl/certs/StartCom_Ltd..pem
2,35c2,29
< MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
< MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg

That returned differences, so StartCom_Ltd..pem is not the downloaded chain certificate; move on to the next file,

Code Block
diff sub.class1.server.ca.pem /etc/ssl/certs/StartSSL_Sub_Class1_CA.pem

This one matches, meaning StartSSL_Sub_Class1_CA.pem is the chain certificate, and Ubuntu already manages both the root and the chain certificate for this CA.

SSL Process

Generate Server Private Key

...

Warning

Provide a link to explain the CA signing process.

Download Signed Server Certificate

Following this example with StartSSL, we receive an email and follow its instructions to retrieve the certificate through their web interface,

...

The text file should be saved with the domain name and the .crt extension. It is the certificate containing your server's public key, signed by that CA; it contains nothing secret, and the matching private key never leaves the server. In this example, it will be earth.com_server.crt.
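Before installing the certificate it is worth confirming that the CA signed the key you actually generated (a mix-up between CSRs, or a certificate retrieved for the wrong request, is easy to make with a web interface). The following script is an added example, not part of the original page or of StartSSL's instructions: it compares the public key embedded in the certificate with the public key derived from the private key. The file names earth.com_server.crt and earth.com_server.key are assumptions.

```sh
#!/bin/sh
# Added example: check that a CA-signed certificate belongs to a private key
# by comparing the DER-encoded public keys rather than eyeballing the files.
# File names on the command line are assumptions.
set -eu

# SHA-256 of the DER-encoded public key contained in a certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# SHA-256 of the DER-encoded public key derived from a private key.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Exit status 0 when the certificate and the private key belong together.
cert_matches_key() {
    [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]
}

# Usage: sh check-pair.sh earth.com_server.crt earth.com_server.key
if [ $# -eq 2 ]; then
    if cert_matches_key "$1" "$2"; then
        echo "OK: $1 was issued for the public key of $2"
    else
        echo "MISMATCH: $1 does not belong to $2" >&2
        exit 1
    fi
fi
```

Comparing hashes of the public key works for RSA and EC keys alike, unlike the older trick of comparing RSA moduli.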

Warning

This next section needs to be moved out into a sub page.

Download CA Certificates

You may also need the CA's own certificates (the root and any chain certificates), which can be downloaded from StartSSL,

...

It is recommended to rename the ca.pem file to include the CA's brand or name, for example StartSSL_Root_CA.pem, so that it is obvious later which CA it belongs to.

Warning

Ask Dickson, Garth and Shawn, is my statement about Managed correct?

However, first check whether the file already exists and is managed by the operating system. In the case of Ubuntu, look in /etc/ssl/certs; if the certificate is already there, reference the OS-managed copy rather than keeping a private duplicate that will not receive updates.
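The matching step in Select CA (downloading ca.pem and sub.class1.server.ca.pem and diffing them against /etc/ssl/certs) and the "check if the file already exists" step here are the same check. The script below is an added example, not from the original page or from StartSSL: it does the comparison by SHA-256 certificate fingerprint instead of a textual diff, reports for each file whether it is a root or a chain (intermediate) certificate, and goes one step further than the page by verifying that a server certificate actually chains to the root through the intermediate, which is what a TLS client will check. The default store location /etc/ssl/certs (overridable via CERT_DIR) and the file names on the command line are assumptions.

```sh
#!/bin/sh
# Added example: decide whether a CA certificate downloaded from the CA's
# website is already shipped and managed by Ubuntu's ca-certificates package,
# and whether it is a root or an intermediate, using certificate fingerprints
# rather than a diff of the PEM text. CERT_DIR and file names are assumptions.
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/certs}"

# SHA-256 fingerprint of the (first) certificate in a PEM file, "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# "root" when the certificate is self-issued (subject == issuer), otherwise
# "intermediate": the self-issued certificate at the top is the trust anchor,
# everything between it and the server certificate is a chain certificate.
cert_role() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*=//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*=//')
    if [ "$subject" = "$issuer" ]; then echo root; else echo intermediate; fi
}

# Print the path of every certificate in CERT_DIR whose fingerprint equals
# that of $1; return 1 when the OS store does not contain it.
find_in_store() {
    want=$(cert_fingerprint "$1")
    found=1
    for f in "$CERT_DIR"/*.pem; do
        [ -e "$f" ] || continue
        have=$(cert_fingerprint "$f" 2>/dev/null || true)
        if [ "$have" = "$want" ]; then
            echo "$f"
            found=0
        fi
    done
    return $found
}

# Verify that a server certificate chains to the root through the
# intermediate, the check a TLS client performs on the handshake.
verify_chain() {  # root.pem intermediate.pem server.crt
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Usage: sh ca-check.sh ca.pem sub.class1.server.ca.pem
for pem in "$@"; do
    role=$(cert_role "$pem")
    if match=$(find_in_store "$pem"); then
        echo "$pem: $role, managed by the OS as $match"
    else
        echo "$pem: $role, NOT in $CERT_DIR (install via /usr/local/share/ca-certificates and update-ca-certificates)"
    fi
done
```

Because the CA's download page is fetched over plain HTTP in the example above, a fingerprint match against the OS-managed copy is also your evidence that the downloaded file is the genuine CA certificate; when there is no OS-managed copy, compare the fingerprint against the one the CA publishes out of band before installing it.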

...