...

```bash
su bhitch   # Use a sudo-enabled account.
cd ~
mkdir private
chmod 700 ./private   # Only the owner may enter or list this directory.
cd private
# Generate a 2048-bit RSA private key.
openssl genrsa -out www.earth.com_server.pem.base64.key 2048
```

The openssl command reads,

  • 2048 - make the RSA private key 2048 bits long
  • The default file format will be PEM. (to link to upcoming article about formats and standards)
  • The default encoding of the file will be base64. (link to upcoming article about formats and standards)
Note

Notice the creation of the private directory. It is very important that only the proper administrators have access to the private key.

...

```bash
# Create a CSR from the private key generated above; openssl prompts for the subject fields.
openssl req -new -key www.earth.com_server.pem.base64.key -out www.earth.com_server.pem.base64.csr
```

You will be prompted to enter information about the certificate. The values should reflect your organization.

...

Info

Here are some useful details about the CSR,

  • The default is a Base64 (PEM) encoded format. (link to upcoming article about formats and standards)
  • The private key is used to digitally sign the CSR. (link to upcoming article about formats and standards)
  • The CSR contains the public key.
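
The two CSR properties listed above (it is signed with the private key and it carries the matching public key) can be checked before the CSR is sent to a CA. This is an added example, not part of the original page; the function names and the `-subj` value are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: confirm that a CSR belongs to a given private key.
# Function names, temp file names and the -subj value are constructed.

# Public key derived from a private key file, as PEM.
key_pub() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public key embedded in a CSR, as PEM.
csr_pub() { openssl req -in "$1" -noout -pubkey 2>/dev/null; }

# Succeeds only if the CSR's self-signature verifies (the requester held the
# private key) and the CSR carries the public half of key file $1.
# The verify result is read from openssl's message, not its exit status.
csr_matches_key() {
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    k=$(key_pub "$1") || return 1
    c=$(csr_pub "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Builds two keys and one CSR in a private temp directory, then checks the
# CSR against the right key and the wrong key. Runs in a subshell so the
# umask change does not leak into the caller.
demo() (
    umask 077    # directory and key files are owner-only from creation
    d=$(mktemp -d) || exit 1
    openssl genrsa -out "$d/a.key" 2048 2>/dev/null
    openssl genrsa -out "$d/b.key" 2048 2>/dev/null
    openssl req -new -key "$d/a.key" -subj "/CN=www.earth.com" \
        -out "$d/a.csr" 2>/dev/null
    csr_matches_key "$d/a.key" "$d/a.csr" && r1=match || r1=mismatch
    csr_matches_key "$d/b.key" "$d/a.csr" && r2=match || r2=mismatch
    rm -rf "$d"
    echo "$r1 $r2"
)

# Run the demo only when asked, e.g.: bash check_csr.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

`csr_matches_key www.earth.com_server.pem.base64.key www.earth.com_server.pem.base64.csr` performs the same check on the files created in this walkthrough.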

...

The CA will take the public key from your CSR, sign it, and return it to you as your server certificate.

Warning

Provide a sub-page to explain the CA signing process as an example.

...

Toolbox, Retrieve Certificate, select your certificate. The result is often in (I think) DER format (link to upcoming article about formats and standards) or base64, delivered either as a file or as a webpage from which you must copy and paste the certificate text data into a text file.

The text file should be saved with the domain name and the crt extension (link to upcoming article about formats and standards) and is your public key signed by that CA. In this example, it will be earth.com_server.crt.

...

Almost all CAs require the server to install one or more chain certificates.

You may download the chain certificate from your CA's website (you may need to search for it) or, more conveniently, download it from SSLShopper's list of Chain Certificates and respective CA Installation Instructions.

In this case I found the chain certificate at the StartCom How to Install Apache Server webpage, whose sample Apache configuration also indicates that,

  • ca.pem is the root CA certificate
  • sub.class1.server.ca.pem is the chain certificate

The file names, extensions and documentation on file formats for certificates are a mess (link to details). There is no real standard that everyone follows.

What About the CA Certificate?

You don't need it. Yes, it is noted in many tutorials on the Internet...

Store Certificates

In Ubuntu, the default locations for SSL certificates are,

...