
...

From the results, we chose a free simple SSL certificate from the CA StartCom, in an SSL certificate package called StartSSL Free.

Note there is a newer service (checked July 2018), a non-profit called Let's Encrypt, that provides free SSL certificates. To understand what you get, look at their Hello World site. Also note that StartCom certificates have since been distrusted by the major browsers and the CA stopped issuing in 2018, so Let's Encrypt is the option to use today.

SSL Setup (using openssl)

A server private key must be generated first; the Certificate Signing Request (CSR) is then created from that key and sent to the CA, while the key itself never leaves the server. openssl will be used to generate both.

...

Warning
Section to be completed by Roderick.

To verify your signed server certificate in Windows, make sure the certificate file has a .crt file extension. Then double-click the file and, at a minimum, confirm:

  1. The DN (Distinguished Name) matches your existing request.
  2. The key size (in bits) of the certificate matches your request.
  3. The expiry date of the certificate; record it in a calendar to remind you of the renewal.

ADD IMAGE

...

Warning

Q: I did not register the certificates; someone just sent me a bunch of files and I do not know what is what.

A: Read the article Certificate File Formats, which explains the file types and how to verify and validate certificate files.

...

Panel

/etc/ssl/private/ # Standard location for private keys; readable only by root (directory mode 710, group ssl-cert)
/etc/ssl/certs/ # Standard location for CA certificates, with symbolic links pointing to /usr/share/ca-certificates/

For now we will use this structure.

Warning

This needs some consideration of structure and permissions.

However, there are issues with using the default Ubuntu locations:

  • Putting chain certificates in the same directory as CA certificates does not make sense if SSLCACertificatePath is used: that directory is for the CA certificates Apache uses to verify clients, whereas the server's own chain belongs in SSLCertificateChainFile.

...

  • Developing a portable BonsaiFramework version of Apache Web Server and keeping the certificates with the service makes more sense.

...

So the BonsaiFramework will use the following directories,


...

  • One other alternative is to use Debian's apparent standard, /etc/apache/ssl, but I noticed there is no consideration for protecting the private key.

...

Store Public Key

Store the signed certificate (the public part, which needs no special protection) in the public folder,

...

Panel

If you opt to use your own private folder, make sure to set the same permissions as /etc/ssl/private/.

Code Block
languagebash
sudo chown -R root:ssl-cert /opt/apache/httpd/ssl/private/* # Owner is the user that starts Apache (root here); ssl-cert is the group Ubuntu uses for key access.
sudo chmod 710 /opt/apache/httpd/ssl/private/              # Same mode as /etc/ssl/private/: "other" gets nothing, the group may only traverse.
sudo chmod 640 /opt/apache/httpd/ssl/private/*             # The key files themselves must not be world-readable either; a 710 directory alone does not fix a 644 key.

Again, I will stress that this is very important!

...

Info

On the topic of having SSL support for both https://www.earth.com and https://earth.com: when inspecting the certificate in the browser's certificate viewer, navigate to,

  1. www.earth.com
  2. Certificate
  3. Extensions
  4. Certificate Subject Alt Name

Under Certificate Subject Alt Name you will see both DNS entries,

No Format
Not Critical
DNS Name: www.earth.com
DNS Name: earth.com
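The following script is an added example, not code from the original page. It ties together the key and CSR generation from the SSL Setup section, the three checks listed for the signed certificate (DN, key size, expiry) and the Subject Alt Name check above, all with openssl on the command line. It assumes openssl is on PATH, uses the page's www.earth.com / earth.com names and placeholder DN fields, and self-signs the CSR as a stand-in for the certificate the CA would send back; with a real CA you would drop fake_ca_sign and run the checks against the returned server.crt.

```shell
#!/bin/sh
# Added example (not code from the original page): generate a server key and CSR
# with openssl, including a Subject Alt Name for both host names, stand in for the
# CA by self-signing, then run the checks the page asks for on the result.
# Assumptions: openssl is on PATH; www.earth.com/earth.com and the DN fields are
# placeholders taken from the page; a real deployment uses the CA-issued server.crt.

# Write a minimal openssl request config to $1 with CN=$2 and SAN entries $2 and $3.
write_req_config() {
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C = CA
ST = Ontario
L = Toronto
O = Example Org
CN = $2
[v3_req]
subjectAltName = DNS:$2, DNS:$3
EOF
}

# Generate a 2048-bit RSA key (under umask 077 so it is never world-readable) and
# the CSR in directory $1, for host $2 with $3 as the second SAN entry.
make_csr() {
    write_req_config "$1/req.cnf" "$2" "$3"
    (umask 077 && openssl genrsa -out "$1/server.key" 2048 2>/dev/null)
    openssl req -new -key "$1/server.key" -config "$1/req.cnf" -out "$1/server.csr"
}

# Stand-in for the CA: self-sign the CSR and copy the SAN extension into the
# certificate. In real use server.crt is the file the CA sends back.
fake_ca_sign() {
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -days 365 \
        -extfile "$1/req.cnf" -extensions v3_req -out "$1/server.crt" 2>/dev/null
}

# Check 1: the DN in the signed certificate matches the DN in the request.
cert_subject_matches_csr() {
    a=$(openssl req  -in "$1/server.csr" -noout -subject -nameopt RFC2253 | tr -d ' ')
    b=$(openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253 | tr -d ' ')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Check 1b: the certificate belongs to our private key (same RSA modulus); a CA
# that mixed up requests would fail here even with the right DN.
cert_matches_key() {
    a=$(openssl rsa  -in "$1/server.key" -noout -modulus)
    b=$(openssl x509 -in "$1/server.crt" -noout -modulus)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Check 2: key size the CA actually signed, printed as a bare number such as 2048.
cert_key_bits() {
    openssl x509 -in "$1/server.crt" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Check 3: expiry. cert_expiry prints the notAfter date for the calendar reminder;
# cert_valid_for succeeds only if the certificate is still valid $2 seconds from now
# (2592000 = 30 days), which is handy in a renewal-reminder cron job.
cert_expiry()    { openssl x509 -in "$1/server.crt" -noout -enddate; }
cert_valid_for() { openssl x509 -in "$1/server.crt" -noout -checkend "$2" >/dev/null; }

# Subject Alt Name entries, e.g. DNS:www.earth.com,DNS:earth.com (whitespace removed).
cert_san() {
    openssl x509 -in "$1/server.crt" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/ //g;p;}'
}

# Stand-alone run: `sh thisscript.sh run` builds everything in a scratch directory.
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_csr "$work" www.earth.com earth.com
    fake_ca_sign "$work"
    cert_subject_matches_csr "$work" && echo "DN matches the CSR"
    cert_matches_key "$work"         && echo "certificate matches server.key"
    echo "key size: $(cert_key_bits "$work") bits"
    cert_expiry "$work"
    cert_valid_for "$work" 2592000   && echo "more than 30 days left"
    echo "SAN: $(cert_san "$work")"
    rm -rf "$work"
fi
```

The modulus comparison is the one check the Windows certificate viewer cannot do for you: a certificate with the right DN but the wrong public key will install cleanly and then fail at Apache start-up, so it is worth running before the key and certificate are copied into the private and public folders.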

Checking for Mixed Content

Mixed content occurs when a page served over https loads a resource (image, script, stylesheet, frame) through an absolute http:// URL instead of a relative path or an https:// URL. Browsers then mark the page as insecure, and block active mixed content such as scripts and stylesheets outright. Tools to check this,

And here's an example page of common mixed content errors.
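As an added example (not one of the tools the page refers to), the script below scans a saved HTML file offline for the http:// subresources that cause mixed-content warnings. The sample page it checks is constructed here for the example; it only inspects src and href attributes of resource-loading tags, so srcset, CSS url() values and URLs inserted by scripts are not covered.

```shell
#!/bin/sh
# Added example, not code from the original page: a quick offline scan of an HTML
# file for subresources loaded over plain http://, which is what triggers a
# mixed-content warning on an https page. Only tag names and src/href attributes
# are inspected; srcset, inline CSS url() and script-inserted URLs are not covered.

# Print every http:// URL found in a src/href attribute of a resource-loading tag
# in the HTML file $1. <a href> is skipped: navigating to http is not mixed content,
# only content pulled into the https page is.
mixed_content_urls() {
    awk -v q="'" '
    BEGIN {
        RS = "<"                                          # one tag per record
        re = "(src|href)=[\"" q "]http://[^\"" q "]+"     # http:// value, either quote style
    }
    {
        tag = tolower($0)
        if (tag !~ /^(img|script|link|iframe|source|video|audio|object|embed)[ \t\r\n>\/]/) next
        while (match(tag, re)) {
            url = substr($0, RSTART, RLENGTH)            # keep the original case of the URL
            sub("^[A-Za-z]+=[\"" q "]", "", url)         # drop the attribute name and quote
            print url
            tag = substr(tag, RSTART + RLENGTH)          # continue after this match
            $0  = substr($0, RSTART + RLENGTH)
        }
    }' "$1"
}

# Constructed sample page (not a real site) mixing relative, https and http resources.
write_sample_page() {
    cat > "$1" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://cdn.earth.com/site.css">
<script src="https://www.earth.com/js/app.js"></script>
</head><body>
<a href="http://earth.com/old-page">plain link, not mixed content</a>
<img src="/images/logo.png" alt="relative path, stays on https">
<IMG SRC='http://www.earth.com/images/banner.png'>
</body></html>
EOF
}

# Stand-alone run: `sh thisscript.sh run` scans the sample page; pass a real saved
# page to mixed_content_urls to scan your own site.
if [ "${1:-}" = "run" ]; then
    page=$(mktemp)
    write_sample_page "$page"
    echo "http:// subresources found:"
    mixed_content_urls "$page"
    rm -f "$page"
fi
```

On the sample page the stylesheet and the banner image are reported, the https script and the relative logo path are not, and the http link is ignored because following a link is navigation rather than content loaded into the secure page.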

Clean Up

Some CSRs may be re-used to renew the signed SSL certificate. However, most CAs will ask for a new CSR as part of their renewal process even when the original could be reused. Note that re-using a CSR also means re-using the private key; generating a fresh key and CSR at each renewal limits the damage from an undetected key compromise.

Check with your CA to see how their CSR renewal process works. If a new CSR is required, to avoid confusion it is best to delete the old CSR once everything is proven to be working,

...

[Thu Jan 26 19:13:25 2012] [warn] RSA server certificate CommonName (CN) `www.domain.com' does NOT match server name!?

Check which virtual host you enabled and what its ServerName is: mod_ssl compares the certificate's CN against the ServerName of the SSL virtual host, so if the SSL site is enabled with the name www.domain.com-ssl instead of just the virtual host, it is matching www.domain.com-ssl against the common name www.domain.com.

...


References

https://help.ubuntu.com/10.04/serverguide/C/httpd.html#https-configuration - trying this one first.

...