
I understand the overall process but not the details. Going to document the entire process.

Select SSL Certificate

SSL Shopper provides a great overview of the different types of SSL certificates available, with their various pros and cons. If you are still unsure, try using the SSL Shopper Wizard to guide you to the right choice.

SSL Process

Generate Server Keys

Clarify with Shawn: where the keys are generated is not important, right? It is for IHS but not for Apache. Also, what about randomizing like in this Entrust example? Is it no longer needed?

Generate server keys for the Certificate Signing Request (CSR).

cd ~
mkdir private
sudo chmod 700 ./private
cd private
openssl genrsa -aes256 -out server.key 2048

The command reads:

  • genrsa - generate an RSA (asymmetric) key pair
  • -aes256 - protect the RSA private key with a passphrase, using AES-256 in CBC mode (symmetric encryption)
  • 2048 - make the RSA key 2048 bits long

As of May 2011, most of the examples, including the Apache 2.2 documentation, use des3 and 1024. This was to accommodate older browsers. The standard has since changed to AES-256-CBC and 2048-bit keys. Some CAs will no longer accept 1024-bit keys.

Because we do not want to enter a passphrase every time the web server is restarted, remove the passphrase from the key file:

openssl rsa -in server.key -out server.key.insecure

Finally, generate the CSR, which will be submitted to the CA:

openssl req -new -key server.key.insecure -out server.csr

The CSR file will be used by the CA to issue the Web Server's certificate.

According to Entrust, the CSR should be in Base64 (PEM) encoded format.
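The key and CSR steps above, as an added example that is not part of the original page: a non-interactive version of the same openssl commands (the passphrase and subject fields are constructed placeholders passed as arguments, and the script works in a scratch directory instead of ~/private), followed by the checks worth running before the CSR goes to the CA: that the key really is 2048 bits, that the CSR carries the intended common name, that the CSR's public key belongs to our private key, and that the CSR's self-signature verifies. It assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the openssl CLI is
# installed. Passphrase and subject values are constructed placeholders.
set -eu

# make_csr DIR CN PASS: create an AES-256 protected 2048-bit RSA key in DIR,
# strip the passphrase for unattended restarts, and build the CSR for CN.
make_csr() {
    dir=$1; cn=$2; pass=$3
    mkdir -p "$dir"
    chmod 700 "$dir"                     # only the owner may enter the directory
    # Same as "openssl genrsa -aes256 -out server.key 2048" on the page, but the
    # passphrase comes from an argument so the script can run unattended.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
    # Passphrase-free copy for the web server; keep it readable by its owner only.
    openssl rsa -in "$dir/server.key" -passin "pass:$pass" \
        -out "$dir/server.key.insecure" 2>/dev/null
    chmod 600 "$dir/server.key" "$dir/server.key.insecure"
    # -subj answers the interactive prompts; CN must be the site's hostname.
    openssl req -new -key "$dir/server.key.insecure" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$cn" -out "$dir/server.csr"
}

# key_bits DIR: report the size of the passphrase-free key in bits.
key_bits() {
    openssl rsa -in "$1/server.key.insecure" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# csr_cn DIR: extract the common name the CSR actually carries (what the CA sees).
csr_cn() {
    openssl req -in "$1/server.csr" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_matches_key DIR: the CSR's public key must be the one derived from our
# private key, otherwise the CA issues a certificate the server cannot use.
csr_matches_key() {
    k=$(openssl rsa -in "$1/server.key.insecure" -noout -modulus 2>/dev/null)
    c=$(openssl req -in "$1/server.csr" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# csr_signature_ok DIR: a CSR is self-signed with the private key; a corrupted
# or tampered file fails this check.
csr_signature_ok() {
    openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1
}

# Stand-alone run: use a scratch directory rather than ~/private.
main() {
    work=$(mktemp -d)
    make_csr "$work" "www.example.com" "constructed-passphrase"
    echo "key bits: $(key_bits "$work")"
    echo "CSR CN:   $(csr_cn "$work")"
    csr_matches_key "$work" && echo "CSR public key matches server.key.insecure"
    csr_signature_ok "$work" && echo "CSR self-signature verifies"
    echo "files in $work:"
    ls -l "$work"
}

main
```

The modulus comparison is the check that catches the most common mistake in practice: generating a fresh key after the CSR was already submitted, which leaves you with a certificate that does not pair with the key the server loads.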

Submit Public Key to CA

...

Download and Store Keys

...

Apache Setup

First, enable the module in Apache:

sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!

Modify the Apache configuration (see http://www.startssl.com/?app=21).

It is not possible to run multiple SSL-enabled virtual hosts on a server with only one IP address. A separate IP address or port is necessary for each SSL-enabled domain. There are newer modules that provide this functionality, but as of May 2011 they are not yet widely supported by browsers.

References

https://help.ubuntu.com/10.04/serverguide/C/httpd.html#https-configuration - trying this one first.

http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-reference/cha.apache2.html#sec.apache2.ssl - quickly read and seems to be a good read.

http://www.entrust.net/ssl-technical/webserver.cfm - Entrust provides some decent docs.

http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1304737120524+28353475&threadId=1398455 - good explanation about what is actually happening with the openssl genrsa command.

http://forums.freebsd.org/showthread.php?t=6490 - straight to the point list of commands.

http://allben.net/post/2009/02/01/SSL-Certificate-for-WWW-and-no-WWW.aspx - discussion on www or no www in common name while generating CSR.

http://jasoncodes.com/posts/startssl-free-ssl - complete tutorial, the notes look good and clear.

http://www.ehow.com/how_7811607_create-verified-ssl-certificate.html - alright, I should comment on this one.
