
This is unfamiliar territory for me so comments on how this article can be made more clear are appreciated.

Select SSL Certificate

SSL Shopper provides a great overview of the different types of SSL certificates available with their various pros and cons. If you are still unsure, try using the SSL Shopper Wizard to guide you to the right choice.

SSL Process

Generate Server Private Key

A server private key must be generated before the Certificate Signing Request (CSR) can be created.

There are two options for generating the keys,

  1. Without Passphrase Encryption
  2. With Passphrase Encryption

Because passphrase encryption requires an administrator's intervention, the current standard is to not use passphrase encryption and instead rely on the file system to protect the keys.

We will continue with the BonsaiFramework example and create an SSL certificate for https://www.earth.com and http://earth.com.

Without Passphrase Encryption

This is the generally accepted method of generating the key,

su bhitch # Use a sudo enabled account.
cd ~
mkdir private
sudo chmod 700 ./private
cd private
openssl genrsa -out www.earth.com_server.key 2048

The openssl command reads,

  • 2048 - make the RSA private key 2048 bit

Notice the creation of the private directory. It is very important that only the proper administrators have access to the private key.

The next step is to generate the CSR.

With Passphrase Encryption

If a passphrase is used, it will need to be entered whenever the service using the certificate is started.

The private directory is not necessary here, but it is created to follow the same convention as above.

su bhitch # Use a sudo enabled account.
cd ~
mkdir private
sudo chmod 700 ./private
cd private
openssl genrsa -aes256 -out www.earth.com_server.key 2048

The openssl command reads,

  • genrsa - generate an RSA private key
  • aes256 - protect the RSA key with a passphrase, using AES-256 in CBC mode (symmetric encryption)
  • 2048 - make the RSA private key 2048 bit

As of May 2011, most examples, including the Apache 2.2 documentation, use des3 and 1024. This was to accommodate older browsers. The standard has since changed to AES-256-CBC and 2048. Some CAs will no longer accept 1024-bit keys.

Because we do not want to enter a password every time the web server is restarted, remove the password from the key file,

openssl rsa -in www.earth.com_server.key -out www.earth.com_server.key.insecure

The next step is to generate the CSR.

Generate the CSR

Generate the CSR which will be submitted to the CA,

openssl req -new -key www.earth.com_server.key -out www.earth.com_server.csr

You will be prompted to enter information about the certificate. The values should reflect your organization.

A not so obvious prompt is Common Name (eg, YOUR Name). This value should not be your name; it should be the base domain name of your website. In our example, it would be earth.com. We prefer using the www in our domain name, so we use www.earth.com.

Some CAs, such as StartSSL, always include the base domain in the Subject Alternative Name extension together with the chosen common name, so both www.earth.com and earth.com will have SSL support.


Prompts from Running openssl req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Planet Earth Incorporated
Organizational Unit Name (eg, section) []:Earth Defence
Common Name (eg, YOUR name) []:www.earth.com
Email Address []:admin@earth.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The CSR file will be used by the CA to issue the Web Server's certificate.

According to Entrust, the CSR should be in Base64 (PEM) encoded format.
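The key and CSR steps above are interactive. The script below is an added example, not part of the original page, that does the same thing non-interactively: it creates the unencrypted 2048-bit key with mode 0600 from the moment the file exists, writes a request configuration whose DN answers match the prompts shown above, asks for both www.earth.com and earth.com in the Subject Alternative Name extension so the request itself carries both names rather than relying on the CA to add the bare domain, and then checks the result the way a CA will see it. WORKDIR (a temporary directory standing in for ~/private), the config file name and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive key + CSR for
# www.earth.com / earth.com, followed by the checks worth running before the
# CSR is submitted. WORKDIR, the .cnf file name and function names are
# constructed for this example; the DN values are the ones from the page.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="www.earth.com"
BASE_DOMAIN="earth.com"
KEY="$WORKDIR/${DOMAIN}_server.key"
CSR="$WORKDIR/${DOMAIN}_server.csr"
CONF="$WORKDIR/${DOMAIN}_csr.cnf"

# Generate the key inside a subshell with umask 077: the file is created as
# mode 0600 and never passes through a world-readable state.
gen_key() {
    ( umask 077 && openssl genrsa -out "$KEY" 2048 2>/dev/null )
}

# Modulus size in bits, taken from the "Private-Key: (N bit ...)" line.
key_bits() {
    openssl rsa -in "$KEY" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Permission bits of the key file; anything but 600 is a configuration error.
key_mode() {
    stat -c '%a' "$KEY" 2>/dev/null || stat -f '%Lp' "$KEY"
}

# Request configuration: prompt=no makes "openssl req" read the DN from the
# [dn] section, and req_extensions adds the SAN with both host names.
write_conf() {
    cat > "$CONF" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
C = CA
ST = Ontario
L = Toronto
O = The Planet Earth Incorporated
OU = Earth Defence
CN = $DOMAIN
emailAddress = admin@$BASE_DOMAIN

[ v3_req ]
subjectAltName = DNS:$DOMAIN, DNS:$BASE_DOMAIN
EOF
}

gen_csr() {
    write_conf
    openssl req -new -key "$KEY" -out "$CSR" -config "$CONF" 2>/dev/null
}

# The SAN line exactly as the CA will parse it out of the request.
csr_san() {
    openssl req -in "$CSR" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# The CSR must carry the public half of *our* private key; compare the two
# SubjectPublicKeyInfo blocks byte for byte.
keys_match() {
    [ "$(openssl pkey -in "$KEY" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null)" ]
}

gen_key
gen_csr
echo "key: $KEY ($(key_bits) bit, mode $(key_mode))"
echo "csr: $CSR"
echo "SAN: $(csr_san)"
if keys_match; then
    echo "CSR public key matches the private key"
else
    echo "CSR does not match the private key" >&2
    exit 1
fi
```

Running it prints the key size, the file mode and the SAN line; the same CSR can still be inspected by hand with `openssl req -in www.earth.com_server.csr -noout -text` before it is pasted into the CA's form.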

Submit Public Key to CA

The CSR file is submitted to the CA. Every CA will have a slightly different procedure.

Add the exact steps for StartSSL here as a reference.

This step also includes various CA-specific procedures to prove your identity. You may also be prompted for a host name underneath your domain. If you want to use both https://www.earth.com and https://earth.com then make sure both are listed here.

Download and Store Keys

The CA will use your public key in the CSR to sign (need details here).

Download Certificate

Following this example using StartSSL we are provided an email and follow instructions to retrieve the certificate through their web interface,

Toolbox, Retrieve Certificate, select your certificate. The result is a webpage where you must copy and paste the Certificate text data into a text file.

The text file should be saved under the domain name with the .crt extension; it is your public key signed by that CA. In this example, it will be earth.com_server.crt.

Download CA Certificates

You also need the CA's certificates.

Toolbox, StartCom CA Certificates: Download "StartCom Root CA (PEM encoded)"

It is recommended to rename the ca.pem file to StartSSL_Root_CA.pem.

Download Intermediate Certificates

In some cases you will also need the intermediate certificates.

Toolbox, StartCom CA Certificates: Download "Class 1 Intermediate Server CA"

Change the default sub.class1.server.ca.pem file to StartSSL_Sub_Class1_CA.pem.

Store Certificates in Protected Area

In Ubuntu, the default location for SSL certificates,

/etc/ssl/private/ # Only viewable by root and a good location for the private keys
/etc/ssl/certs/ # Location for the

Store the CA certificates in the publicly viewable folder,

sudo mv *.pem /etc/ssl/certs
sudo mv *.crt /etc/ssl/certs

Store the private key into the protected folder,

sudo mv www.earth.com_server.key /etc/ssl/private

You may delete the CSR,

rm www.earth.com_server.csr
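Before the files above are wired into Apache it is worth checking two things: that the downloaded certificate really belongs to the private key that made the CSR, and that it chains to the root through the intermediate (which is why the "Download Intermediate Certificates" step exists). The StartSSL files are not available offline, so this added example, not part of the original page, builds a throwaway root CA and intermediate of its own to stand in for StartSSL_Root_CA.pem and StartSSL_Sub_Class1_CA.pem, signs a server certificate for www.earth.com with them, and then runs the same two checks you would run on the real earth.com_server.crt. WORKDIR, the CA names, the 30-day validity and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Constructed root and intermediate
# CAs stand in for the StartSSL files so the checks can run offline; the file
# names follow the page so the commands transfer to the real certificates.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# Extension profiles: CA certificates need CA:TRUE + keyCertSign, the server
# certificate is an end-entity cert that names both host names.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.earth.com,DNS:earth.com\n' > server.ext

# Key and CSR in one step; -nodes leaves the key unencrypted, as the page does.
new_request() {  # $1 = base file name, $2 = subject
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" 2>/dev/null
}

build_chain() {
    # Root: self-signed, with CA extensions (stand-in for StartSSL_Root_CA.pem)
    new_request root "/CN=Constructed Root CA"
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
        -extfile ca.ext -out StartSSL_Root_CA.pem 2>/dev/null
    # Intermediate: signed by the root (stand-in for StartSSL_Sub_Class1_CA.pem)
    new_request sub "/CN=Constructed Class 1 Intermediate CA"
    openssl x509 -req -in sub.csr -CA StartSSL_Root_CA.pem -CAkey root.key \
        -CAcreateserial -days 30 -extfile ca.ext \
        -out StartSSL_Sub_Class1_CA.pem 2>/dev/null
    # Server certificate: what the CA hands back for our CSR
    new_request www.earth.com_server "/C=CA/O=The Planet Earth Incorporated/CN=www.earth.com"
    openssl x509 -req -in www.earth.com_server.csr -CA StartSSL_Sub_Class1_CA.pem \
        -CAkey sub.key -CAcreateserial -days 30 -extfile server.ext \
        -out earth.com_server.crt 2>/dev/null
}

# Check 1: the public key inside the certificate is the public half of our key.
cert_matches_key() {
    [ "$(openssl x509 -in earth.com_server.crt -noout -pubkey)" = \
      "$(openssl pkey -in www.earth.com_server.key -pubout)" ]
}

# Check 2: the certificate validates against the root when the intermediate
# is supplied as an untrusted (i.e. must-itself-be-verified) link.
chain_verifies() {
    openssl verify -CAfile StartSSL_Root_CA.pem \
        -untrusted StartSSL_Sub_Class1_CA.pem earth.com_server.crt 2>&1 \
        | grep -q ': OK$'
}

# The same check without the intermediate. This is what a client sees when
# the server does not send the intermediate and the client cannot find it.
chain_verifies_without_intermediate() {
    openssl verify -CAfile StartSSL_Root_CA.pem earth.com_server.crt 2>&1 \
        | grep -q ': OK$'
}

build_chain
if cert_matches_key; then echo "certificate matches private key"; fi
if chain_verifies; then echo "chain verifies with the intermediate"; fi
if chain_verifies_without_intermediate; then
    echo "chain unexpectedly verifies without the intermediate"
else
    echo "chain does NOT verify without the intermediate (expected)"
fi
```

Against the real files, only the two check functions are needed: point `-CAfile` at StartSSL_Root_CA.pem, `-untrusted` at StartSSL_Sub_Class1_CA.pem, and compare `openssl x509 -pubkey` of earth.com_server.crt with `openssl pkey -pubout` of the key in /etc/ssl/private.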

Next, Apache needs to be set up.

Apache Setup

First enable the module in Apache,

sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!

Modify the Apache configuration.

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        ServerName www.myrapham.com
        ServerAlias myrapham.com

        # Enforce www in front of url.
        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^www\.myrapham\.com$ [NC]
        RewriteRule (.*) http://www.myrapham.com$1 [R,L]

        DocumentRoot /home/www.myrapham.com/www
        <Directory />
                # This prevents use of .htaccess
                AllowOverride None
        </Directory>

        ErrorLog /var/log/apache2/www.myrapham.com.error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/www.myrapham.com.access.log combined

        # Mount application on Tomcat
        JkMount /wiki/* tomcat_confluence_a_worker
        JkMount /wiki tomcat_confluence_a_worker

        <Location /wiki/>
                FilterDeclare filter_string_replace
                FilterProvider filter_string_replace SUBSTITUTE resp=Content-Type $text/html
                Substitute "s/www.breakitdown.ca/www.myrapham.com/ni"
                Substitute "s/Break It Down/www.myrapham.com/n"
                FilterChain filter_string_replace
                Redirect permanent /wiki/dashboard.action http://www.myrapham.com/wiki/display/myra/Home
                Redirect permanent /wiki/display/myrahouse/Home http://www.myrapham.com/wiki/display/myra/Home
        </Location>

</VirtualHost>
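The virtual host above serves port 80 only. The following is an added example, not from the original page, of the matching port 443 host for Apache 2.2 using the files stored in the previous section: the signed certificate and the key go in their own directives, and the intermediate goes in SSLCertificateChainFile so clients receive the full chain. The DocumentRoot and log file names are assumed to mirror the port 80 host and are not from the page.

```apache
<VirtualHost *:443>
        ServerAdmin webmaster@localhost

        ServerName www.earth.com
        ServerAlias earth.com

        SSLEngine on
        # Signed certificate returned by the CA (public, /etc/ssl/certs)
        SSLCertificateFile /etc/ssl/certs/earth.com_server.crt
        # Private key that produced the CSR (root-only, /etc/ssl/private)
        SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.key
        # Intermediate certificate, sent to clients so they can chain
        # the server certificate up to the StartSSL root they already trust
        SSLCertificateChainFile /etc/ssl/certs/StartSSL_Sub_Class1_CA.pem

        # Assumed to mirror the port 80 host; not from the original page
        DocumentRoot /home/www.earth.com/www
        <Directory />
                AllowOverride None
        </Directory>

        ErrorLog /var/log/apache2/www.earth.com.ssl.error.log
        LogLevel warn
        CustomLog /var/log/apache2/www.earth.com.ssl.access.log combined
</VirtualHost>
```

Save it under /etc/apache2/sites-available (the file name is your choice), enable it with `sudo a2ensite`, and run `sudo apache2ctl configtest` before the restart so that a wrong path to one of the three files shows up as a configuration error rather than as a dead site. Apache only reads the key at startup, so the 0600, root-owned key in /etc/ssl/private is fine even though the worker processes drop privileges.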

http://www.startssl.com/?app=21

It is not possible to run multiple SSL-enabled virtual hosts on a server with only one IP address. A separate IP address or port is necessary for each SSL-enabled domain. There are newer modules that provide this functionality, but as of May 2011 they are not yet widely supported by browsers.

References

https://help.ubuntu.com/10.04/serverguide/C/httpd.html#https-configuration - trying this one first.

http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-reference/cha.apache2.html#sec.apache2.ssl - quickly read and seems to be a good read.

http://www.entrust.net/ssl-technical/webserver.cfm - Entrust provides some decent docs.

http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1304737120524+28353475&threadId=1398455 - good explanation about what is actually happening with the openssl genrsa command.

http://forums.freebsd.org/showthread.php?t=6490 - straight to the point list of commands.

http://allben.net/post/2009/02/01/SSL-Certificate-for-WWW-and-no-WWW.aspx - discussion on www or no www in common name while generating CSR.

http://jasoncodes.com/posts/startssl-free-ssl - complete tutorial, the notes look good and clear.

http://www.ehow.com/how_7811607_create-verified-ssl-certificate.html - alright, I should comment on this one.
