Tierra Innovation

Easy Guide to SSL Certs

Often, I find that I have to reference an old HTML document I created explaining how to set up SSL certs for HTTPS. I thought I would convert those notes into something a bit more useful in an effort to help others out. We usually don’t set up many SSL certs for web sites, so it’s always good to have a refresher course.

Pre-Setup:

1.) Generate a certificate signing request (CSR) and private key – cd into /etc/httpd/conf/ and run the following command to generate a CSR (Certificate Signing Request) and private key. The private key file will be named {domainname}.key and the CSR will be {domainname}.csr.

# -nodes writes the private key unencrypted (so Apache can start without a passphrase prompt);
# keep the resulting .key file readable by root only.
openssl req -new -nodes -keyout {domainname}.key -out {domainname}.csr

You will now be asked to enter the details that go into your CSR. What you are about to enter is what is called a Distinguished Name, or DN. Some fields have a default value; if you enter ‘.’, the field will be left blank.

-----

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: New York
Locality Name (eg, city) []: New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: {companyname}
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: www.{domainname}.com[1]
Email Address []: {emailaddress}

Please enter the following ‘extra’ attributes to be sent with your certificate request:[2]

A challenge password []:
An optional company name []:

[1] NOTE: The certificate will NOT match non-www records. You’ll need to make sure to redirect all non-www requests over to the www host, or buy a wildcard certificate, which will work for any *.{domainname} instance.
[2] NOTE: Please find out whether the CI (Certificate Issuing Company) wants the certificate request password protected. Most DO NOT. If they do NOT want it password protected, hit ENTER and leave the fields BLANK.

-----

Your CSR has now been created. Open {domainname}.csr in a text editor and copy and paste its contents into the online enrollment form when requested.
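Footnote [1] above is worth making concrete. The following is an added example, not code from the original post: a small Python implementation of the hostname-matching rule that browsers apply to a certificate’s Common Name and Subject Alternative Names (RFC 6125), run against a www-only certificate and a wildcard certificate. The names under example.com are constructed sample data. It shows that a certificate issued to www.{domainname}.com does not cover the bare domain, and also that a wildcard *.{domainname}.com covers exactly one extra label: it covers shop.{domainname}.com but neither the bare domain nor a.b.{domainname}.com, so the non-www redirect is still needed even with a wildcard.

```python
"""Hostname matching as browsers apply it to a certificate's CN / SAN names.

Added example, not part of the original post.  The domain 'example.com'
and the host list below are constructed sample data.
"""


def _match_one(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname.

    Rules (RFC 6125, section 6.4.3):
      * comparison is case-insensitive;
      * a wildcard is only honoured as the complete left-most label;
      * the wildcard stands in for exactly one label, so it never
        matches the bare parent domain or a deeper sub-sub-domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*.rest.of.name" is acceptable: partial or mid-name wildcards are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    if len(h_labels) != len(p_labels):
        return False                        # '*' covers one label, no more, no fewer
    return h_labels[1:] == p_labels[1:]


def cert_matches(cert_names, hostname: str) -> bool:
    """True if any CN/SAN entry in cert_names covers hostname."""
    return any(_match_one(name, hostname) for name in cert_names)


def coverage_report(cert_names, hostnames):
    """Return {hostname: covered?} so the gaps are visible at a glance."""
    return {host: cert_matches(cert_names, host) for host in hostnames}


if __name__ == "__main__":
    # Constructed sample data: a www-only certificate and a wildcard certificate.
    www_only = ["www.example.com"]
    wildcard = ["*.example.com"]
    hosts = ["www.example.com", "example.com", "shop.example.com", "a.b.example.com"]
    for label, names in (("www-only", www_only), ("wildcard", wildcard)):
        print(label, coverage_report(names, hosts))
```

Run it and compare the two dictionaries: the www-only certificate covers only www.example.com, and the wildcard adds shop.example.com but still leaves example.com uncovered, which is exactly the case the redirect in footnote [1] has to handle.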

2.) Forward the .csr file you have generated to the CI (certificate issuing company). They will email you the new certificate. They will also email you a CA certificate; this tells the client’s browser that the CI is valid. You should rename that CA file to ca-{domainname}.crt, and the private key needs to be moved into the ssl.key folder, which is located at:

/etc/httpd/conf/ssl.key/

You will want to copy the private key that was generated with the certificate request in step #1 to:

/etc/httpd/conf/ssl.crt/

You will want to copy the ca file that was sent from the CI to:

/etc/httpd/conf/ssl.crt/

See the config below for how this should look.

Server Configuration:

1.) Set up an IP-based host – this means the server responds on a unique IP address that is not configured for any site except the one the certificate will be used for (port 443):

<VirtualHost 12.34.56.78:443>

2.) Add the following lines to the Apache conf for that site, directly under the specified ServerName:

<VirtualHost 12.34.56.78:443>
    ServerName www.{domainname}.com

    SSLEngine on
    # Protocol and cipher selection: "all" and "+eNULL" permit every protocol OpenSSL
    # offers, including unencrypted (null-cipher) suites.
    SSLProtocol all
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    # Server certificate from the CI and the private key generated in Pre-Setup step #1
    SSLCertificateFile /etc/httpd/conf/ssl.crt/{domainname}.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/{domainname}.key
    # The CI's CA certificate. Note: SSLCACertificateFile is what mod_ssl uses to verify
    # client certificates; to send the CI's intermediate to browsers use SSLCertificateChainFile.
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-{domainname}.crt

    <Files ~ "\.(cgi|shtml)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/home/httpd/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <Directory /var/www/html/{domainname}>
        SSLOptions +StdEnvVars
        Options FollowSymLinks Indexes ExecCGI
        AllowOverride None
    </Directory>

    RewriteEngine On
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/{domainname}
</VirtualHost>
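The SSLProtocol and SSLCipherSuite lines in the VirtualHost above are very permissive: SSLProtocol all admits SSLv2 and SSLv3, and the cipher string explicitly adds the LOW, EXP, SSLv2 and eNULL (unencrypted) groups. As an added example, not part of the original post, here is a small Python checker that scans a VirtualHost fragment for those two directives, reports which legacy protocols and weak cipher groups are actually left enabled (honouring the ! and - removal prefixes of OpenSSL cipher strings), and rewrites the flagged lines with hardened values. SAMPLE_CONF is a constructed copy of the post’s lines, the expansion of "all" follows what a 2010-era Apache 2.2 with SSLv2-capable OpenSSL did, and the HARDENED values are this example’s own choice (the TLSv1.3 keyword needs Apache 2.4.37 or newer); adapt both to the Apache and OpenSSL versions you run.

```python
"""Static check for weak mod_ssl directives in an Apache VirtualHost.

Added example, not part of the original post.  Assumptions: SAMPLE_CONF
is a constructed copy of the post's lines with an example domain; "all"
is expanded the way a 2010-era Apache 2.2 + OpenSSL did (SSLv2 included);
the HARDENED values are this example's choice (TLSv1.3 needs Apache
2.4.37 or newer).
"""

# Constructed sample: the post's own SSL lines, with an example domain.
SAMPLE_CONF = """\
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
"""

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
# OpenSSL cipher-string groups that must not be enabled on a public site.
WEAK_CIPHER_TOKENS = {"eNULL", "aNULL", "ADH", "EXP", "EXPORT", "LOW", "SSLv2", "RC4"}

HARDENED = {
    "SSLProtocol": "TLSv1.2 TLSv1.3",
    "SSLCipherSuite": "HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!MD5:!3DES",
}


def parse_directives(conf_text):
    """Yield (directive, value) pairs, skipping blanks, comments and <tags>."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def enabled_protocols(value):
    """Expand an SSLProtocol value into the set of protocols left enabled."""
    enabled, removed = set(), set()
    for tok in value.split():
        if tok.startswith("-"):
            removed.add(tok[1:])
        elif tok.startswith("+"):
            enabled.add(tok[1:])
        elif tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        else:
            enabled.add(tok)
    return enabled - removed


def enabled_cipher_tokens(cipher_string):
    """Return the weak groups that stay enabled ('!' and '-' remove a group)."""
    found = set()
    for group in cipher_string.split(":"):
        if group[:1] in ("!", "-"):
            continue
        # 'RC4+RSA' is the intersection of two groups; either name counts as enabled.
        for token in group.lstrip("+").split("+"):
            if token in WEAK_CIPHER_TOKENS:
                found.add(token)
    return found


def audit(conf_text):
    """Return [(directive, problem, suggested_value)] for each weak directive."""
    findings = []
    for directive, value in parse_directives(conf_text):
        if directive == "SSLProtocol":
            legacy = enabled_protocols(value) & LEGACY_PROTOCOLS
            if legacy:
                findings.append((directive, "enables " + ", ".join(sorted(legacy)),
                                 HARDENED[directive]))
        elif directive == "SSLCipherSuite":
            weak = enabled_cipher_tokens(value)
            if weak:
                findings.append((directive, "enables " + ", ".join(sorted(weak)),
                                 HARDENED[directive]))
    return findings


def harden(conf_text):
    """Return conf_text with every flagged directive replaced by its hardened value."""
    flagged = {directive for directive, _, _ in audit(conf_text)}
    out = []
    for line in conf_text.splitlines():
        words = line.split(None, 1)
        if words and words[0] in flagged:
            indent = line[: len(line) - len(line.lstrip())]
            out.append(f"{indent}{words[0]} {HARDENED[words[0]]}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for directive, problem, suggestion in audit(SAMPLE_CONF):
        print(f"{directive}: {problem}; suggested: {suggestion}")
    print(harden(SAMPLE_CONF))
```

audit() gives the before picture (what is enabled and why) and harden() the after, so the two can be diffed before the VirtualHost is edited; SSLHonorCipherOrder and chain handling are outside what this small check looks at.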

Restarting Apache

You must completely stop and start Apache for the certificate settings to take effect:

sudo /usr/sbin/apachectl stop
sudo /usr/sbin/apachectl start

If you restart the server, for some reason, Apache won’t sever “all” connections, so it is advised that you stop and start.

Other Notes

Keep in mind that your locations for installing the certs and the path to apachectl may be completely different from what we have listed here. Find your locations and amend this document to best fit your needs.

Copyright © 2010 Tierra Innovation, Inc.