M at 23:34, 19 February 2021

2021-02-19T23:34:55Z

← Older revision		Revision as of 23:34, 19 February 2021
Line 20:		Line 20:
	You can back this cert up, but honestly it's only good for a year and more often it ends up of not much reuse value.		You can back this cert up, but honestly it's only good for a year and more often it ends up of not much reuse value.
	I try to stick with wimpy-windows firefox, and sometimes the key is cached and reworks.		I try to stick with wimpy-windows firefox, and sometimes the key is cached and reworks.
	~~The last one I saved, I had used a password of "borlando" but not even sure where that was set. Whatever.~~

	3) From the Control Panel, validate each domain through the Validation wizard. Requires email confirmation with webmaster@____		3) From the Control Panel, validate each domain through the Validation wizard. Requires email confirmation with webmaster@____

M at 01:28, 17 January 2017

2017-01-17T01:28:21Z

← Older revision		Revision as of 01:28, 17 January 2017
Line 1:		Line 1:
	NOTE: THIS IS NOW DEPRECATED, see [[SSL certificate instructions]] instead.		NOTE: THIS IS NOW DEPRECATED, see [[SSL certificate instructions]] instead.
	Browser support for StartCom was dropped in 2017 after they were acquired by Chinese WoSign.		Browser support for StartCom was dropped in 2017 after they were acquired by Chinese WoSign.
	---
			----------

	I am using free certificates from StartCom, http://startssl.com/		I am using free certificates from StartCom, http://startssl.com/

M: Created page with "NOTE: THIS IS NOW DEPRECATED, see SSL certificate instructions instead. Browser support for StartCom was dropped in 2017 after they were acquired by Chinese WoSign. --- I..."

2017-01-17T01:28:02Z

Created page with "NOTE: THIS IS NOW DEPRECATED, see SSL certificate instructions instead. Browser support for StartCom was dropped in 2017 after they were acquired by Chinese WoSign. --- I..."

New page

NOTE: THIS IS NOW DEPRECATED, see [[SSL certificate instructions]] instead.
Browser support for StartCom was dropped in 2017 after they were acquired by Chinese WoSign.
---

I am using free certificates from StartCom, http://startssl.com/
They have a 1-year validity and therefore require annual renewal.

INSTRUCTIONS
------------
1) browse to https://www.startssl.com
2) click on Control Panel, Authenticate
If the browser does not already have a valid certificate to identify you (from a previous session),
you will not be authenticated. To get a new certificate to identify you:
Click Sign-up and re-enter details.
Use webmaster@thedigitalmachine.com (or other valid domain).
You'll get a code to verify email, use it.
Then, you might have to wait to get the browser certificate.
You will receive a link and a passcode; click the link and enter the passcode and a cert will be installed in the browser.
You can back this cert up, but honestly it's only good for a year and more often it ends up of not much reuse value.
I try to stick with wimpy-windows firefox, and sometimes the key is cached and reworks.
The last one I saved, I had used a password of "borlando" but not even sure where that was set. Whatever.

3) From the Control Panel, validate each domain through the Validation wizard. Requires email confirmation with webmaster@____
Do domain name validations for these four base domain names:
x ssl.thedigitalmachine.com
x ssl.thedigitalage.org
x ssl.abettersoftware.com
x ssl.bitpost.com

4) Create web server SSL/TLS Certificates
It's easy enough to let startssl generate the keys (but do it locally if you have time? see below)...
pw = (see private.txt)
keysize = high (4096)
algo = SHA1 (Default)
generate private...
save as ~m/config/StartCom/(site)/(year, eg 2014-)/ssl.withpassword.key
create no-password key with: openssl rsa -in ssl.withpassword.key -out ssl.key
wait for email re: approval, then get ssl.crt from toolbox, save to same place
x ssl.abettersoftware.com
x ssl.bitpost.com
x ssl.thedigitalmachine.com
x ssl.thedigitalage.org
Put new ones here (eg): /home/m/config/StartCom/bitpost.com/2014-/
Ideally we'd make them readable ONLY by apache, but I am keeping a backup in git, so use:
sudo chmod -R 770 *

5) Update apache to use new certs
a) stop apache
b) move existing certs in /home/m/config/StartCom/(domain)/ out to (eg) (domain)/2013-/... (this may not be needed if a copy is already there)
c) move new certs from (eg) /2014-/... up one dir to the base (where apache is looking)
d) restart apache and make sure it's happy (watch startup warnings, browse to each site)

NOTE here is what Apache needs:
SSLCertificateFile /home/m/config/StartCom/bitpost.com/ssl.crt
SSLCertificateKeyFile /home/m/config/StartCom/bitpost.com/server.key
SSLCertificateChainFile /home/m/config/StartCom/sub.class1.server.ca.pem
SSLCACertificateFile /home/m/config/StartCom/ca.pem.crt

MORE NOTES
----------

ALL 4 DOMAINS ARE NOW SYNCED for renewal in AUGUST/SEPT, try to remember dude
of course any new domains are going to be out of sync, pita, cest la vie

here, we store common docs:

browser_cert_install_first.p12
the browser cert that lets you log in to https://startssl.com

ca.pem.crt
sub.class1.server.ca.pem
the official certs for StartCom level 1
you can get these from Control Panel->Tool Box->StartCom CA certificates

GENERATING YOUR OWN KEYS
------------------------
Note that you can generate your own keys.
Generally not worth it tho, I trust StartCom, and you have to give them the key anyway.
Plus, all the extra info you add to the key is discarded by StartCom since it's an unvalidated owner (ie free).
But for completeness, here's old notes on how to do it... (should it still be des3??)

server.key generated with:

openssl genrsa -des3 -out server.key 2048

CSR generated as follows:

---
m@thedigitalmachine ~/config/StartCom/abettersoftware.com $ openssl req -new -key server.key -out server.csrEnter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NC
Locality Name (eg, city) []:Raleigh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A better Software
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Michael Behrns-Miller
Email Address []:noreply@abettersoftware.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
---

then that gets pasted into StartCom form under the Certificates Wizard on the control panel
note from the form:
All content of the certificate signing request is ignored except its public key.

StartCom - Revision history

M at 23:34, 19 February 2021

M at 01:28, 17 January 2017

M: Created page with "NOTE: THIS IS NOW DEPRECATED, see SSL certificate instructions instead. Browser support for StartCom was dropped in 2017 after they were acquired by Chinese WoSign. --- I..."