I am using free certificates from [https://letsencrypt.org/getting-started/ Let's Encrypt]
(Apache walkthrough: https://certbot.eff.org/#ubuntutyakkety-apache).

NOTE: Through 2016, I used [[StartCom]], http://startssl.com/.  The notes below are the StartCom procedure.
StartCom certificates have a 1-year validity and therefore require annual renewal.


INSTRUCTIONS
------------

1) Browse to https://www.startssl.com

2) Click on Control Panel, Authenticate.

      If the browser does not already have a valid certificate to identify you (from a previous session),
      you will not be authenticated.  To get a new certificate to identify you:

            Click Sign-up and re-enter details.
            You'll get a code to verify email; use it.
            Then, you might have to wait to get the browser certificate.
            You will receive a link and a passcode; click the link and enter the passcode and a cert will be installed in the browser.
            You can back this cert up, but honestly it's only good for a year, and more often than not it ends up having little reuse value.
            I try to stick with wimpy-windows Firefox, and sometimes the key is cached and works again.
            The last one I saved, I had used a password of "borlando", but I'm not even sure where that was set.  Whatever.

3) From the Control Panel, validate each domain through the Validation wizard.  Requires email confirmation with webmaster@____

        Do domain name validations for these four base domain names:

          x ssl.thedigitalmachine.com
          x ssl.thedigitalage.org
          x ssl.abettersoftware.com
          x ssl.bitpost.com

4) Create web server SSL/TLS Certificates

   It's easy enough to let StartSSL generate the keys (but do it locally if you have time; see GENERATING YOUR OWN KEYS below.
   If the wizard generates the key, their server has held your private key)...

            pw = (see private.txt)
            keysize = high (4096)
            algo = SHA1 (Default)
                NOTE: SHA-1 certificate signatures are rejected by current browsers; pick SHA-256 if the wizard offers it.
            generate private...
            save as ~m/config/StartCom/(site)/(year, eg 2014-)/ssl.withpassword.key
            create no-password key with: openssl rsa -in ssl.withpassword.key -out ssl.key
                (ssl.key is the sensitive file: anyone who can read it can impersonate the site.)
            wait for email re: approval, then get ssl.crt from toolbox, save to same place

          x ssl.abettersoftware.com
          x ssl.bitpost.com
          x ssl.thedigitalmachine.com
          x ssl.thedigitalage.org

   Put new ones here (eg): /home/m/config/StartCom/bitpost.com/2014-/

   Ideally we'd make them readable ONLY by apache, but I am keeping a backup in git, so use:

           sudo chmod -R 770 *

   NOTE: 770 leaves the private key readable by every member of the group and sets the execute bit on plain files.
   The safer setting is 0600 on ssl.key (0644 on ssl.crt is fine; the cert is public), and a git backup of the
   unencrypted key only makes sense if the repo is private and never pushed anywhere you don't control.

5) Update apache to use new certs

   a) stop apache
   b) move existing certs in /home/m/config/StartCom/(domain)/ out to (eg) (domain)/2013-/... (this may not be needed if a copy is already there)
   c) move new certs from (eg) /2014-/... up one dir to the base (where apache is looking)
   d) restart apache and make sure it's happy (watch startup warnings, browse to each site)

   NOTE here is what Apache needs:

    SSLCertificateFile /home/m/config/StartCom/bitpost.com/ssl.crt
    SSLCertificateKeyFile /home/m/config/StartCom/bitpost.com/server.key
    SSLCertificateChainFile /home/m/config/StartCom/sub.class1.server.ca.pem
    SSLCACertificateFile /home/m/config/StartCom/ca.pem.crt

   Check the key filename: step 4 saves the no-password key as ssl.key, but this config reads server.key, so
   rename the file or fix the directive before restarting, and run "apachectl configtest" first so a typo
   doesn't take all four sites down.  (SSLCACertificateFile is only consulted for client-certificate
   verification; the chain the server sends comes from SSLCertificateChainFile.)


MORE NOTES
----------

ALL 4 DOMAINS ARE NOW SYNCED for renewal in AUGUST/SEPT, try to remember dude
of course any new domains are going to be out of sync, pita, c'est la vie

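The checks a practitioner wants before step 5's "restart apache and make sure it's happy", plus a machine-checkable version of the renewal reminder above, as an added example (this script is not part of the original notes). It assumes the layout the notes describe (ssl.key and ssl.crt in a dated directory, server.key in the directory Apache reads); every path passed to it is a placeholder. It needs openssl; cert_days_left additionally needs GNU date, the rest is POSIX.

```shell
#!/bin/sh
# Added example, not from the original notes: pre-flight checks for a renewed
# StartCom cert before Apache is restarted, and an expiry check for the
# "try to remember" problem.  All paths are placeholders.
set -eu

# Return 0 if the private key and the certificate carry the same public key.
# Comparing the SubjectPublicKeyInfo PEM works for RSA and EC keys alike.
# KEY_PASS may hold the passphrase of an encrypted key; ssl.key has none.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin "pass:${KEY_PASS:-}" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 if the leaf cert (1) chains to the CA cert (2), via the optional
# intermediate (3), i.e. sub.class1.server.ca.pem in the notes.
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Return 0 if the cert expires within N days (portable: openssl does the date math).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print whole days until notAfter (negative once expired).  GNU date only.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_s=$(date -d "$end" +%s)
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Copy the new pair from the dated dir (1) into the dir Apache reads (2),
# under the names the SSLCertificate* directives use, key readable by owner only.
install_cert() {
    src="$1"; dest="$2"
    key_matches_cert "$src/ssl.key" "$src/ssl.crt" || { echo "key/cert mismatch in $src" >&2; return 1; }
    install -d -m 0750 "$dest"
    install -m 0644 "$src/ssl.crt" "$dest/ssl.crt"
    install -m 0600 "$src/ssl.key" "$dest/server.key"
}

# Usage: sh renew-check.sh /home/m/config/StartCom/bitpost.com/2014- /home/m/config/StartCom/bitpost.com
# then:  apachectl configtest && apachectl graceful
if [ $# -eq 2 ]; then
    install_cert "$1" "$2"
    if cert_expires_within "$2/ssl.crt" 30; then echo "WARNING: $2/ssl.crt expires within 30 days" >&2; fi
fi
```

Running cert_expires_within against each site's ssl.crt from cron (exit status 0 means "renew now") replaces remembering August/September by hand, and it keeps working for domains that are out of sync with the other four.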
here, we store common docs:

    browser_cert_install_first.p12
        the browser cert that lets you log in to https://startssl.com

    ca.pem.crt
    sub.class1.server.ca.pem
        the official certs for StartCom level 1
        you can get these from Control Panel->Tool Box->StartCom CA certificates


GENERATING YOUR OWN KEYS
------------------------

Note that you can generate your own keys.

Generally not worth it tho, I trust StartCom.  (One correction to the old reasoning here: you do NOT have to
give them the private key.  The CSR carries only the public key; it is letting the wizard generate the key
that hands them the private half.  That is the real argument for doing it locally.)

Plus, all the extra info you add to the CSR is discarded by StartCom since it's an unvalidated owner (ie free).

But for completeness, here's old notes on how to do it... (should it still be des3??  No: -des3 is legacy
Triple-DES; use -aes256 to encrypt the key file.)

server.key generated with:

openssl genrsa -des3 -out server.key 2048

CSR generated as follows:

---
m@thedigitalmachine ~/config/StartCom/abettersoftware.com $ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NC
Locality Name (eg, city) []:Raleigh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A better Software
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Michael Behrns-Miller

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
---

then that gets pasted into StartCom form under the Certificates Wizard on the control panel

note from the form:

    All content of the certificate signing request is ignored except its public key.

(Which is why a person's name in Common Name did no harm here.  For a CA that does honour the CSR, put the
hostname in CN and list every hostname in a subjectAltName extension; browsers match on SAN, not CN.)
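The same key-and-CSR procedure done non-interactively, as an added example that is not part of the original notes: it answers the des3 question (AES-256 for the passphrase-protected key), signs the request with SHA-256, keeps the DN from the session above, and adds the hostnames as a subjectAltName for a CA that, unlike StartCom, honours the CSR. It also extracts the one thing StartCom did keep, the public key, so you can confirm the CSR you paste belongs to the key you hold. All file names and hostnames are placeholders; it needs only openssl and mktemp.

```shell
#!/bin/sh
# Added example, not from the original notes.  Hostnames, file names and the
# KEY_PASS environment variable are placeholders.
set -eu

# Passphrase-protected RSA key; AES-256 replaces the legacy -des3.  $3 is the size.
gen_key() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" "$3"
    chmod 600 "$1"
}

# Password-less copy for Apache, which cannot type a passphrase at boot.
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3"
    chmod 600 "$3"
}

# gen_csr KEY PASS OUT CN [EXTRA_HOST...]: DN as in the notes; CN and every
# extra host also go into subjectAltName.  A throwaway config is used instead
# of -addext so this works on OpenSSL 1.0.x as well.
gen_csr() {
    key="$1"; pass="$2"; out="$3"; cn="$4"; shift 4
    san="DNS:$cn"
    for h in "$@"; do san="$san,DNS:$h"; done
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
ST = NC
L = Raleigh
O = A better Software
CN = $cn
[ext]
subjectAltName = $san
EOF
    openssl req -new -sha256 -key "$key" -passin "pass:$pass" -config "$cfg" -out "$out"
    rm -f "$cfg"
}

# Self-signature check: the CSR was signed by the key whose public half it carries.
csr_verify() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

csr_subject() { openssl req -in "$1" -noout -subject; }

# The SAN list exactly as the CA will read it, comma-separated, no spaces.
csr_sans() { openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '; }

# SHA-256 over the DER public key: the only part of the CSR StartCom kept.
csr_pubkey_fp() {
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.*= //'
}
key_pubkey_fp() {
    openssl pkey -in "$1" -passin "pass:$2" -pubout -outform DER | openssl dgst -sha256 | sed 's/.*= //'
}

# Usage: KEY_PASS=... sh make-csr.sh ssl.bitpost.com www.bitpost.com
# writes server.withpassword.key, server.key and server.csr in the current dir.
if [ $# -ge 1 ]; then
    pw="${KEY_PASS:?set KEY_PASS in the environment}"
    gen_key server.withpassword.key "$pw" 4096
    strip_passphrase server.withpassword.key "$pw" server.key
    gen_csr server.key "" server.csr "$@"
    csr_verify server.csr && csr_subject server.csr && csr_sans server.csr
    echo "public key fingerprint: $(csr_pubkey_fp server.csr)"
fi
```

Compare the printed fingerprint with key_pubkey_fp on the key file before pasting the CSR into a CA's form; a mismatch means you are about to get a certificate for a key Apache will never load.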