SSL certificate instructions

From Bitpost wiki

This page keeps two revisions: the earlier StartCom procedure first, then the latest revision (Let's Encrypt) below it.

PREVIOUS REVISION (StartCom)
----------------------------

I am using free certificates from StartCom, http://startssl.com/
They have a 1-year validity and therefore require annual renewal.

INSTRUCTIONS
------------
1) browse to https://www.startssl.com
2) click on Control Panel, Authenticate
      If the browser does not already have a valid certificate to identify you (from a previous session),
      you will not be authenticated.  To get a new certificate to identify you:
            Click Sign-up and re-enter details.
            Use webmaster@thedigitalmachine.com (or other valid domain).
            You'll get a code to verify email, use it.
            Then, you might have to wait to get the browser certificate.
            You will receive a link and a passcode; click the link and enter the passcode and a cert will be installed in the browser.
            You can back this cert up, but honestly it's only good for a year and more often than not it ends up of little reuse value.
            I try to stick with wimpy-windows firefox, and sometimes the key is cached and reworks.
            The last one I saved, I had used a password of "borlando" but not even sure where that was set.  Whatever.

3) From the Control Panel, validate each domain through the Validation wizard.  Requires email confirmation with webmaster@____
        Do domain name validations for these four base domain names:
          x ssl.thedigitalmachine.com
          x ssl.thedigitalage.org
          x ssl.abettersoftware.com
          x ssl.bitpost.com

4) Create web server SSL/TLS Certificates
  It's easy enough to let startssl generate the keys (but do it locally if you have time?  see below)...
            pw = (see private.txt)
            keysize = high (4096)
            algo = SHA1 (Default)
            generate private...
            save as ~m/config/StartCom/(site)/(year, eg 2014-)/ssl.withpassword.key
            create no-password key with: openssl rsa -in ssl.withpassword.key -out ssl.key
            wait for email re: approval, then get ssl.crt from toolbox, save to same place
          x ssl.abettersoftware.com
          x ssl.bitpost.com
          x ssl.thedigitalmachine.com
          x ssl.thedigitalage.org
  Put new ones here (eg): /home/m/config/StartCom/bitpost.com/2014-/
  Ideally we'd make them readable ONLY by apache, but I am keeping a backup in git, so use:
          sudo chmod -R 770 *

5) Update apache to use new certs
  a) stop apache
  b) move existing certs in /home/m/config/StartCom/(domain)/ out to (eg) (domain)/2013-/... (this may not be needed if a copy is already there)
  c) move new certs from (eg) /2014-/... up one dir to the base (where apache is looking)
  d) restart apache and make sure it's happy (watch startup warnings, browse to each site)

  NOTE here is what Apache needs:
    SSLCertificateFile /home/m/config/StartCom/bitpost.com/ssl.crt
    SSLCertificateKeyFile /home/m/config/StartCom/bitpost.com/server.key
    SSLCertificateChainFile /home/m/config/StartCom/sub.class1.server.ca.pem
    SSLCACertificateFile /home/m/config/StartCom/ca.pem.crt

MORE NOTES
----------

ALL 4 DOMAINS ARE NOW SYNCED for renewal in AUGUST/SEPT, try to remember dude
of course any new domains are going to be out of sync, PITA, c'est la vie

here, we store common docs:

    browser_cert_install_first.p12
        the browser cert that lets you log in to https://startssl.com

    ca.pem.crt
    sub.class1.server.ca.pem
        the official certs for StartCom level 1
        you can get these from Control Panel->Tool Box->StartCom CA certificates


GENERATING YOUR OWN KEYS
------------------------
Note that you can generate your own keys.
Generally not worth it though; I trust StartCom, and you have to give them the key anyway.
Plus, all the extra info you put in the signing request is discarded by StartCom since it's an unvalidated owner (ie free).
But for completeness, here's old notes on how to do it... (should it still be des3??)

server.key generated with:

openssl genrsa -des3 -out server.key 2048

CSR generated as follows:

---
m@thedigitalmachine ~/config/StartCom/abettersoftware.com $ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NC
Locality Name (eg, city) []:Raleigh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A better Software
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Michael Behrns-Miller
Email Address []:noreply@abettersoftware.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
---

then that gets pasted into the StartCom form under the Certificates Wizard on the control panel
note from the form:
    All content of the certificate signing request is ignored except its public key.

Latest revision as of 17:09, 28 January 2017

I am using free certificates from Let's Encrypt (https://letsencrypt.org/getting-started/). Their certbot app does all the heavy lifting, nice. Details:

m@case:~/development/config/bitpost/etc/letsencrypt$ cat README 

INSTALL ON GENTOO

   emerge -av app-crypt/certbot app-crypt/certbot-apache

INSTALL INITIAL CERTS INTO APACHE ON GENTOO

   certbot --apache
   (pick base urls of all configurations found)
   (certbot generates certs in /etc/letsencrypt/archive/....)
   (certbot sets up symlinks in /etc/letsencrypt/live/#HOSTNAME#/*.pem)
   (certbot updates apache ssl configs to point there)
   emacs the config file and break out chain:

RENEW ALL CERTS

   # NOTE this runs once a month in crontab
   ~/development/scripts/gentoo/bitpost/root/renew_ssl_certs_as_needed.sh

UPGRADE ALL CERTS TO 4096

(haven't done this yet, may impact performance a bit)

   certbot renew --force-renewal --rsa-key-size 4096

NOTE Through 2016, I used StartCom.
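The checks below are an added example, not the wiki's own script (the monthly renew_ssl_certs_as_needed.sh is not shown on the page) and not certbot's code. They cover both the StartCom step 5 file set (ssl.crt, server.key, sub.class1.server.ca.pem, ca.pem.crt) and a Let's Encrypt live directory: run before restarting Apache or after a renew to confirm the key belongs to the cert, the chain verifies, the cert is outside certbot's 30-day window, and to see which hosts still carry a 2048-bit key and so still need the 4096 re-issue. Only the openssl CLI is assumed; the Gentoo CA bundle path in the usage comment is an assumption.

```shell
# Added example (not from the wiki, not certbot's code): sanity-check one
# certificate set before Apache is pointed at it. Needs only the openssl CLI.
#   StartCom layout:      ssl.crt  server.key  ca.pem.crt  sub.class1.server.ca.pem
#   Let's Encrypt layout: /etc/letsencrypt/live/HOST/{cert,privkey,chain}.pem

# 0 if the private key's public half equals the one in the certificate.
# Comparing the SPKI PEM text works for RSA and EC keys alike.
key_matches_cert() {  # key cert
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the leaf chains up to the root, through the intermediate when given
# (StartCom: root=ca.pem.crt, intermediate=sub.class1.server.ca.pem).
chain_ok() {  # cert root [intermediate]
    if [ -n "${3-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# 0 if the certificate expires within N days (certbot's renewal window is 30).
expires_within() {  # days cert
    ! openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# Size in bits of the certificate's public key (2048, 4096, ...).
key_bits() {  # cert
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# One verdict line per check; returns 0 only if the set is safe to deploy.
check_set() {  # cert key root [intermediate]
    rc=0
    key_matches_cert "$2" "$1" && echo "key matches cert" || { echo "KEY MISMATCH"; rc=1; }
    chain_ok "$1" "$3" "${4-}" && echo "chain verifies" || { echo "CHAIN DOES NOT VERIFY"; rc=1; }
    if expires_within 30 "$1"; then echo "EXPIRES WITHIN 30 DAYS"; rc=1; else echo "expiry ok"; fi
    echo "public key is $(key_bits "$1") bit"
    return $rc
}

# Usage with the wiki's paths (the CA bundle path is an assumption for Gentoo):
#   S=/home/m/config/StartCom; L=/etc/letsencrypt/live/HOSTNAME
#   check_set $S/bitpost.com/ssl.crt $S/bitpost.com/server.key $S/ca.pem.crt $S/sub.class1.server.ca.pem
#   check_set $L/cert.pem $L/privkey.pem /etc/ssl/certs/ca-certificates.crt $L/chain.pem
```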