SSL certificate instructions

From Bitpost wiki
Revision as of 19:42, 1 September 2014 by M

I am using free certificates from StartCom, http://startssl.com/. They have a 1-year validity and therefore require annual renewal.

INSTRUCTIONS


1) browse to https://www.startssl.com

2) click on Control Panel, Authenticate

     If the browser does not already have a valid certificate to identify you (from a previous session),
     you will not be authenticated.  To get a new certificate to identify you:
           Click Sign-up and re-enter details.
           Use webmaster@thedigitalmachine.com (or other valid domain).
           You'll get a code to verify email, use it.
           Then, you might have to wait to get the browser certificate.
           You will receive a link and a passcode; click the link and enter the passcode and a cert will be installed in the browser.
           You can back this cert up, but honestly it's only good for a year and more often than not it ends up having little reuse value.
           I try to stick with wimpy-windows firefox, and sometimes the key is cached and reworks.
           The last one I saved, I had used a password of "borlando" but not even sure where that was set.  Whatever.

3) From the Control Panel, validate each domain through the Validation wizard. This requires email confirmation to webmaster@____

       Do domain name validations for these four base domain names:
         x ssl.thedigitalmachine.com
         x ssl.thedigitalage.org
         x ssl.abettersoftware.com
         x ssl.bitpost.com

4) Create web server SSL/TLS Certificates

  It's easy enough to let StartSSL generate the keys (but generate them locally if you have time; see below)...
           pw = (see private.txt)
           keysize = high (4096)
           algo = SHA1 (Default)
           generate private...
           save as ~m/config/StartCom/(site)/(year, eg 2014-)/ssl.withpassword.key
           create no-password key with: openssl rsa -in ssl.withpassword.key -out ssl.key
           wait for email re: approval, then get ssl.crt from toolbox, save to same place
         x ssl.abettersoftware.com
         x ssl.bitpost.com
         x ssl.thedigitalmachine.com
         x ssl.thedigitalage.org
  Put new ones here (eg): /home/m/config/StartCom/bitpost.com/2014-/
  Ideally we'd make them readable ONLY by apache, but I am keeping a backup in git, so use:
          sudo chmod -R 770 *

5) Update apache to use new certs

  a) stop apache
  b) move existing certs in /home/m/config/StartCom/(domain)/ out to (eg) (domain)/2013-/... (this may not be needed if a copy is already there)
  c) move new certs from (eg) /2014-/... up one dir to the base (where apache is looking)
  d) restart apache and make sure it's happy (watch startup warnings, browse to each site)
  NOTE: here is what Apache needs:
   SSLCertificateFile /home/m/config/StartCom/bitpost.com/ssl.crt
   SSLCertificateKeyFile /home/m/config/StartCom/bitpost.com/server.key
   SSLCertificateChainFile /home/m/config/StartCom/sub.class1.server.ca.pem
   SSLCACertificateFile /home/m/config/StartCom/ca.pem.crt
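Before step 5d, it is worth checking the files Apache will load rather than discovering a problem in the startup warnings. The script below is an added example, not part of the wiki page or of StartCom's tooling: it assumes only a POSIX shell and the openssl CLI, builds a constructed throwaway CA and server certificate (stand-ins for ca.pem.crt and the issued ssl.crt) so that it runs offline, and then runs six checks on a cert/key pair: the key is the one the cert was issued for (step 4 above writes ssl.key while the Apache config points at server.key, exactly the kind of mix-up this catches), the key has no passphrase, the cert verifies against the CA file(s), more than 30 days of validity remain, the signature is SHA-2 rather than the wizard's "SHA1 (Default)" (SHA-1 certificates are rejected by current browsers), and the key is not accessible to "other". The function names, the 30-day threshold and the test CA are my choices, not the page's.

```shell
#!/bin/sh
# Added example, not from the wiki page: pre-flight checks for a new ssl.crt /
# ssl.key pair before "restart apache and make sure it's happy". Assumes a POSIX
# shell and the openssl CLI; the CA and leaf built below are constructed stand-ins.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so generation does not depend on the system openssl.cnf;
# -subj overrides the placeholder CN at each call.
cat >"$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed sample material: a self-signed test CA and a leaf it signs.
make_sample_pair() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -sha256 -days 365 -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem.crt" 2>/dev/null
  openssl genrsa -out "$WORK/ssl.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/ssl.key" \
    -subj "/CN=ssl.example.test" -out "$WORK/ssl.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ssl.csr" -CA "$WORK/ca.pem.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
    -out "$WORK/ssl.crt" 2>/dev/null
  chmod 600 "$WORK/ssl.key"
}

# 1. The key must be the one the certificate was issued for; comparing the
#    public keys catches "moved last year's key up with this year's crt".
key_matches_cert() {  # $1=cert $2=key
  crt_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)"
  key_pub="$(openssl pkey -in "$2" -pubout </dev/null 2>/dev/null)"
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# 2. Apache only starts unattended with a passphrase-free key (step 4's
#    "openssl rsa -in ssl.withpassword.key -out ssl.key"); encrypted PEM keys
#    carry an ENCRYPTED marker in both the legacy and the PKCS#8 form.
key_is_unencrypted() {  # $1=key
  ! grep -q ENCRYPTED "$1"
}

# 3. The certificate must verify against the CA files Apache is given
#    (SSLCACertificateFile, plus SSLCertificateChainFile as -untrusted).
chain_verifies() {  # $1=cert $2=root CA [$3=intermediate]
  if [ $# -ge 3 ]; then
    out="$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1)" || return 1
  else
    out="$(openssl verify -CAfile "$2" "$1" 2>&1)" || return 1
  fi
  case "$out" in *OK) return 0 ;; esac
  return 1
}

# 4. A StartCom cert lives one year; fail if fewer than N days remain.
not_expiring_within_days() {  # $1=cert $2=days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 5. The wizard's "SHA1 (Default)" is rejected by current browsers; require SHA-2.
signed_with_sha2() {  # $1=cert
  alg="$(openssl x509 -in "$1" -noout -text 2>/dev/null \
         | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)"
  case "$alg" in sha256*|sha384*|sha512*|ecdsa-with-SHA[235]*) return 0 ;; esac
  return 1
}

# 6. Whatever mode you settle on (the page uses 770), "other" must have no
#    access to the private key; ls -l's first ten columns are POSIX-stable.
key_not_world_accessible() {  # $1=key
  [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Run every check, print a one-line verdict each, return non-zero if any failed.
# Usage: preflight ssl.crt ssl.key ca.pem.crt [sub.class1.server.ca.pem]
preflight() {
  crt="$1"; key="$2"; ca="$3"; chain="${4:-}"; rc=0
  report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }
  report key_matches_cert "$crt" "$key"
  report key_is_unencrypted "$key"
  if [ -n "$chain" ]; then report chain_verifies "$crt" "$ca" "$chain"
  else report chain_verifies "$crt" "$ca"; fi
  report not_expiring_within_days "$crt" 30
  report signed_with_sha2 "$crt"
  report key_not_world_accessible "$key"
  return "$rc"
}

make_sample_pair
preflight "$WORK/ssl.crt" "$WORK/ssl.key" "$WORK/ca.pem.crt"
```

Against the real files from step 5 this would be run as preflight /home/m/config/StartCom/bitpost.com/ssl.crt /home/m/config/StartCom/bitpost.com/ssl.key /home/m/config/StartCom/ca.pem.crt /home/m/config/StartCom/sub.class1.server.ca.pem; the fourth argument is the intermediate, handed to openssl verify as -untrusted the same way Apache gets it through SSLCertificateChainFile.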


MORE NOTES


ALL 4 DOMAINS ARE NOW SYNCED for renewal in AUGUST/SEPT; try to remember, dude. Of course any new domains are going to be out of sync; PITA, c'est la vie.

Here (in the base StartCom config directory), we store common docs:

   browser_cert_install_first.p12
       the browser cert that lets you log in to https://startssl.com
   ca.pem.crt
   sub.class1.server.ca.pem
       the official StartCom Class 1 CA certs
       you can get these from Control Panel->Tool Box->StartCom CA certificates


GENERATING YOUR OWN KEYS


Note that you can generate your own keys. Generally not worth it though; I trust StartCom, and you have to give them the key anyway. Plus, all the extra info you add to the key is discarded by StartCom since it's an unvalidated owner (i.e. free). But for completeness, here are old notes on how to do it... (should it still be des3??)

server.key generated with:

openssl genrsa -des3 -out server.key 2048

CSR generated as follows:

--- m@thedigitalmachine ~/config/StartCom/abettersoftware.com $ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NC
Locality Name (eg, city) []:Raleigh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A better Software
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Michael Behrns-Miller
Email Address []:noreply@abettersoftware.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
---

Then that gets pasted into the StartCom form under the Certificates Wizard on the Control Panel. Note from the form:

   All content of the certificate signing request is ignored except its public key.
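The same CSR as in the transcript above can be produced without answering prompts, and checked before it is pasted into the wizard. The script below is an added example, not the wiki page's own notes: it assumes a POSIX shell and the openssl CLI, takes the Distinguished Name from a config file, uses -aes256 in place of the legacy -des3 the old notes asked about, and reads a constructed placeholder passphrase from a variable (in real use it would come from private.txt). The last function illustrates the form's own note: the only thing the CA keeps is the public key, so that is what is worth confirming against the server.key you will hand to Apache.

```shell
#!/bin/sh
# Added example, not from the wiki page: non-interactive CSR generation plus
# the checks worth running before pasting it into the CA's form. Assumes a
# POSIX shell and the openssl CLI; the passphrase is a constructed placeholder.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS="placeholder-passphrase"   # constructed; in real use read it from private.txt

# The Distinguished Name the transcript entered by hand, as a config section.
cat >"$WORK/csr.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C = US
ST = NC
L = Raleigh
O = A better Software
CN = Michael Behrns-Miller
emailAddress = noreply@abettersoftware.com
EOF

# Encrypted private key (the page's server.key) and the CSR signed with it;
# -aes256 stands in for the -des3 of the old notes.
make_csr() {
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/csr.cnf" -key "$WORK/server.key" \
    -passin "pass:$PASS" -out "$WORK/server.csr" 2>/dev/null
}

# A CSR is self-signed with the private key; -verify fails if the file was
# altered or was signed with a key other than the one it embeds.
csr_is_valid() {  # $1=csr
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# The subject as the CA will see it (for the human reader; StartCom discards it).
csr_subject() {  # $1=csr
  openssl req -in "$1" -noout -subject 2>/dev/null
}

# The one thing the CA keeps from the request is the public key; it must be
# the public half of the server.key that Apache will be given.
csr_pubkey_matches_key() {  # $1=csr $2=key
  csr_pub="$(openssl req -in "$1" -noout -pubkey 2>/dev/null)"
  key_pub="$(openssl pkey -in "$2" -passin "pass:$PASS" -pubout 2>/dev/null)"
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

make_csr
csr_is_valid "$WORK/server.csr"
csr_subject "$WORK/server.csr"
csr_pubkey_matches_key "$WORK/server.csr" "$WORK/server.key"
```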