Thread: SSL HowTo

  1. #1
    Join Date
    Mar 2003
    Location
    London
    Posts
    383

    SSL HowTo

    This information is from http://linsec.net/info/ssl-cert.html

    (If any links become out of date, please email me at webmaster [at] idologic [dot] com.)

    Simple SSL cert HOWTO

    You will need openssl.

    Make a new ssl private key:

    Generate a new unencrypted rsa private key in PEM format:
    openssl genrsa -out privkey.pem 1024

    You can create an encrypted key by adding the -des3 option.


    To make a self-signed certificate:

    Create a certificate signing request (CSR) using your rsa private key:
    openssl req -new -key privkey.pem -out certreq.csr

    ( This is also the type of CSR you would create to send to a root CA for them to sign for you. )

    Self-sign your CSR with your own private key:
    openssl x509 -req -in certreq.csr -signkey privkey.pem -out newcert.pem

    To make a certificate signed by your own certificate authority (CA):


    Configure /etc/ssl/openssl.cnf and use CA.pl to create the CA private key and certificate:
    vi /etc/ssl/openssl.cnf
    /usr/lib/ssl/misc/CA.pl -newca

    Your copy of openssl.cnf and CA.pl may be located elsewhere.


    Create an unsigned certificate using your rsa private key:
    openssl req -new -x509 -key privkey.pem -out cert.pem


    Use your private key and your certificate to make a CSR:
    cat cert.pem privkey.pem | openssl x509 -x509toreq -signkey privkey.pem -out certreq.csr


    Sign the certificate with the CA private key using the CSR you just made:
    openssl ca -in certreq.csr -out newcert.pem
    rm -f certreq.csr


    To install the signed certificate and private key for use by an ssl server:


    The newcert.pem is the certificate signed by your local CA that you can then use in an ssl server:
    ( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem
    ln -s server.pem `openssl x509 -hash -noout -in server.pem`.0 # dot-zero

    ( The server.pem is a PEM file that can be used by apache along with the hash file. )



    You can view the contents of a CSR with:

    openssl req -noout -text -in certreq.csr

    You can view the contents of a certificate with:

    openssl x509 -noout -text -in newcert.pem

    You can display the MD5 fingerprint of a certificate with:

    openssl x509 -fingerprint -noout -in newcert.pem

    You can verify that your private key, CSR, and signed cert match by comparing:

    openssl rsa -noout -modulus -in privkey.pem |openssl md5
    openssl req -noout -modulus -in certreq.csr |openssl md5
    openssl x509 -noout -modulus -in newcert.pem |openssl md5

    Other good links
    http://www.openssl.org/docs/HOWTO/certificates.txt
    http://www.openssl.org/docs/HOWTO/keys.txt
    http://www.sendmail.org/~ca/email/other/cagreg.html
    http://www.post1.com/home/ngps/m2/howto.ca.html


    Cheers

  2. #2
    Join Date
    Sep 2003
    Posts
    80

    Clown

    One doubt: is this text below true?

    You may only have one SSL domain per IP. However you may still have an unlimited number of non-ssl domains on an ip with an SSL domain.
    If so, I can't have all of my domains that are sharing an IP have their own SSL certificate, right? If so, is there a way to let them "share" it? I mean, if site1.com, site2.com and site3.com are hosted on IP 1.2.3.4, can I have https://site1.com, https://site2.com and https://site3.com at the same time?


    Thanks.




    PS: how to use mod_ssl tutorial (talks about Mac OS X but can be used on other *nix flavours, I think)

  3. #3
    Join Date
    Feb 2003
    Posts
    3,667
    Quote Originally Posted by rafa_n
    If so, I can't have all of my domains that are sharing IP have their own SSL certificate, right? If so, Is there a way to let them "share" it? I mean, if site1.com, site2.com and site3.com are hosted in IP 1.2.3.4, can I have https://site1.com, https://site2.com and https://site3.com at the same time?
    They would all have the same certificate, but it would cause errors because the domain name in the cert wouldn't be the same as the site. Though if you say "accept" then it will encrypt the connection (except for Macs with IE 5.1?)
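    A scripted version of the self-signed flow from post #1, ending with the key/CSR/cert modulus check that post describes and then showing the name mismatch described in the reply above. This is an added example, not part of the original thread; it assumes an openssl binary on PATH, the hostnames are constructed placeholders, and -subj, -days and "openssl verify -verify_hostname" are additions the post itself does not use.

```shell
#!/bin/sh
# Added example, not from the original post: scripts the self-signed flow
# from post #1 and its key/CSR/cert modulus check, then shows the name
# mismatch post #3 describes by checking the cert against two hostnames.
# Assumes an openssl binary on PATH. Hostnames are constructed placeholders.
# -subj, -days and "openssl verify -verify_hostname" are additions to the post.

# Generate key, CSR and self-signed cert for $1 in a scratch dir; print the dir.
make_selfsigned() {
    host="$1"
    dir=$(mktemp -d)
    # 2048 bits rather than the post's 1024 (assumption: current minimum).
    openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null
    # Non-interactive subject instead of answering the req prompts.
    openssl req -new -key "$dir/privkey.pem" -subj "/CN=$host" \
        -out "$dir/certreq.csr" 2>/dev/null
    # Self-sign the CSR with the same key, as in the post.
    openssl x509 -req -in "$dir/certreq.csr" -signkey "$dir/privkey.pem" \
        -days 30 -out "$dir/newcert.pem" 2>/dev/null
    echo "$dir"
}

# The post's consistency check: key, CSR and cert must carry the same modulus.
moduli_match() {
    k=$(openssl rsa  -noout -modulus -in "$1/privkey.pem" | openssl md5)
    r=$(openssl req  -noout -modulus -in "$1/certreq.csr" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$1/newcert.pem" | openssl md5)
    [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

# Does the cert in $1 pass chain and hostname verification for $2?
# Trusting the self-signed cert itself isolates the name check from trust.
hostname_ok() {
    openssl verify -CAfile "$1/newcert.pem" -verify_hostname "$2" \
        "$1/newcert.pem" >/dev/null 2>&1
}

# Demo: a cert issued for site1.com passes for site1.com, fails for site2.com.
main() {
    d=$(make_selfsigned site1.com)
    moduli_match "$d" && echo "key, CSR and cert moduli agree"
    hostname_ok "$d" site1.com && echo "site1.com: verified"
    hostname_ok "$d" site2.com || echo "site2.com: hostname mismatch"
    rm -rf "$d"
}
main
```

The mismatch on site2.com is exactly the browser warning the reply describes: the connection can still be encrypted, but the name in the certificate does not match the site.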

  4. #4
    Join Date
    Sep 2003
    Posts
    80

    Cyclopes

    Quote Originally Posted by idologic_dh
    (except for Macs with IE 5.1?)
    Agh! true. It doesn't encrypt :-(

    Well, thanks for the info. I did a cert for the shared IP but I'm having some problems. Gonna contact support ;-)

  5. #5
    Join Date
    Feb 2003
    Posts
    501
    I have an expired cert. Can I remove it myself or does that have to be done at root level?

  6. #6
    Join Date
    Apr 2003
    Location
    Kansas City, Missouri
    Posts
    914
    Quote Originally Posted by Steve
    I have an expired cert. Can I remove it myself or does that have to be done at root level?
    Just asking.
    Richard Greene
    www.KCServers.com

  7. #7
    Join Date
    Feb 2003
    Posts
    3,667
    Quote Originally Posted by Steve
    I have an expired cert. Can I remove it myself or does that have to be done at root level?
    If you're installing a new one over the expired one then it will take care of it. If you just want it removed, then let us know as I don't think DA or cPanel have that option.

  8. #8
    Join Date
    Apr 2003
    Location
    Kansas City, Missouri
    Posts
    914
    Quote Originally Posted by idologic_dh
    If you're installing a new one over the expired one then it will take care of it. If you just want it removed, then let us know as I don't think DA or cPanel have that option.
    Like he said... BUT, this part of cPanel is especially buggy towards Mozilla. That dang "Do it" button wouldn't work for me. The higher ups let me know that it's partial to IE.

    Me better now
    Richard Greene
    www.KCServers.com

  9. #9
    Join Date
    Feb 2003
    Posts
    501
    Weird, I couldn't get it to work in IE but it worked in (what was) Mozilla a few months ago.

  10. #10
    Join Date
    Apr 2003
    Location
    Kansas City, Missouri
    Posts
    914
    Quote Originally Posted by Steve
    Weird, I couldn't get it to work in IE but it worked in (what was) Mozilla a few months ago.
    Curious indeed.

    Just to clarify, it did work in Mozilla Firebird 1.01 and it could have been me all along... stranger things have happened.
    Richard Greene
    www.KCServers.com
