SSL (Secure Socket Layer) is a protocol for secure transmission of data over the Internet. SSL encrypts all data which is sent between the web browser and the web server, and by using digital keys you make sure that the data arrives safely to the recipient.
Recipe for ordering and use of SSL-certificates (Uninett)
UiO is authorized to issue certificates under the domain uio.no
- OpenSSL 0.9.X or newer
All instances of 'www.foo.uio.no' in the text should be replaced with the name/URL that the certificate should be for. In this regard we need the full domain name (FQDN), ex www.admin.uio.no or universitas.uio.no
Important: If you copy the contents from the CSR-file in windows after creating it on a *nix-computer, you must use Wordpad and not Notepad.
Start with creating the file www.foo.uio.no.cnf. A typical example would be:
[ req ] default_bits = 2048 prompt = no encrypt_key = no default_md = sha256 distinguished_name = dn utf8 = yes [ dn ] C = NO L = Oslo O = Universitetet i Oslo OU = USIT CN = www.foo.uio.no
In [req] you can set the default_bits to higher, but beware that some services are have problems with too high bitrates. 2048 is a safe choice.
Here you need to change OU and CN.
OU is Organizational Unit and CN is Common Name or domain name, 'www.foo.uio.no' in our example.
If you are ordering certificat for multiple DNS-names (aliases) we need to expand the .cnf-file:
[ req ] default_bits = 2048 prompt = no encrypt_key = no default_md = sha256 distinguished_name = dn utf8 = yes req_extensions = v3_req [ v3_req ] subjectAltName = @alt_names [ dn ] C = NO O = Universitetet i Oslo OU = USIT CN = www.foo.uio.no [alt_names] DNS.0 = www.foo.uio.no DNS.1 = foo.uio.no
Change OU and CN as the previous example. CN should be the same as DNS.0. in addition we have DNS.1 as an alias. if you need multiple alias' you add DNS.2, DNS.3 etc.
Then you create an RSA-key and a CSR (Certificate Signing Request) with OpenSSL. Save all files a place you can find again. You don't need to create the key and CSR on the same machine that the certificate is for.
maskin.uio.no# /local/bin/openssl req -new -config www.foo.uio.no.cnf -keyout www.foo.uio.no.key -out www.foo.uio.no.csr Generating a 2048 bit RSA private key ............+++ .+++ writing new private key to 'www.foo.uio.no.key' -----
Next we need to protect the private key. Choose a secure password and remember it. It can be changed later if you remember the old password. Take a backup of www.foo.uio.no.key.
maskin.uio.no# /local/bin/openssl rsa -in www.foo.uio.no.key -des3 -out www.foo.uio.no-enc.key writing RSA key Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
The encrypted key will be stored as www.foo.uio.no-enc.key.
You can view the key in cleartext with:
maskin.uio.no# /usr/bin/openssl rsa -noout -text -in www.foo.uio.no.key ...[bøttevis av output]
Do not save the private key in cleartext.
You should now reassure yourself that you have a proper backup of the private key.
To use the automated ordering form, there are some simplicities that have to be considered. It is only for multidomain, so no wildcard domains are posible, it has to be encrypted with sha256. If you need special certs you need to contact us at firstname.lastname@example.org
Then you send in the order
When the certificate is created it will be sent to you in an email — save it as www.foo.uio.no.crt.
Adding the certificate to the server
- The private key (should be password-protected): www.foo.uio.no.key
- The signed certificate: www.foo.uio.no.crt (recieved in the email)
- CA certificate (Certificate Chain in the email) DigiCertCA.pem
We recoment to run apache from RedHat, and the newest RHEL available to you. You can save the certificate files wherever you like, but it is neatest to put them in:
If you need to run RHEL5 and apache 2.2 from Store you move the files to:
(path-specified in the distributed httpd.conf). Then you run:
maskin.uio.no# ln -s /site/opt/apache2.2/conf/ssl.crt/www.foo.uio.no.crt /site/opt/apache2.2/conf/ssl.crt/server.crt maskin.uio.no# ln -s /site/opt/apache2.2/conf/ssl.key/www.foo.uio.no.key /site/opt/apache2.2/conf/ssl.key/server.key
...so Apache2.2 finds the files, to secure the files:
maskin.uio.no# chmod 440 /site/opt/apache2.2/conf/ssl.crt/www.foo.uio.no.crt maskin.uio.no# chmod 400 /site/opt/apache2.2/conf/ssl.key/www.foo.uio.no.key
The Certificate Chain file should be saved as DigiCertCA.pem in /site/opt/apache2.2/conf/ssl.crt/
If no SSL-config exist you need to copy the default config:
cp -i /local/opt/apache2.2/conf/extra/httpd-ssl.conf /site/opt/apache2.2/conf/
... and change the necessary values.
Important: if you use a certificate from UNINETT you must change SSLCACertificateFile to use the one from DigiCert:
Add this to /etc/httpd.conf:
ServerName www.foo.uio.no ErrorLog /site/opt/apache2.2/logs/ssl.error_log TransferLog /site/opt/apache2.2/logs/ssl.access_log
# Include local SSL-config (make sure the path is correct): Include /site/opt/apache2.2/conf/httpd-ssl.conf
Start the SSL-server:
maskin.uio.no# /local/etc/init.d/httpd start Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog) Some of your private key files are encrypted for sequrity resasons. IN order to read them you have to provide us with the pass phrase. Server www.foo.uio.no:443 (RSA) Enter pass phrase:
- Example CSR
- Years of validity for certificate
- How to change passphrase of private keys
- Check when the SSL-certificate is valid
The content of your CSR will look something like this:
-----BEGIN CERTIFICATE REQUEST----- MIIB1jCCAT8CAQAwgZUxCzAJBgNVBAYTAk5PMQ8wDQYDVQQIEwZOb3J3YXkxDTAL BgNVBAcTBE9zbG8xGzAZBgNVBAoTElVuaXZlcnNpdHkgb2cgT3NsbzENMAsGA1UE CxMEVVNJVDEUMBIGA1UEAxMLdGVzdC51aW8ubm8xJDAiBgkqhkiG9w0BCQEWFXdl Ym1hc3RlckB1c2l0LnVpby5ubzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA pLBeDow+X0ZfFrEnYPsljVmI45IZTakVpqqh/0JXNfffUA6JA/scbpBcOLtstgo6 XPK3AXvX9/dHbrMFkMB/MxQjZdANGz+IBTMjEhmrP/a0bBImMyGribMN021kln6S t8QJkFy0sXIRKFzGLAp19EnM0w5J9WthHaCZcSu8oScCAwEAAaAAMA0GCSqGSIb3 DQEBBAUAA4GBACnD/K+jihjIP6SKRUJa4Y7kdxyzh6ydV9ZOQFUKJsPTLmkeuIb2 7hHFStjnWjy7Zd4XratKb4MwO0k/7h+TyYTL+j6hoAPhqQA0/y2zndehx4bhUUNc KLhnBZIsg93/Iwt9bW9rJmrhLkjHAW0mRQa0y3O9jArQKFofE+k6bqxu -----END CERTIFICATE REQUEST-----
When you order, you have to send the whole content, from and including
----BEGIN... to and including
END CERTICATE REQUEST-----
Lifespan for a SSL-certificate is one, two or three years. You can choose this when you order.
You can change the passphrase like this:
maskin.uio.no# /local/bin/openssl rsa -des3 -in www.foo.uio.no.key -out www.foo.uio.no.key.new read RSA key Enter PEM pass phrase: writing PEM pass phrase: Verifying password - Enter PEM pass phrase: maskin.uio.no# mv www.foo.uio.no.key.new www.foo.uio.no.key
maskin.uio.no# /local/bin/openssl x509 -startdate -enddate -noout < www.foo.uio.no.crt notBefore=Apr 16 12:00:51 2007 GMT notAfter=Apr 18 16:23:16 2008 GMT