Changes between Initial Version and Version 1 of configure-mosh-x509


Timestamp: Aug 10, 2013, 2:50:41 PM
Author: Dana
[[TranslatedPages]]
[[PageOutline]]
== How to configure x509 on Moshes ==

1. Find out if a cert signing request exists.
   * a. login to the server and cd /etc/ssl
   * b. ls -l
   * c. look for servername.csr

      If it exists, remove it with 'rm SERVERNAME.mayfirst.org.csr' (we're going to create a new csr)

2. Get a new certificate
   * a. Generate a new csr (see instructions below)
        Create a temporary directory 'mkdir /etc/ssl/temp'
   * b. go to https://cheapssls.com
   * c. find the login info in keyringer - if it is configured, issue the command 'pass cheapssls'
   * d. login and go to My SSL Account >> My SSLs
   * e. If there are unassigned ssls, use one of those. If not, buy 5 PositiveSSL 5-year certs (currently $4.99 p/y, discounted if multiple certs are purchased)
     * i. Use keyringer again (if configured, run 'pass paypal' for the login info) for the paypal information needed to purchase the certificates.

3. Once certificates are purchased, go back to My SSL Account >> My SSLs
   * a. Click on "Activate" beside one of the SSLs
   * b. Paste in the csr from step 2.a., and use Apache2-openssl as the server type
   * c. https://support.mayfirst.org/wiki/ordering-cartel-x509-certificates
   * d. You will receive a validation email at hostmaster@mayfirst.org; validate it.
   * e. You will receive the certificate at hostmaster@mayfirst.org in a zip file.
   * f. save the zip locally, then on your local computer run 'scp /PATH/TO/SERVERNAME_mayfirst_org.zip root@SERVER_NAME.mayfirst.org:/etc/ssl/temp' to copy the zip file to the server.
   * g. on the server 'unzip /etc/ssl/temp/SERVERNAME_mayfirst_org.zip'
   * h. from /etc/ssl/temp on the host machine you can run 'cat PositiveSSLCA2.crt >> SERVERNAME_mayfirst_org.crt && mv SERVERNAME_mayfirst_org.crt ../SERVERNAME.mayfirst.org.crt.new'. This creates the correct certificate file for the /etc/ssl directory (the server certificate followed by the intermediate certificate). Apache needs both the primary and the intermediate certificate to serve ssl correctly.
   * i. next, from /etc/ssl/private do 'umask 177; cat SERVERNAME.mayfirst.org.key.$(date +%F) >> SERVERNAME.mayfirst.org.pem.new'
   * j. next, from /etc/ssl/private do 'cat ../SERVERNAME.mayfirst.org.crt.new >> SERVERNAME.mayfirst.org.pem.new; umask 133'
   * k. Make sure no files in the /etc/ssl/private directory are readable by the world (the .pem file now contains the private key).
   * l. from /etc/ssl do 'mv $(hostname).mayfirst.org.crt{,.old} && mv $(hostname).mayfirst.org.crt{.new,} && mv private/$(hostname).mayfirst.org.pem{,.old} && mv private/$(hostname).mayfirst.org.pem{.new,}'
   * m. restart apache with 'service apache2 restart'
     * i. Check that the certificate is working by going to https://SERVERNAME.mayfirst.org
   * n. restart courier-imap-ssl and courier-pop-ssl: 'service courier-imap-ssl restart && service courier-pop-ssl restart'
   * o. Remove any unnecessary files. Here's an example of the needed files on jones (with permissions):

    {{{
    0 jones:/etc/ssl# ls -l
    total 40
    drwxr-xr-x 2 root root     20480 Nov 15  2011 certs
    -rw-r--r-- 1 root root      3566 Aug  6 11:54 jones.mayfirst.org.crt
    -rw-r--r-- 1 root root      9495 May  9  2011 openssl.cnf
    drwx--x--- 2 root ssl-cert  4096 Aug  6 12:01 private

    0 jones:/etc/ssl# ls -l private/
    total 16
    -rw------- 1 root root     1675 Aug  6 11:37 jones.mayfirst.org.key.2013-08-06
    -rw------- 1 root ssl-cert 5241 Aug  6 11:53 jones.mayfirst.org.pem
    -rw-r----- 1 root ssl-cert  887 Jun  9  2008 ssl-cert-snakeoil.key
    0 jones:/etc/ssl#
    }}}

    === How to Remove Files ===
    * cd into the directory
    * rm the files in that directory

    === How to Remove a Directory ===
    * cd into the directory
    * rm the files in that directory
    * cd out of the directory
    * rmdir directory_name

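The file assembly in steps 3.h to 3.l written up as shell functions, together with the checks worth running before the swap. This is an added example, not part of the original page or of any MF/PL script; it assumes a POSIX shell with coreutils, and openssl only for cert_matches_key.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): the file assembly from
# steps 3.h-3.l as functions, plus the checks worth running before the swap.
# Assumes: POSIX sh + coreutils; openssl only for cert_matches_key.
set -eu

# Step 3.h: the server's certificate first, then the intermediate.
assemble_chain() {  # leaf.crt intermediate.crt out.crt
    cat "$1" "$2" > "$3"
}

# Steps 3.i-3.j: key followed by the chain, written under umask 177 so the
# file (which now holds the private key) is created as 0600.
assemble_pem() {  # key chain.crt out.pem
    ( umask 177; cat "$1" "$2" > "$3" )
}

# True when a file is mode -rw------- (what step 3.i's umask produces).
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Step 3.k: true only if no regular file under the directory is world-readable.
no_world_readable() {
    [ -z "$(find "$1" -type f -perm -004 -print)" ]
}

# Before swapping: the public key inside the new certificate must be the one
# derived from the private key, otherwise the service cannot load the pair.
cert_matches_key() {  # server.crt server.key
    crt_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null || true)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null || true)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Step 3.l: keep the current files as .old and move the .new ones into place.
swap_in() {  # /etc/ssl/HOST.crt /etc/ssl/private/HOST.pem
    mv "$1" "$1.old" && mv "$1.new" "$1"
    mv "$2" "$2.old" && mv "$2.new" "$2"
}
```

Run cert_matches_key and no_world_readable before swap_in; if either fails, the .new files can simply be deleted and nothing in service has changed.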
== Certs supplied by PositiveSSL ==
* AddTrustExternalCARoot.crt  <-- This is the CA (root) certificate (we rarely need it, and it can probably be deleted after the certificates are installed)
* PositiveSSLCA2.crt  <-- Intermediate certificate
* SERVERNAME_mayfirst_org.crt  <-- The server's primary certificate.

== Creating a new csr ==
1. from root@SERVERNAME.mayfirst.org:/etc/ssl/private look for SERVERNAME.mayfirst.org.key (ls -l)

    If it exists, remove it with 'rm SERVERNAME.mayfirst.org.key' <-- the key may have a .DATE extension (remove that key as well)

2. Create a new key in /etc/ssl/private with the command 'umask 177; certtool -p > SERVERNAME.mayfirst.org.key.$(date +%F)' <-- the umask here gives the key file the correct (owner-only) permissions.

3. Run the following command from /etc/ssl/private: 'umask 133; certtool --generate-request --load-privkey SERVER_NAME.mayfirst.org.key.$(date +%F)' (this prints the request that gets pasted in step 3.b above)
  * a. Enter the correct values for the signing request

== Questions asked by the 'certtool --generate-request' command ==
* Country name (2 chars): US
* Organization name: May First People Link
* Organizational unit name: Support
* Locality name: New York City
* State or province name: NY
* Common name: SERVER_NAME.mayfirst.org
* UID:
* Enter a dnsName of the subject of the certificate:
* Enter the IP address of the subject of the certificate:
* Enter a challenge password:
* Does the certificate belong to an authority? (y/N): N
* Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
* Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
* Is this a TLS web client certificate? (y/N): y
* Is this also a TLS web server certificate? (y/N): y
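The same answers given to certtool through a template file instead of the interactive prompts, so the key and csr steps are repeatable from one script. This is an added example, not from the original page; it assumes GnuTLS certtool is installed and the /etc/ssl layout described above. The dns_name line is an addition (the page leaves that prompt empty) so the request also carries the hostname as a subject alternative name.

```shell
#!/bin/sh
# Added example, not from the original wiki page: answer the certtool prompts
# listed above from a template file so the CSR is reproducible and scriptable.
# Assumes GnuTLS certtool is installed; the directory layout follows the page.
set -eu

# Write a GnuTLS certtool template with the values used on the page.
# Only the hostname differs between servers, so it is the one parameter.
write_csr_template() {  # hostname outfile
    cat > "$2" <<EOF
# generated for $1
organization = "May First People Link"
unit = "Support"
locality = "New York City"
state = "NY"
country = US
cn = "$1"
# assumption: the page leaves dnsName empty; set it so the CSR carries a SAN
dns_name = "$1"
# key usage answers from the page: not a CA (no 'ca' line), signing and
# encryption, TLS server and TLS client
tls_www_server
tls_www_client
signing_key
encryption_key
EOF
}

# Steps 2 and 3 of "Creating a new csr": a new key (umask 177 -> 0600) and a
# request made from it (umask 133 -> 0644), named after the host and the date.
make_key_and_csr() {  # hostname ssldir  -> prints the csr path
    host=$1; ssldir=$2; day=$(date +%F)
    key="$ssldir/private/$host.key.$day"
    ( umask 177; certtool -p > "$key" )
    tmpl=$(mktemp)
    write_csr_template "$host" "$tmpl"
    ( umask 133; certtool --generate-request --load-privkey "$key" \
        --template "$tmpl" > "$ssldir/$host.csr" )
    rm -f "$tmpl"
    echo "$ssldir/$host.csr"
}
```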