[[TranslatedPages]]
[[PageOutline]]
== How to configure x509 on Moshes ==

1. Find out if a certificate signing request already exists.
 * a. log in to the server and cd /etc/ssl
 * b. ls -l
 * c. look for the existing csr (SERVERNAME.mayfirst.org.csr)

If it exists, remove it with 'rm SERVERNAME.mayfirst.org.csr' (we're going to create a new csr)

2. Get a new certificate
 * a. Generate a new csr (see "Creating a new csr" below)
 Create a temporary directory: 'mkdir /etc/ssl/temp'
 * b. go to https://cheapssls.com
 * c. find the login info in keyringer - if configured, issue the command 'pass cheapssls'
 * d. log in and go to My SSL Account >> My SSLs
 * e. If there are unassigned SSLs, use one of those. If not, buy 5 PositiveSSL 5-year certs (currently $4.99 p/y, discounted if multiple certs are purchased)
   * i. Use keyringer again (if configured, run 'pass paypal' for login info) for the PayPal information needed to purchase the certificates.

3. Once the certificates are purchased, go back to My SSL Account >> My SSLs
 * a. Click on "Activate" beside one of the SSLs
 * b. Paste in the csr from step 2.a., using Apache2-openssl as the server type
 * c. See also https://support.mayfirst.org/wiki/ordering-cartel-x509-certificates
 * d. You will receive a validation email at hostmaster@mayfirst.org; validate it.
 * e. You will receive the certificate at hostmaster@mayfirst.org in a zip file.
 * f. Save the zip locally, then on your local computer run 'scp /PATH/TO/SERVERNAME_mayfirst_org.zip root@SERVER_NAME.mayfirst.org:/etc/ssl/temp' to copy the zip file to the server.
 * g. On the server: 'unzip /etc/ssl/temp/SERVERNAME_mayfirst_org.zip'
 * h. From /etc/ssl/temp on the host machine run 'cat PositiveSSLCA2.crt >> SERVERNAME_mayfirst_org.crt && mv SERVERNAME_mayfirst_org.crt ../SERVERNAME.mayfirst.org.crt.new'. This creates the correct certificate file for the /etc/ssl directory: the server certificate followed by the intermediate certificate. Apache needs both the primary and the intermediate certificate to serve ssl correctly.
 * i. Next, from /etc/ssl/private: 'umask 177; cat SERVERNAME.mayfirst.org.key.$(date +%F) >> SERVERNAME.mayfirst.org.pem.new'
 * j. Then, still in /etc/ssl/private: 'cat ../SERVERNAME.mayfirst.org.crt.new >> SERVERNAME.mayfirst.org.pem.new; umask 133'
 * k. Make sure no files in the /etc/ssl/private directory are readable by the world.
 * l. From /etc/ssl: 'mv $(hostname).mayfirst.org.crt{,.old} && mv $(hostname).mayfirst.org.crt{.new,} && mv private/$(hostname).mayfirst.org.pem{,.old} && mv private/$(hostname).mayfirst.org.pem{.new,}'
 * m. Restart apache with 'service apache2 restart'
   * i. Check that the certificate is working by going to https://SERVERNAME.mayfirst.org
 * n. Restart courier-imap-ssl and courier-pop-ssl: 'service courier-imap-ssl restart && service courier-pop-ssl restart'
 * o. Remove any unnecessary files. Here's an example of the needed files on jones (with permissions):

{{{
0 jones:/etc/ssl# ls -l
total 40
drwxr-xr-x 2 root root 20480 Nov 15 2011 certs
-rw-r--r-- 1 root root 3566 Aug 6 11:54 jones.mayfirst.org.crt
-rw-r--r-- 1 root root 9495 May 9 2011 openssl.cnf
drwx--x--- 2 root ssl-cert 4096 Aug 6 12:01 private

0 jones:/etc/ssl# ls -l private/
total 16
-rw------- 1 root root 1675 Aug 6 11:37 jones.mayfirst.org.key.2013-08-06
-rw------- 1 root ssl-cert 5241 Aug 6 11:53 jones.mayfirst.org.pem
-rw-r----- 1 root ssl-cert 887 Jun 9 2008 ssl-cert-snakeoil.key
0 jones:/etc/ssl#
}}}

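The assembly in steps h-j and the world-readable check in step k, as a small shell helper added here (it is not part of the wiki's procedure): the host name, directories and file names are parameters, and the PEM contents used when exercising it are constructed placeholders.

```shell
#!/bin/sh
# Added helper (not from the wiki): assemble the chained .crt and the
# key+chain .pem the way steps h-j do, under a strict umask, then check
# that nothing under the private directory is readable by the world (step k).

# assemble_pem SSLDIR PRIVDIR LEAF.crt INTERMEDIATE.crt KEYFILE HOST
# Writes SSLDIR/HOST.crt.new (0644) and PRIVDIR/HOST.pem.new (0600).
assemble_pem() {
    ssldir=$1; privdir=$2; leaf=$3; intermediate=$4; key=$5; host=$6
    # Server certificate first, then the intermediate: the order apache sends.
    ( umask 133; cat "$leaf" "$intermediate" > "$ssldir/$host.crt.new" ) || return 1
    # Private key followed by the chain; umask 177 makes the file 0600 at
    # creation, so the key is never world-readable, not even briefly.
    ( umask 177; cat "$key" "$ssldir/$host.crt.new" > "$privdir/$host.pem.new" ) || return 1
}

# block_order FILE
# Prints the PEM block types in file order, comma separated, so the result of
# assemble_pem can be checked: a good .pem reads "<KEY TYPE>,CERTIFICATE,CERTIFICATE".
block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" |
        awk '{ printf "%s%s", (NR > 1 ? "," : ""), $0 }'
}

# world_readable DIR
# Lists regular files under DIR that have the "other read" bit set; returns 1
# if any exist (what step k tells you to rule out for /etc/ssl/private).
world_readable() {
    found=$(find "$1" -type f -perm -004)
    if [ -n "$found" ]; then
        printf 'world-readable: %s\n' "$found"
        return 1
    fi
    return 0
}
```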
=== How to Remove Files ===
 * cd into the directory
 * rm the files in that directory

=== How to Remove Directory ===
 * cd into the directory
 * rm the files in that directory
 * cd out of the directory
 * rmdir directory_name

== Certs supplied by PositiveSSL ==
 * AddTrustExternalCARoot.crt <-- the CA (root) certificate (rarely needed; it can probably be deleted after installing the certificates)
 * PositiveSSLCA2.crt <-- the intermediate certificate
 * SERVERNAME_mayfirst_org.crt <-- the server's primary certificate

== Creating a new csr ==
1. As root@SERVERNAME.mayfirst.org, in /etc/ssl/private, look for SERVERNAME.mayfirst.org.key (ls -l)

If it exists, remove it with 'rm SERVERNAME.mayfirst.org.key' <-- the key may have a .DATE extension (remove that key as well)

2. Create a new key in /etc/ssl/private with the command 'umask 177; certtool -p > SERVERNAME.mayfirst.org.key.$(date +%F)' <-- the umask here gives the key file the correct (owner-only) permissions.

3. Run the following command from /etc/ssl/private: 'umask 133; certtool --generate-request --load-privkey SERVER_NAME.mayfirst.org.key.$(date +%F)'
 * a. Enter the correct values for the signing request

== Questions asked by the 'certtool --generate-request' command ==
 * Enter the e-mail of the subject of the certificate:
 * Enter a challenge password:
 * Does the certificate belong to an authority? (y/N): N
 * Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
 * Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
 * Is this a TLS web client certificate? (y/N): y
 * Is this also a TLS web server certificate? (y/N): y
 * Country name (2 chars): US
 * Organization name: May First People Link
 * Organizational unit name: Support
 * Locality name: New York City
 * State or province name: NY
 * Common name: SERVER_NAME.mayfirst.org
 * UID:
 * Enter a dnsName of the subject of the certificate:
 * Enter the IP address of the subject of the certificate:
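The same answers as the question list above, written as a certtool template so the request can be generated without the interactive prompts; this is an added example, not part of the wiki's procedure, and the helper names, the host argument and the template file path are assumptions (the template keys are those documented for certtool's --template option).

```shell
#!/bin/sh
# Added example (not from the wiki): answer the certtool questions above from
# a template instead of interactively, and sanity-check the template first.
# With the template written, step 3 becomes:
#   umask 133; certtool --generate-request \
#       --load-privkey SERVER_NAME.mayfirst.org.key.$(date +%F) \
#       --template /root/csr.tmpl --outfile SERVER_NAME.mayfirst.org.csr
# (the /root/csr.tmpl path is an assumption).

# write_csr_template HOST OUTFILE
# Same answers as the interactive session on this page, as template keys.
write_csr_template() {
    host=$1; out=$2
    cat > "$out" <<EOF
# Subject, as answered on the wiki page
organization = "May First People Link"
unit = "Support"
locality = "New York City"
state = "NY"
country = US
cn = "$host"
dns_name = "$host"
# Key usage answers: signing y, encryption y, TLS client y, TLS server y.
# "Does the certificate belong to an authority? N" means no 'ca' line.
signing_key
encryption_key
tls_www_client
tls_www_server
EOF
}

# template_ok FILE
# Returns 1 if the template lacks cn, dns_name or tls_www_server, or if it
# would mark the certificate as a CA, which a server request must never do.
template_ok() {
    for key in cn dns_name tls_www_server; do
        grep -q "^$key" "$1" || return 1
    done
    if grep -q '^ca$' "$1"; then return 1; fi
    return 0
}
```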