Version 11 (modified by 10 years ago) ( diff ) | ,
---|
How to configure x509 on Moshes
- Find out if cert sign request exists.
- a. login to server cd /etc/ssl
- b. ls -l
- c. look for servername.csr
If it exists remove it with 'rm SERVERNAME.mayfirst.org.csr' (We're going to create a new csr)
- Get new certificate
- a. Generate a new csr (see instructions below)
- b. Create a temporary directory 'mkdir /etc/ssl/temp'
- c. go to https://cheapssls.com
- d. find login info in keyringer - if configured issue the command 'pass cheapssls'
- e. login and go to My SSL Account >> My SSLs
- f. If there are unassigned ssls, use one of those. If not buy 5 PositiveSSL 5-year certs (currently $4.99p/y, discounted if multiple certs purchased)
- i. Use keyringer (if configured run 'pass paypal' for login info) again for paypal information, to purchase certificates.
- Once certificates are purchased, go back to My SSL Account >> My SSLs
- a. Click on "Activate" beside one of the SSLs
- b. Paste in csr from step 2.a., use Apache2-openssl as the server type
- c. https://support.mayfirst.org/wiki/ordering-cartel-x509-certificates
- d. You will recieve an validation email at hostmaster@…, validate it.
- e. You will recieve the certificate at hostmaster@… in a zip file.
- f. save zip locally then on your local computer run command below to copy the zip file to the server.
scp /PATH/TO/SERVERNAME_mayfirst_org.zip root@SERVER_NAME.mayfirst.org:/etc/ssl/temp
- g. on the server
unzip /etc/ssl/temp/$(hostname)_mayfirst_org.zip
- h. from /etc/ssl/temp on the host machine you can run
cat COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt >> $(hostname)_mayfirst_org.crt && mv $(hostname)_mayfirst_org.crt ../$(hostname).mayfirst.org.crt.new
- This will create the correct certificate for the /etc/ssl directory (including the intermediate certificate). You need both Intermediate and Primary certificates for apache to use ssl correctly.
- i. next from /etc/ssl/private do
umask 177; cat $(hostname).mayfirst.org.key.$(date +%F) >> $(hostname).mayfirst.org.pem.new
- j. next from /etc/ssl/private do
cat ../$(hostname).mayfirst.org.crt.new >> $(hostname).mayfirst.org.pem.new; umask 133
- j.0 Check the .pem file to verify it has the following components:
- The secret key
- The server's (End Entity) certificate
- The intermediate certificate
- j.0 Check the .pem file to verify it has the following components:
- k. Make sure no files in the /etc/ssl/private directory are readable by the world.
- l. from /etc/ssl do
mv $(hostname).mayfirst.org.crt{,.old} && mv $(hostname).mayfirst.org.crt{.new,} && mv private/$(hostname).mayfirst.org.pem{,.old} && mv private/$(hostname).mayfirst.org.pem{.new,}
- m. restart apache with
service apache2 restart
- i. Check that the certificate is working by going to https://SERVERNAME.mayfirst.org
- n. restart courier-imap-ssl and courier-pop-ssl
service courier-imap-ssl restart && service courier-pop-ssl restart
- n.0 In order to generate DH parameters, you may want to do
freepuppet-run
on the server in question. - n.1 Verify that imap is working, from your local machine do
gnutls-cli --port imaps SERVER_NAME.mayfirst.org
- n.1.1 You should see a successful handshake and be able to verify the necessary certificates and intermediate certificates. Look for lines like these in the output:
- Certificate[1] info: - subject `OU=Domain Control Validated,OU=PositiveSSL,CN=mandela.mayfirst.org', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-12-19 00:00:00 UTC', expires `2018-12-18 23:59:59 UTC', SHA-1 fingerprint `bf977b3ea56da74284e111391ed1efaaf6454dc2' - Certificate[2] info: - subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2012-02-16 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `94807b1c788dd2fcbe19c8481ce41cfab8a4c17f'
- n.1.2 If the above command fails, you will need to run the command
freepuppet-run
as root on the server. Usually a failure in the above gnutls command is related to missing Diffie-Hellman parameters.
- n.1.1 You should see a successful handshake and be able to verify the necessary certificates and intermediate certificates. Look for lines like these in the output:
- n.0 In order to generate DH parameters, you may want to do
- o. Remove any unnecessary files. Here's an example of the needed files on jones (with permissions):
0 jones:/etc/ssl# ls -l total 40 drwxr-xr-x 2 root root 20480 Nov 15 2011 certs -rw-r--r-- 1 root root 3566 Aug 6 11:54 jones.mayfirst.org.crt -rw-r--r-- 1 root root 9495 May 9 2011 openssl.cnf drwx--x--- 2 root ssl-cert 4096 Aug 6 12:01 private 0 jones:/etc/ssl# ls -l private/ total 16 -rw------- 1 root root 1675 Aug 6 11:37 jones.mayfirst.org.key.2013-08-06 -rw------- 1 root ssl-cert 5241 Aug 6 11:53 jones.mayfirst.org.pem -rw-r----- 1 root ssl-cert 887 Jun 9 2008 ssl-cert-snakeoil.key 0 jones:/etc/ssl#
How to Remove Files
- cd into the directory
- rm files in that directory
How to Remove Directory
- cd into the directory
- rm files in that directory
- cd out of the directory
- rmdir directory_name
Certs supplied by Positive ssl
- AddTrustExternalCARoot.crt <-- This is the CA certificate (rarely do we need this, can probably delete after installing certificates)
- PositiveSSLCA2.crt <-- Intermediate Certificate
- SERVERNAME_mayfirst_org.crt <-- The server's primary certificate.
Creating a new csr
- from
root@SERVERNAME.mayfirst.org:/etc/ssl/private
look for SERVERNAME.mayfirst.org.key (ls -l)
If it exists, remove it with 'rm $(hostname).mayfirst.org.key' <-- the key may have a .DATE extension (remove that key as well)
- Create a new key in /etc/ssl/private with the command
umask 177; certtool -p > $(hostname).mayfirst.org.key.$(date +%F)
<-- umask here creates the correct permissions for the key file. Note: some versions of gnutls-bin (or certtool) add key info to the top of their output. You'll want to verify the key created here and make sure it's clean, containing only the following:-----BEGIN RSA PRIVATE KEY----- key data -----END RSA PRIVATE KEY-----
- Run the following command from /etc/ssl/private
umask 133; certtool --generate-request --load-privkey $(hostname).mayfirst.org.key.$(date +%F)
- a. Enter the correct values for the signing request
Questions asked by 'certtool --generate-request' command
- Enter the e-mail of the subject of the certificate:
- Enter a challenge password:
- Does the certificate belong to an authority? (y/N): N
- Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
- Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
- Is this a TLS web client certificate? (y/N): y
- Is this also a TLS web server certificate? (y/N): y
- Country name (2 chars): US
- Organization name: May First People Link
- Organizational unit name: Support
- Locality name: New York City
- State or province name: NY
- Common name: SERVER_NAME.mayfirst.org
- UID:
- Enter a dnsName of the subject of the certificate:
- Enter the IP address of the subject of the certificate:
- Enter the e-mail of the subject of the certificate:
- Enter a challenge password:
- Does the certificate belong to an authority? (y/N): N
- Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
- Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
- Is this a TLS web client certificate? (y/N): y
- Is this also a TLS web server certificate? (y/N):
Note:
See TracWiki
for help on using the wiki.