[[TranslatedPages]]
[[PageOutline]]

== How to configure x509 on Moshes ==

1. Find out if a certificate signing request already exists.
 * a. Log in to the server and `cd /etc/ssl`
 * b. `ls -l`
 * c. Look for SERVERNAME.mayfirst.org.csr. If it exists, remove it with `rm SERVERNAME.mayfirst.org.csr` (we're going to create a new csr).
2. Get a new certificate.
 * a. Generate a new csr (see the instructions below).
 * b. Create a temporary directory: `mkdir /etc/ssl/temp`
 * c. Go to https://cheapssls.com
 * d. Find the login info in keyringer; if it is configured, issue the command `pass cheapssls`.
 * e. Log in and go to My SSL Account >> My SSLs.
 * f. If there are unassigned SSLs, use one of those. If not, buy 5 PositiveSSL 5-year certs (currently $4.99 per year, discounted if multiple certs are purchased).
   * i. Use keyringer again (if configured, run `pass paypal` for the login info) to get the PayPal details needed to purchase the certificates.
3. Once the certificates are purchased, go back to My SSL Account >> My SSLs.
 * a. Click on "Activate" beside one of the SSLs.
 * b. Paste in the csr from step 2.a. and use Apache2-openssl as the server type.
 * c. See https://support.mayfirst.org/wiki/ordering-cartel-x509-certificates
 * d. You will receive a validation email at hostmaster@mayfirst.org; validate it.
 * e. You will receive the certificate at hostmaster@mayfirst.org in a zip file.
 * f. Save the zip locally, then on your local computer run the command below to copy the zip file to the server:
{{{
scp /PATH/TO/SERVERNAME_mayfirst_org.zip root@SERVER_NAME.mayfirst.org:/etc/ssl/temp
}}}
 * g. On the server, unpack the zip inside /etc/ssl/temp (unzip extracts into the current directory, so change into it first):
{{{
cd /etc/ssl/temp && unzip $(hostname)_mayfirst_org.zip
}}}
 * h. From /etc/ssl/temp on the host machine you can run:
{{{
cat PositiveSSLCA2.crt >> $(hostname)_mayfirst_org.crt && mv $(hostname)_mayfirst_org.crt ../$(hostname).mayfirst.org.crt.new
}}}
   * This creates the correct certificate for the /etc/ssl directory (including the intermediate certificate). You need both the intermediate and the primary certificate for Apache to use SSL correctly.
 * i. Next, from /etc/ssl/private, do the following (the key file name assumes the key was generated today, as in the "Creating a new csr" section below; adjust the date if it was not):
{{{
umask 177; cat $(hostname).mayfirst.org.key.$(date +%F) >> $(hostname).mayfirst.org.pem.new
}}}
 * j. Then, still from /etc/ssl/private, append the certificate and restore the umask:
{{{
cat ../$(hostname).mayfirst.org.crt.new >> $(hostname).mayfirst.org.pem.new; umask 133
}}}
 * k. Make sure no files in the /etc/ssl/private directory are readable by the world.
 * l. From /etc/ssl, swap the new files into place (the old ones are kept with a .old suffix):
{{{
mv $(hostname).mayfirst.org.crt{,.old} && mv $(hostname).mayfirst.org.crt{.new,} && mv private/$(hostname).mayfirst.org.pem{,.old} && mv private/$(hostname).mayfirst.org.pem{.new,}
}}}
 * m. Restart Apache:
{{{
service apache2 restart
}}}
   * i. Check that the certificate is working by going to https://SERVERNAME.mayfirst.org
 * n. Restart courier-imap-ssl and courier-pop-ssl:
{{{
service courier-imap-ssl restart && service courier-pop-ssl restart
}}}
 * o. Remove any unnecessary files. Here's an example of the needed files on jones (with permissions):
{{{
0 jones:/etc/ssl# ls -l
total 40
drwxr-xr-x 2 root root     20480 Nov 15  2011 certs
-rw-r--r-- 1 root root      3566 Aug  6 11:54 jones.mayfirst.org.crt
-rw-r--r-- 1 root root      9495 May  9  2011 openssl.cnf
drwx--x--- 2 root ssl-cert  4096 Aug  6 12:01 private
0 jones:/etc/ssl# ls -l private/
total 16
-rw------- 1 root root     1675 Aug  6 11:37 jones.mayfirst.org.key.2013-08-06
-rw------- 1 root ssl-cert 5241 Aug  6 11:53 jones.mayfirst.org.pem
-rw-r----- 1 root ssl-cert  887 Jun  9  2008 ssl-cert-snakeoil.key
0 jones:/etc/ssl#
}}}

=== How to Remove Files ===
 * cd into the directory
 * rm the files in that directory

=== How to Remove Directory ===
 * cd into the directory
 * rm the files in that directory
 * cd out of the directory
 * `rmdir directory_name`

== Certs supplied by Positive ssl ==
 * AddTrustExternalCARoot.crt <-- This is the CA (root) certificate (we rarely need this; it can probably be deleted after installing the certificates)
 * PositiveSSLCA2.crt <-- Intermediate certificate
 * SERVERNAME_mayfirst_org.crt <-- The server's primary certificate

== Creating a new csr ==

1. From `root@SERVERNAME.mayfirst.org:/etc/ssl/private`, look for SERVERNAME.mayfirst.org.key (`ls -l`). If it exists, remove it with `rm $(hostname).mayfirst.org.key` <-- the key may have a .DATE extension (remove that key as well).
2. Create a new key in /etc/ssl/private with the command `umask 177; certtool -p > $(hostname).mayfirst.org.key.$(date +%F)` <-- the umask here gives the key file the correct permissions (readable and writable by the owner only).
3. Run the following command from /etc/ssl/private: `umask 133; certtool --generate-request --load-privkey $(hostname).mayfirst.org.key.$(date +%F)` (without `--outfile`, certtool prints the request to the terminal; that is what you paste in step 3.b above).
 * a. Enter the correct values for the signing request.

== Questions asked by 'certtool --generate-request' command ==

The prompts appear in this order; the answer we give follows each one, and prompts with no answer are left blank:
 * Country name (2 chars): US
 * Organization name: May First People Link
 * Organizational unit name: Support
 * Locality name: New York City
 * State or province name: NY
 * Common name: SERVER_NAME.mayfirst.org
 * UID:
 * Enter a dnsName of the subject of the certificate:
 * Enter the IP address of the subject of the certificate:
 * Enter the e-mail of the subject of the certificate:
 * Enter a challenge password:
 * Does the certificate belong to an authority? (y/N): N
 * Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
 * Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
 * Is this a TLS web client certificate? (y/N): y
 * Is this also a TLS web server certificate? (y/N): y
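The prompts above, as an added example that is not part of this wiki page: the same answers written as a certtool template, so the request is generated non-interactively and identically on every host. It assumes GnuTLS certtool; `dns_name` is an addition (the page leaves that prompt blank), and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: the certtool answers listed above
# as a template, so the request is reproducible instead of typed at prompts.
# Assumes GnuTLS certtool. dns_name is an addition (the page leaves that
# prompt blank); everything else mirrors the page's answers, and "ca" is
# omitted because the page answers N to the authority question.

# Prints a certtool template for certificate subject $1 (e.g. jones.mayfirst.org).
csr_template() {
    cat <<EOF
organization = "May First People Link"
unit = "Support"
locality = "New York City"
state = "NY"
country = US
cn = "$1"
dns_name = "$1"
signing_key
encryption_key
tls_www_client
tls_www_server
EOF
}

# Mirrors steps 2 and 3 of "Creating a new csr": a new key readable by the
# owner only (umask 177), then the request as a 0644 file (umask 133).
# Run as root from /etc/ssl/private; $1 is the short hostname.
generate_csr() {
    host="${1:-$(hostname)}"
    key="$host.mayfirst.org.key.$(date +%F)"
    tmpl=$(mktemp) || return 1
    csr_template "$host.mayfirst.org" > "$tmpl"
    (umask 177; certtool --generate-privkey > "$key") || { rm -f "$tmpl"; return 1; }
    (umask 133; certtool --generate-request --load-privkey "$key" \
        --template "$tmpl" --outfile "$host.mayfirst.org.csr")
    rc=$?
    rm -f "$tmpl"
    return $rc
}
```

The resulting `$(hostname).mayfirst.org.csr` is what gets pasted in step 3.b of the install procedure.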
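Back in the install procedure, steps 3.h to 3.k assemble a .crt.new (server certificate plus intermediate) and a .pem.new (key plus both certificates) before step 3.l swaps them into place. As an added example that is not part of this wiki page, the script below checks that assembled material before the swap: the certificate count, that the server certificate really was issued by the intermediate, that the key in the .pem matches the certificate, and that nothing in the private directory is world-readable. It assumes openssl 1.0.2 or later is installed (for `-partial_chain`); the default paths follow the page's own naming and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): pre-flight checks for the files
# assembled in steps 3.h-3.k, run before the mv in step 3.l. Assumes openssl
# 1.0.2 or later (for -partial_chain); default paths follow the page's naming.

# 0 if the first private key and the first certificate in the .pem share a
# public key, i.e. the key made in "Creating a new csr" is the one the CA signed.
pem_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# 0 if $1 holds exactly $2 certificates; the page's .crt.new must carry two
# (server certificate plus the PositiveSSLCA2 intermediate).
cert_count_is() {
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)" -eq "$2" ]
}

# 0 if the server certificate (first cert in $1) was issued by the CA cert in
# $2. -partial_chain lets a non-root intermediate act as the trust anchor.
chain_verifies() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if no regular file under $1 has the "other read" bit set (step 3.k).
no_world_readable_files() {
    [ -z "$(find "$1" -type f -perm -004 2>/dev/null)" ]
}

# Runs every check; arguments override the page's default paths.
run_checks() {
    crt="${1:-/etc/ssl/$(hostname).mayfirst.org.crt.new}"
    pem="${2:-/etc/ssl/private/$(hostname).mayfirst.org.pem.new}"
    ca="${3:-/etc/ssl/temp/PositiveSSLCA2.crt}"
    rc=0
    cert_count_is "$crt" 2 || { echo "FAIL: $crt should hold 2 certificates"; rc=1; }
    chain_verifies "$crt" "$ca" || { echo "FAIL: $crt was not issued by $ca"; rc=1; }
    pem_key_matches_cert "$pem" || { echo "FAIL: key and certificate in $pem differ"; rc=1; }
    no_world_readable_files "$(dirname "$pem")" \
        || { echo "FAIL: world-readable file under $(dirname "$pem")"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: safe to run step 3.l"
    return "$rc"
}

# Only runs when invoked as "sh check-x509.sh --check [crt pem ca]", so the
# functions can also be sourced from another script.
if [ "${1:-}" = "--check" ]; then shift; run_checks "$@"; fi
```

A non-zero exit means one of the FAIL lines was printed; fix that before running the mv chain in step 3.l, since Apache will either refuse to start or serve an incomplete chain otherwise.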