wiki:faq/security/get-certificate

Version 15 (modified by Jamie McClelland, 10 years ago) (diff)

--

Please note: the heart bleed vulnerability discovered April 7, 2014 affects May First/People Link members. We encourage all members who generated a key and obtained an x509 certificate prior to this date to generate a new key and obtain a new certificate. If you need assistance generating a new key, please submit a ticket and include the domain name of the web site that you are running.

How do I get a x509 (aka SSL) Certificate for my Web site?

A security certificate is required if you want to offer a encrypted connection between your web visitors and your web site. An encrypted connection to a web site is typically indicated by a lock icon in your browser and most encrypted web sites have URLs that start with https instead of plain http.

The purpose of a security certificate is to provide proof to the world that your web site is indeed operated by you (and not an impostor). For more information about security certificates, please see our certificate faq.

Generating the key and signing request

Before you can get a security certificate attesting that you are who you say you are, you will need to two files:

  • The private key is the file with the secret material that should only be accessible to the web server hosting your site
  • The certificate signing request is the non-confidential file generated based on your private key that you submit to a certificate authority

Then, you will need to submit your certificate signing request to a certificate authority, such as SSLs.com or cacert. SSLs.com costs as little as $4.99 per certificate per year and can generate a certificate for you that will be accepted by nearly all browsers on the planet. cacert will generate a certificate for free but users will need to import the cacert root certificate or they will get errors. We have a raging debate about which approach is the best to take. In these examples domain.csr and domain.key are the file names provided. These filenames are arbitrary and can be anything you want (for example, I would recommend replacing domain with your actual domain, e.g. mayfirst.org.key and mayfirst.org.csr, so it is easier to keep track of the domains for which they are being generated.

Generating a key and signing request for the first time or to replace a vulnerable key

To generate a private key and a certificate signing request, ssh into your primary host and run:

openssl req -new -nodes -out domain.csr -keyout domain.key -config /etc/ssl/openssl.cnf

You will be prompted to answer a series of questions (with the defaults used by MFPL provided in brackets).

The most important question is:

Common Name (hostname, IP, or your name) []:

You must type the exact domain name that will be used for your site (e.g. members.mayfirst.org).

When the command has completed you should have two files: a private key file that you should not share with anyone (domain.key) and a certificate signing request (domain.csr) that is based on your key that can be shared with anyone and should be provided to a certificate authority if you would like to get a certificate for your private key..

Generating a signing request for a renewal - I already have a key

If your certificate is expiring, you can simply re-submit your existing signing request and get a new certificate for the next year. You do not need to generate a new signing request.

If you lost your signing request, you can regenerate a new one based on your existing key:

openssl req -out domain.csr -key path/to/your/private/key/domain.key -new -config /etc/ssl/openssl.cnf

Examining your certificate signing request

If you want to get a human-readable view of what you just created (to check for typos), you can type:

openssl req -in domain.csr -text -verify -noout

After Receiving Your Certificate You Can Test It

If you want to test to ensure that your certificate is valid (after receiving it from a certificate authority) and works with your key file, you can run this command:

openssl s_server -cert domain.crt -key domain.key -www

You should get something like this:

0 jamie@chicken:~$ openssl s_server -cert domain.crt -key domain.key 
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
^C
130 jamie@chicken:~$

Hit ctrl-c to cancel.

If you are prompted for a password, then it means you created your key file with a password, which will cause problems if try to use it for your web site.

Next steps

This file and your domain.key file can be used to setup your web site to use a security certificate or replace an existing one.