Changes between Version 11 and Version 12 of ordering-cartel-x509-certificates


Timestamp:
Aug 15, 2016, 9:32:46 AM (5 years ago)
Author:
Jamie McClelland
Comment:

--

  • ordering-cartel-x509-certificates

    v11 v12  
    11[[TranslatedPages]]
    22[[PageOutline]]
     3
    34For instructions on updating or adding a MOSH x.509 see [[configure-mosh-x509]]
     5
    46= Ordering X.509 certificates from the CA Cartel =
    57
    6 For most public-facing services, we choose to purchase X.509 certificates from a certificate authority that is implicitly trusted by default in most browsers.  These certificate authorities (CAs) form "the CA Cartel" due to their
    7 
    8 When that is necessary, please follow these steps:
    9 
    10  * Order from https://ssls.com/ (login in [wiki:keyringer keyringer])
    11  * Purchasing and activating are different steps. First check to see if any x509 certificates have been purchased but not yet activated. If so, activate an already purchased certificate. Otherwise, purchase a new certificate. For payment method, choose paypal (password in [wiki:keyringer keyringer]).  Note that ssls.com does not group purchased-but-not-activated certificate together; you have to page through the order history to search for them.  (As of 4/13/2014, there were purchased-but-not-yet-activated certificates buried on page 8 ...)
    12  * Puppet will auto-generate a certificate signing request for you, with the canonical name as the "common name" (e.g. `mandela.mayfirst.org`) in /etc/ssl/. If you want a different "common name" (e.g. `members.mayfirst.org` or `webmail.mayfirst.org`) then you will need to generate a new csr.
    13  * Login to the [https://members.mayfirst.org/cp members control panel] and ensure that your email address is listed as a recipient for the `hostmaster@mayfirst.org` email address.
    14  * Order at least three 5-year standard (domain-validated) PositiveSSL certificates at a time (five years means less admin to update it, and less $ thrown at the cartel because of discounts; as of 2013-06-03 we are switching from RapidSSL to PositiveSSL.).
    15  * When filling in the details of the certificate, choose the hostmaster email address for confirmation and for contact info for the certificate. For the rest of the requested information, enter our public contact info.
    16 {{{
    17 ssl@mayfirst.org
    18 May First
    19 237 Flatbush Ave, #278
    20 Brooklyn, NY 11217-5224
    21 718-303-3204
    22 }}}
    23  * You will get an email asking for confirmation from Comodo, which operates PositiveSSL.  Click through the link from the e-mail to activate the certificate, and then the certificate will be emailed to `hostmaster@mayfirst.org`.
     8Don't order cartel certs anymore! Instead, [wiki:letsencrypt use letsencrypt].
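Review bot: The new v12 line 8 tells readers to stop ordering but gives no guidance for certificates the removed procedure already produced. Removed v11 line 14 ordered 5-year PositiveSSL certificates at least three at a time, and removed v11 line 11 notes purchased-but-not-yet-activated certificates sitting in the ssls.com order history, so some of these may still be in service or unused. Suggest adding a sentence on whether existing certificates are kept until they expire or replaced now, and whether the unactivated purchases should still be used. The heading on v12 line 6 still reads "Ordering X.509 certificates from the CA Cartel" above an instruction not to order, so consider marking it as deprecated. The change comment carries only "--", so the reason for the switch is not recorded with the revision.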