Initially this blog was set up with HTTPS using a self-signed certificate. I always intended to replace it with a "real" certificate to avoid browser warnings. The certificate would also need to cover other sites/services at destephen.com. This is my first effort at installing certificates that need to be recognized by everyone's browsers.
To preface this, my experience with web certificates has primarily been with Cisco UC applications. Those apps generate a certificate signing request (CSR) that is signed by a certificate authority (CA); most of the time that is a local Microsoft CA. It is a pretty straightforward process once you have worked through the steps. The only other time I have really gotten into web certificates was when I published my Exchange box through Forefront.
I am using GoDaddy.com as my registrar and used their services to purchase the certificate as well. Their folks were patient with my seemingly basic questions and took the time to answer them thoroughly. Their sales folks browsed this site, discussed with me how I am doing my redirects, and verified internally the best common name (CN) to put on the certificate. The extra effort was appreciated. I ended up picking up a 5-name Standard Multiple Domain pack for a year to try it out.
One of the sites I used for some testing was SSLShopper.com. The site is a little basic, but the SSL checker under the Tools section proved useful.
Now for the good stuff. These steps are covered on many different websites, but all of them encrypt the local private key file with 3DES (openssl's -des3 option). I am not sure why; I used AES-256 (-aes256) without any issues. Either choice only protects the key file at rest behind a passphrase; it has no bearing on the strength of the RSA key itself or of the TLS connections Apache will serve.
First, we need to generate a private key. This is where I deviated from the other examples. I also protected the key with a passphrase, which means a passphrase has to be entered every time Apache restarts. This can be worked around if needed, and Webmin can help.
openssl genrsa -aes256 -out blog.destephen.com.key 2048
Next, we create the CSR. This file contains all the information that needs to be pasted into your CA's request form.
openssl req -new -key blog.destephen.com.key -out blog.destephen.com.csr
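The two commands above as an added, self-contained example (this is not code from the original post). It generates the key and CSR the same way, but feeds the passphrase in non-interactively and then performs the check a practitioner wants before pasting the CSR into the CA's form: that the CSR's public key really belongs to the private key, that the CN is what the CA will see, and that the key file is readable only by its owner. The output directory, passphrase and subject fields are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate the passphrase-protected
# key and the CSR the way the post does, then verify they belong together before
# the CSR goes to the CA. OUTDIR, PASSPHRASE and the subject fields are
# constructed placeholders for this example.
set -eu

OUTDIR="${OUTDIR:-./tls-example}"
PASSPHRASE="${PASSPHRASE:-example-passphrase-change-me}"   # constructed, not a real secret
CN="blog.destephen.com"

gen_key_and_csr() {
    mkdir -p "$OUTDIR"
    # umask 077 makes openssl create the key file 0600: only the owner can read it.
    umask 077
    # -aes256 encrypts the key file under the passphrase (older guides use -des3;
    # either only protects the file at rest and does not change the RSA key).
    openssl genrsa -aes256 -passout "pass:$PASSPHRASE" \
        -out "$OUTDIR/$CN.key" 2048 2>/dev/null
    # The CSR carries the subject (CN = the site name) and the public key.
    # -sha256 picks the digest for the CSR signature; the CA chooses its own
    # digest for the certificate it issues.
    openssl req -new -sha256 -key "$OUTDIR/$CN.key" -passin "pass:$PASSPHRASE" \
        -subj "/C=US/ST=Example/L=Example/O=Example Org/CN=$CN" \
        -out "$OUTDIR/$CN.csr"
}

# Public-key modulus from the private key versus the CSR. If these differ, the
# certificate the CA issues will never match the key Apache is handed.
moduli_match() {
    k=$(openssl rsa -noout -modulus -in "$OUTDIR/$CN.key" -passin "pass:$PASSPHRASE")
    c=$(openssl req -noout -modulus -in "$OUTDIR/$CN.csr")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# CN as the CA will see it (handles both "CN=x" and "CN = x" subject styles).
csr_cn() {
    openssl req -noout -subject -in "$OUTDIR/$CN.csr" |
        sed -n 's/.*CN *= *\([^/,]*\).*/\1/p'
}

# Permission string of the key file; expect -rw------- (0600).
key_mode() {
    ls -l "$OUTDIR/$CN.key" | cut -c1-10
}

# Run stand-alone: generate, then report each check.
gen_key_and_csr
moduli_match && echo "key/CSR modulus: match"
echo "CSR CN: $(csr_cn)"
echo "key file mode: $(key_mode)"
```

The modulus comparison is the same check you would run later against the issued certificate (`openssl x509 -noout -modulus -in cert.crt`) when Apache refuses to start with a key/certificate mismatch.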
I used GoDaddy as mentioned, and requesting the certificate was straightforward. Once the certificate was approved and posted, it could be downloaded; I downloaded it in the Apache format.
With the certificate downloaded, the files can be uploaded to the web server. In my case I front-end my web servers with Forefront so I can host multiple services on the same port (the blog and mail both use tcp/443, for example). A separate post walks through exporting the Linux certificate into Forefront. This post focuses on an individual Ubuntu 12.04 system running Apache2.
Starting with the original Ubuntu 12.04 blog.destephen.com server, I placed the files in /etc/ssl/private. sudo rights were required because of the directory's permissions (a good thing!). GoDaddy provides two certificates: the intermediate certificate bundle and the actual blog.destephen.com certificate. The key file created at the beginning of the process can also be placed in this folder; keep it readable by root only (mode 0600), since anyone who can read it can impersonate the site.
Now that the new certificates are in place, we need to modify Apache's configuration file. For my setup that is /etc/apache2/sites-enabled/default-ssl. On Ubuntu 12.04 the following lines, which point at the self-signed (snakeoil) certificate, need to be commented out or changed to the new files:
Line 51: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
Line 52: SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
Additionally, these lines need to be added for the new certificate within the default-ssl file:
Also within default-ssl, the intermediate certificate needs a reference (the SSLCertificateChainFile directive). Uncomment it and change the path as needed.
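As an added example (not the post's own configuration), here is what the relevant part of the default-ssl virtual host looks like with the snakeoil pair replaced and the intermediate referenced. The certificate and bundle filenames are assumptions; GoDaddy's Apache download names them differently, so substitute whatever you uploaded. It goes one step beyond the post by also disabling SSLv2 and SSLv3, which Apache 2.2's default "all" would otherwise leave enabled.

```apache
# /etc/apache2/sites-enabled/default-ssl (added example; paths are assumptions)
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName blog.destephen.com
    DocumentRoot /var/www

    SSLEngine on
    # Not in the post: drop the obsolete protocols the 2.2 default of "all" allows.
    SSLProtocol all -SSLv2 -SSLv3

    # The Ubuntu self-signed pair from the original install, now commented out:
    #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # GoDaddy-issued certificate and the key generated with genrsa earlier.
    # The .crt filename is a placeholder for whatever GoDaddy's download is called.
    SSLCertificateFile      /etc/ssl/private/blog.destephen.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/blog.destephen.com.key

    # GoDaddy intermediate bundle. Without it, clients that do not already hold
    # the intermediate cannot build a chain to the root and will show an error
    # even though the leaf certificate is valid. Filename is a placeholder.
    SSLCertificateChainFile /etc/ssl/private/gd_bundle.crt
</VirtualHost>
</IfModule>
```

Run `apache2ctl configtest` before restarting so a typo in a path fails fast instead of taking the site down. Once Apache is back up, `openssl s_client -connect blog.destephen.com:443 -showcerts` shows the chain actually being served; if only one certificate appears, the chain file is not being picked up. Note that a `SSLPassPhraseDialog exec:` script or a Webmin-supplied passphrase only moves the secret from the console to the filesystem, so it adds convenience rather than protection.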
With the configuration updated, restart the Apache2 service. Keep in mind that at this point the key still has its passphrase, so loading it into Apache requires interaction. This may be a future post, as Webmin can easily help automate the passphrase.
Now we can test the server. You may want to use a different browser or clear the cache if the old certificate appears to be stuck.