Howto Overview for Creating and Installing SSL Certificates

This HOWTO gives a brief overview of SSL certificate creation and installation on all platforms. Our website has information on creating a CSR and installing SSL certificates for specific systems.

Apache on Linux How To

Edit the httpd.conf file, which, depending on the distribution, is located in one of:
/etc/apache/httpd.conf
/etc/apache2/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/apache2/apache2.conf

change:
#Include /etc/apache2/mod_ssl.conf
to:
Include /etc/apache2/mod_ssl.conf

OR

Alternatively, your mod_ssl package may have installed these files instead:
/etc/apache2/mods-enabled/ssl.conf
/etc/apache2/mods-enabled/ssl.load

NB: you need mod_ssl and httpd installed. Use yum, apt-get etc. to install these programmes.

You may also need to change your startup file /etc/rc.d/rc.httpd (this applies to Apache 1.3 and 2.0 only; the startssl option was removed in Apache 2.2, where a plain start serves SSL once mod_ssl is loaded).
Change this:
'start')
/usr/sbin/apachectl start ;;
to this:
'start')
/usr/sbin/apachectl startssl ;;

You also need to ensure that you have this line in your apache2.conf file
Listen 443

To check that SSL is working execute this on the command line
netstat -tpan | grep 443
If you get no output, there is a problem with your installation. Check the Apache error log.

Generating keys and certificate:
To generate a private key and a public Certificate Signing Request (CSR) for a web server, "server", use the following command:
openssl req -new -nodes -keyout myserver.key -out server.csr
This creates two files. The file myserver.key contains the private key; do not disclose this file to anyone, and protect it carefully.
In particular, be sure to back up the private key, as there is no way to recover it should it be lost. The private key is used as input in the command that generates the Certificate Signing Request (CSR), and later by the web server itself.

You will now be prompted for the details that go into your CSR.

What you are about to enter is what is called a Distinguished Name or a DN.

For some fields there will be a default value; if you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
-----
Use the fully qualified name of the web server as the Common Name (CN): if the host is called mysubdomain and the domain name is mydomain.com, the CN is mysubdomain.mydomain.com.
The email address, optional company name and challenge password fields can be left blank for a web server certificate.
Your CSR has now been created. Open server.csr in a text editor and copy and paste its contents into the online enrollment form when requested.
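As an added example (not part of the original HOWTO), the same key and CSR generated without the interactive prompts, plus the checks worth running before the CSR is pasted into the enrollment form; the filenames and DN values are the ones above, while the 2048-bit RSA key size is an assumption.

```shell
#!/bin/sh
# Added example: non-interactive key + CSR generation and pre-submission checks.
# Filenames and DN values follow the HOWTO; rsa:2048 is an assumed key size.
set -eu

# Generate an unencrypted private key (-nodes, as on the page) and a CSR in one
# step; -subj supplies the Distinguished Name so nothing is typed at prompts.
gen_key_csr() {
    key=$1 csr=$2 cn=$3
    openssl req -new -nodes -newkey rsa:2048 -keyout "$key" -out "$csr" \
        -subj "/C=GB/ST=Yorks/L=York/O=MyCompany Ltd/OU=IT/CN=$cn" 2>/dev/null
    chmod 600 "$key"   # the key must not be readable by other users; back it up
}

# Return 0 when the CSR carries the public half of the given private key.
# A mismatch here means the certificate the CA issues will never load in Apache.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Return 0 when the CSR's own signature verifies (it was not damaged in transit).
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Print the Common Name from the CSR subject (works with both OpenSSL formats).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Usage: sh thisfile.sh run   (writes myserver.key and server.csr here)
if [ "${1:-}" = "run" ]; then
    gen_key_csr myserver.key server.csr mysubdomain.mydomain.com
    csr_matches_key myserver.key server.csr && csr_signature_ok server.csr \
        && echo "CSR for $(csr_cn server.csr) is ready for the enrollment form"
fi
```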

Setting up Apache
Now that SSL is all set up, you are going to want to tell Apache what to serve up when somebody connects using https://. This is done by the VirtualHost directive and the one pertaining to SSL connections can be found in the /etc/apache/mod_ssl.conf file, httpd.conf or your own specific control panel file. You will need to change some of the settings but this gives a general idea.

<IfModule mod_ssl.c>
<VirtualHost 123.123.123.123:443>
ServerName www.mydomain.co.uk:443
ServerAdmin webmaster@mydomain.co.uk
DocumentRoot /home/www/yourweb/web
SSLEngine on
SSLCertificateFile /home/www/yourweb/ssl/www.mydomain.co.uk.crt
SSLCertificateKeyFile /home/www/yourweb/ssl/www.mydomain.co.uk.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
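An added example, not from the HOWTO, that checks a VirtualHost block like the one above before Apache is restarted and the netstat check is run: that the certificate and key files belong together, that ServerName matches the certificate's Common Name, and that the certificate is not about to expire. The config path passed on the command line is assumed.

```shell
#!/bin/sh
# Added example: sanity-check an SSL VirtualHost before restarting Apache.
# Directive names are Apache's; the config path is whatever the caller passes.
set -eu

# Print the value of a directive (first match) from an Apache config file.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Return 0 when SSLCertificateFile and SSLCertificateKeyFile belong together.
# Apache refuses to start on a mismatch, usually caused by installing a
# CA-issued certificate next to a key from a different CSR.
vhost_key_matches_cert() {
    crt=$(conf_value "$1" SSLCertificateFile)
    key=$(conf_value "$1" SSLCertificateKeyFile)
    [ -r "$crt" ] && [ -r "$key" ] || return 1
    cert_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the certificate's Common Name (works with both OpenSSL subject formats).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 when the ServerName host (port stripped) equals the certificate CN;
# otherwise browsers warn that the name does not match the certificate.
vhost_name_matches_cert() {
    name=$(conf_value "$1" ServerName | cut -d: -f1)
    [ -n "$name" ] && [ "$name" = "$(cert_cn "$(conf_value "$1" SSLCertificateFile)")" ]
}

# Return 0 when the certificate stays valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Usage: sh thisfile.sh check /etc/apache2/sites-enabled/mysite-ssl.conf
if [ "${1:-}" = "check" ]; then
    vhost_key_matches_cert "$2" && vhost_name_matches_cert "$2" \
        && cert_valid_for "$(conf_value "$2" SSLCertificateFile)" 604800 \
        && echo "vhost OK" || { echo "vhost check FAILED"; exit 1; }
fi
```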

Internet Information Server on Windows How To

Requirements

The following items describe the recommended hardware, software, network infrastructure, skills and knowledge, and service packs that you will need:
  • Windows 2000 Server, Advanced Server, or Professional, with Internet Information Services (IIS) version 5.0 and Microsoft Certificate Server version 2.0 installed and configured.
  • Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Datacenter Edition, or Windows Server 2003 Web Edition-based computer with Internet Information Services (IIS) 6.0 or 7.0 and Certificate Services installed and configured.
If the computer that is hosting Certificate Server is not the same computer that has IIS, you need a valid network or Internet connection to the server that is hosting Certificate Server.

Create a certificate request

First, the Web server must make a certificate request. To do this, follow these steps:
  1. Start the Internet Service Manager (ISM), which loads the Internet Information Server snap-in for the Microsoft Management Console (MMC). To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Service Manager or Internet Information Services (IIS) Manager.
  2. Double-click the server name so that you see all of the Web sites. In IIS 6.0, expand Web Sites.
  3. Right-click the Web site on which you want to install the certificate, and then click Properties.
  4. Click the Directory Security tab, and then click Server Certificate under Secure Communications to start the Web Server Certificate Wizard.
  5. In IIS 6.0, click Next. If you are running IIS 5.0, go to step 6.
  6. Select Create a new certificate and click Next.
  7. Select Prepare the request now, but send it later and click Next.
  8. Type a name for the certificate. You may want to match the certificate name to the name of the Web site. Now, select a bit length; the higher the bit length, the stronger the certificate encryption. Select Server Gated Cryptography if your users may be coming from countries with encryption restrictions.
  9. Type your organization name and the organizational unit (for example, MyWeb and Development Dept). Click Next.
  10. Type either the fully qualified domain name (FQDN) or the server name as the common name. If you are creating a certificate that will be used over the Internet, it is preferable to use a FQDN (for example, www.MyWeb.com). Click Next.
  11. Enter your location information, and then click Next.
  12. Type the path and file name to save the certificate information to, and click Next to continue.

    Note If you type anything other than the default location and file name, be sure to note the name and location you choose, because you will have to access this file in later steps.
  13. Verify the information that you have typed, and then click Next to complete the process and create the certificate request.

Submit a certificate request

The certificate request that you just created needs to be submitted to a Certificate Authority (CA). This may be your own server with Certificate Server 2.0 installed on it or an online CA such as VeriSign. Contact the certificate provider of your choice and determine the best level of certificate for your needs. There are different methods of submitting your request. Contact the Certificate Authority of your choice to request and receive your certificate. You can create your own certificate with Certificate Server 2.0, but your clients must implicitly trust you as the Certificate Authority. The steps below assume that you are using Certificate Server 2.0 as the certificate provider.

Note The IIS Certificate Wizard will only recognize the Default Web Server template. When you select an Online Enterprise CA, the Authority will not be listed unless the CA is using the Default Web Server template.
  1. Open a browser and browse to http://YourWebServerName/CertSrv/.
  2. In IIS 5.0, select Request a Certificate and click Next. In IIS 6.0, click Request a certificate.
  3. In IIS 5.0, select Advanced Request and click Next. In IIS 6.0, click advanced certificate request.
  4. In IIS 5.0, select Submit a Certificate Request using a Base64 and click Next. In IIS 6.0, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  5. In Microsoft Notepad, open the request document that you created in the "Create a certificate request" section. In IIS 6.0, you can also click Browse for a file to insert.
  6. Copy the contents of the document. The contents should resemble the following:
    -----BEGIN NEW CERTIFICATE REQUEST-----
    -----END NEW CERTIFICATE REQUEST-----
  7. Note If you save the document with the default name and location, it is located at C:\Certreq.txt.

    Note Be sure to copy all of the content just as shown.

  8. Paste the contents of the document into the Web form's Base64 Encoded Certificate Request text box.
  9. Under Certificate Template, select Web Server or User, and then click Submit.
  10. If Certificate Server is set to Always Issue the Certificate, you can access the certificate immediately. To do this, follow these steps:
    1. Click Download CA Certificate (do not click Download CA Certificate path or Download certificate chain).
    2. When you are prompted, select Save this file to disk and save the certificate to your desktop or another location that you will remember. You may now go directly to the "Install the certificate and set up an SSL Web site" section.

Issue and download a certificate

To issue a certificate in Certificate Server, follow these steps:
  1. Open the CA MMC snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Certificate Authority.
  2. In IIS 5.0, expand Certificate Authority and click the Pending Requests folder. Your pending certificate requests appear in the right pane. In IIS 6.0, expand the server name.
  3. Right-click the pending certificate request that you just submitted, select All Tasks, and then click Issue.

    Note After you select Issue, the certificate is no longer displayed in this window and folder. It now resides in the Issued Certificate folder.
  4. After you have issued (and authorized) the certificate, you can return to the Certificate Servers Web interface to select and download the certificate. To do this, follow these steps:
    1. Browse to http://YourWebServerName/CertSrv/.
    2. On the default page, select Check on a pending certificate and click Next. In IIS 6.0, click View the status of a pending certificate request.
    3. Select your pending certificate, then click Next to go to the download page.
    4. On the download page, click Download CA Certificate (do not click Download CA Certificate path or Download certificate chain).
    5. When you are prompted, select Save this file to disk and save the certificate to your desktop or another location that you will remember.

Install the certificate and set up an SSL Web site

To install the certificate, follow these steps:
  1. Open the Internet Services Manager and expand the server name so that you can view the Web sites.
  2. Right-click the Web site for which you created the certificate request and click Properties.
  3. Click the Directory Security tab. Under Secure Communications, click Server Certificate. This starts the Certificate Installation Wizard. Click Next to continue.
  4. Select Process the pending request and install the certificate and click Next.
  5. Type the location of the certificate that you downloaded in the "Issue and download a certificate" section, then click Next. The Wizard displays the Certificate Summary. Verify that the information is correct, then click Next to continue.
  6. Click Finish to complete the process.

Configure and test the certificate

To configure and test the certificate, follow these steps:
  1. On the Directory Security tab, under Secure Communications, note that there are now three available options. To set the Web site to require secure connections, click Edit. The Secure Communications dialog box appears.
  2. Select Require Secure Channel (SSL) and click OK.
  3. Click Apply and then OK to close the property sheet.
  4. Browse to the site and verify that it works. To do this, follow these steps:
    1. Access the site through HTTP by typing http://localhost/Postinfo.html in the browser. You receive an error message that resembles the following:
      HTTP 403.4 - Forbidden: SSL required.
    2. Try to browse to the same Web page using a secured connection (HTTPS) by typing https://localhost/postinfo.html in the browser. You may receive a security alert that states that the certificate is not from a trusted root CA. Click Yes to continue to the Web page. If the page appears, you have successfully installed your certificate.
APPLIES TO
  • Microsoft Internet Information Services 5.0, when used with:
    • the operating system: Microsoft Windows 2000
  • Microsoft Internet Information Services 6.0 and 7.0, when used with:
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)