Process for ordering ssl certificate

From Docupedia

The Concept

First you have to buy the cert from a company like GoDaddy. Once you buy it, you make a CSR and ship it off for their CA to sign. Once you get it back you have a valid signed cert, good for another year. A couple of things to realize here: we first generate a .pem file. This file contains both your public certificate request and your private key. You will need this .pem file, which will later become a .key file.

An Overview

Here is the process in a nutshell. You go to GoDaddy and buy an SSL cert. You then activate the cert. Once activated you can generate your .pem file. Once your .pem is generated, don't forget to run it through openssl again to remove the pass phrase. This assumes you've already renamed the .pem file to a .key file.

openssl rsa -in secure.domainname.com.key -out secure.domainname.com.key

Removing the passphrase will allow Apache to start without needing a password. The private key is then stored unencrypted on disk, so restrict the file's permissions to the account that needs it.
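The same key-and-CSR generation can be done in one non-interactive openssl call, and the CSR checked against the key before it is pasted into the CA's form. This is an added example, not the page's CA-alkaloid.pl script; the DN values, file names and temp directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate a 2048-bit RSA key plus CSR non-interactively, then
# confirm the CSR really carries the public key of that private key.
set -eu

WORK="${TMPDIR:-/tmp}/csr-demo.$$"     # constructed scratch directory
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/secure.domainname.com.key"
CSR="$WORK/secure.domainname.com.csr"

# -nodes writes the key without a passphrase, which replaces the separate
# "openssl rsa -in ... -out ..." step from the page. The DN mirrors the
# wiki's interactive session and is a placeholder, not a real deployment.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CSR" \
        -subj "/C=CA/ST=British Columbia/L=Kelowna/O=Alkaloid Networks/OU=Network Operations/CN=secure.domainname.com/emailAddress=support@domainname.com" \
        2>/dev/null
    chmod 600 "$KEY"   # unencrypted key: owner-only read access
}

# Prints "match" when the public key embedded in the CSR ($1) equals the one
# derived from the private key ($2), "mismatch" otherwise. The same comparison
# works for the returned .crt via "openssl x509 -in cert.crt -pubkey -noout".
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -pubkey -noout | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    if [ "$csr_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Prints the CN from the CSR subject (handles both "CN = x, ..." and "/CN=x/"
# output formats) so the hostname can be eyeballed before submission.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

make_csr
csr_matches_key "$CSR" "$KEY"
csr_cn "$CSR"
```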

Signing Request

So now you take the CSR part out of your .pem file and go to GoDaddy's website. You will find in there a field for you to paste in your certificate request. Paste your CSR into there and follow the forms. Once this request is completed, an email is sent to the administrative contact for the domain name that exists in the whois database. This is also the same contact email you will have used to get the original registrar information to bring the domain online. You will now have a .key file you made and a new .crt file from GoDaddy, which you will be emailed and asked to download after the verification process.

Apache Preparation

Next you will need to prepare an Apache vhost to host the site with the new cert. You should have something like this inside your vhost (note that the SSLCipherSuite line below dates from the SSLv2 era and admits export, LOW and eNULL ciphers; tighten it on any current deployment):

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /foobar/ssl/certs/secure.domainname.com.crt
SSLCertificateKeyFile /foobar/ssl/private/secure.domainname.com.key
SSLCertificateChainFile /foobar/ssl/certs/sf_issuing.crt

Making it easier

For our network we keep a script for making the new csr:

jsmith@certs:/ssl/CA> perl CA-alkaloid.pl -newreq
Generating a 2048 bit RSA private key
........................................................
..........................................+++
....+++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CA
State or Province Name (full name) [Georgia]:British Columbia
Locality Name (eg, city) [Atlanta]:Kelowna
Organization Name (eg, company) [Alkaloid Networks]:
Organizational Unit Name (eg, section) [Network Operations]:
Common Name (eg, YOUR name/FQDN) []:secure.domainname.com
Email Address []:support@domainname.com 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (LEAVE BLANK)
An optional company name []: 
Request (and private key) is in newreq.pem

If you're acting as your own CA, don't forget to sign the request.

jsmith@certs:/ssl/CA> perl CA-alkaloid.pl -signreq

This will sign the default request file newreq.pem in the current directory.