How to install an SSL certificate manually

From ISPWiki

Installing an SSL certificate

To install an SSL certificate you need:

  • The certificate file and the certificate chain from a Certification Authority (they are sent to the email address of the certificate's owner);
  • The certificate key. The key is generated before the certificate is ordered; the CSR is created from this key;
  • Root access to the server.

Certificate chain for different types of certificates

The Certification Authority sends an email containing several files. Use them to build the certificate chain; which files make up the chain depends on the certificate type.

Comodo Essential SSL certificates

The Certification Authority sends the following files:

  • AddTrustExternalCARoot.crt
  • ComodoUTNSGCCA.crt
  • EssentialSSLCA_2.crt
  • domainname.crt
  • UTNAddTrustSGCCA.crt

domainname.crt is the certificate.

The other files are used to create the chain:

cat EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > yourDomain.ca-bundle

Comodo PositiveSSL SSL certificates

The Certification Authority sends the following files:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • domainname.crt

domainname.crt is the certificate.

The other files are used to create the chain:

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > yourDomain.ca-bundle

Apache

If Apache handles SSL requests, the certificate is installed in the Apache configuration file. Run the following command to check which service listens on port 443 (SSL):

  • Linux:
# netstat -napt | grep 443
tcp        0      0 188.120.233.16:443      0.0.0.0:*               LISTEN      731/apache2
  • FreeBSD:
# sockstat |grep 443
root      httpd      83299 19 tcp4   188.120.225.20:443    *:*  


Open the Apache configuration file: on FreeBSD /usr/local/etc/apache22/httpd.conf, on Debian /etc/apache2/apache2.conf, on CentOS /etc/httpd/conf/httpd.conf. Locate the VirtualHost of your domain.

The <VirtualHost> blocks are sometimes kept in separate files in the web server's configuration directory.

Add a <VirtualHost> block for the SSL connection. For example:

<VirtualHost 10.0.0.1:443>
  DocumentRoot /home/user/data/www/domain.com
  ServerName domain.com
  SSLEngine on
  SSLCertificateFile /path/to/domain.crt
  SSLCertificateKeyFile /path/to/domain.key
  # CA chain sent to clients (the ca-bundle built above).
  # SSLCACertificateFile is for client-certificate verification, not the server chain.
  SSLCertificateChainFile /path/to/ca.crt
</VirtualHost>

where

  • domain.com — the domain name;
  • 10.0.0.1 — the IP address assigned to this domain;
  • /home/user/data/www/domain.com — path to the domain's home directory;
  • /path/to/domain.crt — the certificate file;
  • /path/to/domain.key — the certificate's private key file;
  • /path/to/ca.crt — the CA chain file (intermediate and root certificates, i.e. the ca-bundle created above). On Apache 2.4.8 and later SSLCertificateChainFile is deprecated; append the chain to the certificate file instead, as described for Nginx below.

Restart Apache with apachectl restart or apache2ctl restart.

Nginx

If Nginx handles SSL requests, the certificate is installed in the Nginx configuration file.

Open the Nginx configuration file: on FreeBSD /usr/local/etc/nginx/nginx.conf, on Linux /etc/nginx/nginx.conf.

Add a server block for the SSL connection. For example:

server {
    # "ssl on;" is deprecated since nginx 1.15.0; enable SSL on the listen directive instead
    listen 10.0.0.1:443 ssl;
    server_name domain.com;
    ssl_certificate      /path/to/domain.crt;
    ssl_certificate_key  /path/to/domain.key;
}

where

  • domain.com — the domain name;
  • 10.0.0.1 — the IP address assigned to this domain;
  • /path/to/domain.crt — the certificate file;
  • /path/to/domain.key — the certificate's private key file.

For Nginx the certificate chain is appended to the certificate file itself.

Take Comodo PositiveSSL as an example. The Certification Authority sends the files domain.crt, PositiveSSLCA2 and AddTrustExternalCARoot. The chain consists of PositiveSSLCA2 + AddTrustExternalCARoot, so domain.crt must contain the domain's certificate followed by PositiveSSLCA2 and then AddTrustExternalCARoot.

Restart Nginx:

  • FreeBSD:
/usr/local/etc/rc.d/nginx restart
  • Linux:
/etc/init.d/nginx restart

Multiple SSL certificates assigned to one IP address

If several SSL certificates are assigned to one IP address, the browser is presented with the default server certificate regardless of the server name it requested. This follows from how the SSL protocol works: the SSL connection is established before the client sends its HTTP request, so the web server does not yet know which server name was requested and can only use a default certificate.

To serve multiple HTTPS sites on one IP address you can use the Server Name Indication extension of the TLS protocol (SNI, RFC 6066), by which the client indicates the hostname it is connecting to at the start of the handshake. Most modern browsers support SNI; the OpenSSL library the web server is built against must support it as well. OpenSSL 0.9.8f and later supports SNI.

Useful Openssl commands

  • Create the SSL certificate key:
openssl req -batch -noout -new -newkey rsa:2048 -nodes -keyout cert.key
  • Generate a CSR from the key:
openssl req -new -key cert.key -out cert.csr
  • Remove the key password:
openssl rsa -in cert.key -out cert.key
  • View the CSR:
openssl req -noout -text -in cert.csr
  • View certificate information (which Certification Authority issued it, etc.):
openssl x509 -noout -text -in cert.crt
  • Check that the key corresponds to the certificate:
openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl rsa -noout -modulus -in cert.key | openssl md5

Both values must match.

  • Key length of the request, in bits:
echo '(' `openssl req -noout -modulus -in cert.csr | cut -d'=' -f2 | wc -c` '-1)*4' | bc
  • Check the HTTPS result (connect to the server and show the certificate it presents):
openssl s_client -host ulanovka.ru -port 443
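The chain building from the Apache and Nginx sections and the key/certificate modulus check from the list above, combined into one runnable script. This is an added example, not part of the ISPWiki page: it creates a throwaway root -> intermediate -> domain test PKI (constructed stand-in for the files a Certification Authority sends; the file names root.crt, ica.crt and domain.crt are assumptions), concatenates the bundle in the order the server must present it, checks the key against the certificate, and verifies that the bundle starts with the domain certificate and chains to the root, so a misordered or incomplete bundle fails. Requires the openssl command-line tool.

```shell
# build_bundle OUT CERT...: concatenate in the order the server must send
# them: the domain certificate first, then the intermediate CA(s), then root.
build_bundle() {
    out=$1; shift
    cat "$@" > "$out"
}

# key_matches_cert CERT KEY: the page's modulus comparison as a function.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    k=$(openssl rsa -noout -modulus -in "$2" | openssl md5)
    [ "$c" = "$k" ]
}
fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null; }

# verify_bundle BUNDLE CERT ROOT: the first certificate in BUNDLE must be CERT
# and must chain to ROOT through the certificates that follow it in the file.
verify_bundle() {
    tmp=$(mktemp -d); rc=1
    awk '/BEGIN CERT/{n++} n==1' "$1" > "$tmp/leaf.pem"
    awk '/BEGIN CERT/{n++} n>1'  "$1" > "$tmp/rest.pem"
    cat "$3" >> "$tmp/rest.pem"      # root as extra untrusted input is harmless
    if [ "$(fingerprint "$tmp/leaf.pem")" = "$(fingerprint "$2")" ] &&
       openssl verify -CAfile "$3" -untrusted "$tmp/rest.pem" \
           "$tmp/leaf.pem" >/dev/null 2>&1; then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# make_demo_chain DIR: constructed throwaway PKI (root -> intermediate ->
# domain) standing in for the files a Certification Authority would send.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root ica domain; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n.example.invalid" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/ica.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
        -out "$d/ica.crt" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/domain.csr" -CA "$d/ica.crt" \
        -CAkey "$d/ica.key" -CAcreateserial -out "$d/domain.crt" 2>/dev/null
}
```

Typical use: make_demo_chain "$dir"; build_bundle "$dir/bundle.pem" "$dir/domain.crt" "$dir/ica.crt" "$dir/root.crt"; then verify_bundle "$dir/bundle.pem" "$dir/domain.crt" "$dir/root.crt" returns 0 only for a correctly ordered, complete bundle.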

Generating a CSR for Microsoft IIS

  • Click Start - Administrative Tools - Internet Information Services (IIS) Manager.
  • Click the server name.
  • In the IIS section open Server Certificates.

File:crt1.png

  • In Actions select Create Certificate Request. The CSR Creation Wizard will open.

File:crt2.png

  • Enter the required information.

File:crt3.png

Click Next.

  • Do not change anything in the form that opens; click Next.
  • Enter the name of your CSR file.

File:crt4.png

  • Open the file in a text editor and send the CSR to the Certification Authority, including the BEGIN and END lines.

Installing an SSL certificate on Microsoft IIS

  • Click Start - Administrative Tools - Internet Information Services (IIS) Manager.
  • Click the server name.
  • In the IIS section open Server Certificates.

File:crt1.png

  • In Actions select Complete Certificate Request. The Wizard will open.

File:crt5.png

  • Upload the certificate you received from the Certification Authority and enter the certificate name (the administrator may need it).

File:crt6.png

  • Click OK. The certificate will be installed on the server.
  • To bind the certificate to a specific site, go to the Sites section and select the site for which the certificate was ordered. In the Actions pane on the right click Bindings. The Site Bindings window will open.

File:crt7.png

  • In the Site Bindings window click Add... The Add Site Binding window will open.

File:crt8.png

  • In Type select https. In IP address select the site's IP address or All Unassigned. Port: 443. In SSL Certificate select your certificate.

File:crt9.png

Click Ok.

  • You have successfully installed your SSL certificate.

File:crt10.png
