This article is about SSL server certificates to be used for Virtual Host in production. The following paragraphs describe how to generate a keypair, create a certificate signing request or a self signed certificate and install the certificate issued by the authority. You should already have basic knowledge of SSL certificates.
You do not need an official server certificate to test your server with SSL enabled. Airlock contains a (self-signed) test certificate which is available for each Virtual Host. The only disadvantage is that the browser will display a warning.
You should have the following things ready before creating a key and requesting a certificate:
Create an openssl config file openssl.conf with the following command:
# ssh root@airlock
# cat > /opt/airlock/custom-settings/openssl.conf << EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (eg, CH)
countryName_default = Country
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name
commonName = Common Name (eg, FQDN)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
EOF
Add the option -config /opt/airlock/custom-settings/openssl.conf to your openssl call if you want to use this customized openssl.conf, e.g.:
# openssl req -config /opt/airlock/custom-settings/openssl.conf -new -days 365 -key host.key -out host.csr
Let's now start by generating a private and a public key. The public key can be derived from the private key, but recovering the private key from the public key is computationally infeasible (it would amount to a brute-force search). The private key is security sensitive and must be kept secret. That's why it is normally encrypted with a passphrase (a password long and secure enough for such a critical piece of information).
2048 bits should be a safe key length for the next few years. Choose your passphrase wisely, as no one will be able to recover the private key without it (with -des3 the key file is Triple-DES encrypted):
# ssh root@airlock
# cd /tmp
# openssl genrsa -des3 -out host.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
...................................................................+++
e is 65537 (0x10001)
Enter pass phrase: ********
Verifying - Enter pass phrase: ********
If you do not need a passphrase-protected key, omit the option -des3 in the command above.
You should now have a passphrase-protected private key in the file host.key. This key is PEM-encoded and can be copied as text from the command line to your PC.
Make a safe backup of the key file. If you did not encrypt it with a strong password, you have to protect the key with another mechanism.
Before buying an official certificate from a Certificate Authority (CA) like Verisign, Entrust, Thawte etc., you have to create a Certificate Signing Request (CSR). Call the CSR command as shown below. It will ask you for the private key passphrase. After that, you must provide the details for your certificate (do not enter extra attributes at the prompt).
# openssl req -new -key host.key -out host.csr
Enter pass phrase for host.key: ********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [Country]:CH
State or Province Name (full name) [Some-State]:ZH
Locality Name (eg, city) []:Zuerich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myCompany AG
Organizational Unit Name (eg, section) []:Internet
Common Name (FQDN) []:www.mycompany.ch
Email Address []:admin@mycompany.ch
Now send the contents of the file host.csr to the certificate authority. If you have any questions, ask your certificate authority first. If they want to know what type of web server you have, tell them it's an Apache with mod_ssl.
Are you afraid of wasting money by providing the wrong data? Why not test with a free 30 day fully functional trial certificate? These are offered for example by RapidSSL.
When creating a CSR, you must follow some conventions. The following characters must not be used: < > ~ ! @ # $ % ^ * / \ ( ) ? . , & (the '@' and '.' characters are allowed for the email address).
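The character rule above is easy to get wrong when the DN values are typed at the prompt. The following helper is an added example, not part of the article or of Airlock: it applies the rule exactly as stated (every listed character is rejected, with '@' and '.' permitted only in the email address). Note that, taken literally, the rule also rejects the dots in an FQDN, so the helper is intended for the free-text fields such as organization, unit and locality; the field names and sample values are constructed.

```shell
#!/bin/sh
# Added example: check DN field values against the CSR character rules.
# Forbidden everywhere:            < > ~ ! @ # $ % ^ * / \ ( ) ? . , &
# Additionally allowed in the email address: @ and .

# dn_field_ok FIELD VALUE  -> exit status 0 if VALUE contains no forbidden character
dn_field_ok() {
  case "$1" in
    emailAddress) forbidden='<>~!#$%^*/\\()?,&' ;;
    *)            forbidden='<>~!@#$%^*/\\()?.,&' ;;
  esac
  # tr -d strips every forbidden character; the value is clean only if nothing was removed.
  cleaned=$(printf '%s' "$2" | tr -d "$forbidden")
  [ "$cleaned" = "$2" ]
}

# check_dn FIELD=VALUE ...  -> reports every offending field on stderr, returns 1 if any fail
check_dn() {
  rc=0
  for pair in "$@"; do
    name=${pair%%=*}
    value=${pair#*=}
    if ! dn_field_ok "$name" "$value"; then
      printf 'field %s contains a forbidden character: %s\n' "$name" "$value" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample values: the first set passes, the second set fails on two fields.
check_dn 'organizationName=myCompany AG' 'organizationalUnitName=Internet' \
         'localityName=Zuerich' 'emailAddress=admin@mycompany.ch' && echo 'DN values OK'
check_dn 'organizationName=myCompany & Co.' 'localityName=Zuerich (ZH)' \
         'organizationalUnitName=Internet' || echo 'fix the reported fields before creating the CSR'
```

Run the check on the values you intend to enter before starting openssl req; a rejected CSR from the CA costs far more time than the check does.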
If you want to create your own self-signed certificate, use the following command:
# openssl req -new -key host.key -out host.cert -x509 -days 365
Enter pass phrase for host.key: ********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [Country]:CH
State or Province Name (full name) [Some-State]:ZH
Locality Name (eg, city) []:Zuerich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myCompany AG
Organizational Unit Name (eg, section) []:Internet
Common Name (FQDN) []:www.mycompany.ch
Email Address []:admin@mycompany.ch
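The three interactive steps above (key, CSR, self-signed certificate) can be scripted, which also makes it possible to verify that the CSR you send to the CA and the certificate you install really belong to the key on the host. The script below is an added example, not part of the article or of Airlock: it uses the same openssl subcommands and DN values as above, replaces the prompts with -subj and -batch, and supplies the passphrase via -passin/-passout so it never appears on the command line. The working directory, the passphrase and the reduced openssl.conf are constructed for the example; on a real host keep the passphrase out of files and use the custom-settings path from the article.

```shell
#!/bin/sh
# Added example (not from the article): generate the key, the CSR and a self-signed
# certificate non-interactively, then check that all three carry the same public key.
# Everything under WORKDIR, the passphrase and the DN values are constructed test data.
set -eu

WORKDIR=${WORKDIR:-$(mktemp -d)}
CONF="$WORKDIR/openssl.conf"     # stand-in for /opt/airlock/custom-settings/openssl.conf
PASSFILE="$WORKDIR/passphrase"   # constructed; for tests only, never on a production host
KEY="$WORKDIR/host.key"
CSR="$WORKDIR/host.csr"
CERT="$WORKDIR/host.cert"
# The same DN values the interactive prompts above were answered with.
SUBJ='/C=CH/ST=ZH/L=Zuerich/O=myCompany AG/OU=Internet/CN=www.mycompany.ch/emailAddress=admin@mycompany.ch'

# Minimal req config: the [req] section plus the distinguished_name section it points to,
# as in the article's openssl.conf (prompt texts are irrelevant because -subj is used).
write_config() {
  cat > "$CONF" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (eg, CH)
commonName = Common Name (eg, FQDN)
EOF
}

# 2048-bit RSA key, Triple-DES encrypted with the passphrase read from PASSFILE.
# The subshell limits umask 077 to this step, so host.key is created owner-readable only.
gen_key() {
  (
    umask 077
    printf '%s\n' 'constructed-test-passphrase' > "$PASSFILE"
    openssl genrsa -des3 -passout "file:$PASSFILE" -out "$KEY" 2048 2>/dev/null
  )
}

# CSR for the CA; -batch and -subj replace the interactive prompts.
gen_csr() {
  openssl req -config "$CONF" -new -batch -subj "$SUBJ" \
    -key "$KEY" -passin "file:$PASSFILE" -out "$CSR"
}

# Self-signed certificate (the -x509 variant above), valid for 365 days.
gen_selfsigned() {
  openssl req -config "$CONF" -new -batch -x509 -days 365 -subj "$SUBJ" \
    -key "$KEY" -passin "file:$PASSFILE" -out "$CERT"
}

# SHA-256 fingerprint of a public key: PEM on stdin, DER-encoded, hashed.
pubkey_fp()  { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }
fp_of_key()  { openssl pkey -in "$KEY" -passin "file:$PASSFILE" -pubout | pubkey_fp; }
fp_of_csr()  { openssl req  -in "$CSR"  -noout -pubkey | pubkey_fp; }
fp_of_cert() { openssl x509 -in "$CERT" -noout -pubkey | pubkey_fp; }

# A CSR is self-signed with the requested key; -verify checks that signature.
verify_csr() { openssl req -in "$CSR" -noout -verify >/dev/null 2>&1; }

# Common Name as the CA will see it; RFC2253 output is stable across openssl versions.
csr_cn() {
  openssl req -in "$CSR" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Full run: succeeds only if key, CSR and certificate all carry the same public key.
run_all() {
  write_config; gen_key; gen_csr; gen_selfsigned
  k=$(fp_of_key); c=$(fp_of_csr); x=$(fp_of_cert)
  printf 'key  %s\ncsr  %s\ncert %s\nCN   %s\n' "$k" "$c" "$x" "$(csr_cn)"
  verify_csr && [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

run_all
```

The fingerprint comparison is the check worth keeping around: run fp_of_key against the certificate the CA returns before installing it, and a mix-up between several keys or CSRs shows up as a mismatch instead of a TLS handshake failure on the Virtual Host.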
As soon as you receive the certificate from your CA, you have everything you need to configure your Virtual Host on the admin interface of Airlock. Open your Virtual Host and open the section SSL server certificate. If these settings still contain the test certificate, press the Clear SSL settings button. Now fill in the values as follows:
Click OK to save your settings.
After activating your configuration, it is recommended to test it with both Internet Explorer and Firefox. Click on your browser's lock symbol and check the certificate data and verification messages.