Configuring SSL for our servers

Hey guys, it’s Brad again. I’ve just recently configured SSL for edwards.sdsu.edu and its attached site, edwards.sdsu.edu/labsite. I’m going to post the process!

  1. Go to the conf folder for your Apache server. In our case it’s /etc/httpd/conf.
  2. Use OpenSSL to generate a server key: openssl genrsa -out server.key 1024 (If you add -des3 before the -out, it will prompt you for a key password. I’ve left it out for ease.)
  3. Generate a certificate request using OpenSSL and the key you’ve just generated: openssl req -new -key server.key -out server.csr
  4. You will get a bunch of questions to answer. Here’s the order of answers that I put in: Country Name: US, State or Province: California, City or Locality: San Diego, Organization Name: San Diego State University, Organizational Unit: Edwards Lab, Common Name: edwards.sdsu.edu, Server Admin’s email: (rob’s email).
  5. For the questions after that (the Challenge Password and everything else), DO NOT PUT ANYTHING. Just hit enter.
  6. Now, in your directory, you will have two files. server.key, and server.csr.
  7. Go to http://certs.ipsca.com/srvc/buy.asp
  8. Fill out all of the information, as Rob wants you to, and when you get to the point where it asks you to choose a server type and enter your CSR, we are using Apache MOD_SSL.
  9. For the CSR, just cat server.csr and copy-paste the entire text, dashes and all. What you should copy will look like this:
  10. -----BEGIN NEW CERTIFICATE REQUEST-----
    [... base64 body of the request ...]
    -----END NEW CERTIFICATE REQUEST-----
  11. Hit submit. Rob will get a bunch of emails re: your server request, and you get to sit around happily. This will take about a day.
  12. Once Rob forwards you the email, you will see at the bottom of the mail an attached .txt file. It will be named something like this: sitename.com_########_######.txt
  13. You can now delete server.csr if you want. DO NOT DELETE server.key; IT IS IMPORTANT.
  14. Download an intermediate certificate. This is used in conjunction with your real certificate to prove that it’s signed by ipsCA. For our apache servers, grab their IPS-IPSCABUNDLE.crt
  15. scp these up to the server. Log out if you are currently connected, and from your local terminal type: scp [filelocation] [username]@[server]:
  16. You can put as many file locations as you want before the [username]@[server]: THE COLON IS VERY IMPORTANT. IT WILL NOT WORK IF IT IS NOT [username]@[server]:
  17. You will be asked for your password, and the file will then be put into your account’s home directory. If you don’t have one, you need one. You COULD put a path after the colon, but if you don’t have a home directory it still fails, I think.
  18. Now that it’s on the server, log in, and rename that .txt to .crt! (mv xxxx.txt xxxx.crt).
  19. Put the three required files (server.key, IPS-IPSCABUNDLE.crt, server_XXXX.crt) wherever you want them to go. I have them just sitting around the httpd/conf folder, but you could, if you’re the organized type, have them in httpd/conf/keys or some such. Just put them somewhere you can find them.
  20. Open up your httpd.conf file.
  21. Here is the tricky part. For the pipe2 Apache configuration, we have a lot of virtual hosts. As it turns out, WE CANNOT CERTIFY VIRTUAL HOSTS. We can only certify a site that has its own IP address. So you cannot use SSL on a site that is listed as *:80.
  22. When you list your virtual hosts, here’s what edwards.sdsu.edu looks like now. Just do this for your site, and SSL will work when you request it server-side. (All of these server definitions lie in angle brackets, the ones that look like less-than and greater-than signs.)
  23. <VirtualHost xxx.xxx.xx.xxx:80>
    ServerAdmin (rob’s email here)
    DocumentRoot /var/www/html
    ServerAlias *.edwards.sdsu.edu
    ServerName edwards.sdsu.edu
    </VirtualHost>

    <VirtualHost xxx.xxx.xx.xxx:443>
    ServerAdmin (rob’s email here)
    DocumentRoot /var/www/html
    ServerAlias *.edwards.sdsu.edu
    ServerName edwards.sdsu.edu
    SSLEngine on
    SSLCertificateKeyFile /etc/httpd/conf/server.key
    SSLCertificateFile /etc/httpd/conf/edwards.sdsu.edu_20090715_200943.crt
    SSLCertificateChainFile /etc/httpd/conf/IPS-IPSCABUNDLE.crt
    </VirtualHost>

  24. As you can see, they are exact copies of one another but with different ports specified, and the :443 one has the four lines at the end, enabling SSL and pointing to the certificates and the key. What is inside the specification is not important; the port number and the SSL lines are. As long as the two are exact copies, with those four lines added, and the second specifies port 443 as the entry, then SSL will work.
  25. TA-DA!
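An added example (not from the original post) covering steps 2–5 and the checks worth running before the files from steps 13–19 go into httpd.conf: that server.csr really came from server.key, that the .crt the CA sent back matches that same server.key, and that the .crt verifies against the intermediate bundle. It assumes openssl is on PATH, and it generates a 2048-bit key rather than the 1024-bit key in step 2, since CAs and browsers no longer accept 1024-bit RSA.

```shell
#!/bin/sh
# Added example, not the post's own script. Wraps the key/CSR generation and
# the consistency checks between server.key, server.csr, the issued .crt and
# the intermediate bundle. Assumes openssl is on PATH.
set -eu

# make_csr KEYFILE CSRFILE HOSTNAME
# Same openssl commands as steps 2-3, but the step 4 answers are supplied with
# -subj so no prompts appear and the challenge password (step 5) stays empty.
make_csr() {
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl req -new -key "$1" -out "$2" \
        -subj "/C=US/ST=California/L=San Diego/O=San Diego State University/OU=Edwards Lab/CN=$3"
}

# csr_cn CSRFILE: print the Common Name the CA will put on the certificate
# (handles both the old "/CN=x" and the newer "CN = x" subject formats)
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_modulus KEYFILE: the RSA modulus, which key, CSR and cert all share
key_modulus() { openssl rsa -noout -modulus -in "$1"; }

# csr_matches_key CSRFILE KEYFILE: succeeds only if the CSR was made from this key
csr_matches_key() {
    [ "$(openssl req -noout -modulus -in "$1")" = "$(key_modulus "$2")" ]
}

# cert_matches_key CRTFILE KEYFILE: succeeds only if the CA-issued certificate
# belongs to the server.key you kept in step 13
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(key_modulus "$2")" ]
}

# chain_ok CRTFILE BUNDLEFILE: succeeds if the certificate verifies against the
# bundle named in SSLCertificateChainFile (the bundle must reach a root)
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage when run directly: ./check.sh server.key server.csr edwards.sdsu.edu
if [ "${1-}" ] && [ "${2-}" ] && [ "${3-}" ]; then
    make_csr "$1" "$2" "$3"
    csr_matches_key "$2" "$1" && echo "CSR for $(csr_cn "$2") matches $1"
fi
```

Once the signed .crt and IPS-IPSCABUNDLE.crt are on the server, run cert_matches_key and chain_ok against them before editing httpd.conf; a mismatch there is the usual cause of Apache refusing to start with the SSL lines added.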