Friday, April 1, 2011
Setup and configure SSL / HTTPS with Verisign CA on Linux CENTOS [step by step tutorial]
If you need to install SSL certificates on your server web you have to follow this step by step tutorial about Verisign's certificate installation. (i get a 30 days trial cert to test it)
1) Install mod_ssl with command:
yum install mod_ssl
2) Create a directory in which we save our key files and move to it
mkdir /home/ssl/
cd /home/ssl/
3) Execute the follow command on a single line:
openssl x509 -req -days 365 -in www.domain_name.com.csr -signkey secure.domain_name.com.key -out www.domain_name.com.crt
4) Copy the key into .secure file.
cp www.domain_name.com.key www.domain_name.com.key.secure
5) Execute the command to generate the file
openssl rsa -in www.domain_name.com.secure -out www.domain_name.com.key
6) Type the following command to generate a private key that is file encrypted. You will be prompted for the password to access the file and also when starting your webserver. Warning: If you lose or forget the passphrase, you must purchase another certificate.
openssl genrsa -des3 -out www.domain_name.com.key 1024
7) You could also create a private key without file encryption if you do not want to enter the passphrase when starting your webserver:
openssl genrsa -out www.domain_name.com.key 1024
Note: i recommend that you name the private key using the domain name that you are purchasing the certificate for ie domainname.key
8) Type the following command to create a CSR with the RSA private key (output will be PEM format):
openssl req -new -key www.domain_name.com.key -out www.domain_name.com.csr
* Note: You will be prompted for your PEM passphrase if you included the "-des3" switch in step 6.
* 2nd Note: When creating a CSR you must follow these conventions. Enter the information to be displayed in the certificate. The following characters can not be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&
8) Put the output of cat command in a txt file.
cat www.domain_name.com.csr > mycert.txt
9) Copy source from that file mycert.txt and paste it into the Verisign's CSR form validation.
10) wait for the Versign's confirmation email with the browser cert file that will be send to you within 24 hours.
Once you received that email you'll have to download and install the Test Root CA Certificate into your browser. This is the procedure to follow:
11.1) Save the test root CA certificate from Verisign website on a file with .cer extension (ex. browser.cer) and install it into your browser.
11.2) Copy the intermediate CA certificate content from verisign website into a file called (intermediate.crt)
11.4) Copy the certificate that you received with the email in a file called (public.crt)
11.5) Copy the content of the bundle (two cert) into a file ca-cert.crt
-----BEGIN CERTIFICATE-----
MIIEVzCCAz+gAwIBAgIQFoFkpCjKEt+rEvGfsbk1VDANBgkqhkiG9w0BAQUFADCB
.....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
IEVzCCAz+gAwIBAgIQFoFkpCjKEt+rEvGfsbk1VDANBgkqhkiG9w0BAQUFADCB
......
-----END CERTIFICATE-----
11.6) Copy all .crt files (public.crt, intermediate.crt, ca-bundle.crt) into /etc/pki/tls/certs/ on your centos distribution.
11.7) Copy www.domain_name.com.key to /etc/pki/tls/private/ folder
11.8) Now you could check virtual host and insert these lines of code into your /etc/httpd/conf.d/ssl.conf file:
DocumentRoot /var/www/html/yourwebdir
ServerPath /var/www/html/yourwebdir
ServerName www.domain_name.com:443
ServerAlias *.domain_name.com:443
DirectoryIndex index.html index.php index.shtml
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/public.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.domain_name.com.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
12) Now restart apache /etc/init.d/httpd restart
If everything goes [OK] you could check your https and ssl at your web address: https://www.domain_name.com
Good luck!
1) Install mod_ssl with command:
yum install mod_ssl
2) Create a directory in which we save our key files and move to it
mkdir /home/ssl/
cd /home/ssl/
3) Execute the follow command on a single line:
openssl x509 -req -days 365 -in www.domain_name.com.csr -signkey secure.domain_name.com.key -out www.domain_name.com.crt
4) Copy the key into .secure file.
cp www.domain_name.com.key www.domain_name.com.key.secure
5) Execute the command to generate the file
openssl rsa -in www.domain_name.com.secure -out www.domain_name.com.key
6) Type the following command to generate a private key that is file encrypted. You will be prompted for the password to access the file and also when starting your webserver. Warning: If you lose or forget the passphrase, you must purchase another certificate.
openssl genrsa -des3 -out www.domain_name.com.key 1024
7) You could also create a private key without file encryption if you do not want to enter the passphrase when starting your webserver:
openssl genrsa -out www.domain_name.com.key 1024
Note: i recommend that you name the private key using the domain name that you are purchasing the certificate for ie domainname.key
8) Type the following command to create a CSR with the RSA private key (output will be PEM format):
openssl req -new -key www.domain_name.com.key -out www.domain_name.com.csr
* Note: You will be prompted for your PEM passphrase if you included the "-des3" switch in step 6.
* 2nd Note: When creating a CSR you must follow these conventions. Enter the information to be displayed in the certificate. The following characters can not be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&
8) Put the output of cat command in a txt file.
cat www.domain_name.com.csr > mycert.txt
9) Copy source from that file mycert.txt and paste it into the Verisign's CSR form validation.
10) wait for the Versign's confirmation email with the browser cert file that will be send to you within 24 hours.
Once you received that email you'll have to download and install the Test Root CA Certificate into your browser. This is the procedure to follow:
11.1) Save the test root CA certificate from Verisign website on a file with .cer extension (ex. browser.cer) and install it into your browser.
11.2) Copy the intermediate CA certificate content from verisign website into a file called (intermediate.crt)
11.4) Copy the certificate that you received with the email in a file called (public.crt)
11.5) Copy the content of the bundle (two cert) into a file ca-cert.crt
-----BEGIN CERTIFICATE-----
MIIEVzCCAz+gAwIBAgIQFoFkpCjKEt+rEvGfsbk1VDANBgkqhkiG9w0BAQUFADCB
.....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
IEVzCCAz+gAwIBAgIQFoFkpCjKEt+rEvGfsbk1VDANBgkqhkiG9w0BAQUFADCB
......
-----END CERTIFICATE-----
11.6) Copy all .crt files (public.crt, intermediate.crt, ca-bundle.crt) into /etc/pki/tls/certs/ on your centos distribution.
11.7) Copy www.domain_name.com.key to /etc/pki/tls/private/ folder
11.8) Now you could check virtual host and insert these lines of code into your /etc/httpd/conf.d/ssl.conf file:
DocumentRoot /var/www/html/yourwebdir
ServerPath /var/www/html/yourwebdir
ServerName www.domain_name.com:443
ServerAlias *.domain_name.com:443
DirectoryIndex index.html index.php index.shtml
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/public.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.domain_name.com.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
12) Now restart apache /etc/init.d/httpd restart
If everything goes [OK] you could check your https and ssl at your web address: https://www.domain_name.com
Good luck!
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment