Security Certificates

Security Certificate

This page describes how to setup a SSL Certificate for a clent. Before starting, you will need the following information:

The domain name for https - ie. https://www.client.com
company name (full name) - ie. Client, Inc.
Company address - The full address
Type of company, ie, public, private, etc....
Company DUNS number (optional)
The company's authorising contact peron (name, title, telephone and email address)
Credit card details (ie. name, cc number, cc exp)

Within the Openssl-0.9.3a directory are the tools needed to generate keys for a secure web server.

First, create a RSA private key for the Apache server. It will be will be Triple-DES encrypted and PEM formatted:
./apps/openssl genrsa -des3 -out server.key 1024
Please backup this server.key file and remember the pass-phrase you had to enter at a secure location.
You can see the details of this RSA private key via the command:
./apps/openssl rsa -noout -text -in server.key
Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):
./apps/openssl req -new -key server.key -out server.csr
You will be asked a series of short questions.
It is essential that you enter the domain name of the SSL server for the Common Name.
For example, for http://safe.mydomain.com you would enter safe.mydomain.com .
You can see the details of this CSR via the command:
./apps/openssl req -noout -text -in server.csr

The server.csr file that you created is the key that is to be sent over to Thawte.
Backup the two files: server.csr and server.key .

Thawte

This section describes how to send over the key, server.csr to Thawte.

Go to this section of Thawte's website. (opens new window)

Click on Reseller Home Page which appears on the left frame of the page.
Enter in the appropriate username and password.

Once you are in, click on Buy a Server Certificate.

You are then asked a few simple questions - make sure you choose the correct web server you intend the certificate to run on.

Also make sure that you enter in the exact domain name as you had specified when you created the server.csr file (above).

Cut and paste the server.csr file into the box - make sure you include the taglines before & after the code.

Configuring Apache for SSL

Once you have recieved the key from Thawte (this takes several days), save this to server.crt and in within in the same directory copy over the server.key (from above).

Getting the right Apache binary

In order to run Apache with SSL, you must have SSL compiled into Apache.
In /usr/ssl_binary is the directory in which you can take the binary httpd and script file apachectl.
The Apache binary, httpd comes pre-compiled with:

Apache/1.3.9 (Unix) mod_perl/1.21 mod_ssl/2.4.9 OpenSSL/0.9.4 configured

This page describes how to set Apache up for this.

Backup your current httpd and apachectl first!

Copy these files over to your site's bin directory and edit them, as described below:

It is advised that you add/replace these lines to the configuration section:

ROOT=/usr/apache/httpd-[site]
HTTPD="/usr/apache/httpd-[site]/bin/httpd -d $ROOT -DSSL"

In the httpd.conf file, point the following variables to the right locations for the .key and .crt certificates:


SSLCertificateKeyFile /usr/apache/httpd-[site]/conf/server.key # public key
SSLCertificateFile /usr/apache/httpd-[site]/conf/server.crt # key recieved from Thawte

Restart the server using /usr/apache/httpd-[site]/apachectl stop and then start

Afra Ahmad 1999