Coremanaged SSL: Difference between revisions
Latest revision as of 23:49, 23 October 2014

Coremanaged SSL

To install an SSL certificate on a Coremanaged box, follow the steps below.
First create the RSA private key with the commands in the next section.
(Replace domain.com with the domain you are working on wherever it appears.)

CSR generation

If there are previous certificates and a key for this domain, move them aside as backups first (replace domain.com with the customer's domain). Check for them with:
ls /etc/pki/tls/certs/
ls /etc/pki/tls/private/

If the domain you are working on is listed, run the following.

mv /etc/pki/tls/certs/domain.com.csr /etc/pki/tls/certs/domain.com.csr.old
mv /etc/pki/tls/certs/domain.com.crt /etc/pki/tls/certs/domain.com.crt.old
mv /etc/pki/tls/certs/domain.com.cabundle /etc/pki/tls/certs/domain.com.cabundle.old
mv /etc/pki/tls/private/domain.com.key /etc/pki/tls/private/domain.com.key.old

Now generate the new RSA key and restrict it to the owner only.

cd /etc/pki/tls/private/
openssl genrsa -out domain.com.key 2048
chmod 400 domain.com.key

Now generate the CSR from that key (the key lives in /etc/pki/tls/private/, so give its full path).

cd /etc/pki/tls/certs/
openssl req -new -nodes -key /etc/pki/tls/private/domain.com.key -out domain.com.csr

You will now be asked to answer the following.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code):
State or Province Name (full name):
Locality Name (eg, city):
Organization Name (eg, company):
Organizational Unit Name (eg, section):
Common Name (eg, your name or your server's hostname):
Email Address:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password:
An optional company name:

After answering those questions the certificate signing request (domain.com.csr) will be in that directory:
/etc/pki/tls/certs/
cat it and submit it to GlobalSign when purchasing the certificate.


SSL installation

Now to install the certificate, go to /etc/pki/tls/certs/ and create the following files.

cd /etc/pki/tls/certs/
touch domain.com.crt
touch domain.com.cabundle

Paste the signed certificate into domain.com.crt and the CA bundle into domain.com.cabundle.
The CA bundle is a single plain-text file holding the GlobalSign chain certificates in PEM form (each BEGIN CERTIFICATE / END CERTIFICATE block one after the other); use the bundle supplied with the certificate.


Proceed to next steps.

Add the ns record

cd /var/named/
vim domain.com.db

Below is a template DNS zone you can use. Don't forget to name the file "domain.com.db" and to replace every "IP here" placeholder with a real address.

$TTL 300
domain.com.     86400   IN      SOA     ns1.domain.com. template.liquidweb.com. (
                        2010052200  ;Serial Number
                        86400       ;refresh
                        7200        ;retry
                        3600000     ;expire
                        86400       ;minimum
                        )

domain.com.     300   IN      NS      ns1.domain.com.
domain.com.     300   IN      NS      ns2.domain.com.
domain.com.     300   IN      A       69.167.155.110
localhost       300   IN      A       127.0.0.1
domain.com.     300   IN      MX      10    domain.com.
mail            300   IN      CNAME   domain.com.
www             300   IN      CNAME   domain.com.
ftp             300   IN      A       IP here
ns1             300   IN      A       IP here
ns2             300   IN      A       IP here
host            300   IN      A       IP here

Then reload the zone so named picks up the change:

rndc reload domain.com

Add the vhost entry

The SSL vhost file is usually located here:

vim /etc/httpd/conf.d/ssl_vhosts.conf

Then add the following block and change the paths and IP address to those of the new SSL domain.

<VirtualHost (sites ip here):443>

        ServerName domain.com
        DocumentRoot /var/www/(username goes here)/www/
        UseCanonicalName Off

        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/domain.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/domain.com.key
        SSLCACertificateFile /etc/pki/tls/certs/domain.com.cabundle
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

</VirtualHost>

Complete the installation

Run the following.

/etc/init.d/httpd stop
/etc/init.d/httpd startssl

Then go to SSLshopper.com (http://www.sslshopper.com/ssl-checker.html) and verify your work.
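Before restarting httpd, the files produced in the CSR generation, SSL installation, DNS zone and vhost steps above can be checked locally. The script below is an added example, not part of the original page; it assumes OpenSSL is installed, the file layout used above (base/private/domain.key, base/certs/domain.csr, .crt and .cabundle), and that the zone and vhost file paths are passed in as arguments.

```shell
#!/bin/sh
# Post-install sanity check for the files this page creates (added example, not
# part of the original page). Assumes OpenSSL is installed and the file layout
# used above: $base/private/$domain.key and $base/certs/$domain.{csr,crt,cabundle}.

# Print the PEM public key held in a private key, CSR or certificate file.
pubkey_of() {
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$1"; then openssl req -in "$1" -noout -pubkey
    elif grep -q 'BEGIN CERTIFICATE' "$1"; then openssl x509 -in "$1" -noout -pubkey
    else openssl pkey -in "$1" -pubout
    fi 2>/dev/null
}

# Return 0 if both files carry the same public key (key vs CSR, or key vs cert).
same_pubkey() {
    a=$(pubkey_of "$1"); b=$(pubkey_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Return 0 if the certificate chains to the CA bundle that was pasted in.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Return 0 if a filled-in template no longer contains this page's placeholders.
no_placeholders_left() {
    ! grep -Eq 'IP here|ip here|username goes here' "$1"
}

# Run every check; args: domain base_dir zone_file vhost_file. Returns 0 only
# when all pass; each failure is reported on stderr so it can be fixed in place.
check_ssl_install() {
    domain=$1; base=$2; zone=$3; vhost=$4; rc=0
    key="$base/private/$domain.key"; csr="$base/certs/$domain.csr"
    crt="$base/certs/$domain.crt"; bundle="$base/certs/$domain.cabundle"
    # the page sets chmod 400 on the key; anything wider is a finding
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
    [ "$mode" = "400" ] || { echo "$key mode is '$mode', expected 400" >&2; rc=1; }
    # a CSR made from a different key would have produced a useless certificate
    [ ! -f "$csr" ] || same_pubkey "$key" "$csr" || { echo "CSR does not match $key" >&2; rc=1; }
    same_pubkey "$key" "$crt" || { echo "certificate does not match $key" >&2; rc=1; }
    chain_verifies "$crt" "$bundle" || { echo "$crt does not verify against $bundle" >&2; rc=1; }
    for f in "$zone" "$vhost"; do
        no_placeholders_left "$f" || { echo "template placeholder still present in $f" >&2; rc=1; }
    done
    return $rc
}
```

Run it as check_ssl_install domain.com /etc/pki/tls /var/named/domain.com.db /etc/httpd/conf.d/ssl_vhosts.conf; a zero exit means the key, CSR, certificate and bundle agree and no template placeholder was left behind.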