Coremanaged SSL: Difference between revisions

From Cheatsheet
Revision as of 01:09, 23 May 2010

Coremanaged SSL

To install an SSL certificate on a Coremanaged box you will need to do the following.
First you will need to create the RSA key using the commands below.
(Change the domain to the one you are working on in all instances of domain.com.)

CSR generation

      • If there are previous certificates and a key, move them aside so they are backed up (replace domain.com with the customer's domain).
ls /etc/pki/tls/certs/
ls /etc/pki/tls/private/

If you see the domain you are working with listed, do the following.

mv /etc/pki/tls/certs/domain.com.csr /etc/pki/tls/certs/domain.com.csr.old
mv /etc/pki/tls/certs/domain.com.crt /etc/pki/tls/certs/domain.com.crt.old
mv /etc/pki/tls/certs/domain.com.cabundle /etc/pki/tls/certs/domain.com.cabundle.old
mv /etc/pki/tls/private/domain.com.key /etc/pki/tls/private/domain.com.key.old

Now proceed.

cd /etc/pki/tls/private/
mv domain.com.key domain.com.key.old
openssl genrsa -out domain.com.key 2048
chmod 400 domain.com.key

Now for the CSR.

cd /etc/pki/tls/certs/
mv domain.com.csr domain.com.csr.old
openssl req -new -nodes -key /etc/pki/tls/private/domain.com.key -out domain.com.csr


You will now be asked to answer the following.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code):
State or Province Name (full name):
Locality Name (eg, city):
Organization Name (eg, company):
Organizational Unit Name (eg, section):
Common Name (eg, your name or your server's hostname):
Email Address:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password:
An optional company name:

After answering those questions, your certificate signing request will be in that directory as /etc/pki/tls/certs/domain.com.csr. cat it, then go to GlobalSign and purchase the cert.
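The key and CSR steps above, as an added example that is not part of the original cheatsheet: a POSIX shell script that performs the backup, key generation and CSR creation non-interactively (the Distinguished Name fields the prompt asks for are passed with -subj) and then checks what the page's steps leave unchecked: that the CSR's signature verifies, that its public key matches the private key, and that the key ended up mode 0400. The base directory is a parameter (the page uses /etc/pki/tls) so the script can be tried in a scratch directory; the function names and the domain example.test are assumptions.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. Assumes openssl is on PATH.
# BASE stands in for /etc/pki/tls so the script can run in a scratch directory.
set -e

# Move aside any existing csr/crt/cabundle/key for DOMAIN (the page's ".old"
# convention) instead of silently overwriting them.
backup_existing() {
    base="$1"; domain="$2"
    for f in "$base/certs/$domain.csr" "$base/certs/$domain.crt" \
             "$base/certs/$domain.cabundle" "$base/private/$domain.key"; do
        if [ -e "$f" ]; then mv "$f" "$f.old"; fi
    done
}

# Generate a 2048-bit RSA key and a CSR for DOMAIN without the interactive
# prompt; SUBJ carries the Distinguished Name fields, e.g. "/C=US/ST=.../CN=domain".
gen_key_and_csr() {
    base="$1"; domain="$2"; subj="$3"
    mkdir -p "$base/certs" "$base/private"
    backup_existing "$base" "$domain"
    # umask 077 in a subshell: the key is never world-readable, even briefly
    (umask 077; openssl genrsa -out "$base/private/$domain.key" 2048 2>/dev/null)
    chmod 400 "$base/private/$domain.key"
    openssl req -new -nodes -key "$base/private/$domain.key" \
        -subj "$subj" -out "$base/certs/$domain.csr" 2>/dev/null
}

# Checks the page leaves out: the CSR signature verifies and the CSR public
# key matches the private key (same modulus). Prints the CSR subject on success.
check_csr() {
    base="$1"; domain="$2"
    csr="$base/certs/$domain.csr"; key="$base/private/$domain.key"
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
    [ "$(openssl rsa -noout -modulus -in "$key")" = \
      "$(openssl req -noout -modulus -in "$csr")" ] || return 1
    openssl req -noout -subject -in "$csr"
}

# True when the key file has exactly the mode the page's chmod sets (0400).
key_is_private() {
    [ -n "$(find "$1" -perm 0400 -print)" ]
}

# Usage: sh gen_csr.sh BASE_DIR DOMAIN "/C=US/ST=Michigan/L=Lansing/O=Example/CN=DOMAIN"
if [ "$#" -eq 3 ]; then
    gen_key_and_csr "$1" "$2" "$3"
    check_csr "$1" "$2"
    key_is_private "$1/private/$2.key" && echo "key mode 0400 ok"
fi
```

Running it twice for the same domain exercises the backup path: the second run leaves domain.key.old and domain.csr.old behind and generates a fresh key, which is what the page's mv lines are for.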

SSL installation

Add the DNS record

cd /var/named/
vim domain.com.db

Below is a template DNS zone file you can use. Don't forget to name it "domain.com.db".

$TTL 300
domain.com.     86400   IN      SOA     ns1.domain.com.  template.liquidweb.com. (
                        2010052200      ;Serial Number
                        86400           ;refresh
                        7200            ;retry
                        3600000         ;expire
                        86400           ;minimum
                        )

domain.com.     300   IN      NS      ns1.domain.com.
domain.com.     300   IN      NS      ns2.domain.com.
domain.com.     300   IN      A       69.167.155.110
localhost       300   IN      A       127.0.0.1
domain.com.     300   IN      MX      10    domain.com.
mail            300   IN      CNAME   domain.com.
www             300   IN      CNAME   domain.com.
ftp             300   IN      A       IP here
ns1             300   IN      A       IP here
ns2             300   IN      A       IP here
host            300   IN      A       IP here
Then reload the zone:

rndc reload domain.com
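The zone file and reload steps above, as an added example that is not from the original page: a shell script that fills in the template for a given domain and IP (serial in YYYYMMDDnn form, RNAME hostmaster.domain instead of the page's template.liquidweb.com), then refuses to run rndc reload if a literal "IP here" placeholder survived, the serial is malformed, or named-checkzone (BIND's zone checker, used only when it is installed) rejects the zone. Function names and the zone directory parameter (the page uses /var/named) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. DIR stands in for /var/named
# so the script can be tried in a scratch directory; rndc is only called by reload_zone.
set -e

# Write DIR/DOMAIN.db from the page's template with DOMAIN and IP filled in.
# Serial is today's date plus a two-digit counter (assumed convention).
render_zone() {
    dir="$1"; domain="$2"; ip="$3"
    serial="$(date +%Y%m%d)00"
    cat > "$dir/$domain.db" <<EOF
\$TTL 300
$domain.     86400   IN      SOA     ns1.$domain.  hostmaster.$domain. (
                        $serial      ;Serial Number
                        86400           ;refresh
                        7200            ;retry
                        3600000         ;expire
                        86400           ;minimum
                        )

$domain.     300   IN      NS      ns1.$domain.
$domain.     300   IN      NS      ns2.$domain.
$domain.     300   IN      A       $ip
localhost       300   IN      A       127.0.0.1
$domain.     300   IN      MX      10    $domain.
mail            300   IN      CNAME   $domain.
www             300   IN      CNAME   $domain.
ftp             300   IN      A       $ip
ns1             300   IN      A       $ip
ns2             300   IN      A       $ip
host            300   IN      A       $ip
EOF
}

# Refuse a zone that still carries the template's "IP here" placeholder, has no
# 10-digit serial, or fails named-checkzone (when that tool is present).
check_zone() {
    dir="$1"; domain="$2"; f="$dir/$domain.db"
    if grep -q 'IP here' "$f"; then
        echo "template placeholder left in $f" >&2; return 1
    fi
    grep -Eq '^[[:space:]]+[0-9]{10}[[:space:]]*;Serial' "$f" \
        || { echo "serial in $f is not YYYYMMDDnn" >&2; return 1; }
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$domain" "$f" >/dev/null || return 1
    fi
    return 0
}

# Only a zone that passes the checks gets handed to rndc.
reload_zone() {
    check_zone "$1" "$2" && rndc reload "$2"
}

# Usage: sh zone.sh ZONE_DIR DOMAIN IP   (then: reload_zone ZONE_DIR DOMAIN)
if [ "$#" -eq 3 ]; then
    render_zone "$1" "$2" "$3"
    check_zone "$1" "$2" && echo "$2 zone ok, safe to rndc reload"
fi
```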

Add the vhost entry. The SSL vhosts file is usually located here:

vim /etc/httpd/conf.d/ssl_vhosts.conf

Then add the following, modifying it to use the paths and IP for your new SSL domain.

<VirtualHost (sites ip here):443>

        ServerName domain.com
        DocumentRoot /var/www/(username goes here)/www/
        UseCanonicalName Off

        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/domain.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/domain.com.key
        SSLCACertificateFile /etc/pki/tls/certs/domain.com.cabundle
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

</VirtualHost>

To complete the installation, run the following.

/etc/init.d/httpd restart

Then go to SSLtester.com and verify your work.
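The vhost and restart steps above, as an added example that is not part of the original cheatsheet: a shell script that renders the vhost block for a given IP, ServerName and DocumentRoot, and before restarting httpd checks the three files the vhost points at (certificate and key share a modulus, certificate chains to the CA bundle, certificate CN matches ServerName) and runs apachectl configtest when it is available. Function names are assumptions; the check function takes file paths as arguments so it can be tried against a throwaway test CA rather than the live /etc/pki/tls files.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. Assumes openssl is on PATH;
# apachectl and the httpd init script are only used if present.
set -e

# Render the page's vhost block for IP, NAME (ServerName) and DOCROOT into OUT.
render_vhost() {
    out="$1"; ip="$2"; name="$3"; docroot="$4"
    cat > "$out" <<EOF
<VirtualHost $ip:443>

        ServerName $name
        DocumentRoot $docroot
        UseCanonicalName Off

        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/$name.crt
        SSLCertificateKeyFile /etc/pki/tls/private/$name.key
        SSLCACertificateFile /etc/pki/tls/certs/$name.cabundle
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

</VirtualHost>
EOF
}

# Pre-restart checks on the three files the vhost references:
#  1. certificate and private key share a modulus (they belong together),
#  2. certificate chains to the CA bundle the vhost will serve,
#  3. certificate subject CN is the ServerName.
check_ssl_files() {
    crt="$1"; key="$2"; bundle="$3"; name="$4"
    [ "$(openssl x509 -noout -modulus -in "$crt")" = \
      "$(openssl rsa -noout -modulus -in "$key")" ] \
        || { echo "$crt does not match $key" >&2; return 1; }
    openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1 \
        || { echo "$crt does not chain to $bundle" >&2; return 1; }
    openssl x509 -noout -subject -in "$crt" | grep -q "CN *= *$name" \
        || { echo "$crt is not issued for $name" >&2; return 1; }
}

# Syntax-check the httpd configuration first, then restart as the page does.
restart_httpd() {
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest || return 1
    fi
    /etc/init.d/httpd restart
}

# Usage: sh ssl_vhost.sh CRT KEY CABUNDLE SERVERNAME
if [ "$#" -eq 4 ]; then
    check_ssl_files "$1" "$2" "$3" "$4" && echo "certificate files consistent"
fi
```

A restart that fails halfway through because the key does not belong to the certificate takes every site on the box down, so the modulus and chain checks are worth the two seconds before /etc/init.d/httpd restart.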