02-17-2011, 05:46 PM #1 Aspiring Evangelist
Wildcard SSL certificate request, installation and virtualhost configuration
This tutorial will show how to create an SSL wildcard certificate for Apache, how to install it and how to use it on multiple sites on the same physical server using SSL virtualhosts. In this tutorial I will request and install an AlphaSSL certificate for the website www.file1.info. I used parts of the instructions found on AlphaSSL.com, although I found out these are not entirely correct. This tutorial is probably not for beginners.
Generating the request for the certificate
After ordering a wildcard certificate you are asked to provide a certificate signing request (CSR). This takes two steps: first create a private key, then create the CSR from that key. The private key stays on the server and is never sent to anyone, the CA included; the CSR, which contains only the public key and the requested subject, is what you paste into the order form on the website where you bought the certificate.
All fields in the certificate signing request can be left at their defaults, or changed as you like, except the common name. Set this to *.file1.info so we get a wildcard certificate. Be aware of what such a wildcard covers: exactly one label to the left of the dot, so www.file1.info and mail.file1.info match, but file1.info itself and a.b.file1.info do not. Many CAs add the bare domain (file1.info) to a wildcard certificate as an extra name; check that your order does, otherwise the "ServerAlias file1.info" used later in this tutorial will produce a certificate warning in browsers.
Although AlphaSSL has a tutorial where they create a 1024 bit key, only 2048 bit keys are accepted. Also, the order of the openssl commands is wrong on the AlphaSSL website.
The private key can be protected with a password, but this is not required. A password can always be removed from a private key later (even after the certificate is installed and in use).
If the private key has a password, it has to be entered every time Apache is (re)started, or a program has to be written that feeds it to Apache automatically; see the Apache docs on SSLPassPhraseDialog for details. Keep in mind that the password only protects the key file at rest: once Apache has loaded the key, it is in memory in the clear.
Remember, enter the correct common name with an asterisk: *.file1.info
Creating the private key. Choose a password, write it down and don't forget it!
Code:
$ openssl genrsa -out file1.info.key -des3 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase for file1.info.key:
Verifying - Enter pass phrase for file1.info.key:
Remember to use *.file1.info for wildcard certificates! The values you entered cannot be changed after you receive the certificate, but other than the common name they don't really matter.
Code:
$ openssl req -out file1.info.csr -new -key file1.info.key
Enter pass phrase for file1.info.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.file1.info
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Optional: remove a password from the private key file
If you used a password on the private key, you have to enter it every time Apache (re)starts. Although this adds some safety, it can be irritating. You can remove it with the following command:
Code:
openssl rsa -in file1.info.key -out file1.info.key.nopass
The unencrypted file must be readable by root only (chmod 600). Remember that one key now serves every hostname under *.file1.info: whoever can read this file can impersonate all of them, not just one site.
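The key and CSR steps above in one script, as an added example that is not from the original post: it runs openssl non-interactively (the subject is given with -subj instead of answering the prompts) and then performs the checks worth doing before the CSR goes to the CA, including a check of which hostnames the wildcard actually covers. The working directory, the C= and O= fields and the throw-away self-signed certificate used for the coverage check are assumptions; only the common name *.file1.info comes from the post, and a real deployment uses the certificate the CA returns.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive key + CSR
# generation for a wildcard certificate, with pre-submission checks.
# WORKDIR, the C=/O= fields and the self-signed test certificate are
# assumptions for illustration; only the CN (*.file1.info) comes from the post.
set -eu

DOMAIN="file1.info"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/$DOMAIN.key"
CSR="$WORKDIR/$DOMAIN.csr"

# Steps 1 and 2 of the post: 2048-bit RSA key, then a CSR whose CN is the
# wildcard. No passphrase here (add -des3 to genrsa, as in the post, if you
# want one); the key file is made readable by its owner only right away.
make_wildcard_csr() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=NL/O=Example Hosting/CN=*.$DOMAIN" 2>/dev/null
}

# Checks before uploading the CSR:
#  1. the CSR's own signature verifies (file not corrupted),
#  2. the CN really is the wildcard (a typo here cannot be fixed by the CA),
#  3. the CSR belongs to this key (identical RSA modulus).
check_csr() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$CSR" -noout -subject | grep -q "CN *= *\*\.$DOMAIN" || return 1
    key_mod=$(openssl rsa -in "$KEY" -noout -modulus)
    csr_mod=$(openssl req -in "$CSR" -noout -modulus)
    [ "$key_mod" = "$csr_mod" ]
}

# Which hostnames *.file1.info covers. OpenSSL applies the same single-label
# wildcard rule browsers use. A throw-away self-signed certificate made from
# the CSR (assumed, for the test only) has the same subject as the one the CA
# will issue, so the answers are the same. Returns 0 if HOST is covered.
hostname_covered() {
    host="$1"
    crt="$WORKDIR/selfsigned-test.crt"
    [ -f "$crt" ] || openssl x509 -req -in "$CSR" -signkey "$KEY" -days 1 \
        -out "$crt" >/dev/null 2>&1
    openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q "does match"
}

# Stand-alone run ("sh script.sh run"): generate, check, show coverage.
if [ "${1:-}" = "run" ]; then
    make_wildcard_csr
    check_csr && echo "CSR OK: $CSR"
    for h in "www.$DOMAIN" "mail.$DOMAIN" "$DOMAIN" "a.b.$DOMAIN"; do
        if hostname_covered "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
    done
fi
```

Run it with the argument run. The coverage loop is the part worth looking at: www.file1.info and mail.file1.info are covered, file1.info and a.b.file1.info are not, which is why the bare domain has to be added by the CA as a separate name if you want to serve it from the same virtualhost.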
Although I try to keep this tutorial as generic as possible, not every SSL certificate comes with a root and an intermediate certificate. If your SSL provider has an intermediate certificate and a root certificate, you can create an authority file containing them. Apache expects the chain in order from the certificate that signed yours upwards, so the intermediate comes first; the root can be appended, but clients already have it in their trust store and do not need it from the server:
Code:
-----BEGIN CERTIFICATE-----
AlphaSSL intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
GlobalSign Root CA Certificate
-----END CERTIFICATE-----
Copy the three files to the server. The paths below are the ones used in the virtualhost configuration later on: file1.info.private.key is the key from the first step (or the .nopass version if you removed the password), file1.info.crt is the certificate you received from the CA, and file1.info.ca-bundle is the authority file above. The key goes in a directory that is readable by root only.
Code:
/etc/ssl/private/file1.info.private.key
/etc/ssl/certs/file1.info.crt
/etc/ssl/certs/file1.info.ca-bundle
Configuring the SSL virtualhosts
This is the hardest part, and some people think it's impossible. The reason is that Apache (or rather SSL itself, without the SNI extension) cannot choose between multiple SSL certificates on a single IP address: the hostname (e.g. file1.info or mail.file1.info) is not sent by the client when the initial SSL connection is set up, so Apache has to present a certificate before it has seen the Host: header and does not know which virtualhost the request is for. Newer clients and Apache builds (2.2.12 or later, built against an OpenSSL with TLS extension support) do send the hostname using Server Name Indication, but you cannot rely on every client doing so. Without SNI, Apache presents the certificate of the first virtualhost defined for that IP and port.
This is not a problem with wildcard SSL certificates because all hostnames/domains use the same SSL certificate, so it does not matter which virtualhost's certificate gets presented. The flip side is that one private key now serves every site on the server: a compromise of any one of those sites, or of the key file, affects all of them.
To support this configuration add "NameVirtualHost *:443" to the file /etc/apache2/ports.conf, so it looks like this. You can ignore the comment in the configuration file saying that what we're about to do is impossible; it only holds when every virtualhost needs a different certificate. (On Apache 2.4 the NameVirtualHost directive is no longer needed and only produces a warning; name-based matching is always on there.)
Code:
<IfModule mod_ssl.c>
    # SSL name based virtual hosts are not yet supported, therefore no
    # NameVirtualHost statement here
    NameVirtualHost *:443
    Listen 443
</IfModule>
Then define an SSL virtualhost for each site, all of them pointing at the same three files. ServerName takes a single hostname; a wildcard there is not matched against incoming requests (ServerAlias is where wildcards are allowed), so name the virtualhost after its real hostname. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated: put the intermediate certificate after the server certificate in the file named by SSLCertificateFile instead.
Code:
<VirtualHost *:443>
    DocumentRoot /var/www/file1
    ServerName file1.info
    ServerAlias www.file1.info
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
    Options -Indexes
    SSLEngine on
    SSLCertificateKeyFile /etc/ssl/private/file1.info.private.key
    SSLCertificateFile /etc/ssl/certs/file1.info.crt
    SSLCertificateChainFile /etc/ssl/certs/file1.info.ca-bundle
</VirtualHost>
On an Apache build without SNI support, the following warning is logged at startup. It can be ignored here, since every virtualhost on *:443 uses the same certificate. SNI-capable builds log a different message instead, saying that name-based SSL virtual hosts only work for clients with TLS server name indication support; with a wildcard certificate that does not matter either.
Code:
Init: You should not use name-based virtual hosts in conjunction with SSL!!
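As an added example that is not from the original post, here is the multi-site layout the tutorial describes but shows only one half of: two SSL virtualhosts on the same IP and port sharing the wildcard key, certificate and chain file. The second site, mail.file1.info, its DocumentRoot and the per-site log file names are assumed for illustration.

```apache
# Added example, not part of the original post. Both virtualhosts use the
# same wildcard key and certificate. The first one is also what non-SNI
# clients get, since Apache presents the first virtualhost on *:443 to them.
<VirtualHost *:443>
    ServerName file1.info
    ServerAlias www.file1.info
    DocumentRoot /var/www/file1
    SSLEngine on
    SSLCertificateKeyFile   /etc/ssl/private/file1.info.private.key
    SSLCertificateFile      /etc/ssl/certs/file1.info.crt
    SSLCertificateChainFile /etc/ssl/certs/file1.info.ca-bundle
    ErrorLog  /var/log/apache2/file1-error.log
    CustomLog /var/log/apache2/file1-access.log combined
</VirtualHost>

# Second site (hostname and DocumentRoot assumed): same certificate, no
# wildcard ServerAlias, so it does not shadow virtualhosts defined after it.
<VirtualHost *:443>
    ServerName mail.file1.info
    DocumentRoot /var/www/mail
    SSLEngine on
    SSLCertificateKeyFile   /etc/ssl/private/file1.info.private.key
    SSLCertificateFile      /etc/ssl/certs/file1.info.crt
    SSLCertificateChainFile /etc/ssl/certs/file1.info.ca-bundle
    ErrorLog  /var/log/apache2/mail-error.log
    CustomLog /var/log/apache2/mail-access.log combined
</VirtualHost>
```

After restarting Apache, check from another machine with "openssl s_client -connect <server-ip>:443 -servername mail.file1.info" that the certificate returned has the subject *.file1.info and that the chain verifies; repeat without -servername to see what clients without SNI receive (the same certificate, which is the whole point of the wildcard).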