Here we already subscribe to DigiCert. You can choose any SSL certificate provider, such as www.verisign.com, www.godaddy.com, etc.
There are wildcard certs and standard certs; I will discuss this later. In this case we are using a wildcard cert, where the certificate name starts with *.contoso.com.
A) SSL Certificate CSR Creation
ref : http://www.digicert.com/csr-creation.htm
Before you can order your SSL Certificates, you must first generate a CSR (Certificate Signing Request) on your server:
Distinguished Name (DN) fields:
- The Country (C) is a two-letter code; for the United States it's 'US'. For countries outside the United States, see DigiCert's listing of SSL Certificate Country Codes.
- State (S) and Locality (L) are full names, e.g. 'California', 'Los Angeles'.
- The Organization Name (O) is your full legal company or personal name, as legally registered in your locality.
- The Organizational Unit (OU) is whichever branch of your company is ordering the certificate, such as accounting, marketing, etc. (left blank here)
- The Common Name (CN) is the Fully Qualified Domain Name (FQDN) for which you are requesting the SSL certificate; here it is *.contoso.com.my.
- Email and password: left blank here.
B) OpenSSL CSR Creation for Apache SSL
1. Log in to your server via your terminal client (ssh).
At the prompt, type:
# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
where server is the name of your server.
You will get 2 files:
1. server.csr - this is what you paste into DigiCert
2. server.key - this stays on the server. Put this file at the same path as stated in /usr/local/etc/apache22/extra/httpd-ssl.conf (open it with ee and search for: SSLCertificateKeyFile "/usr/local/etc/apache22/path/server.key")
C) Reissue Action
- applicable if we use a wildcard registration
1. Get duplicate
- Enter Your CSR
- paste the contents of server.csr (from the step before)
- Select Your Server Software
- e.g. Apache, Microsoft IIS, etc.
- Note
- the purpose of the server, as a note
- Click the Process button
- proceed through the steps
2. Then wait to download the files, or you can receive them through an email notification. You will get a zip file containing:
star_contoso_com_my.crt
DigiCertCA.crt
INSTALL_INSTRUCTIONS.txt
Point the httpd-ssl.conf directives at these files (the key file is the server.key generated earlier; rename it or adjust the path so SSLCertificateKeyFile points to it):
SSLCertificateFile /your/path/to/star_contoso_com_my.crt
SSLCertificateKeyFile /your/path/to/star_contoso_com_my.key
SSLCertificateChainFile /your/path/to/DigiCertCA.crt
3. Check the Apache configuration
# apachectl configtest
4. Check httpd.conf
# ee /usr/local/etc/apache22/httpd.conf
and uncomment the Include line under "# Secure (SSL/TLS) connections":
Include etc/apache22/extra/httpd-ssl.conf
5. Stop & start Apache
# /usr/local/etc/rc.d/apache22 stop
# /usr/local/etc/rc.d/apache22 start
6. Now you should be able to access your CAS server at
https://servername/login
Done.
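The whole procedure from section B and section C, steps 2-3, as an added shell example (not from the original post or from DigiCert): it generates the wildcard CSR non-interactively, verifies it, and then runs the two checks worth doing before pointing httpd-ssl.conf at the returned files: the certificate must match server.key, and it must chain to DigiCertCA.crt. It assumes openssl is on PATH; the subject values, the work directory and the throwaway CA are constructed for the demo and stand in for the files DigiCert sends back.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the wildcard CSR from
# section B non-interactively, verifies it, and then runs the checks you want
# before pointing httpd-ssl.conf at the returned files (section C, steps 2-3):
# the certificate must match server.key and must chain to DigiCertCA.crt.
# Assumptions: openssl is on PATH; the subject values, the work directory and
# the throwaway CA below are constructed for the demo, not DigiCert's.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Same command as the post ("openssl req -new -newkey rsa:2048 -nodes"),
# with -subj supplying the Distinguished Name instead of the interactive prompts.
make_csr() {
    cn="$1"   # the wildcard FQDN, e.g. '*.contoso.com.my'
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
        -subj "/C=MY/ST=Selangor/L=Cyberjaya/O=Contoso Sdn Bhd/CN=$cn" 2>/dev/null
    # server.key never leaves this host; only its owner needs to read it.
    chmod 600 "$WORKDIR/server.key"
}

# True when server.key is readable by its owner only (mode 0600).
key_is_private() {
    [ "$(ls -l "$WORKDIR/server.key" | cut -c1-10)" = "-rw-------" ]
}

# Verify the CSR's self-signature and print the subject that DigiCert will see.
csr_subject() {
    openssl req -noout -verify -in "$WORKDIR/server.csr" >/dev/null 2>&1 || return 1
    openssl req -noout -subject -in "$WORKDIR/server.csr"
}

# Constructed stand-in for the CA. In production star_contoso_com_my.crt and
# DigiCertCA.crt arrive in DigiCert's zip; here a throwaway CA signs the CSR so
# the checks below can run offline with the same file names.
make_test_ca_and_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/DigiCertCA.crt" \
        -subj "/O=Constructed Test CA/CN=Constructed Test CA" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/DigiCertCA.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -out "$WORKDIR/star_contoso_com_my.crt" 2>/dev/null
}

# The certificate is only usable with the key that signed the CSR: compare the
# public key inside the cert with the one derived from server.key.
cert_matches_key() {
    key_pub=$(openssl pkey -in "$WORKDIR/server.key" -pubout 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$WORKDIR/star_contoso_com_my.crt" -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# The leaf must validate against the file you will set as SSLCertificateChainFile;
# an incomplete chain is not something "apachectl configtest" reports.
cert_chains_to_ca() {
    openssl verify -CAfile "$WORKDIR/DigiCertCA.crt" "$WORKDIR/star_contoso_com_my.crt" >/dev/null 2>&1
}

# Directives for /usr/local/etc/apache22/extra/httpd-ssl.conf with real paths filled in.
ssl_directives() {
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\nSSLCertificateChainFile %s\n' \
        "$WORKDIR/star_contoso_com_my.crt" "$WORKDIR/server.key" "$WORKDIR/DigiCertCA.crt"
}

make_csr '*.contoso.com.my'
csr_subject
make_test_ca_and_cert
cert_matches_key || { echo "certificate does not match server.key" >&2; exit 1; }
cert_chains_to_ca || { echo "certificate does not chain to DigiCertCA.crt" >&2; exit 1; }
ssl_directives
```

Run it as-is to see the subject line and the three directives; to use it for real, drop make_test_ca_and_cert, copy the files from DigiCert's zip into WORKDIR under the same names, and keep the two checks before editing httpd-ssl.conf.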