Setting up HTTPS (SSL) Service with a Certificate

Users of the Budget, Standard, Advanced and Corporate packages can make their domains accessible via https:// by installing an SSL certificate under ~/ssl/. This guide applies to SSL certificates purchased from a commercial certificate authority (such as Thawte or GoDaddy) as well as to self-signed certificates.

The alternative, free method (Let's Encrypt) is covered under: Setting up SSL/HTTPS with LetsEncrypt. Note: This guide does not apply to users of Let's Encrypt.

Generating an RSA private key

First, generate an RSA private key in ~/ssl/key. The contents of this newly created file must remain private.

  $ mkdir -m 0700 ~/ssl
  $ cd ~/ssl
  $ openssl genrsa -out key 2048

The Certificate Signing Request (CSR)

The following command generates a standard X.509 Certificate Signing Request ("CSR"), which can be submitted to a certification authority or signed by yourself. The protocol requires that the Common Name ("CN") match your Server Name setting (configurable from the Parameters section of the Control Panel, or with conf set name in csoftadm).

  $ openssl req -new -key key -out csr
  Using configuration from /etc/ssl/openssl.cnf
  You are about to be asked to enter information that will be incorporated into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code): (your country code)
  State or Province Name (full name): (state / province)
  Organization Name (eg, company): (company name)
  Organizational Unit Name (eg, section): (hit enter)
  Common Name (eg, YOUR name): example.com
  Email Address: webmaster@example.com
  Please enter the following 'extra' attributes to be sent with your certificate request
  A challenge password: (hit enter)
  An optional company name: (hit enter)

Certificate signature

At this point, you might wish to submit your CSR to a certification authority, such as Thawte or GoDaddy, for signing. Alternatively, you can produce a self-signed certificate with the command:

  $ openssl x509 -req -days 365 -in csr -signkey key -out cert

The -days argument refers to the validity period. In this example, the certificate would expire one year from now.

Enabling HTTPS service

Once the files cert, key (and optionally pp if a passphrase is set) are placed in the ~/ssl/ directory, you can enable HTTPS service from csoftadm. If you are using the Control Panel, the option is located in Preferences. Alternatively, you can use the conf set ssl command in the Shell Interface.

Troubleshooting

It will take up to 30 minutes for the new certificate to be included in the web server configuration. If there is a problem with the SSL certificate, an error message will show up in /var/log/users/yourname and the file cert will be renamed to cert.rej.

Before your vhost is included in the SSL httpd configuration file, csoftadm performs a few verifications on the certificate and key. You can check the certificate and key manually using the following commands:

  # For RSA keys:
  $ openssl rsa -in key
  
  # For DSA keys:
  $ openssl dsa -in key
  
  # For keys which require a passphrase:
  $ openssl dsa -in key -passin file:pp
  
  # To read an X.509 certificate fingerprint:
  $ openssl x509 -in cert -fingerprint

The following command may be used to read the CN (Common Name) of the certificate. This value must match your main domain name exactly; a mismatch between the CN and the main domain is a common cause of failure.

  # To read an X.509 certificate subject field:
  $ openssl x509 -in cert -subject

Tip: For the more adventurous, here is a little script that will read off lots of data, like above, on both a cert and a key. -nekhbet@
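In the same spirit, here is an added POSIX sh example (not the page's or nekhbet@'s script, and not part of csoftadm) that runs the checks above in one go: it reads the CN and compares it with the expected Server Name, confirms the private key actually belongs to the certificate by comparing the public key embedded in cert with the one derived from key (honouring a pp passphrase file if present), and verifies the certificate has not expired. It assumes the openssl command-line tool and the ~/ssl/ layout of cert, key and optional pp described on this page.

```shell
#!/bin/sh
# Added example, not part of csoftadm: pre-flight checks on an ~/ssl/ style
# directory holding cert, key and (optionally) pp, using only the openssl CLI.

# Print the subject CN of a PEM certificate (empty if absent or unreadable).
# RFC2253 formatting yields a version-independent "CN=value" token.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed if the private key in $2 corresponds to the certificate in $1.
# The SubjectPublicKeyInfo embedded in the certificate must equal the public
# half derived from the key; this works for RSA and DSA keys alike and uses
# a passphrase file named pp next to the key, as csoftadm expects.
key_matches_cert() {
  passopt=""
  if [ -f "$(dirname "$2")/pp" ]; then
    passopt="-passin file:$(dirname "$2")/pp"
  fi
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout $passopt 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Succeed if the certificate's notAfter date has not passed yet.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run every check on directory $1 against Server Name $2; print "ok" or the
# first problem found, much like the reason logged when cert becomes cert.rej.
check_ssl_dir() {
  dir=$1; name=$2
  cn=$(cert_cn "$dir/cert")
  if [ "$cn" != "$name" ]; then
    echo "cert: CN '$cn' does not match Server Name '$name'"; return 1
  fi
  if ! key_matches_cert "$dir/cert" "$dir/key"; then
    echo "key: does not correspond to cert (or pp is wrong)"; return 1
  fi
  if ! cert_not_expired "$dir/cert"; then
    echo "cert: already expired"; return 1
  fi
  echo ok
}
```

Run it as check_ssl_dir ~/ssl example.com before enabling HTTPS; a non-zero exit status and the printed reason tell you which of the three checks would trip csoftadm.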
© 2024 CubeSoft Communications
All Rights Reserved.