Here are some quick notes on how to order and install the free SSL certificates provided by VPS.NET on your server.
1. Create a self-signed certificate.
Install ssl-cert if it is not already installed
root@ns2:/tmp# aptitude install ssl-cert
NOTE: VPS.NET now requires 2048-bit certificates, so edit ssleay.cnf and change default_bits from 1024 to 2048.
root@ns2:/tmp# cat /usr/share/ssl-cert/ssleay.cnf
#
# SSLeay example configuration file.
#
RANDFILE = /dev/urandom
[ req ]
default_bits = 2048
Now create a self-signed certificate for your web server domain. It will prompt you for your server Host Name. For the example below it would be your web server domain. We use mydomain.com as an example throughout this guide.
root@ns1:/tmp# make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/mydomain.com.crt
After running this command you will end up with your private key and self-signed certificate in the same file: mydomain.com.crt. You must split this into two separate files using an editor.
/etc/ssl/private/mydomain.com.key // the part surrounded by -----BEGIN/END RSA PRIVATE KEY-----
/etc/ssl/private/mydomain.com.pem // the part surrounded by -----BEGIN/END CERTIFICATE-----
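The split can also be scripted instead of done by hand in an editor, which avoids copy-and-paste mistakes and keeps the key file owner-only from the moment it is created. This is an added example, not part of the original notes: split_pem is a hypothetical helper name and the sample input is constructed placeholder text, not a real key.

```shell
#!/bin/sh
# Added example: split the combined file written by make-ssl-cert into a
# key file and a certificate file. split_pem is a hypothetical helper name.

# split_pem COMBINED KEY_OUT CERT_OUT
# Returns non-zero if either PEM block is missing from COMBINED.
split_pem() {
    # The subshell keeps umask 077 local: the key file is created owner-only.
    ( umask 077
      awk '/^-----BEGIN (RSA )?PRIVATE KEY-----$/ { p = 1 }
           p { print }
           /^-----END (RSA )?PRIVATE KEY-----$/   { p = 0 }' "$1" > "$2" )
    chmod 600 "$2"   # also covers a key file that already existed
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/   { p = 0 }' "$1" > "$3"
    # Succeed only if both output files contain a complete block.
    grep -q '^-----END .*PRIVATE KEY-----$' "$2" &&
        grep -q '^-----END CERTIFICATE-----$' "$3"
}

# Constructed sample input: placeholder text, not a real key or certificate.
demo_dir=$(mktemp -d)
cat > "$demo_dir/mydomain.com.crt" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVA==
-----END CERTIFICATE-----
EOF

split_pem "$demo_dir/mydomain.com.crt" \
          "$demo_dir/mydomain.com.key" \
          "$demo_dir/mydomain.com.pem" && echo "split ok: $demo_dir"
```

On the server the three arguments would be the /etc/ssl/private/mydomain.com.crt, .key and .pem paths used in this guide.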
2. Create a Certificate Signing Request (CSR)
VPS.NET use Comodo as a trusted Certificate Authority (CA). You need to generate a certificate signing request (CSR) from the private key created in the previous step and send it to the VPS.NET help desk. They will in turn forward your request to the Comodo Certificate Authority.
Here is the example for the domain mydomain.com.
NOTE: The important thing is to use your domain name for the Common Name when prompted.
root@ns1:/tmp# openssl req -new -key /etc/ssl/private/mydomain.com.crt -out /etc/ssl/private/mydomain.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Florida
Locality Name (eg, city) []:Burlington
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Name
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:mydomain.com
Email Address []:admin@mydomain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:enter
An optional company name []:enter
3. Raise a VPS.NET Domain Name/SSL Support Ticket
The next step is to raise a “Domain Name/SSL Request” support ticket.

Make sure you include the following information in the Message part of the ticket and also append the contents of the /etc/ssl/private/mydomain.com.csr file you created.
* Your Name: - Joe Blogs
* Your Company: - mydomain.com
* Contact Email address: admin@mydomain.com
* Address 1: - 1 smith street
* Address 2: -
* Town: - BURLINGTON
* County/Province: - FLORIDA
* Postcode: - 12334
* Country: - US
ip address: 174.127.111.29
host: mydomain.com
Signing Request (CSR)
-----BEGIN CERTIFICATE REQUEST-----
MIIB+DCCAWECAQAwgYMxCzAJBgNVBAYTAkhLMQswCQYDVQQIEwJOVDESMBAGA1UE
BxMJSG9uZyBLb25nMRIwEAYDVQQKEwlwbHNnby5jb20xCzAJBgNVBAsTAklUMRIw
EAYDVQQDE..
...
...
-----END CERTIFICATE REQUEST-----
It only takes VPS.NET support an hour or so to order a certificate from Comodo. You will get a response like this from VPS.NET support.
I have created new SSL certificate for you.
You will be emailed when your certificate is available to download.
Certificate for: mydomain.com
Your order number is: 38383838
Please look out for a confirmation email to admin@mydomain.com
- you'll need to follow the instructions in the email to verify that the domain is yours.
Once you have followed the instructions in your confirmation mail,
you will be able to download your certificate by going to the retrieve certificate page
(https://ssl.uk2.net/cgi-bin/retrieve-certificate.pl)
and entering the hostname and order number above.
Thanks.
--
Best regards,
--
x smith
Support Engineer
After you get this response, go and check your email. Comodo will also have sent you a verification email. Ensure that you open and accept the link they send.
From: Comodo Security Services <docs@comodo.com>
Date: Sat, Nov 26, 2011 at 4:58 PM
Subject: ORDER #38383838 - Domain Control Validation for mydomain.com
To: "admin@mydomain.com" <admin@mydomain.com>
Domain Control Validation for mydomain.com
Dear admin@mydomain.com,
We have received a request to issue an SSL certificate for mydomain.com.
*** Please ignore this email if neither you nor a trusted colleague made this request for a certificate ***
Otherwise, please browse here and enter the following "validation code":
vCqBZKIkejje838jfj2ldlfe838j33jjd833O0a
Kind Regards,
Comodo Security Services on behalf of uk2.net

Finally go to (https://ssl.uk2.net/cgi-bin/retrieve-certificate.pl) and fill in the requested fields. You will then be able to download a zip file containing your certificates.


4. Install The Certificates On Your Server
FTP the zip file you downloaded to your server and then unzip the contents to a temporary directory on your server.
root@ns2:/tmp# ls
mydomain.com-certificate.zip
root@ns2:/tmp# unzip mydomain.com-certificate.zip
Archive: mydomain.com-certificate.zip
extracting: AddTrustExternalCARoot.crt
extracting: UTNAddTrustServerCA.crt
extracting: PositiveSSLCA.crt
extracting: mydomain_com.crt
Next copy in your original key and the mydomain_com.crt certificate you unzipped
root@ns2:/tmp# cp mydomain_com.crt /etc/ssl/localcerts/mydomain.com.pem
root@ns2:/tmp# cp /etc/ssl/private/mydomain.com.key /etc/ssl/localcerts/
You will also need to add the Comodo certificate chain bundle to your web server configuration. This file is created by combining the other certificates you were given in the zip file. There are some notes on Comodo support on how to make your certificate chain bundle, but here is the basic step. The bundle is written straight into /etc/ssl/localcerts, where the Apache configuration below expects it.
root@ns2:/tmp# cat PositiveSSLCA.crt UTNAddTrustServerCA.crt AddTrustExternalCARoot.crt > /etc/ssl/localcerts/mydomain.com.ca-bundle
Finally, we need to ensure our Apache web server configuration is set up correctly to point to the new certificates.
vi /etc/apache2/sites-available/mydomain.com
<VirtualHost *:443>
ServerName mydomain.com
....
....
SSLEngine on
SSLCertificateFile /etc/ssl/localcerts/mydomain.com.pem
SSLCertificateKeyFile /etc/ssl/localcerts/mydomain.com.key
SSLCertificateChainFile /etc/ssl/localcerts/mydomain.com.ca-bundle
</VirtualHost>
As a final step restart apache.
5. Check Your Certificate Installation
If your certificate install did not work, you will still be presented with an untrusted certificate warning when you browse to the secure address of your domain,
i.e. https://www.mydomain.com

If everything worked, you will no longer see any warning messages.
You can also verify the certificate information in your browser by right clicking the web page and selecting view page info.
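The installed files can also be checked from the shell, which catches the usual causes of a failed install (wrong key, incomplete chain bundle, loose key permissions) without relying on the browser. This is an added example, not part of the original notes: the function names are hypothetical, and it assumes an RSA key (as generated in step 1) and the openssl command-line tool.

```shell
#!/bin/sh
# Added example: sanity checks for the files installed in step 4.
# Function names are hypothetical; assumes an RSA key and the openssl CLI.

# cert_matches_key CERT KEY: true only if both carry the same RSA modulus.
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# chain_verifies CERT BUNDLE: true if CERT chains up to a CA in BUNDLE.
# The "OK" line is parsed so the result does not depend on the exit status.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# key_is_private KEY: true if group and other have no permission bits set.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# check_install CERT KEY BUNDLE: run all checks and report every failure.
check_install() {
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    chain_verifies "$1" "$3"   || { echo "FAIL: certificate does not verify against bundle"; rc=1; }
    key_is_private "$2"        || { echo "FAIL: key is readable by group or other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# With the paths used in this guide:
# check_install /etc/ssl/localcerts/mydomain.com.pem \
#               /etc/ssl/localcerts/mydomain.com.key \
#               /etc/ssl/localcerts/mydomain.com.ca-bundle
```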









