SSL-self-signed-certificate-creation-and-config

From Wiki at Neela Nurseries

SSL Certificates For Websites - Generation and Maintenance
Notes of Ted Havelka
updated 2017-09-25 MON




Overview

This article at Neela Nurseries Wiki covers self-signed and Let's Encrypt based SSL certificates for web sites.



First Efforts

- 2017-07-20 Thursday -

Ted's first find: on-line instructions on setting up SSL and configuring the Apache2 web server to use it:


Copy of the summary of steps from the on-line instructions above:

"
Here's what we're going to do, in order:

  1. Make sure Apache has SSL enabled.
  2. Generate a certificate signing request (CSR).
  3. Generate a self-signed certificate.
  4. Copy the certificate and keys we've generated.
  5. Tell Apache about the certificate.
  6. Modify the VirtualHosts to use the certificate.
  7. Restart Apache and test.

"


Note From SSL Config On Generic Server


STEP 1


ted@localhost:~$ sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
ted@localhost:~$


STEP 2


ted@localhost:~$ # https://www.linux.com/learn/creating-self-signed-ssl-certificates-apache-linux
ted@localhost:~$ # STEP 2
ted@localhost:~$ sudo openssl req -new > new.ssl.csr
Generating a 1024 bit RSA private key
...........++++++
.................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Portland
Organization Name (eg, company) [Internet Widgits Pty Ltd]:General Industry
Organizational Unit Name (eg, section) []:Web and CMS
Common Name (eg, YOUR name) []:Ted Havelka
Email Address []:ted@general-industry.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
ted@localhost:~$


Checking for new files . . .


ted@localhost:~$ ls -lt
total 60
-rw-r--r-- 1 ted  ted    720 2017-07-20 12:22 new.ssl.csr
-rw-r--r-- 1 root root   963 2017-07-20 12:22 privkey.pem
drwxr-xr-x 2 ted  ted   4096 2017-05-05 15:08 archive
   .
   .
   .


STEP 3


ted@localhost:~$ sudo openssl rsa -in privkey.pem -out new.cert.key
Enter pass phrase for privkey.pem:
writing RSA key
ted@localhost:~$

ted@localhost:~$ sudo openssl x509 -in new.ssl.csr -out new.cert.cert -req -signkey new.cert.key -days 365
Signature ok
subject=/C=US/ST=Oregon/L=Portland/O=General Industry/OU=Alta/CN=Ted Havelka/emailAddress=ted@general-industry.com
Getting Private key

ted@localhost:~$ sudo cp new.cert.cert /etc/ssl/certs/server-localhost.crt
[sudo] password for ted:
ted@localhost:~$ sudo cp new.cert.key /etc/ssl/private/server-localhost.key


Checking permissions of newly created private key file:


ted@localhost:/etc/ssl$ sudo su
# id
uid=0(root) gid=0(root) groups=0(root)
# cd private/
# ls -l
total 8
-rw-r--r-- 1 root root      887 2017-07-20 14:15 server-localhost.key
-rw-r----- 1 root ssl-cert 1679 2011-05-10 08:24 ssl-cert-snakeoil.key
# exit
exit
ted@localhost:/etc/ssl$ ls -l /etc/ssl/certs/server-localhost.crt
-rw-r--r-- 1 root root 993 2017-07-20 14:14 /etc/ssl/certs/server-localhost.crt
ted@localhost:/etc/ssl$
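The STEP 2 and STEP 3 procedure above, redone as an added example that is not part of Ted's notes: a POSIX sh script that generates the key and self-signed certificate non-interactively and then checks what the transcript above leaves unchecked, namely that the private key is not world-readable (the listing above shows it created 0644), that the key is at least 2048 bits, and that the certificate actually matches the key. The host name www.example.test, the subject fields and the scratch directory are assumptions.

```shell
# Added example, not from the wiki page: the STEP 2 / STEP 3 procedure above, done
# non-interactively with a 2048-bit key and a private key created mode 0600 (the
# transcript above leaves a 0644 key in /etc/ssl/private). Host name and dir are assumptions.
set -eu
# make_selfsigned DIR CN DAYS: writes DIR/server.key, DIR/server.csr and DIR/server.crt
make_selfsigned() {
    dir=$1 cn=$2 days=$3; mkdir -p "$dir"
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.ext"  # browsers match SAN, not CN
    (
        umask 077   # key file is born owner-readable only: no chmod race afterwards
        # -nodes: no passphrase, so Apache can start unattended; this replaces the
        # separate "openssl rsa -in privkey.pem -out new.cert.key" step on the page.
        openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
            -out "$dir/server.csr" \
            -subj "/C=US/ST=Oregon/L=Portland/O=General Industry/CN=$cn" 2>/dev/null
        openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
            -days "$days" -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
    )
}
# key_mode FILE: permission bits in octal, e.g. 600 (GNU stat, then BSD stat)
key_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
# key_bits KEY: RSA modulus size reported by openssl, e.g. 2048
key_bits() { openssl rsa -noout -text -in "$1" 2>/dev/null | sed -n 's/.*(\([0-9]*\) bit.*/\1/p'; }
# cert_matches_key CRT KEY: succeeds when the certificate carries KEY's public key
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}
# cert_has_san CRT NAME: succeeds when NAME is listed as a DNS subjectAltName
cert_has_san() { openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"; }
# cert_valid_for_days CRT DAYS: succeeds when the certificate does not expire within DAYS
cert_valid_for_days() { openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; }

# check_install CRT KEY NAME: what to verify before pointing Apache at the two files
check_install() {
    [ "$(key_mode "$2")" = 600 ]    || { echo "FAIL: $2 is mode $(key_mode "$2"), want 600"; return 1; }
    [ "$(key_bits "$2")" -ge 2048 ] || { echo "FAIL: key is only $(key_bits "$2") bits"; return 1; }
    cert_matches_key "$1" "$2"      || { echo "FAIL: certificate and key do not match"; return 1; }
    cert_has_san "$1" "$3"          || { echo "FAIL: no subjectAltName for $3"; return 1; }
    cert_valid_for_days "$1" 30     || { echo "FAIL: certificate expires within 30 days"; return 1; }
    echo "OK: $1 and $2 are ready for Apache"
}
# Run the whole procedure in a scratch directory, then clean up.
main() {
    d=${TMPDIR:-/tmp}/selfsigned-demo.$$
    make_selfsigned "$d" www.example.test 365
    check_install "$d/server.crt" "$d/server.key" www.example.test
    rm -rf "$d"
}
main
```

Copy server.key into /etc/ssl/private and server.crt into /etc/ssl/certs only after check_install prints OK; the key keeps its 0600 mode across cp when run as root.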



Certificate Authorities and CertBot

Ted's notes here on the certbot software. As of late September 2017 Ted wants to find a way to install certbot manually, outside of a Linux-type package manager. It looks like certbot itself is a Python script, so perhaps no compilation is required on systems where the Python interpreter and supporting libraries are already installed . . .

Some initial URLs on day-to-day, end-user use of certbot:


Invoking certbot to obtain a certificate for one sub-domain:


- 2017-09-25 MON -

Ted is researching how to install the certbot software from source, and is as yet unsure whether this utility and its related tools need to be compiled or are written in a scripting language. While looking into maintaining SSL certificates, he came across mention of chain certificate files:



REFERENCES


