SSL-self-signed-certificate-creation-and-config
SSL Certificates For Websites - Generation and Maintenance
Notes of Ted Havelka
updated 2017-09-25 MON
Overview
This article at Neela Nurseries Wiki covers self-signed and Let's Encrypt based SSL certificates for web sites: how to generate them, how to install them for Apache, and how to keep them current.
First Efforts
- 2017-07-20 Thursday -
Ted's first find: instructions on setting up SSL and configuring the Apache2 web server to serve over HTTPS, at https://www.linux.com/learn/creating-self-signed-ssl-certificates-apache-linux (the same article noted in the STEP 2 transcript below).
Copy of the summary of steps from those online instructions:
"
Here's what we're going to do, in order:
- Make sure Apache has SSL enabled.
- Generate a certificate signing request (CSR).
- Generate a self-signed certificate.
- Copy the certificate and keys we've generated.
- Tell Apache about the certificate.
- Modify the VirtualHosts to use the certificate.
- Restart Apache and test.
"
Notes From SSL Configuration On a Generic Server
STEP 1
ted@localhost:~$ sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
ted@localhost:~$
STEP 2
ted@localhost:~$ # https://www.linux.com/learn/creating-self-signed-ssl-certificates-apache-linux
ted@localhost:~$ # STEP 2
ted@localhost:~$ sudo openssl req -new > new.ssl.csr
Generating a 1024 bit RSA private key
...........++++++
.................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Portland
Organization Name (eg, company) [Internet Widgits Pty Ltd]:General Industry
Organizational Unit Name (eg, section) []:Web and CMS
Common Name (eg, YOUR name) []:Ted Havelka
Email Address []:ted@general-industry.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
ted@localhost:~$

Two things in this transcript are worth noting before reusing it. The 1024-bit key is the default of the old OpenSSL on this host; current OpenSSL defaults to 2048 bits, and browsers reject 1024-bit RSA server keys, so pass a size explicitly (for example openssl req -new -newkey rsa:2048). And for a server certificate the Common Name should be the site's hostname, not a person's name; the prompt's "YOUR name" hint dates from client certificates, and a browser will not accept a certificate whose name does not match the host it connects to.
Checking for new files . . .
ted@localhost:~$ ls -lt
total 60
-rw-r--r-- 1 ted  ted   720 2017-07-20 12:22 new.ssl.csr
-rw-r--r-- 1 root root  963 2017-07-20 12:22 privkey.pem
drwxr-xr-x 2 ted  ted  4096 2017-05-05 15:08 archive
. . .
STEP 3
The first command strips the pass phrase from the private key so Apache can start unattended; from this point on only file permissions protect the key. The second command self-signs the CSR with that key for one year.

ted@localhost:~$ sudo openssl rsa -in privkey.pem -out new.cert.key
Enter pass phrase for privkey.pem:
writing RSA key
ted@localhost:~$
ted@localhost:~$ sudo openssl x509 -in new.ssl.csr -out new.cert.cert -req -signkey new.cert.key -days 365
Signature ok
subject=/C=US/ST=Oregon/L=Portland/O=General Industry/OU=Alta/CN=Ted Havelka/emailAddress=ted@general-industry.com
Getting Private key
ted@localhost:~$ sudo cp new.cert.cert /etc/ssl/certs/server-localhost.crt
[sudo] password for ted:
ted@localhost:~$ sudo cp new.cert.key /etc/ssl/private/server-localhost.key
Checking the permissions of the newly created private key file:

ted@localhost:/etc/ssl$ sudo su
# id
uid=0(root) gid=0(root) groups=0(root)
# cd private/
# ls -l
total 8
-rw-r--r-- 1 root root      887 2017-07-20 14:15 server-localhost.key
-rw-r----- 1 root ssl-cert 1679 2011-05-10 08:24 ssl-cert-snakeoil.key
# exit
exit
ted@localhost:/etc/ssl$ ls -l /etc/ssl/certs/server-localhost.crt
-rw-r--r-- 1 root root 993 2017-07-20 14:14 /etc/ssl/certs/server-localhost.crt
ted@localhost:/etc/ssl$

The copied key kept the 0644 mode it had in the home directory, so every local user can read the now unencrypted private key. Compare the Debian snakeoil key beside it, which is 0640 and group ssl-cert. Tighten it to match (sudo chmod 640 /etc/ssl/private/server-localhost.key; sudo chgrp ssl-cert /etc/ssl/private/server-localhost.key), or to 0600, since Apache reads the key as root at startup before dropping privileges. The certificate in /etc/ssl/certs is public and can stay world-readable.
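The three steps above, redone as one script with current OpenSSL defaults and with the checks a practitioner would run before installing the result. This is an added example, not code from Ted's notes or from the linux.com article; it assumes OpenSSL 1.0.2 or newer on PATH, and the hostname www.example.test, the output directory and the 365-day lifetime are placeholders. It puts the hostname in CN and in a subjectAltName, generates a 2048-bit key that is never world-readable, confirms the certificate matches the key, and prints the Apache directives for the "tell Apache about the certificate" step.

```shell
#!/bin/sh
# Added example, not part of the original notes: self-signed server certificate
# with current OpenSSL defaults, plus pre-install checks.
# Assumptions: OpenSSL 1.0.2+ on PATH; hostnames, paths and lifetimes below are
# placeholders chosen for this example.
set -u

# Create <dir>/<host>.key (RSA, 2048 bits by default, mode 0600) and <dir>/<host>.crt.
# CN is the site's hostname and the same name goes into subjectAltName, which is
# what clients actually match; a person's name in CN cannot work for a web site.
make_selfsigned_cert() {
    host=$1; dir=$2; days=${3:-365}; bits=${4:-2048}
    key="$dir/$host.key"; crt="$dir/$host.crt"; conf="$dir/$host.openssl.cnf"
    mkdir -p "$dir" || return 1
    cat > "$conf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[ dn ]
CN = $host

[ v3_server ]
subjectAltName   = DNS:$host
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # One command replaces the req / rsa / x509 sequence: -x509 self-signs, -nodes
    # leaves the key unencrypted so Apache starts unattended, and umask 077 keeps
    # the key from ever being world-readable (the page's copied key was 0644).
    ( umask 077 && openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 \
          -keyout "$key" -out "$crt" -days "$days" -config "$conf" ) >/dev/null 2>&1 \
        || { rm -f "$conf"; return 1; }
    rm -f "$conf"
    chmod 600 "$key"
}

# Print the RSA modulus size of a key file, e.g. 2048 (the page's run got 1024).
rsa_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# Succeed only if the certificate's public key belongs to the private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only if the certificate carries a DNS subjectAltName for the given name.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$2(,|\$)"
}

# Succeed only if the key file is readable by its owner alone (mode 0600).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Apache directives for the "tell Apache about the certificate" step.
apache_vhost_snippet() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile    $2
    SSLCertificateKeyFile $3
</VirtualHost>
EOF
}

# Usage: sh make-cert.sh www.example.test /tmp/certs
# Installing on a Debian-style host would then be, as root:
#   install -m 644 /tmp/certs/www.example.test.crt /etc/ssl/certs/
#   install -m 640 -g ssl-cert /tmp/certs/www.example.test.key /etc/ssl/private/
main() {
    host=$1; dir=${2:-.}
    make_selfsigned_cert "$host" "$dir" || { echo "certificate generation failed" >&2; exit 1; }
    cert_matches_key "$dir/$host.crt" "$dir/$host.key" || { echo "key/cert mismatch" >&2; exit 1; }
    cert_has_san "$dir/$host.crt" "$host" || { echo "no SAN for $host" >&2; exit 1; }
    key_is_private "$dir/$host.key" || { echo "key is not mode 0600" >&2; exit 1; }
    echo "RSA bits: $(rsa_key_bits "$dir/$host.key")"
    openssl x509 -in "$dir/$host.crt" -noout -subject -dates
    apache_vhost_snippet "$host" "/etc/ssl/certs/$host.crt" "/etc/ssl/private/$host.key"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The config-file route is used instead of the newer -addext flag so the script also works on the older OpenSSL releases seen in the transcripts above. Because the key is written without a pass phrase, the 0600 mode (or 0640 with group ssl-cert after installing) is the only thing protecting it, which is why key_is_private is part of the checks rather than an afterthought.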
Certificate Authorities and CertBot
Ted's notes here on the certbot software. As of late September 2017 Ted wants to find a way to install certbot manually, outside of a Linux package manager. Certbot itself appears to be a Python program, so perhaps no compilation is required on systems where the Python interpreter and its supporting libraries are already installed . . .
Some initial URLs related to day-to-day, end-user use of certbot:
Invoking certbot to obtain a certificate for one sub-domain:
- 2017-09-25 MON -
Ted is researching how to install the certbot software from source, and is as yet unsure whether this utility and its dependencies need to be compiled, or whether they are written in a scripting language. While reading about maintaining SSL certificates he came across mention of chain certificate files:
REFERENCES
- https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04 . . . Certbot and Let's Encrypt tutorial by codingmama