Difference between revisions of "Server:SSL"
From RadonWiki
m (Mcarter moved page SSL-certificate to Server:SSL without leaving a redirect) |
|||
| (3 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
Two wild certificates: | Two wild certificates: | ||
| − | <code>*.ticktock.nz</code> (valid until | + | <code>*.ticktock.nz</code> (valid until 2nd May 2018) |
| − | <code>*.radon.nz</code> (valid until | + | <code>*.radon.nz</code> (valid until 1st June 2018) |
| Line 19: | Line 19: | ||
/etc/ssl/certs/RapidSSL.pem | /etc/ssl/certs/RapidSSL.pem | ||
</PRE> | </PRE> | ||
| − | |||
| − | |||
== Renewal Process == | == Renewal Process == | ||
| − | |||
| − | |||
<source lang="sh"> | <source lang="sh"> | ||
openssl genrsa -des3 -out radon.nz.key.withpass 2048 | openssl genrsa -des3 -out radon.nz.key.withpass 2048 | ||
| + | openssl genrsa -des3 -out ticktock.nz.key.withpass 2048 | ||
# need to enter a passphrase | # need to enter a passphrase | ||
# but then do the following to remove it | # but then do the following to remove it | ||
openssl rsa -in radon.nz.key.withpass -out radon.nz.key | openssl rsa -in radon.nz.key.withpass -out radon.nz.key | ||
| + | openssl rsa -in ticktock.nz.key.withpass -out ticktock.nz.key | ||
openssl req -new -key radon.nz.key -out radon.nz.csr | openssl req -new -key radon.nz.key -out radon.nz.csr | ||
| + | openssl req -new -key ticktock.nz.key -out ticktock.nz.csr | ||
# Country Name (2 letter code) [AU]:NZ | # Country Name (2 letter code) [AU]:NZ | ||
# State or Province Name (full name) [Some-State]:Otago | # State or Province Name (full name) [Some-State]:Otago | ||
| Line 44: | Line 43: | ||
# to be sent with your certificate request | # to be sent with your certificate request | ||
# A challenge password []: | # A challenge password []: | ||
| − | # An optional company name []: | + | # An optional company name []: Ticktock (for ticktock.nz one) |
| Line 52: | Line 51: | ||
# move radon.nz.key to /etc/ssl/private/ | # move radon.nz.key to /etc/ssl/private/ | ||
| + | # move ticktock.nz.key to /etc/ssl/private/ | ||
# move radon.nz.pem to /etc/ssl/certs/ | # move radon.nz.pem to /etc/ssl/certs/ | ||
| + | # move ticktock.nz.pem to /etc/ssl/certs/ | ||
# move RapidSSL.pem to /etc/ssl/certs/ | # move RapidSSL.pem to /etc/ssl/certs/ | ||
| − | |||
# run "apache2ctl configtest" to check before restarting apache | # run "apache2ctl configtest" to check before restarting apache | ||
| + | |||
| + | # Apache virtual host configuration set to the certificate files | ||
SSLEngine on | SSLEngine on | ||
| Line 62: | Line 64: | ||
SSLCertificateFile /etc/ssl/certs/radon.nz.pem | SSLCertificateFile /etc/ssl/certs/radon.nz.pem | ||
SSLCertificateKeyFile /etc/ssl/private/radon.nz.key | SSLCertificateKeyFile /etc/ssl/private/radon.nz.key | ||
| + | SSLCertificateChainFile /etc/ssl/certs/RapidSSL.pem | ||
| + | |||
| + | SSLEngine on | ||
| + | |||
| + | SSLCertificateFile /etc/ssl/certs/ticktock.nz.pem | ||
| + | SSLCertificateKeyFile /etc/ssl/private/ticktock.nz.key | ||
SSLCertificateChainFile /etc/ssl/certs/RapidSSL.pem | SSLCertificateChainFile /etc/ssl/certs/RapidSSL.pem | ||
| Line 67: | Line 75: | ||
== Restart Services == | == Restart Services == | ||
| − | |||
Check configuration then restart services including sldap | Check configuration then restart services including sldap | ||
| − | < | + | <source lang="sh"> |
apache2ctl configtest | apache2ctl configtest | ||
service slapd force-reload | service slapd force-reload | ||
service apache2 restart | service apache2 restart | ||
| − | </ | + | </source> |
| + | |||
| + | [[Category:Server]] | ||
Latest revision as of 11:47, 2 April 2017
SSL certificates are ordered from trustico https://www.trustico.co.nz/renewals/how-to-renew-ssl-certificate.php
Two wild certificates:
*.ticktock.nz (valid until 2nd May 2018)
*.radon.nz (valid until 1st June 2018)
Keys are located here
/etc/ssl/private/ticktock.nz.key /etc/ssl/private/radon.nz.key
Certificates located here, include the SSLCertificateChainFile
/etc/ssl/certs/ticktock.nz.pem /etc/ssl/certs/radon.nz.pem /etc/ssl/certs/RapidSSL.pem
Renewal Process
openssl genrsa -des3 -out radon.nz.key.withpass 2048
openssl genrsa -des3 -out ticktock.nz.key.withpass 2048
# need to enter a passphrase
# but then do the following to remove it
openssl rsa -in radon.nz.key.withpass -out radon.nz.key
openssl rsa -in ticktock.nz.key.withpass -out ticktock.nz.key
openssl req -new -key radon.nz.key -out radon.nz.csr
openssl req -new -key ticktock.nz.key -out ticktock.nz.csr
# Country Name (2 letter code) [AU]:NZ
# State or Province Name (full name) [Some-State]:Otago
# Locality Name (eg, city) []:Arrowtown
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Radon Computing Limited
# Organizational Unit Name (eg, section) []:
# Common Name (e.g. server FQDN or YOUR name) []:*.radon.nz
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []: Ticktock (for ticktock.nz one)
# use radon.nz.csr to renew certificate with trustico
# a resulting "pem" will be provided. save this as radon.nz.pem
# also the certificate chain will be provided. save this as RapidSSL.pem
# move radon.nz.key to /etc/ssl/private/
# move ticktock.nz.key to /etc/ssl/private/
# move radon.nz.pem to /etc/ssl/certs/
# move ticktock.nz.pem to /etc/ssl/certs/
# move RapidSSL.pem to /etc/ssl/certs/
# run "apache2ctl configtest" to check before restarting apache
# Apache virtual host configuration set to the certificate files
SSLEngine on
SSLCertificateFile /etc/ssl/certs/radon.nz.pem
SSLCertificateKeyFile /etc/ssl/private/radon.nz.key
SSLCertificateChainFile /etc/ssl/certs/RapidSSL.pem
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ticktock.nz.pem
SSLCertificateKeyFile /etc/ssl/private/ticktock.nz.key
SSLCertificateChainFile /etc/ssl/certs/RapidSSL.pem
Restart Services
Check configuration then restart services including sldap
apache2ctl configtest
service slapd force-reload
service apache2 restart
