Requirements:-
We need a dedicated IP for the particular domain.
How to make the dedicated IP for a domain:
Go to WHM
Main >> IP Functions >> Change Site's IP Address. Use the free IP.
How to find out the free IP: Main >> IP Functions >> Show IP Address Usage
-----------------
First we need to create a CSR (certificate signing request) and give it to the certificate provider (Geotrust, Verisign, etc.). You can create the CSR from your WHM [Main >> SSL/TLS >> Generate a SSL Certificate and Signing Request]. We will get ourdomainname.crt back from the signing authority.
In command line:-
* Do not provide any password for authentication. If we provide a password while generating the CSR, we will have to enter it every time the web server is restarted. This is a bad choice.
cd /home/tuxunited/cert
1. Generating a key
# openssl genrsa -out www.tuxunited.com.key 2048
Generating RSA private key, 2048 bit long modulus
....................................................................................+++
....................................................+++
e is 65537 (0x10001)
2. Generating csr
# openssl req -new -key www.tuxunited.com.key -out www.tuxunited.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Kerala
Locality Name (eg, city) []:El TVPM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TUXUNITED PVT LTD:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.tuxunited.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Send this .csr file to the certificate signing authority to get the .crt and .ca-bundle.
The CA bundle and .key will be generated automatically on our server once we make the CSR.
Once we have received these we can install SSL for our domain [Main >> SSL/TLS >> Install a SSL Certificate and Setup the Domain]: paste the .csr and CA certificates (the .key will appear automatically once you paste the .crt). FINALLY CLICK SUBMIT
For Command Prompt
Copy the ourdomainname.crt file to the /usr/share/ssl/certs/ OR /etc/ssl/certs/ directory
public key = ourdomainname.crt
private key = .key [/usr/share/ssl/private/ or /etc/ssl/private/]
The private key file should be readable only by root. [i.e., drwx------ 2 root root 4096 Jul 9 23:36 private/]
Next we need to install the intermediate certificate [it is optional]
You need to install the Intermediate CA certificates for browsers to trust your certificate. The Intermediate CA certificates are in the form of SERVERNAME.ca-bundle.
In the Virtual Host section of your configuration file, you need to do the following.
Copy the SERVERNAME.ca-bundle file to
the certificate files directory [/usr/share/ssl/certs OR /etc/ssl/certs/]
Add the following line to the SSL section of httpd.conf
SSLCACertificateFile /etc/httpd/conf/SERVERNAME.ca-bundle --> if all are in the same location
If in different locations
*SSLCertificateFile /usr/share/ssl/certs/ourdomainname.com.crt
*SSLCertificateKeyFile /usr/share/ssl/private/ourdomainname.com.key
*SSLCACertificateFile /usr/share/ssl/certs/ourdomainname.com.cabundle
FINALLY RESTART APACHE
To check the SSL Certificate
http://www.digicert.com/help/
commands
openssl s_client -connect domainname:443
ERRORS
1. You'll also get an error if you try to access a URL securely that doesn't match the hostname.
If for example you generate a cert for https://yourdomain.com
It'll throw up an error if you go to: https://www.yourdomain.com
Because the 2nd domain has a www. in it, but the cert was generated for the hostname without the www.
2. Browser showed "This Connection is Untrusted"
Any idea? Please (use the correct .crt and host name)
Ans:- Try uninstalling and reinstalling your SSL certificate once again; this may fix it for you!
12-07-2010
3. Don't have a blue / green tab on the URL bar.
Ans:- You need to make sure all the links on your page use https:// and not http://.
Without this you will not get a fully secured connection.
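The checks this walkthrough depends on (the .crt and .csr must belong to the .key, the key file must not be accessible to other users, and the certificate must name the host being visited, as in error 1), as an added example that is not part of the original post. The file names, the throwaway self-signed certificate and the example.test host name are constructed for the demonstration; on a real server, point the functions at your own .key, .csr and .crt.

```shell
#!/bin/sh
# Added example (not from the original post). File names and example.test are constructed.

# Print the PEM public key held in a private key, CSR or certificate.
pubkey_of() {   # pubkey_of key|csr|crt FILE
    if   [ "$1" = key ]; then openssl pkey -in "$2" -pubout
    elif [ "$1" = csr ]; then openssl req  -in "$2" -noout -pubkey
    elif [ "$1" = crt ]; then openssl x509 -in "$2" -noout -pubkey
    else return 2
    fi 2>/dev/null
}

# Succeed only if both files carry the same public key (an unreadable file never matches).
same_key() {    # same_key TYPE1 FILE1 TYPE2 FILE2
    a=$(pubkey_of "$1" "$2") && b=$(pubkey_of "$3" "$4") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if group and other have no permission bits on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if the certificate is valid for the given host name.
cert_covers() { # cert_covers CRT HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Build throwaway files: a key, its CSR, a 1-day self-signed cert, and an unrelated key.
make_demo_files() (
    umask 077; cd "$1" || exit 1
    openssl genrsa -out demo.key 2048 2>/dev/null
    openssl genrsa -out other.key 2048 2>/dev/null
    openssl req -new -key demo.key -subj "/C=IN/CN=example.test" -out demo.csr
    openssl x509 -req -in demo.csr -signkey demo.key -days 1 -out demo.crt 2>/dev/null
)

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

DEMO_DIR=$(mktemp -d)
make_demo_files "$DEMO_DIR"
report same_key key "$DEMO_DIR/demo.key"  csr "$DEMO_DIR/demo.csr"
report same_key key "$DEMO_DIR/demo.key"  crt "$DEMO_DIR/demo.crt"
report same_key key "$DEMO_DIR/other.key" crt "$DEMO_DIR/demo.crt"   # wrong key: FAIL
report key_is_private "$DEMO_DIR/demo.key"
report cert_covers "$DEMO_DIR/demo.crt" example.test
report cert_covers "$DEMO_DIR/demo.crt" www.example.test             # no www in cert: FAIL
```

A FAIL from same_key on your real files means the certificate was issued for a different key than the one on the server, and Apache will refuse to start with that pair.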