Howto install GeoTrust RapidSSL certificate on Debian Lenny / Squeeze / Wheezy Linux

Thursday, 25th March 2010

I faced the task of generating an officially validated SSL certificate in my daily duties as a System Administrator at cadiaholding.com. Though generating a self-signed SSL certificate is a comparatively easy task, it was a pain in the ass getting Apache version 2.2.9-10+lenny6 to correctly serve pages through the https:// protocol with openssl version 0.9.8g-15+lenny6. I’ll try to go through the whole process of generating the certificate in order to help other Debian users out there face fewer setbacks in such a simple task as installing a Trusted SSL Certificate issued (bought) from RapidSSL. Even though this article mostly deals with an SSL certificate issued by RapidSSL, it should be no problem to apply this methodology to Verisign or some of the other GeoTrust-issued Secure Socket Layer certificates.

In generating the validated certificate I used Enom, which is a wholesaler of domain names, SSL certificates, email and hosting.
From Enom’s website, after logging in and using the web interface, there are two major things required to fill in in order to issue your Trusted SSL certificate.

1. Fill in a CSR file in a form; this is usually generated on the Linux server using openssl.
To issue the CSR file required by Enom use the following commands:

a. First we generate a DES3-encrypted RSA key, which we will use next to generate the openssl CSR file required by Enom.
debian:~# /usr/bin/openssl genrsa -des3 -out www.domain.com.key 2048
Enter pass phrase for www.domain.com.key:

You’ll be required to fill in a pass-phrase that will later be required before the Apache server starts or restarts, so make sure you fill in something you either remember or keep stored in a file.
You also have to change www.domain.com.key in accordance with your domain name.
Now that we have a properly generated DES3 RSA key, it’s necessary to generate the CSR file with the openssl command line frontend.
So here is how:

debian:~# /usr/bin/openssl req -new -key /home/hipo/www.domain.com.key -out /home/hipo/www.domain.com.csr

Again, in the above example change all the paths and file names as you wish.
It’s necessary that the end user fill in a number of questions related to the Certificate Signing Request.
Here I’ll list what kind of prompts will emerge after executing the above command:

Enter pass phrase for /home/hipo/www.domain.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note that you’ll have to fill in the pass phrase previously entered during the generation of the www.domain.com.key file.
In case you’d like to read more thoroughly on the subject of how to create a Certificate Signing Request (CSR), as we have called it multiple times, you can read About Certificate Signing Request (CSR) Generation Instructions – Apache SSL more in depth here.
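As an added example (not code from the original post), here is a shell script that performs steps a and b non-interactively and then verifies the CSR before it is pasted into the registrar’s form. The function names, the placeholder organisation fields in the -subj string and the way the passphrase is passed (an openssl password source such as file:/root/key.pass, so it never sits on the command line) are my assumptions; the checks are the ones worth doing before submitting: the CSR’s own signature verifies, it carries the public key of the key just generated, and its Common Name is exactly the hostname.

```sh
#!/bin/sh
# Added example, not from the post: generate the DES3-protected RSA key and the
# CSR non-interactively, then verify the CSR before handing it to the registrar.
# PASS is an openssl password source, e.g. file:/root/key.pass or pass:secret.
set -eu

# gen_key <keyfile> <PASS>: the same "openssl genrsa -des3 ... 2048" as in the post
gen_key() {
  openssl genrsa -des3 -passout "$2" -out "$1" 2048 2>/dev/null
}

# gen_csr <keyfile> <PASS> <csrfile> <hostname>: "openssl req -new" with the
# Distinguished Name given on the command line instead of through the prompts.
# The C/ST/L/O/OU values are constructed placeholders; CN must be the hostname.
gen_csr() {
  openssl req -new -key "$1" -passin "$2" \
    -subj "/C=BG/ST=Sofia/L=Sofia/O=Example Ltd/OU=IT/CN=$4" -out "$3" 2>/dev/null
}

# csr_cn <csrfile>: print the Common Name from the CSR subject
csr_cn() {
  openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_matches_key <csrfile> <keyfile> <PASS>: exit 0 iff the CSR carries the
# public half of this key (same RSA modulus)
csr_matches_key() {
  m_csr=$(openssl req -noout -modulus -in "$1")
  m_key=$(openssl rsa -noout -modulus -in "$2" -passin "$3" 2>/dev/null)
  [ -n "$m_csr" ] && [ "$m_csr" = "$m_key" ]
}

# check_csr <csrfile> <keyfile> <PASS> <hostname>: the three checks worth doing
# before submitting: self-signature valid, key matches, CN is exactly the hostname
check_csr() {
  openssl req -noout -verify -in "$1" >/dev/null 2>&1 || { echo "bad CSR signature: $1" >&2; return 1; }
  csr_matches_key "$1" "$2" "$3" || { echo "CSR $1 does not belong to key $2" >&2; return 1; }
  cn=$(csr_cn "$1")
  [ "$cn" = "$4" ] || { echo "CN is '$cn', expected '$4'" >&2; return 1; }
}

# Usage: sh mkcsr.sh www.domain.com file:/root/www.domain.com.pass
if [ $# -eq 2 ]; then
  gen_key "$1.key" "$2"
  gen_csr "$1.key" "$2" "$1.csr" "$1"
  check_csr "$1.csr" "$1.key" "$2" "$1" && echo "$1.csr is ready to paste into the registrar's CSR form"
fi
```

The modulus comparison is the same trick you can use later on the issued certificate: a certificate whose modulus differs from your key’s was issued for some other CSR, and Apache will refuse the pair.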

2. Hopefully, following the above instructions, you’ll now have a file named www.domain.com.csr. Just open www.domain.com.csr and copy-paste its content into the ENOM website CSR * webform.

3. Further on, select your Webserver type on Enom’s website: in our case we have to select Apache + ApacheSSL.

4. What follows next is filling in your company contact information. This is also required for proper certificate generation; think twice before you fill in this data, and take note that it can’t be changed later on without issuing a brand new SSL certificate.

Apart from the 3 major requirements above to fill in at Enom there are a few more radio buttons for making some selections according to your personal preferences; however, I won’t take time to dig into that and I’ll leave this to you.
After all the above is fulfilled you’ll have to submit your certificate details and choose an email address at which you will receive, in a minute, a RapidSSL Certificate Request Confirmation.

Following a link from the email will show you some basic information about the certificate about to be generated. That’s your final chance to cancel the issued Trusted Certificate.
If you’re absolutely sure the information about to enter the certificate is correct, then you’ll have to follow a link and approve the certificate.

You’ll be informed that you’ll receive your certificate either through the certifier’s website (e.g. Enom’s website) or via another email.
I thought it more probable that I’d receive it via email, but anyway I was wrong. More than 4 hours have passed since the certificate was issued and became available via Enom’s interface, but I haven’t received anything in my mail.
Therefore my friendly advice is to check for your brand new shiny Trusted Certificate on Enom’s website. I had mine ready about 10 minutes after the CSR was issued.

Assuming that you’ve successfully obtained the SSL Trusted certificate from RapidSSL, what follows is setting up the certificate.
Initially I tried using documentation from the RapidSSL website called Installing your SSL Certificate / Web Server Certificate / Secure Server Certificate from RapidSSL.com.
I tried to configure one of my VirtualHosts as shown in their example, inserting in my /etc/apache/sites-available/www.domain.com file a few directives within the VirtualHost, something like the ones shown below:

SSLEngine on
# www.domain.com.crt contains the Trusted SSL certificate generated and obtained by you from RapidSSL
SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
# www.domain.com.key contains the file used to generate the CSR file as described earlier in this post
SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key

Instead of using the SSLCertificateFile and SSLCertificateKeyFile directives in the Apache config it is also possible to use:

 

Another alternative is to use

SSLCertificateFile /etc/ssl/certs/your-domain-name.crt
SSLCertificateKeyFile /etc/ssl/certs/your-domain-name.key
SSLCACertificateFile /etc/ssl/certs/gd_bundle.crt

The key file is the one generated earlier on the server and handed to the SSL registrar; the files your-domain-name.crt and gd_bundle.crt are provided by RapidSSL or by whatever SSL registrar the certificate was purchased from.

After trying the above configuration and restarting apache with:

/etc/init.d/apache2 restart

Apache failed to start. The error I had in my Apache error.log might be helpful to somebody out there; it read the following:

[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

After some 30 minutes or an hour of Googling the error, I came to the conclusion that the error is caused because Apache is supposed to work with .PEM files instead of the classical .CRT and .KEY files as normally approached in most of the other Unix operating systems.

It took me a bit more reading on the internet to find out that the .pem files so widely adopted in Debian simply contain both the www.domain.com.key file and the www.domain.com.crt certificate pasted one after another; I also observed this in the default Apache self-signed certificate that I believe comes with Debian, /etc/apache2/ssl/apache.pem.
So I copied the content of both my www.domain.com.key and www.domain.com.crt and stored it in one file:
/etc/apache2/ssl/www.domain.com.pem

Also the following configuration:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/www.domain.com.pem

had to go in your
/etc/apache2/sites-enabled/www.domain.com

The last thing left is to restart your Apache:

/etc/init.d/apache2 restart

Apache will prompt you for the certificate password you entered during the www.domain.com.key generation. Type your password and with a bit of luck, and hopefully with God’s help, you’ll have a Trusted Certificate on your webserver.

The last step is to check that the certificate is okay by accessing your domain, https://www.domain.com.
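As an added example (not code from the original post), here is a shell script for the .pem assembly and restart procedure just described. mod_ssl prints the warning quoted above, “RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)”, when the file handed to SSLCertificateFile carries BasicConstraints CA:TRUE, so before concatenating, the script refuses a CA or bundle certificate and refuses a certificate whose RSA modulus differs from the key’s; it then writes the key and the certificate into one 0600 file in the order the post uses. The function names, file names and the passphrase source (an openssl password source such as file:/root/key.pass) are my assumptions, and the make_sample_certs helper produces constructed self-signed test material, not real RapidSSL output.

```sh
#!/bin/sh
# Added example, not from the post: build the combined .pem that Apache is given
# via SSLCertificateFile, after checking that the .crt really is the server
# certificate (not a CA:TRUE certificate) and that it was issued for our key.
# PASS is an openssl password source, e.g. file:/root/key.pass or pass:secret.
set -eu

# is_ca_cert <crt>: exit 0 if the certificate carries BasicConstraints CA:TRUE
is_ca_cert() {
  openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# cert_matches_key <crt> <key> <PASS>: exit 0 iff both carry the same RSA modulus
cert_matches_key() {
  m_crt=$(openssl x509 -noout -modulus -in "$1")
  m_key=$(openssl rsa -noout -modulus -in "$2" -passin "$3" 2>/dev/null)
  [ -n "$m_crt" ] && [ "$m_crt" = "$m_key" ]
}

# build_pem <key> <crt> <out.pem> <PASS>: write key then certificate into one
# file, mode 0600 because the private key is inside it
build_pem() {
  if is_ca_cert "$2"; then
    echo "refusing: $2 has CA:TRUE, it is a CA/bundle certificate, not the server certificate" >&2
    return 1
  fi
  if ! cert_matches_key "$2" "$1" "$4"; then
    echo "refusing: $2 was not issued for the key in $1" >&2
    return 1
  fi
  ( umask 077; cat "$1" "$2" > "$3" )
}

# pem_is_complete <pem>: exit 0 iff the file holds one private key and one certificate
pem_is_complete() {
  [ "$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1")" -eq 1 ] &&
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ]
}

# make_sample_certs <dir> <PASS>: constructed test material, not real RapidSSL
# output: a DES3 key, a self-signed server cert (CA:FALSE) and a CA cert (CA:TRUE)
make_sample_certs() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = www.domain.com
[srv]
basicConstraints = CA:FALSE
[ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl genrsa -des3 -passout "$2" -out "$1/www.domain.com.key" 2048 2>/dev/null
  for sec in srv ca; do
    openssl req -x509 -new -key "$1/www.domain.com.key" -passin "$2" \
      -config "$1/req.cnf" -extensions "$sec" -days 1 -out "$1/$sec.crt" 2>/dev/null
  done
}

# Usage: sh mkpem.sh www.domain.com.key www.domain.com.crt www.domain.com.pem file:/root/key.pass
if [ $# -eq 4 ]; then
  build_pem "$1" "$2" "$3" "$4" && pem_is_complete "$3" && echo "$3 written"
fi
```

Once the .pem is in place and Apache has been restarted, the check from a shell rather than a browser is `openssl s_client -connect www.domain.com:443`, whose output shows the certificate chain the server actually sent and the verification result.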

Well, this is the end of the article; I hope you enjoyed it. If you did, please leave your comments; any corrections are also welcome 🙂


30 Responses to “Howto install GeoTrust RapidSSL certificate on Debian Lenny / Squeeze / Wheezy Linux”

  1. Jenny Lavigna says:
    Wow… good information.

    • admin says:
      Two other handy commands which are helpful in case of new SSL issuing are:
      # openssl x509 -text -in servernamecert.pem # Review information about the issued certificate (This can be checked also in the browser after the certificate is accepted)
      # openssl req -noout -text -in server.csr # Check information about the new certificate issuing request

  2. hip0 says:
    You might change the Apache + ApacheSSL. If you’re using Apache 2 you’ll need to use Apache2 instead as the Webserver type on Enom’s website. If you’re using Webserver type Apache + OpenSSL just choose that one. BTW I’m experiencing some problems with the rapidssl certificate getting “stuck”. I’m currently discussing this issue with the support at enom. I’ll post further what caused the “Process” status being stuck, and the certificate for a certain domain being cancelled with the “Rejected by Customer” error message.

  3. Vera Cornwell says:
    What a fantastic blog. I spend days on the internet reading blogs, about tons of different subjects. I have to first of all give kudos to whoever created your theme and second of all to you for writing what i can only describe as an amazing post. I honestly believe there is a skill to writing articles that only a few posses and frankly you have it. The combination of informative and quality content is definitely extremely rare with the large amount of blogs on the internet.

  4. Russ Picariello says:
    Hi buddy, your blog’s design and style is straightforward and thoroughly clean and i love it. Your website posts are great. Please keep them coming. Greets!!?!!

  5. Marianela Baab says:
    Great post. Thanks!

  6. Sherman Vangelder says:
    Just what we wanted to read, many thanks for posting it.

  7. Leanora Katsbulas says:
    been reading ur site around a few days. really love what you posted. by the way i’m conducting a study relating to this area. do you happen to know other great sites or online forums that I can get more? thanks in advance.

  8. Isno says:
    Hello!I am checking your blog for some weeks now. I have to say that it is very easy to read . It is already added in my favourite list and i will make sure that i will follow it frequently. Thanks for the inputs . Furthermore, i really like your theme and the way you have organised the contents of your site . Can i ask the name of your template ? Thanks

    • admin says:
      Hi, the template I used is a modified version of the default template of WordPress.

      Regards,
      Georgi

  9. Tisha Bisio says:
    Very Nice website. I just finished mine and i was looking for some ideas and your website gave me some. May i ask you whether you developed the website by youself?

    Thank you

  10. Gebze says:
    Hello admin do you have other archives ? I liked article developing pro my friend … ..

  11. Landwirtschafts 2011 says:
    Good blog, I will recommend it to my friends

  12. Ted Chemin says:
    I very significantly enjoy your web site the following, thank you so significantly you’ve helped me out significantly Smile spread the really like.

  13. Valorie Humprey says:
    I am going to share this with all of my friends! and thus, Continue the great work.. and even, Thanks a lot on your insightful articles this unique infos extremely usefull; but also, Everyone ought to take the time to put up articles nearly as good as this one and not saturate the web with nothing.!

  14. Coupon For Hostgator says:
    I think this is among the most significant info for me. And i am glad reading your article. But wanna remark on some general things, The website style is great, the articles is really great : D. Good job, cheers

  15. Branislav Viest says:
    Perfect!! You save me!

  16. Caitlyn Haggis says:
    I wanted to develop a word to thank you for these splendid steps you are giving out on this website. My long internet investigation has now been honored with wonderful facts to exchange with my company. I ‘d point out that most of us site visitors actually are definitely endowed to be in a decent network with so many lovely professionals with very beneficial ideas. I feel quite happy to have encountered the web site and look forward to many more fabulous times reading here. Thanks a lot once again for all the details.

  17. admin says:
    One small note here that might be helpful.
    In the Common Name prompt during CSR generation it’s necessary to enter the exact hostname (domain name) of the website for which the certificate is being generated.

  18. apple ipad future says:
    Its very hard for me to read through this writing mainly because there are random images on the web page.

  19. Florinda Grassia says:
    I used to be more than happy to search out this internet-site.I wished to thanks in your time for this glorious learn!! I undoubtedly enjoying each little little bit of it and I’ve you bookmarked to take a look at new stuff you blog post.

  20. Leora Jurkiewicz says:
    Cool Website buddy. Thank you for offering us your work. I will put this on my Facebook page for my friends to come and read it as well.

  21. Gry says:
    Heaaaahhhh it is!

  22. admin says:
    SSLCertificateFile /etc/apache2/ssl/mygamesfbcom.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mygamesfbcom.key
    SSLCACertificateFile /etc/apache2/ssl/mygamesfbcom.csr

  23. google says:
    With Google and Windows Mobile dial, you can bundle services and applications into one small, powerful device. Google API development skills include the integration of Google Maps with existing web systems. The new Google Penguin algorithm update has emphasized the importance of a web content writer in generating good website content and in article marketing promotional campaigns.
