How to install a GeoTrust RapidSSL certificate on Debian Lenny 5.0
In my daily duties as a system administrator at cadiaholding.com I faced the task of generating an officially validated SSL certificate. Generating a self-signed SSL certificate is a comparatively easy task, but it was a pain to get Apache 2.2.9-10+lenny6 to correctly serve pages over https:// with OpenSSL 0.9.8g-15+lenny6. I'll go through the whole process of generating the certificate, to help other Debian users face fewer setbacks in such a simple task as installing a trusted SSL certificate issued (bought) from RapidSSL. Even though this article mostly deals with a certificate issued by RapidSSL, it should be no problem to apply the same method to certificates from Verisign or the other GeoTrust brands.
To obtain the validated certificate I used Enom, which is a wholesaler of domain names, SSL certificates, email and hosting. After logging in to Enom's website, a few things have to be filled in through the web interface in order to have your trusted SSL certificate issued.
1. Paste a CSR (Certificate Signing Request) into the form. The CSR is generated on the Linux server with openssl. To produce the CSR required by Enom use the following commands:
a. First generate an RSA private key, encrypted with DES3, which is then used to generate the CSR required by Enom.
debian:~# /usr/bin/openssl genrsa -des3 -out www.domain.com.key 2048
Enter pass phrase for www.domain.com.key:
You'll be asked for a pass phrase, which will later have to be typed every time Apache starts or restarts, so make sure it is something you either remember or keep in a safe place. (If the server must come up unattended, the pass phrase can be removed from the key afterwards; the key file must then be readable by root only, since anyone who can read it can impersonate your site.) Change www.domain.com.key to match your domain name.
Now that we have a properly generated DES3-encrypted RSA key, the next step is to generate the CSR with the openssl command line tool:
debian:~# /usr/bin/openssl req -new -key /home/hipo/www.domain.com.key -out /home/hipo/www.domain.com.csr
Again, in the above example change the paths and file names as you wish.
You will have to answer a number of questions about the Certificate Signing Request. Here are the prompts that appear after executing the above command:
Enter pass phrase for /home/hipo/www.domain.com.key:
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note that you'll first have to enter the pass phrase chosen when generating www.domain.com.key. Despite the prompt's hint, the Common Name must be the exact host name the certificate is for (www.domain.com), not your own name; a certificate with the wrong Common Name is rejected by browsers. The challenge password and the optional company name can be left blank.
In case you'd like to read more thoroughly on how to create a Certificate Signing Request (CSR), see the article titled "About Certificate Signing Request (CSR) Generation Instructions - Apache SSL".
2. If you followed the above instructions you now have a file named www.domain.com.csr. Open it and copy-paste its content (including the BEGIN and END lines) into the "CSR *" field of Enom's web form.
3. Next select your web server type on Enom's website; in our case Apache + ApacheSSL.
4. What follows is filling in your company contact information. This is also required for proper certificate generation, so think twice before entering it: it can't be changed later without issuing a brand new SSL certificate.
Apart from the above requirements there are a few more radio buttons on Enom's form for selections according to your personal preferences; I won't go into them and leave that to you.
After all the above is filled in, submit the certificate details and choose an email address at which you'll receive, within a minute, a RapidSSL Certificate Request Confirmation.
Following the link in the email shows some basic information about the certificate about to be generated. That's your final chance to cancel the trusted certificate being issued. If you're absolutely sure the information that will go into the certificate is correct, follow the link and approve the certificate.
You'll be informed that you'll receive your certificate either through the certifier's website (e.g. Enom's) or via another email. I thought it more probable that I'd receive it via email, but I was wrong: more than 4 hours have passed since the certificate was issued and became available in Enom's interface, and I still haven't received anything by mail. My friendly advice is therefore to check for your brand new shiny trusted certificate on Enom's website. Mine was ready about 10 minutes after the CSR was submitted.
Assuming you've successfully obtained the trusted certificate from RapidSSL, what follows is setting it up in Apache.
Initially I tried the documentation on RapidSSL's website titled "Installing your SSL Certificate / Web Server Certificate / Secure Server Certificate from RapidSSL.com".
I tried to configure one of my virtual hosts as shown in their example, inserting a few directives like the ones below into the VirtualHost in /etc/apache2/sites-available/www.domain.com:

SSLEngine on
# www.domain.com.crt contains the trusted SSL certificate obtained from RapidSSL
SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
# www.domain.com.key is the private key used to generate the CSR, as described earlier
SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key
After applying the above configuration and restarting Apache with:
/etc/init.d/apache2 restart
Apache failed to start. In case it helps somebody out there, this is what my Apache error.log read:
[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
After some 30 minutes or an hour of Googling the error I concluded that Apache wants .pem files instead of the classical .crt and .key files used on most other Unix systems. That conclusion isn't quite right, and it's worth knowing why: mod_ssl reads PEM-encoded data regardless of the file extension, and separate .crt and .key files work fine. The warning is literal: the certificate handed to SSLCertificateFile carries the X.509 BasicConstraints extension with CA:TRUE, so it is a CA certificate (for example an issuer or intermediate certificate) and not the end-entity certificate issued for www.domain.com. Before pointing Apache at a certificate file, inspect its Subject and Basic Constraints with openssl x509 -noout -text and make sure the Subject's CN is your host name and CA is FALSE.
It took a bit more reading on the internet to find out that the .pem files so widely used on Debian simply contain the www.domain.com.key and www.domain.com.crt pasted one after the other; I also observed this in the default Apache self-signed certificate /etc/apache2/ssl/apache.pem that I believe comes with Debian. So I copied the content of both www.domain.com.key and www.domain.com.crt into one file, /etc/apache2/ssl/www.domain.com.pem. Because this file now contains the private key, it must be owned by root and readable only by root (mode 600).
Then the following configuration had to go into the VirtualHost in /etc/apache2/sites-enabled/www.domain.com (on Debian this is normally a symlink to the file in sites-available):

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/www.domain.com.pem

With the key in the same file, SSLCertificateKeyFile is not needed.
The last thing left is to restart Apache:
/etc/init.d/apache2 restart
Apache will prompt for the pass phrase you entered when generating www.domain.com.key. Type it, and with a bit of luck (and hopefully God's help) you'll have a trusted certificate on your web server.
The final step is to check that the certificate is served correctly by visiting https://www.domain.com in a browser: there should be no warning, and the certificate details should show your Common Name and RapidSSL as the issuer.
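The key and CSR steps from section 1, plus the checks that would have caught the "RSA server certificate is a CA certificate" warning before restarting Apache, as an added example that is not part of the original post. It assumes openssl on PATH and a POSIX shell; the domain, DN fields, file names and pass phrases are placeholders, and the self-signed stand-in certificate exists only so the checks can be demonstrated offline (the real certificate comes from RapidSSL).

```shell
#!/bin/sh
# Added example, not from the original post: the key/CSR steps done
# non-interactively, plus the checks that catch a CA certificate or a
# certificate for the wrong key before Apache is pointed at the .pem.
# Assumptions: openssl on PATH; domain, DN values and paths are placeholders.
set -eu

# Minimal openssl config so the result does not depend on /etc/ssl/openssl.cnf.
# The 'srv' and 'ca' sections are only used by selfsign() below.
write_req_config() {                       # $1 = path to write
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[srv]
basicConstraints = critical,CA:FALSE
[ca]
basicConstraints = critical,CA:TRUE
EOF
}

# 2048-bit RSA key encrypted under a pass phrase, like the post's 'genrsa -des3'
# (AES-256 instead of 3DES; Apache reads either). Created readable by owner only.
gen_key() {                                # $1 = key file, $2 = pass phrase
    (umask 077; openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null)
}

# CSR with the DN given on the command line instead of at the prompts. The DN
# values here are placeholders; the CN must be the exact host name served.
gen_csr() {                                # $1 key $2 pass $3 csr $4 CN $5 config
    openssl req -new -config "$5" -key "$1" -passin "pass:$2" -out "$3" \
        -subj "/C=BG/ST=Sofia/L=Sofia/O=Example Ltd/CN=$4"
    openssl req -in "$3" -noout -verify >/dev/null 2>&1   # CSR self-signature check
}

# Common Name of a CSR (works with both the old '/CN=' and new 'CN = ' layouts).
csr_cn() { openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# Public key of the private key, for comparison against a CSR or certificate.
key_pub() { openssl rsa -in "$1" -passin "pass:$2" -pubout 2>/dev/null; }
csr_matches_key()  { [ "$(openssl req  -in "$1" -noout -pubkey)" = "$(key_pub "$2" "$3")" ]; }
cert_matches_key() { [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(key_pub "$2" "$3")" ]; }

# What mod_ssl's warning means: BasicConstraints says CA:TRUE, so the file is
# a CA certificate, not the certificate issued for this host.
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Self-signed stand-in for the certificate RapidSSL would return; only used to
# demonstrate the checks offline. $4 selects the 'srv' or 'ca' config section.
selfsign() {                               # $1 key $2 pass $3 cnf $4 ext $5 CN $6 out
    openssl req -new -x509 -days 30 -config "$3" -extensions "$4" \
        -key "$1" -passin "pass:$2" -subj "/CN=$5" -out "$6"
}

# Build the single .pem (key first, then certificate) Apache is pointed at,
# refusing the two mistakes that stop Apache from starting.
assemble_pem() {                           # $1 key $2 pass $3 cert $4 out
    if cert_is_ca "$3"; then
        echo "refusing: $3 is a CA certificate, not the server certificate" >&2; return 1
    fi
    if ! cert_matches_key "$3" "$1" "$2"; then
        echo "refusing: $3 was not issued for the key in $1" >&2; return 1
    fi
    (umask 077; cat "$1" "$3" > "$4")
    # Both parts must be readable back from the combined file.
    openssl x509 -in "$4" -noout && openssl rsa -in "$4" -passin "pass:$2" -noout -check >/dev/null 2>&1
}

# Full preparation for a real domain: sh rapidssl-prep.sh www.domain.com [outdir]
# (needs KEY_PASS in the environment). Prints the CSR to paste into the form.
prepare() {                                # $1 domain $2 outdir
    : "${KEY_PASS:?export KEY_PASS=<pass phrase> first}"
    write_req_config "$2/req.cnf"
    gen_key "$2/$1.key" "$KEY_PASS"
    gen_csr "$2/$1.key" "$KEY_PASS" "$2/$1.csr" "$1" "$2/req.cnf"
    echo "CSR for CN=$(csr_cn "$2/$1.csr") written to $2/$1.csr:"; cat "$2/$1.csr"
}
if [ $# -gt 0 ]; then prepare "$1" "${2:-$(mktemp -d)}"; fi
```

Run it as sh rapidssl-prep.sh www.domain.com with KEY_PASS exported to get the key and CSR; once the certificate arrives, call assemble_pem on the key and the downloaded certificate to produce the .pem, and it will refuse a CA certificate or a certificate for some other key instead of letting Apache find out at restart. After Apache is up, the same check from the outside is openssl s_client -connect www.domain.com:443, which prints the certificate the server actually sends.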
That's the end of the article; I hope you enjoyed it. If you did, please leave your comments; any corrections are also welcome :)