Select Page

Contents

Overview

This process generates a new certificate signing request (CSR), named with the common name you enter below and a host.key.

Once you have done this you need to open the CSR file (cat fileName) and copy the contents. You will need to paste this information in the next step.

 

The CSR file will look something like the outline below.

-----BEGIN CERTIFICATE REQUEST-----
fnbx;dgkjbnfnox;fdlgbnlofgkbndfglmnb BLAH lots of unreadable test.....

-----END CERTIFICATE REQUEST-----

Once you have copied the certificate information you can proceed to step 2 which is ‘Submit the CSR’.

If the request is successful, the certificate authority will email a link to download  an identity certificate that has been digitally signed with the private key of the certificate authority. This may take a couple of days.

You can then do step 3 – ‘Installing the cert and key’.

Generating the CSR

a. For Unix

Create a host key:

openssl genrsa -out host.key 2048

Generate a CSR:

openssl req -new -nodes -key host.key -out myserver.fos.auckland.ac.nz.csr

Then enter these details replacing myserver.fos.auckland.ac.nz with the real domain name of your server or virtual host.

Country Name (2 letter code) [AU]:NZ 
State or Province Name (full name) [Some-State]:Auckland
Locality Name (eg, city) []:Auckland
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The University of Auckland
Organizational Unit Name (eg, section) []:Faculty of Science
Common Name (eg, YOUR name) []:myserver.fos.auckland.ac.nz
Email Address []:webmaster@cs.auckland.ac.nz
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

When you fill in the details, common name refers to the domain name. Remember to enter the country code NZ in capitals, or Thawte will reject the request.

b. For Windows IIS 7/7.5

The steps below can be used for both stand alone and IIS web farm servers:

1) Open IIS and choose server name e.g.

Image:200.png

2) Select Server Certificates and on the actions select ‘Create Certificate Request’ e.g.

Image:201.png

3) Fill in the required details and choose next e.g.

Image:202.png

4) It is suggested by Micrsoft to keep the defaults i.e.:

Image:203.png

5) Choose where you want the text file to be saved. The contents of the file is what needs to be sent to the Certificate Provider (information on this mentioned under Certificates Provider section below).

6) Once a certificate is received from the Certificate Provider, select server certificates (part 2 above) and click Complete Certificate Request. A window will open requesting to select the location of the file received from the Certificate Provider. You will also need to choose a friendly name for the certificate chosen above. This name will appear under server certificates and also in the SSL certificate drop-down menu under site bindings for a website. (note: For IIS Web farm, it is recommended that this step should be done on the IIS web server where the CSR was generated).

7) This step is for IIS web server situations. Click on the friendly name given above and select export. In the export to field, select a location for the file to be saved. Also enter a password. Once done, copy the file to the other IIS Web server. Select ‘Import’ under Server Certificates on the server where the file was copied and point it to the location where you copied the file. Enter the password that was used during the export above.

 

 

Submit the CSR

The process for sending the Certificate Signing Request out, to have a signed certificate returned, is done online.

  • Visit https://cert-manager.com/customer/AusCERT/ssl
  • Click the “Certificate enrollment” link
  • You will see a form asking you to enter an Access Code and E-mail. These details are in SecretServer (Secret ID 6300)
  • Click the Check access code button, the form will expand to show you more fields:

  • Certificate Type: AusCERT SSL Certificate
  • Server Type: For Apache, choose “Apache/ModSSL”. For IIS, choose “Microsoft IIS” for the correct version of IIS
  • CSR: Copy and paste the contents of the Certificate Signing Request (CSR) that you generated using the steps at the top of this document
  • Click the “Get Common Name from CSR” button to have the Common Name field automatically completed (is a good double check to make sure the Common Name is correctly read)
  • Scroll to the bottom of the Subscriber Agreement text box, then check I Agree.
  • Click the “Submit” button
  • Allow few days for delivery by email

 

Installing the Cert

After submitting the CSR, you will receive an email from the Certificate Services Manager with links to download the signed cert that has been issued.

For Unix

Transfer the cert and key to the remote server

  • In the email you received after submitting the CSR, click the “X509 Certificate only, Base64 encoded” link.
  • The cert will download to your computer
  • “Secure copy” the cert from your computer to the remote server where it should be installed. E.g. (remember the : at the end of the following line is required):
 scp /path/to/cert_you_just_downloaded.crt yvette-admin@webcluster1.sit.auckland.ac.nz:
  • Log in the remote server. Where you logged into should be the cert you scp‘d. You should be able to see it if you list the directory’s contents with ls
  • Locate the key that was generated during the process at the beginning of this document, and scp the key to the remote server if necessary

Test the new cert and key

Once the cert and key are both on the remote server, test that the cert and key match

 openssl s_server -CAfile  /etc/apache2/ssl/ssl.crt/AusCERTbundle.crt -cert /path/to/cert_you_uploaded.crt -key  /path/to/key_you_uploaded.key

If the cert and key match, you will see (the most important line is the final one – ACCEPT):

Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

Install the cert and key

Note: These instructions are for sites that are having an SSL cert renewed. If this is the first time the site will be using SSL, then you will also need to add a new VirtualHost config for port 443 which isn’t documented here.

The next step is to copy the new cert and key into the correct place on the server.

Locate the Apache config for the site, and inspect the .host config to see where the site’s cert and key are currently located. The lines you are looking for will look similar to this:

SSLCertificateFile /etc/apache2/ssl/ssl.crt/example.auckland.ac.nz.crt
SSLCertificateKeyFile /etc/apache2/ssl/ssl.key/example.auckland.ac.nz.key

It’s recommended that you replace the old files by renaming them using the following convention:

mv /etc/apache2/ssl/ssl.crt/example.auckland.ac.nz.crt /etc/apache2/ssl/ssl.crt/example.auckland.ac.nz.exp20110131.crt
mv /etc/apache2/ssl/ssl.key/example.auckland.ac.nz.key /etc/apache2/ssl/ssl.key/example.auckland.ac.nz.exp20110131.key

Where exp201113031 refers to the expiry date of the old certificate (in this example 31 Jan 2011).

After renaming the old files, rename the new cert and key to the location of the old cert and key (keeping the exact same filenames). After this step, the new cert and key will be in the exact same place as the old cert and key were.

Final Test and reload the server

Once the certs are in the correct place, check that Apache is happy.

 apache2ctl -t

This will tell you that the directives are correct, but won’t guarantee that Apache won’t fail when you restart.

Reload Apache

 /etc/init.d/apache2 reload

Make sure that Apache is running (there should be more than ~5 processes)

 pgrep apache

And repeat on the next cluster node.

Once all nodes have had Apache reloaded, visit the site in your browser and view the cert’s expiry details.

See also

Skip to toolbar