HOWTO: Instructions for installing an SSL certificate from instantssl.com (and other chained SSL certificates, I imagine)
Author: Greg Swallow - greg_at_skynetbc.com
Licence: GPL
Updated: Sept 7, 2004
Please post any comments. Someone else can make this a howto if it seems to work fine for everyone else.

I am using SME 6.0b3 and this seems to work fine for me. Most of this you can find on the contribs.org forums, but I couldn't find anywhere the part about the template fragment for httpd.conf, so I had to figure that part out.
1. Make the CSR

openssl req -new -nodes -keyout newserver.key -out newserver.csr

Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]: British Columbia
Locality Name (eg, city) []: Surrey
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: www.yourdomain.com
Email Address []: email@yourdomain.com
A challenge password []:
An optional company name []:
NOTE (Updated Sept 8th): The Common Name that you enter can't contain an asterisk (eg *.yourdomain.com) unless you are buying a 'Wildcard' certificate (much more expensive). I am using osCommerce software that forces people to use 'www.', but if your site doesn't do that, you may want both https://yourdomain.com and https://www.yourdomain.com to work, or if you need https://something.yourdomain.com to work, then you need a 'Wildcard' SSL certificate.
2. Submit the CSR to instantssl.com

pico newserver.csr
(and select and paste the whole thing into the form on their website)
3. After you get an email back with your certificate and another file called ca.txt

*** Backup the files you change if you want to ***
a. Copy the text from the certificate you just got into:
/etc/httpd/conf/ssl.crt/server.crt
and
/home/e-smith/ssl.crt/yourhostname.yourdomainname.crt (double check what your file is named)
b. Copy the newserver.key file to replace the old server.key
cp newserver.key /etc/httpd/conf/ssl.key/server.key
cp newserver.key /home/e-smith/ssl.key/yourhostname.yourdomainname.key
(double check what your file is named)
4. The chained SSL part

Copy the ca.txt file you got by email (the chained SSL certificate) to /etc/httpd/conf/
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
pico /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL10SSLD
Add this single line of text to that file:
SSLCACertificateFile /etc/httpd/conf/ca.txt
5. Security / Restarting
(Updated Sept 8th) Ownership/Security of the crt and key files:
chown root.root /etc/httpd/conf/ssl.key/server.key
chown root.root /etc/httpd/conf/ssl.crt/server.crt
chown root.root /home/e-smith/ssl.key/yourhostname.yourdomainname.key
chown root.root /home/e-smith/ssl.crt/yourhostname.yourdomainname.crt
chown root.root /etc/httpd/conf/ca.txt
chmod 400 /etc/httpd/conf/ssl.key/server.key
chmod 644 /etc/httpd/conf/ssl.crt/server.crt
chmod 400 /home/e-smith/ssl.key/yourhostname.yourdomainname.key
chmod 644 /home/e-smith/ssl.crt/yourhostname.yourdomainname.crt
chmod 644 /etc/httpd/conf/ca.txt
Expand the template & restart the service
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
service httpd restart
service httpd-admin restart
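A sanity check to run before (or right after) the restart above, added here as an example and not part of the original HOWTO: it confirms that the new server.key is the key the CSR was made with, that server.crt verifies against ca.txt, and that the key file is readable by its owner only. The function names are my own; it assumes the openssl binary is on the PATH and defaults to the file locations used in this HOWTO.

```shell
#!/bin/sh
# Added example (not from the original HOWTO). Assumes the file locations used
# in the HOWTO above and that the openssl binary is on PATH.

# 0 if the private key and the certificate carry the same RSA modulus, i.e.
# the key is the one the CSR was generated with. A mismatch here means Apache
# will fail to start (or keep serving the old certificate) after the restart.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# 0 if the server certificate verifies against the CA bundle (ca.txt), which is
# the chain Apache hands to browsers via SSLCACertificateFile.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the key file has no group/other permission bits (e.g. mode 400 or 600).
key_perms_ok() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c5-10) || return 1
    [ "$perm" = "------" ]
}

# Run all three checks; arguments override the HOWTO's default paths.
# Returns 0 only when every check passes.
check_ssl_install() {
    key="${1:-/etc/httpd/conf/ssl.key/server.key}"
    crt="${2:-/etc/httpd/conf/ssl.crt/server.crt}"
    ca="${3:-/etc/httpd/conf/ca.txt}"
    rc=0
    if key_matches_cert "$key" "$crt"; then echo "OK: key matches certificate"
    else echo "FAIL: $key does not match $crt"; rc=1; fi
    if chain_verifies "$ca" "$crt"; then echo "OK: certificate chains to $ca"
    else echo "FAIL: $crt does not verify against $ca"; rc=1; fi
    if key_perms_ok "$key"; then echo "OK: key is readable by owner only"
    else echo "FAIL: $key is readable by group/other"; rc=1; fi
    return $rc
}
```

After the restart, openssl s_client -connect www.yourdomain.com:443 -CAfile /etc/httpd/conf/ca.txt shows the chain Apache actually sends and ends with "Verify return code: 0 (ok)" once the template fragment has taken effect.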
6. Should work fine - post your comments please