Difference between revisions of "Coral: apache free server cert"
Latest revision as of 13:36, 12 November 2011
Apache - Free Server Certificate
A free server certificate using the service from http://www.startssl.com/ is a better choice than a self-signed certificate. Please note that The Uniform Server developers have no relation or affiliation with this site. The material is included here only to provide a better alternative to a self-signed certificate. Other choices likely are available.
StartSSL (StartCom) is a public certification authority providing digital certificates for free! They have their root certificate in all major browsers, which means that certificates issued by StartSSL are trusted by default. Major browsers include Firefox, Internet Explorer, Google Chrome, Safari and Opera. The term free means just that, with no hidden catches or trials, so The Uniform Server now includes support for StartCom.
Obtaining a free server certificate requires a number of steps. First you need to have a registered domain name; then you create a certificate-signing request and obtain a personal ID certificate by registering with StartCom. With this in place, you can log in to StartCom and have your certificate signed. Finally you install this certificate on your server. This page covers each step in more detail.
Register a domain name
Register a domain name with a registrar of your choice. The information you supply pertains to the domain you are registering. Of importance for obtaining a free certificate is the contact e-mail address you supply, meaning the address where the registrar can contact you. StartCom uses this e-mail address to verify that you control the domain name. Alternatively, if your domain name is active (the site has a mail server), a site e-mail address can be used for verification.
Note: Your registrar contact e-mail address allows you to obtain a signed certificate before making your site live. This allows you to test your site locally with a signed certificate and confirm that Apache’s SSL Vhost server verification chain works.
Create an account at StartSSL
Creating an account at StartSSL can be done in advance. You are asked for certain details that identify you. This information is used for creating a personal identification (ID) certificate that is installed into your browser. One purpose of this certificate is to automatically log you into your StartSSL account.
- Go to the https://www.startssl.com/?app=12/ website
- Click Sign up
- Fill in all fields in the sign up form and click Continue
- An authentication code will be e-mailed to you.
- Copy and paste it into the Complete Registration form. Click Continue
- Choose the level of security required and click Continue
- Allow the pop-up to install the security certificate into your browser
- Click Install
- If prompted by your firewall, allow outside access (the connection is to the certificate authority)
- Click Finish
Note: Backup your client certificates! [Check this link] and follow the instructions appropriate for your browser.
Creating a certificate signing request (CSR)
Generating a certificate-signing request is similar to generating a self-signed certificate. The only difference is to change Hostname from localhost to your registered domain name. For a free StartCom certificate, this field is the only one that is part of the certificate. If you change any of the other fields, the class of the certificate changes as well as its cost, and will require further validation. These instructions cover only the free certificate.
UniController: Server Configuration > Apache > Generate Certificate
This generates your new server key (server.key) and CSR (server.csr).
It's important to save these files to a safe and secure location (example: UniServer\certs) as follows:
Note 1: The empty file server.crt is where you will copy your signed certificate. Folder UniServer\certs is used only to store your original certificates. It keeps them as a separate group.
Note 2: Folder UniServer\certs is just an example. Ideally you would save its final content to a pen drive, writable CD or another PC for safekeeping.
Sign certificate at StartSSL
Login to StartSSL
- Go to the https://www.startssl.com/?app=12/ website
- Click Authenticate
- Click Control Panel
- Click Validations Wizard tab (top menu)
- From the drop-down menu choose Domain Name Validation -- Click continue
- Enter the URL of your domain name to be validated
- Select an e-mail address from the list (select the last entry). Note: The last entry is your registrar contact e-mail address. -- Click the continue button.
- An authentication code is sent to the selected e-mail address.
- Copy this authentication code and paste it into the Verification Code box. -- Click the continue button.
- Click Finish
- Now click the Certificates Wizard tab
- From the Certificate Target dropdown menu select Webserver SSL/TLS Certificate -- Click continue button.
- Generate Private Key form displayed. Click Skip - We are using our own key.
- Submit Certificate Request (CSR) form opens
- Open file UniServer\certs\server.csr
- Copy and paste its content into the box displayed.
- Click continue button.
- The message Certificate Request Received is displayed -- Click the continue button.
- Select your domain name (from dropdown list) and use www as the subdomain.
- Your signed certificate is generated and displayed.
- Copy the displayed content and save it to the empty file server.crt mentioned in Note 1 above.
Download StartCom CA Certificates - Information
Note: This section is for information only; the required certificates are preinstalled. A signed certificate requires a verification chain. To implement this on Apache, two additional certificates are required. Download these from StartSSL:
- At StartSSL, log into your control panel.
- Download ca.pem and save it to folder UniServer\certs.
- Download sub.class1.server.ca.pem and save it to folder UniServer\certs.
Note: If you have a higher validated server certificate you need to use the class2 or class3 intermediate CA certificate.
Copy the two files server.key and server.crt to Apache folder server_certs
- Copy UniServer\certs\server.key to folder UniServer\usr\local\apache2\server_certs
- Copy UniServer\certs\server.crt to folder UniServer\usr\local\apache2\server_certs
Edit SSL Configuration file
Two lines require enabling in Apache’s SSL configuration file as follows:
Edit file: UniServer\usr\local\apache2\conf\extra\ssl.conf
Locate these two lines:
#SSLCertificateChainFile C:/UniServer/usr/local/apache2/server_certs/sub.class1.server.ca.pem
#SSLCACertificateFile C:/UniServer/usr/local/apache2/server_certs/ca.pem
Remove the # to enable as shown below:
SSLCertificateChainFile C:/UniServer/usr/local/apache2/server_certs/sub.class1.server.ca.pem
SSLCACertificateFile C:/UniServer/usr/local/apache2/server_certs/ca.pem
Note: Your path to folder UniServer may be different.
Before going live with your secure server you can test it locally. To do this your domain name (for example fred.com) must resolve to an IP address. This is done through an entry in your hosts file.
- Edit file: C:\WINDOWS\system32\drivers\etc\hosts
- Add this line: 127.0.0.1 fred.com
- Start the Apache server
- Click View ssl button
- The secure test page should be displayed with no alerts.
Note: Replace fred.com with the hostname you used when creating your CSR. Be sure to remove this line when you are ready to go live.
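Before trusting the local test, it is worth confirming with openssl that the three files you just installed belong together: that server.crt was issued for the key in server.key, that the chain file really links server.crt to the root named in SSLCACertificateFile, and that the certificate carries the hostname you put in the hosts file. The script below is an added example and is not part of the Uniform Server page or the StartSSL service; because it must run offline, it first builds a throwaway root, intermediate and server certificate (constructed stand-ins for ca.pem, sub.class1.server.ca.pem and server.crt, for the name fred.com) and then runs the same three checks you would run on the real files.

```shell
#!/bin/sh
# Added example, not from the Uniform Server page: build a throwaway
# root -> intermediate -> server chain with openssl (stand-ins for
# ca.pem, sub.class1.server.ca.pem and server.crt), then run the checks
# you would run on the real StartSSL files before going live.
set -e
WORK=$(mktemp -d)

make_chain() {
  cd "$WORK"
  # Root CA, the stand-in for ca.pem (SSLCACertificateFile).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Test Root CA" -days 2 2>/dev/null
  # Intermediate CA, the stand-in for sub.class1.server.ca.pem (SSLCertificateChainFile).
  openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
    -subj "/CN=Test Intermediate CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
  openssl x509 -req -in sub.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out sub.class1.server.ca.pem -days 2 -extfile sub.ext 2>/dev/null
  # Server key and CSR for fred.com (what UniController's Generate Certificate
  # produces), then the certificate a CA would hand back for that CSR.
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=fred.com" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:fred.com,DNS:www.fred.com\n' > srv.ext
  openssl x509 -req -in server.csr -CA sub.class1.server.ca.pem -CAkey sub.key \
    -CAcreateserial -out server.crt -days 2 -extfile srv.ext 2>/dev/null
}

# Returns 0 when server.crt, server.key and the chain files are consistent,
# otherwise 1, 2 or 3 to say which check failed.
check_install() {
  cd "$WORK"
  # 1. server.crt must carry the public key of server.key (the key behind the CSR).
  [ "$(openssl x509 -noout -pubkey -in server.crt)" = \
    "$(openssl pkey -pubout -in server.key)" ] || return 1
  # 2. The intermediate must link server.crt to the root Apache is told to trust.
  openssl verify -CAfile ca.pem -untrusted sub.class1.server.ca.pem server.crt \
    >/dev/null 2>&1 || return 2
  # 3. The name in the certificate must be the one you put in the hosts file.
  openssl x509 -noout -checkhost fred.com -in server.crt | grep -q "does match" || return 3
  return 0
}

make_chain
rc=0; check_install || rc=$?
echo "check_install returned $rc (0 = certificate, key and chain are consistent)"
```

On the real installation, point the three commands in check_install at the files in UniServer\usr\local\apache2\server_certs; once Apache is running, openssl s_client -connect 127.0.0.1:443 -servername fred.com shows the chain Apache actually sends to browsers.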
Where to next
Apache SSL: Introduction and overview.
Self-signed: Self-signed test certificate details.