SSL Part 2: Generate CSR

From The Uniform Server Wiki
Revision as of 17:59, 9 June 2008 by Ric

Generate CSR
Signed Certificate Project
Uniform Server 3.5-Apollo

I assume you have updated Uniform Server 3.5-Apollo to run mod_ssl; if not, check the page "running mod_ssl on Uniform Server" for details.

You can skip this page if you have already created a self-signed certificate for your domain and have not deleted the file server.csr, which is required to obtain a signed certificate from CAcert.

For this project I created a new domain, mpg123.no-ip.org. Because of this I needed to create a new self-signed certificate and CSR (certificate signing request). The following details this procedure:

Preparation

Open the folder *\Uniform Server\udrive\home\admin\www\plugins\uc_mod_ssl\key_cert_gen and delete the following files by running clean.bat found in this folder.

  • .rnd
  • server.pem
  • server.csr
  • server.key
  • server.crt

Creating a key, certificate and CSR

To create a Key, Certificate and CSR the following batch files are executed in sequence.

Batch file to run:

  • mpg1.bat: Creates a private key and a CSR (Certificate Signing Request)
  • mpg2.bat: Removes the pass phrase from the private key
  • mpg3.bat: Creates a self-signed certificate for testing (personal server use only)

These batch files create three files: server.key and server.crt, which are used by the server, and server.csr, the unsigned certificate.


Run mpg1.bat

Note 1: A pass phrase is a password; however, it can be several words in length, hence a phrase. You need to supply one, although we will remove it later, so I suggest keeping it short, for example "fred".

Note 2: When prompted for a "Common Name", provide the domain name of your web server (e.g. mpg123.no-ip.org).

The batch file when run looks similar to this:

Screen output, with the comment for each part following it:

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.........++++++
.............................................++++++
writing new private key to 'server.pem'
Enter PEM pass phrase:fred
Verifying - Enter PEM pass phrase:fred
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Comment: Enter a pass phrase, e.g. fred. This will not be displayed. Remember to keep it short; it will be removed later.

Country Name (2 letter code) [GB]:
State or Province Name or County (full name) [Cambridgeshire]:
Locality Name (eg, city or town) [Cambridge]:
Organization Name (eg, company) [Unicenter]:
Organizational Unit Name (eg, section) [Demo Example Mike Gleaves]:
Common Name (eg, your websites domain name) []:mpg123.no-ip.org
Email Address []:

Comment: Press enter to accept each default or enter your information. Note: CAcert will remove this with the exception of Common Name. You must enter a Common Name.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

Comment: Not used. Press enter.

Three files are created: .rnd, server.csr and server.pem.


Run mpg2.bat

This batch file removes the pass phrase from the RSA private key.

In a commercial environment you would not remove this pass phrase; however, for a personal web server it is desirable to do so. With it in place, each time you start up the Apache Server a pop-up dialog is displayed prompting you to enter the pass phrase. This would be a problem if you set your server to auto-reboot after a system crash, because you need to be around to enter it, hence the reason for its removal.

Action: When requested enter pass phrase fred. Note this will not be displayed.

Result: Creates the server keyfile server.key


Run mpg3.bat

This creates a self-signed certificate that expires after ten years. If you prefer a shorter time, change the batch file to reflect the value you want.

Note: This is reduced to six months by CAcert (other free CAs have a limit of three months).

Action: No action required.

Result: Creates the self-signed server certificate file server.crt
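A check that can be run once the three batch files have finished, added here as an example and not part of the original wiki page: it confirms that server.key, server.csr and server.crt all carry the same public key, that the CSR's self-signature verifies, and which Common Name the CSR holds. The openssl commands in make_sample are assumed stand-ins for mpg1.bat, mpg2.bat and mpg3.bat (whose contents this page does not show), and the sample uses a 2048-bit key rather than the 1024-bit key in the output above.

```shell
#!/bin/sh
# Added example. File names follow the page; the function names and the
# openssl commands below are assumptions, not the batch files' contents.

# Build a constructed sample set in directory $1 for Common Name $2.
make_sample() {
  ( cd "$1" || exit 1
    # mpg1 stand-in: pass-phrase-protected key (server.pem) plus CSR
    openssl req -new -newkey rsa:2048 -keyout server.pem -out server.csr \
      -passout pass:fred -subj "/CN=$2" 2>/dev/null || exit 1
    # mpg2 stand-in: write the key again without its pass phrase
    openssl rsa -in server.pem -passin pass:fred -out server.key 2>/dev/null || exit 1
    # mpg3 stand-in: self-signed certificate valid for ten years
    openssl x509 -req -days 3650 -in server.csr -signkey server.key \
      -out server.crt 2>/dev/null )
}

# Print the PEM public key carried by a key, CSR or certificate file.
pubkey_of() {
  case "$1" in
    key) openssl pkey -in "$2" -passin pass: -pubout ;;
    csr) openssl req  -in "$2" -noout -pubkey ;;
    crt) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null
}

# Print the Common Name stored in a CSR (tolerates old and new subject formats).
csr_cn() {
  openssl req -in "$1" -noout -subject |
    sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if all three files in directory $1 share one public key
# and the CSR's self-signature verifies.
check_set() {
  k=$(pubkey_of key "$1/server.key")
  r=$(pubkey_of csr "$1/server.csr")
  c=$(pubkey_of crt "$1/server.crt")
  [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ] &&
    openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1
}

demo=$(mktemp -d)
make_sample "$demo" mpg123.no-ip.org &&
  echo "CN in CSR: $(csr_cn "$demo/server.csr")" &&
  check_set "$demo" && echo "key, CSR and certificate match"
rm -rf "$demo"
```

A mismatch here usually means server.key or server.csr was regenerated after the other files were created; a certificate signed from that CSR would then not work with the installed key.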


Copy the Certificate and Key

Copy the two server files as shown below:

Copy file server.key to folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.key

Copy file server.crt to folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.crt


Test

You now have a secure server with a self-signed certificate. As a quick test, run the following using your domain name:

Test | Result
1) Start the servers using Server_Start.bat | Normal server operation with apanel displayed.
2) Type http://mpg123.no-ip.org/ | Displays Site 1 home page
5) Type https://mpg123.no-ip.org/ | See a) to c) below
   a) Pop-up displays Website Certified by an Unknown Authority - Click Accept temporarily this session
   b) (If enabled) Authentication Required - Type in name and password - click Ok
   c) Padlock closed and page Site 3 home page displayed

Note: If you wish to use wildcards at No-IP they will charge a small fee, however DynDNS provides this for free with their free account.

Summary

With the above completed you now have a fully tested secure server. The server certificate server.crt in folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.crt will eventually be replaced with a signed certificate from CAcert.

The content of file server.csr is the unsigned certificate that will be submitted to CAcert for signing. Before that's possible you need to open an account and allow them to verify your domain name; this is covered on the next two pages.



Ric