SSL Part 2: Generate CSR
I assume you have updated Uniform Server 3.5-Apollo to run mod_ssl; if not, check the page running mod_ssl on Uniform Server for details.
You can skip this page if you have already created a self-signed certificate for your domain and have not deleted the file server.csr, which is required to obtain a signed certificate from CAcert.
For this project I created a new domain, mpg123.no-ip.org. Because of this I needed to create a new self-signed certificate and CSR (Certificate Signing Request). The following details this procedure:
Open the folder *\Uniform Server\udrive\home\admin\www\plugins\uc_mod_ssl\key_cert_gen and delete the following files by running clean.bat found in this folder.
Creating a key, certificate and CSR
To create a key, certificate and CSR, the following batch files are executed in sequence.
|Batch file to run||Purpose|
|mpg1.bat||Creates a private key and a CSR (Certificate Signing Request)|
|mpg2.bat||Removes the pass phrase from the private key|
|mpg3.bat||Creates a self-signed certificate for testing (personal server use only)|
These batch files create three files: server.key and server.crt, used by the server, and server.csr, the unsigned certificate.
Note 1: A pass phrase is a password; however, it can be several words in length, hence a phrase. You need to supply one, although we will remove it later, so I suggest keeping it short, for example “fred”.
Note 2: When prompted for a “Common Name”, provide the domain name of your web server (e.g. mpg123.no-ip.org).
When run, mpg1.bat looks similar to this:
|Output||Action|
|Loading 'screen' into random state - done||Enter a pass phrase, e.g. fred. This will not be displayed. Remember to keep it short; it will be removed later.|
|Country Name (2 letter code) [GB]:||Press enter to accept each default or enter your information. Note: CAcert will remove this, with the exception of Common Name. You must enter a Common Name.|
|Please enter the following 'extra' attributes||Not used. Press enter.|
Three files are created: .rnd, server.csr and server.pem.
mpg2.bat removes the pass phrase from the RSA private key.
In a commercial environment you would not remove this pass phrase; however, for a personal web server it is desirable to do so. With it in place, each time you start up the Apache server a pop-up dialog is displayed prompting you to enter the pass phrase. This would be a problem if you set your server to auto-reboot after a system crash, because you would need to be around to enter it, hence the reason for its removal. Without the pass phrase, server.key is protected only by the file permissions on it, so restrict who can read it.
Action: When requested, enter the pass phrase fred. Note that this will not be displayed.
Result: Creates the server keyfile server.key
mpg3.bat creates a self-signed certificate that expires after ten years. If you prefer a shorter time, change the batch file to reflect the value you want.
Note: This is reduced to six months by CAcert (other free CAs have a limit of three months).
Action: No action required.
Result: Creates the self-signed server certificate file server.crt
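Before copying the files into the Apache folders or submitting server.csr to CAcert, it is worth checking that the key, CSR and certificate share one public key, that the pass phrase really was removed, and that the CSR carries the intended Common Name. The script below is an added example, not part of the original page or of Uniform Server; it assumes a POSIX shell with an openssl binary on the PATH, and its function names and the openssl commands in make_sample are assumptions, not the contents of mpg1.bat to mpg3.bat.

```shell
#!/bin/sh
# Added example. Assumes an openssl binary on PATH. File names and the
# pass phrase "fred" are the ones used on this page.

# Constructed sample input: the same three steps, run non-interactively.
# These commands are an assumption, not the contents of mpg1-3.bat.
make_sample() {   # usage: make_sample DIR COMMON_NAME
    openssl req -new -newkey rsa:2048 -passout pass:fred -subj "/C=GB/CN=$2" \
        -keyout "$1/server.pem" -out "$1/server.csr" 2>/dev/null &&
    openssl rsa -in "$1/server.pem" -passin pass:fred \
        -out "$1/server.key" 2>/dev/null &&
    openssl x509 -req -days 3650 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Print the public key (PEM) contained in a key, CSR or certificate.
pubkey_of() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req  -in "$1" -noout -pubkey ;;
        *.crt) openssl x509 -in "$1" -noout -pubkey ;;
    esac 2>/dev/null
}

# Print the Common Name stored in a CSR.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *//p' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Return 0 only if the files in DIR belong together and carry the right CN.
check_ssl_files() {   # usage: check_ssl_files DIR EXPECTED_COMMON_NAME
    for f in server.key server.csr server.crt; do
        [ -s "$1/$f" ] || { echo "missing: $f"; return 1; }
    done
    if grep -q ENCRYPTED "$1/server.key"; then
        echo "server.key still has a pass phrase"; return 1
    fi
    k=$(pubkey_of "$1/server.key")
    [ -n "$k" ] || { echo "server.key is not a readable private key"; return 1; }
    [ "$k" = "$(pubkey_of "$1/server.csr")" ] || { echo "CSR does not match key"; return 1; }
    [ "$k" = "$(pubkey_of "$1/server.crt")" ] || { echo "certificate does not match key"; return 1; }
    cn=$(csr_cn "$1/server.csr")
    [ "$cn" = "$2" ] || { echo "CSR Common Name is '$cn', expected '$2'"; return 1; }
    echo "ok: key, CSR and certificate match, CN=$cn"
}

if [ "$#" -eq 2 ]; then check_ssl_files "$1" "$2"; fi
```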
Copy the Certificate and Key
Copy the two server files as shown below:
Copy file server.key to folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.key
Copy file server.crt to folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.crt
You now have a secure server with a self-signed certificate. As a quick test, run the following using your domain name:
|1) Start the servers using Server_Start.bat||Normal server operation with apanel displayed.|
|2) Type http://mpg123.no-ip.org/||Displays Site 1 home page|
|5) Type https://mpg123.no-ip.org/||a) Pop-up displays Website Certified by an Unknown Authority - Click Accept temporarily this session|
Note: If you wish to use wildcards at No-IP, they will charge a small fee; however, DynDNS provides this for free with their free account.
With the above completed you now have a fully tested secure server. The server certificate server.crt in folder *\Uniform Server\udrive\usr\local\apache2\conf\ssl.crt will eventually be replaced with a signed certificate from CAcert.
The content of file server.csr is the unsigned certificate that will be submitted to CAcert for signing. Before that’s possible you need to open an account and allow them to verify your domain name; this is covered on the next two pages.