SSL Part 2: CAcert Signing Process
With our domain verified and the CSR (certificate signing request) created, it's time to look at CAcert's signing process. In reality it is just a two-way copy-and-paste exercise. The following is a continuation from the previous page, hence the section numbering.
Step 3) Signing Process
The file server.csr is the CSR (certificate signing request). Strictly it is not an unsigned certificate: it carries the server's public key together with the subject details (CommonName and so on) entered on the previous page, and it is signed with the server's private key so the CA can check that the two belong together. The private key itself stays on the server and is never sent to CAcert; only the CSR is pasted into the form. The following provides the detailed steps required to get it signed at CAcert:
1) Login: Go to CAcert's home page; to the right, under My Account, click Password Login. At the login page enter your Email Address and Pass Phrase and click Login.
2) New Certificate: To the right, expand the Server Certificates menu and click on New.
3) Paste CSR into form: Using a text editor, open the file server.csr located in folder: *\Uniform Server\udrive\home\admin\www\plugins\uc_mod_ssl\key_cert_gen and copy its contents into the form shown on the right. Click Submit; this starts the signing process.
4) Request for confirmation: The details in your CSR are checked and all items other than the CommonName are removed. Confirm the CommonName is correct by clicking Submit.
5) Certificate generation: After a short time your signed certificate is displayed and a confirmation email is sent to your registration email address. Using a text editor, open the file server.crt (location: *\Uniform Server\udrive\usr\local\apache2\conf\ssl.crt) and delete its contents. Copy your signed server certificate (see right) into it and save. For the certificate to take effect, restart your server.
6) Viewing Certificates: In step 2) you can click View, which displays all certificates you own. Clicking on the Common Name displays the certificate. Check a box and click Renew or Revoke/Delete to maintain your certificate.
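Because the whole process is copy and paste, the two places it goes wrong are pasting the wrong file (or a truncated one) in step 3), and pasting a certificate that does not belong to this server's key into server.crt in step 5), after which Apache will refuse to start. The script below is an added example, not part of the Uniform Server pages or of CAcert's instructions; it uses only the openssl command-line tool. Before pasting, `check-csr` confirms server.csr is a well-formed CSR whose self-signature verifies and prints the CN you should expect to see back. After pasting, `check-cert` confirms the returned certificate carries the same public key as the CSR (and hence matches the private key Apache will load) and the same CN; only the CN is compared because, as step 4) says, CAcert strips every other subject field. `install` backs up the old server.crt before overwriting it. The file paths, the subcommand names and the backup naming are my assumptions. One caveat the page does not mention: the CAcert root is not shipped in mainstream browser trust stores, so clients will still warn unless that root is imported on their side; the checks here only show the certificate is the right one for your server.

```shell
#!/bin/sh
# Added example (not from the Uniform Server page): pre-flight and post-signing
# checks for the CAcert copy-and-paste flow described in Step 3.
#   check-csr  <server.csr>               - before pasting into CAcert's form
#   check-cert <server.csr> <signed.crt>  - after copying the returned certificate
#   install    <signed.crt> <server.crt>  - replace server.crt, keeping a backup
# All paths are passed as arguments (assumption); point them at the Uniform
# Server locations given in the text. Requires the openssl command-line tool.

# Reduce a PEM public key on stdin to its SHA-256 digest (hex only).
pubkey_fingerprint() {
    openssl dgst -sha256 | sed 's/^.*= *//'
}

# Pull the CN out of a "subject=..." line printed with -nameopt RFC2253.
subject_cn() {
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Step 3.3 pre-flight: is this really a CSR, and is its self-signature intact
# (i.e. was it produced with the private key still on this server)?
# Prints the CN on success so it can be compared with what CAcert shows.
check_csr() {
    csr="$1"
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$csr" || return 1
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -subject -nameopt RFC2253 | subject_cn
}

# Step 3.5: does the signed certificate belong to our key? The public key in
# the certificate must equal the public key in the CSR. CAcert drops every
# subject field except CN, so only the CN is compared; O/OU and friends from
# the CSR are expected to be absent from the certificate.
check_signed_cert() {
    csr="$1"; crt="$2"
    csr_fp=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null | pubkey_fingerprint)
    crt_fp=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | pubkey_fingerprint)
    [ -n "$csr_fp" ] && [ "$csr_fp" = "$crt_fp" ] || return 1
    csr_cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null | subject_cn)
    crt_cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 2>/dev/null | subject_cn)
    [ -n "$csr_cn" ] && [ "$csr_cn" = "$crt_cn" ]
}

# Step 3.5 continued: install the returned certificate over server.crt only if
# it parses as a certificate, keeping a timestamped backup of the old file.
# Apache still has to be restarted afterwards to pick it up.
install_cert() {
    new_crt="$1"; target="$2"
    openssl x509 -in "$new_crt" -noout >/dev/null 2>&1 || return 1
    if [ -f "$target" ]; then
        cp "$target" "$target.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp "$new_crt" "$target"
}

# Dispatch on the subcommand; with no arguments the file only defines the
# functions, so it can also be sourced from another script.
case "${1:-}" in
    check-csr)  check_csr "$2" ;;
    check-cert) check_signed_cert "$2" "$3" && echo "certificate matches CSR and key" ;;
    install)    install_cert "$2" "$3" && echo "installed $3; restart Apache to load it" ;;
    *) ;;
esac
```

Run `sh cacert-check.sh check-csr server.csr` before step 3) and `sh cacert-check.sh check-cert server.csr signed.crt` after step 5); a failed `check-cert` almost always means the certificate shown on the CAcert page belongs to an older CSR, so regenerate or re-paste before touching server.crt.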
Summary
Obtaining a signed certificate really is that easy: copy and paste twice.
Real world experience
I have included this section because things do not always run smoothly, and when this happens you need support. I was extremely impressed with CAcert's support team and would like to express my thanks to Teus and Philipp.
The registration process was relatively easy; I confess to having had several attempts at a valid pass phrase.
First experience obtaining a signed server certificate: I originally used my registered domain name and pointed the MX records to my ISP's mail server, and the whole process ran flawlessly.
My real goal was to use a free dynamic IP service such as DynDNS and No-IP. This requires running a local mail server, and that's where I had some problems. Verification failed using OM3; thinking CAcert blocked the above services, I put in a support request and found they don't. OM3 is still in beta, hence I tried Mercury mail transport as an alternative. This passed the mail probe test; however, I noticed a few strange characters in the confirmation link. I removed these and obtained validation.
Thinking there was a problem, I sent in another support request; the reply and solution were fast and spot on. This is where I became a little red faced: I was not using a mail client for reading the email. Being lazy, I used a text editor to directly pick up the information from the account file, whoops, including those strange (MIME) characters. From the sparse information I sent, CAcert support suggested I use a mail client; spot on, they probably realised what I had done. I checked using a mail client, confirming my problems were self-inflicted. Note for XAMPP users: you will have no problems using Mercury mail transport.
Wanting the whole process sequence to be a smooth and uneventful experience when using Uniform Server, I decided to include hMailServer. That decision was correct: it installed with no problems, was easy to set up, and it sits there working. One side effect! I could not resist the temptation to play with a new bit of kit, hence the PHP mail function page.
Conclusion
I had several objectives for this project. Primary objective: run a secure server with a genuinely free signed server certificate, amply met by CAcert. Secondary objective: introduce new material providing real alternatives, in particular a mail server and a solution to having a dynamic IP address. I met this target using hMailServer, which will certainly remain on my PC; as for No-IP, it does what it is intended to do, however because they charge for a wildcard domain it's back to DynDNS for me.
I am personally unhappy with the lockdown section; security is of prime importance and I feel this section is too open and general. I would have liked to be specific and state that your PC is now secure; however, for the reasons I provided in that section, not a chance.
Ric