
SSL

WARNING: This page is currently not being maintained, and contains outdated information. You should refrain from following any instructions below. Instead, please refer to the Norwegian version for the time being, which is up-to-date: /tjenester/it/sikkerhet/sertifikater/kokebok.html

An English translation will follow at a later point.

 

SSL (Secure Sockets Layer, long since superseded by TLS, although the old name is still in common use) is a protocol for secure transmission of data over the Internet. SSL/TLS encrypts all data sent between the web browser and the web server, and the server's certificate and private key let the browser verify that it is talking to the genuine server and not to an impostor.

Recipe for ordering and using SSL certificates (Uninett)

UiO is authorized to issue certificates under the domain uio.no

Get started

You need:

  • OpenSSL 0.9.X or newer

All instances of 'www.foo.uio.no' in the text should be replaced with the name of the host the certificate is for. This must be the fully qualified domain name (FQDN), e.g. www.admin.uio.no or universitas.uio.no.

Important: If you create the CSR file on a *nix machine and then copy its contents from Windows, open it in WordPad and not in Notepad. Older versions of Notepad do not understand Unix line endings (LF) and show the file as one long line, which makes it easy to paste a corrupted request.

Generating the key and the CSR

Start by creating the file www.foo.uio.no.cnf. A typical example:

[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
utf8 = yes

[ dn ]
C = NO
L = Oslo
O = Universitetet i Oslo
OU = USIT
CN = www.foo.uio.no

In [ req ] you can set default_bits higher, but be aware that some services have problems with very large keys, and larger RSA keys make every handshake slower. 2048 bits is a safe choice (and the minimum any public CA accepts today).

Here you need to change OU and CN.
OU is the Organizational Unit and CN is the Common Name, i.e. the host name, 'www.foo.uio.no' in our example. Note that modern browsers no longer look at the CN at all and only match the names listed in subjectAltName (Chrome has ignored the CN since version 58, in 2017), so in practice you should use the multi-name form below even when you only need a single name, with that name as DNS.0.

If you are ordering a certificate for multiple DNS names (aliases), the .cnf file must be extended:

[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
utf8 = yes
req_extensions = v3_req

[ v3_req ]
subjectAltName = @alt_names

[ dn ]
C = NO
O = Universitetet i Oslo
OU = USIT
CN = www.foo.uio.no

[alt_names]
DNS.0 = www.foo.uio.no
DNS.1 = foo.uio.no

Change OU and CN as in the previous example. CN must be the same as DNS.0; DNS.1 is an alias. If you need more aliases, add DNS.2, DNS.3 and so on.

Then you create an RSA key and a CSR (Certificate Signing Request) with OpenSSL. Save all the files somewhere you can find them again. You do not need to create the key and CSR on the machine the certificate is for, but the private key must stay under your control: only the CSR is ever sent to the CA.

maskin.uio.no# /local/bin/openssl req -new -config www.foo.uio.no.cnf -keyout www.foo.uio.no.key -out www.foo.uio.no.csr
Generating a 2048 bit RSA private key
............+++
.+++
writing new private key to 'www.foo.uio.no.key'
-----

Next we need to protect the private key. Choose a strong passphrase and remember it; it can be changed later as long as you know the old one. Take a backup of www.foo.uio.no.key. The command below uses -des3; on a current OpenSSL, -aes256 is the better choice, since 3DES is deprecated.

maskin.uio.no# /local/bin/openssl rsa -in www.foo.uio.no.key -des3 -out www.foo.uio.no-enc.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

The encrypted key will be stored as www.foo.uio.no-enc.key.

You can view the key in cleartext with:

maskin.uio.no# /usr/bin/openssl rsa -noout -text -in www.foo.uio.no.key
...[lots of output]

Do not keep the private key in cleartext. Once you have confirmed that the encrypted copy opens with your passphrase, use it in place of the cleartext file (the rest of this recipe refers to the password-protected key as www.foo.uio.no.key) and remove the cleartext copy.

You should now make sure that you have a proper backup of the private key.
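The recipe above (config file, key and CSR, then encrypting the key) as one runnable script. This is an added example and not part of the original page; it also does the checks worth running before a CSR is sent off: that the request's self-signature verifies, that the public key in the CSR really belongs to the key file you are about to protect, and that the requested names are the ones you meant. Assumptions: OpenSSL 1.1.1 or newer is on PATH (the /local/bin path on the page is site-specific), the host names and passphrase are placeholders, and -aes256 is used in place of the page's -des3.

```shell
#!/bin/sh
# Added example (not from the UiO page). Host names and passphrase are placeholders.
# Requires OpenSSL 1.1.1+ on PATH.

# write_req_config <cnf> <CN> [alias...]: the page's multi-name .cnf, with CN also listed as DNS.0.
write_req_config() {
    cnf=$1; cn=$2; shift 2
    {
        printf '%s\n' '[ req ]' 'default_bits = 2048' 'prompt = no' 'encrypt_key = no' \
            'default_md = sha256' 'distinguished_name = dn' 'utf8 = yes' 'req_extensions = v3_req' ''
        printf '%s\n' '[ v3_req ]' 'subjectAltName = @alt_names' ''
        printf '%s\n' '[ dn ]' 'C = NO' 'L = Oslo' 'O = Universitetet i Oslo' 'OU = USIT' "CN = $cn" ''
        printf '%s\n' '[ alt_names ]' "DNS.0 = $cn"
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cnf"
}

# make_key_and_csr <cnf> <key-out> <csr-out>: the page's "openssl req -new" step.
# -nodes repeats encrypt_key = no: the key is written unencrypted and protected afterwards.
make_key_and_csr() {
    openssl req -new -nodes -config "$1" -keyout "$2" -out "$3"
}

# csr_signature_ok <csr>: exit 0 only if the request's self-signature verifies (a CA rejects it otherwise).
csr_signature_ok() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# csr_matches_key <csr> <key>: the public key embedded in the CSR must be derived from this key file.
csr_matches_key() {
    [ "$(openssl req -noout -pubkey -in "$1")" = "$(openssl pkey -in "$2" -pubout)" ]
}

# csr_sans <csr>: the DNS names actually requested, one per line (what the CA will put in the cert).
csr_sans() {
    openssl req -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# encrypt_key <cleartext-key> <encrypted-out> <passphrase>: the page's "openssl rsa -des3" step with
# AES-256; the passphrase is passed via the environment rather than argv, then the result is test-decrypted.
encrypt_key() {
    KEYPASS=$3 openssl rsa -in "$1" -aes256 -passout env:KEYPASS -out "$2" 2>/dev/null \
        && KEYPASS=$3 openssl pkey -in "$2" -passin env:KEYPASS -noout
}

# demo: run the whole recipe in a scratch directory.
demo() {
    dir=$(mktemp -d)
    write_req_config "$dir/www.foo.uio.no.cnf" www.foo.uio.no foo.uio.no
    make_key_and_csr "$dir/www.foo.uio.no.cnf" "$dir/www.foo.uio.no.key" "$dir/www.foo.uio.no.csr"
    csr_signature_ok "$dir/www.foo.uio.no.csr" || { echo 'CSR signature does not verify' >&2; return 1; }
    csr_matches_key "$dir/www.foo.uio.no.csr" "$dir/www.foo.uio.no.key" || { echo 'key/CSR mismatch' >&2; return 1; }
    echo 'Names requested in the CSR:'; csr_sans "$dir/www.foo.uio.no.csr"
    encrypt_key "$dir/www.foo.uio.no.key" "$dir/www.foo.uio.no-enc.key" 'demo-passphrase-change-me' || return 1
    rm -f "$dir/www.foo.uio.no.key"    # keep only the encrypted copy, as the page advises
    echo "Send only $dir/www.foo.uio.no.csr; keep $dir/www.foo.uio.no-enc.key and its passphrase private"
}

demo
```

The name check is the one that catches most real-world mistakes: a CSR whose SAN list is missing the bare domain, or carries a typo, produces a certificate that browsers will reject for that name, and the CA will not fix it for you.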

The automated ordering form has some limitations. It only handles ordinary (multi-domain/SAN) certificates, so wildcard certificates are not possible, and the CSR must be signed with SHA-256 (default_md = sha256 above). If you need a special certificate, contact us at www-drift@usit.uio.no.

Then you send in the order

When the certificate is created it will be sent to you in an email — save it as www.foo.uio.no.crt.

Adding the certificate to the server

You need:

  • The private key (should be password-protected): www.foo.uio.no.key
  • The signed certificate: www.foo.uio.no.crt (received in the email)
  • The CA certificate (the certificate chain from the email): DigiCertCA.pem

We recommend running the Apache shipped with Red Hat, on the newest RHEL available to you. You can save the certificate files wherever you like, but it is neatest to put them in:

/etc/httpd/conf/ssl.crt/
/etc/httpd/conf/ssl.key/

If you need to run RHEL5 and Apache 2.2 from Store, move the files to:

/site/opt/apache2.2/conf/ssl.crt/
/site/opt/apache2.2/conf/ssl.key/

(the paths given in the distributed httpd.conf). Then run:

maskin.uio.no# ln -s /site/opt/apache2.2/conf/ssl.crt/www.foo.uio.no.crt /site/opt/apache2.2/conf/ssl.crt/server.crt 
maskin.uio.no# ln -s /site/opt/apache2.2/conf/ssl.key/www.foo.uio.no.key /site/opt/apache2.2/conf/ssl.key/server.key 

...so that Apache 2.2 finds the files. Then restrict access to them:

maskin.uio.no# chmod 440 /site/opt/apache2.2/conf/ssl.crt/www.foo.uio.no.crt
maskin.uio.no# chmod 400 /site/opt/apache2.2/conf/ssl.key/www.foo.uio.no.key

The key file must be owned by root and readable by root only (mode 400): httpd reads it as root at startup, before it drops privileges, and no other user on the machine has any business reading it. The certificate itself is public, so the 440 on it is only for tidiness.

The certificate chain file should be saved as DigiCertCA.pem in /site/opt/apache2.2/conf/ssl.crt/.

If no SSL config exists, copy the default config:

cp -i /local/opt/apache2.2/conf/extra/httpd-ssl.conf /site/opt/apache2.2/conf/

... and change the necessary values.

Important: if you use a certificate from UNINETT, you must point SSLCACertificateFile at the DigiCert chain:

SSLCACertificateFile /site/opt/apache2.2/conf/ssl.crt/DigiCertCA.pem

(In Apache 2.2 this works because mod_ssl builds the chain it sends to the browser from the CA store. The directive intended for the intermediate certificate is SSLCertificateChainFile; unlike SSLCACertificateFile it does not also make those CAs accepted issuers of client certificates, which matters if you ever enable SSLVerifyClient.)

Add this to /etc/httpd.conf:

ServerName www.foo.uio.no
ErrorLog /site/opt/apache2.2/logs/ssl.error_log
TransferLog /site/opt/apache2.2/logs/ssl.access_log

and

# Include local SSL-config (make sure the path is correct):
Include /site/opt/apache2.2/conf/httpd-ssl.conf

Start the SSL-server:

maskin.uio.no# /local/etc/init.d/httpd start
Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.foo.uio.no:443 (RSA)
Enter pass phrase:

 

Other tasks and info about certificates

CSR

The content of your CSR will look something like this:

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

When you order, you have to send the whole content, from and including -----BEGIN CERTIFICATE REQUEST----- to and including -----END CERTIFICATE REQUEST-----.

Years of validity

The lifespan of an SSL certificate is one, two or three years; you choose when you order. Note that publicly trusted CAs have not issued certificates valid for more than 398 days since September 2020, so in practice a new certificate is limited to about one year.

How to change passphrase for the private key

You can change the passphrase like this:

maskin.uio.no# /local/bin/openssl rsa -des3 -in www.foo.uio.no.key -out www.foo.uio.no.key.new
read RSA key
Enter pass phrase for www.foo.uio.no.key:
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

maskin.uio.no# mv www.foo.uio.no.key.new www.foo.uio.no.key

Check the lifespan of an SSL certificate

maskin.uio.no# /local/bin/openssl x509 -startdate -enddate -noout < www.foo.uio.no.crt
notBefore=Apr 16 12:00:51 2007 GMT
notAfter=Apr 18 16:23:16 2008 GMT
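Checks to run once the certificate is installed, as an added example that is not taken from the page: the lifespan check above turned into a renewal alarm (openssl x509 -checkend), a key/certificate match test (the mismatch Apache would otherwise report at startup in the "Adding the certificate to the server" section), the names in subjectAltName, and chain verification. Assumes OpenSSL 1.1.1 or newer; the self-signed certificate produced by make_demo_cert is a constructed stand-in for the CA-issued www.foo.uio.no.crt so the script runs offline, which is also why the chain check uses the certificate itself as trust anchor. For a real certificate you would pass the DigiCertCA.pem intermediate with -untrusted and let the system root store act as the trust anchor.

```shell
#!/bin/sh
# Added example (not from the UiO page). Requires OpenSSL 1.1.1+ on PATH.
# make_demo_cert produces a constructed self-signed certificate in place of the CA-issued one.

# make_demo_cert <dir> <days>: self-signed stand-in with the same subject and SANs as the page's CSR.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -sha256 \
        -subj '/C=NO/L=Oslo/O=Universitetet i Oslo/OU=USIT/CN=www.foo.uio.no' \
        -addext 'subjectAltName=DNS:www.foo.uio.no,DNS:foo.uio.no' \
        -keyout "$1/www.foo.uio.no.key" -out "$1/www.foo.uio.no.crt" 2>/dev/null
}

# cert_expires_within <crt> <seconds>: exit 0 if notAfter falls inside the window (or is already past).
# Same information as "openssl x509 -enddate", but usable from cron as a renewal alarm.
cert_expires_within() {
    if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null; then
        return 1    # still valid beyond the window
    fi
    return 0
}

# cert_matches_key <crt> <key> [passphrase]: the certificate's public key must come from this key,
# otherwise Apache refuses to start with "key values mismatch".
cert_matches_key() {
    if [ $# -ge 3 ]; then
        pub=$(KEYPASS=$3 openssl pkey -in "$2" -passin env:KEYPASS -pubout)
    else
        pub=$(openssl pkey -in "$2" -pubout)
    fi
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$pub" ]
}

# cert_sans <crt>: DNS names in subjectAltName, one per line. Browsers match only these, not the CN.
cert_sans() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# chain_verifies <crt> <trust-anchors.pem>: exit 0 if a chain from the cert to a trusted root builds.
# For a CA-issued cert: openssl verify -untrusted DigiCertCA.pem www.foo.uio.no.crt (system roots).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# demo: run every check against the constructed certificate (20 days of validity).
demo() {
    dir=$(mktemp -d)
    make_demo_cert "$dir" 20
    crt=$dir/www.foo.uio.no.crt
    key=$dir/www.foo.uio.no.key
    openssl x509 -noout -subject -startdate -enddate -in "$crt"    # the page's lifespan check
    echo 'subjectAltName:'; cert_sans "$crt"
    cert_matches_key "$crt" "$key" && echo 'key matches certificate'
    chain_verifies "$crt" "$crt" && echo 'chain verifies (self-signed stand-in as trust anchor)'
    if cert_expires_within "$crt" $((30 * 86400)); then
        echo 'renew now: certificate expires within 30 days'
    fi
}

demo
```

Running cert_expires_within from cron with a 30-day window gives you the renewal warning the expiry dates alone do not; the key/certificate test is worth running before every restart, since a mismatch only shows up when httpd is already down.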
 

 

Published Mar. 30, 2015 11:16 AM - Last modified Feb. 20, 2023 4:31 PM