SUNScholar/Secure Internet Connections/S02


Step 2. Apply for a signed certificate

Application

Send the file %hostname%.csr, found in the /etc/ssl/certs folder, to a recognised certificate authority for signing.

Try to shop around for the best prices. See: http://www.sslshopper.com

Activation

Assuming that the signed certificate supplied by your chosen SSL registrar is called verisign.cer and is stored in the /root folder, follow the procedure below as the root user to activate it.

sudo -i
cd /root
cp verisign.cer /etc/ssl/certs/%hostname%.crt

Replace %hostname% with the hostname of your server.

To extract details of the signed certificate, type the following.

openssl x509 -text -in /etc/ssl/certs/%hostname%.crt

See example extraction below.

root@ar1:/etc/ssl/certs# openssl x509 -text -in /etc/ssl/certs/ar1.sun.ac.za.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            29:48:0a:37:5a:d7:bc:89:c8:87:61:a3:e3:74:75:c5
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
        Validity
            Not Before: Oct 23 00:00:00 2012 GMT
            Not After : Oct 24 23:59:59 2013 GMT
        Subject: C=ZA, ST=Western Cape, L=Stellenbosch, O=Universiteit Stellenbosch, OU=JS Gericke Library, CN=ar1.sun.ac.za
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ba:2a:22:98:c8:62:31:4b:6a:75:fd:7c:db:29:
                    0c:c4:5a:c4:93:bb:34:2a:72:2f:2a:cb:95:e8:60:
                    43:6d:72:f8:0b:e8:12:4c:8c:f3:47:13:69:2e:f8:
                    7b:cc:23:33:4d:06:fb:4d:a4:2f:34:2c:c4:0b:bc:
                    4a:73:bb:a2:ab:a1:88:59:a7:81:b8:85:b4:9b:c0:
                    92:2a:86:03:68:38:30:f7:ef:31:1b:8f:79:a7:12:
                    0d:fc:4a:3a:ab:62:03:07:e5:c0:c9:3a:c4:af:94:
                    6f:dd:87:d5:80:5e:41:b6:92:25:5b:7d:bc:f7:a4:
                    f9:82:ef:36:74:8d:a6:fa:39:7b:aa:23:ea:1d:97:
                    b1:c7:e3:a4:82:3f:19:88:33:56:34:1f:20:02:a0:
                    f7:fd:2e:2a:ec:a9:87:e7:26:1f:93:41:b0:65:f0:
                    1f:da:12:66:96:97:93:5f:42:bf:b6:bc:9b:7c:74:
                    6f:9c:09:6c:51:f6:fb:e2:78:4b:97:96:12:77:d2:
                    4a:ed:75:aa:e3:db:05:e5:8a:e5:3c:ea:a5:dd:34:
                    20:8f:27:e4:30:2e:58:17:30:dd:1c:06:ae:30:de:
                    89:08:7e:a5:a1:48:24:0a:be:5e:4e:fb:9f:1f:dc:
                    52:d0:51:df:99:c4:ab:fb:5c:b0:1d:72:cf:be:26:
                    d6:f1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:ar1.sun.ac.za
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: https://www.verisign.com/cps

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier: 
                keyid:0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5

            Authority Information Access: 
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers - URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer

    Signature Algorithm: sha1WithRSAEncryption
         02:14:7a:e5:21:81:4d:e9:6f:3a:45:38:cf:f5:0c:7c:88:0b:
         73:58:aa:d7:f9:c3:9e:32:2a:fa:76:15:a5:1d:15:4e:4c:44:
         11:d5:7c:25:c9:5f:f9:45:f9:a4:11:90:40:42:68:d4:28:7d:
         ed:08:67:6d:6c:3b:6e:d5:e0:cd:28:c7:54:7d:e5:61:cc:9d:
         5e:ab:0b:30:30:37:8e:55:ec:51:e6:f7:ff:d5:b4:fb:05:79:
         6e:46:44:1b:c8:4f:4d:6f:d5:53:d9:42:d7:00:93:38:0b:a0:
         48:99:ef:0c:15:29:16:e3:36:ca:e7:4c:61:72:23:36:69:89:
         cb:34:a0:7e:82:65:6f:35:d8:78:1a:d6:fd:34:60:c6:12:64:
         8d:76:85:a4:c0:88:17:7a:44:6e:95:3d:59:0d:96:1f:90:37:
         cd:02:b7:d2:77:d7:45:a0:57:03:b8:67:24:81:07:3d:f2:7f:
         07:6a:68:71:1f:72:df:77:2e:22:bf:ad:72:e0:bb:0b:4d:0a:
         0c:63:0e:9d:60:85:2f:eb:7a:c7:65:50:bb:59:06:4b:4a:5f:
         1f:2a:e2:75:2c:e9:f9:18:fc:f0:6d:e7:22:38:71:53:ea:f1:
         4b:66:dc:7b:8c:3a:45:b2:a6:e3:4d:2c:be:f9:2c:c2:3a:66:
         30:58:66:5f

Check CSR

Click on the following link to check the CSR:

https://ssltools.websecurity.symantec.com/checker/views/csrCheck.jsp

Example listing of SSL certs

root@ir1:/etc/ssl/certs# ls -l scholar.sun.ac.za.*
-rw-r--r-- 1 root root 1864 2010-09-21 13:42 scholar.sun.ac.za.crt
-rw-r--r-- 1 root root  749 2010-09-15 09:31 scholar.sun.ac.za.csr
-rw-r--r-- 1 root root  245 2010-09-15 09:31 scholar.sun.ac.za.gendh
-rw-r--r-- 1 root root  887 2010-09-15 09:31 scholar.sun.ac.za.key
-rw-r--r-- 1 root root 1969 2010-09-15 09:31 scholar.sun.ac.za.pem
-rw-r--r-- 1 root root 3957 2012-10-01 09:35 scholar.sun.ac.za.pkcs12
-rw-r--r-- 1 root root  512 2010-09-15 09:31 scholar.sun.ac.za.rand
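
Before putting the signed certificate into service, it helps to confirm that the .crt returned by the CA belongs to the .key generated earlier, that it is inside its validity period, and that the key file is not readable by other users. The script below is an added example, not part of the original page; the function names and the throwaway host-a/host-b files it generates are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: checks on a CA-issued certificate before it is activated.

# Succeed only if the certificate carries the public half of this private key.
cert_matches_key() {   # usage: cert_matches_key CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only if the certificate is still valid DAYS from now.
cert_valid_for_days() {   # usage: cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the signature algorithm; the 2012 sample on this page would print
# sha1WithRSAEncryption, which current browsers reject.
cert_sig_alg() {   # usage: cert_sig_alg CERT
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ {print $3; exit}'
}

# Succeed only if group and other have no access to the key file
# (mode -rw-r--r--, as in the listing above, fails this check).
key_is_private() {   # usage: key_is_private KEY
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed input: a throwaway key and self-signed certificate standing in
# for %hostname%.key and the CA's reply. DIR and NAME are the caller's choice.
make_demo_pair() {   # usage: make_demo_pair DIR NAME
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2.example" -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pair "$demo" host-a
make_demo_pair "$demo" host-b
chmod 600 "$demo/host-a.key"
cert_matches_key "$demo/host-a.crt" "$demo/host-a.key" && echo "host-a.crt matches host-a.key"
cert_matches_key "$demo/host-b.crt" "$demo/host-a.key" || echo "host-b.crt does not match host-a.key"
cert_valid_for_days "$demo/host-a.crt" 7 && echo "host-a.crt valid for 7+ days"
key_is_private "$demo/host-a.key" && echo "host-a.key is private"
echo "signature algorithm: $(cert_sig_alg "$demo/host-a.crt")"
```

On a real server, call the same functions with /etc/ssl/certs/%hostname%.crt and /etc/ssl/certs/%hostname%.key in place of the generated files.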