Difference between revisions of "SUNScholar/Secure Internet Connections/S02"

 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
<center>
 
<center>
'''[[SUNScholar/Secure Internet Connections|Back to Secure Communications]]'''
+
  '''[[SUNScholar/Secure_Internet_Connections/S03|NEXT]]'''
 +
 
 +
  '''[[SUNScholar/Secure_Internet_Connections/S01|PREVIOUS]]'''
 
</center>
 
</center>
 
==Step 2. Apply for a signed certificate==
 
==Step 2. Apply for a signed certificate==
Line 10: Line 12:
 
===Activation===
 
===Activation===
 
Assuming that the supplied signed certificate from your chosen SSL registrar above, is called '''verisign.cer''' and is stored in the '''/root''' folder, follow the procedure below as the '''root''' user to activate the signed certificate.
 
Assuming that the supplied signed certificate from your chosen SSL registrar above, is called '''verisign.cer''' and is stored in the '''/root''' folder, follow the procedure below as the '''root''' user to activate the signed certificate.
 +
sudo -i
 +
 
  cd /root
 
  cd /root
  
  cp verisign.cer /etc/ssl/cert/%hostname%.crt
+
  cp verisign.cer /etc/ssl/certs/%hostname%.crt
 
{{HOSTNAME}}
 
{{HOSTNAME}}
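Review bot: the corrected `cp verisign.cer /etc/ssl/certs/%hostname%.crt` line overwrites any existing %hostname%.crt without keeping a copy, so a wrong or truncated file from the registrar would replace a working certificate. Suggest copying the current file aside before this step (for example to %hostname%.crt.bak), or using `cp -i` so the overwrite has to be confirmed.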
  
Line 128: Line 132:
 
-----END CERTIFICATE-----
 
-----END CERTIFICATE-----
 
</pre>
 
</pre>
 +
 
===Check CSR===
 
===Check CSR===
 
Click on the following link to check the CSR:
 
Click on the following link to check the CSR:
Line 142: Line 147:
 
-rw-r--r-- 1 root root  512 2010-09-15 09:31 scholar.sun.ac.za.rand
 
-rw-r--r-- 1 root root  512 2010-09-15 09:31 scholar.sun.ac.za.rand
 
</pre>
 
</pre>
 +
[[Category:System Administration]]

Latest revision as of 11:46, 28 May 2016

Step 2. Apply for a signed certificate

Application

Send the file %hostname%.csr, located in the /etc/ssl/certs folder, to a recognised certificate authority for signing.

Try to shop around for the best prices. See: http://www.sslshopper.com

Activation

Assuming that the signed certificate supplied by your chosen SSL registrar above is called verisign.cer and is stored in the /root folder, follow the procedure below as the root user to activate it.

sudo -i
cd /root
cp verisign.cer /etc/ssl/certs/%hostname%.crt

Replace %hostname% with the hostname of your server.

To extract details of the signed certificate, type the following.

openssl x509 -text -in /etc/ssl/certs/%hostname%.crt

See example extraction below.

root@ar1:/etc/ssl/certs# openssl x509 -text -in /etc/ssl/certs/ar1.sun.ac.za.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            29:48:0a:37:5a:d7:bc:89:c8:87:61:a3:e3:74:75:c5
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
        Validity
            Not Before: Oct 23 00:00:00 2012 GMT
            Not After : Oct 24 23:59:59 2013 GMT
        Subject: C=ZA, ST=Western Cape, L=Stellenbosch, O=Universiteit Stellenbosch, OU=JS Gericke Library, CN=ar1.sun.ac.za
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:ar1.sun.ac.za
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: https://www.verisign.com/cps

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier: 
                keyid:0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5

            Authority Information Access: 
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers - URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer

    Signature Algorithm: sha1WithRSAEncryption

Check CSR

Click on the following link to check the CSR:

https://ssltools.websecurity.symantec.com/checker/views/csrCheck.jsp

Example listing of SSL certs

root@ir1:/etc/ssl/certs# ls -l scholar.sun.ac.za.*
-rw-r--r-- 1 root root 1864 2010-09-21 13:42 scholar.sun.ac.za.crt
-rw-r--r-- 1 root root  749 2010-09-15 09:31 scholar.sun.ac.za.csr
-rw-r--r-- 1 root root  245 2010-09-15 09:31 scholar.sun.ac.za.gendh
-rw-r--r-- 1 root root  887 2010-09-15 09:31 scholar.sun.ac.za.key
-rw-r--r-- 1 root root 1969 2010-09-15 09:31 scholar.sun.ac.za.pem
-rw-r--r-- 1 root root 3957 2012-10-01 09:35 scholar.sun.ac.za.pkcs12
-rw-r--r-- 1 root root  512 2010-09-15 09:31 scholar.sun.ac.za.rand
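
The checks worth running on the files from this step before restarting the web server, as an added example that is not part of the original page: the certificate must carry the same public key as the private key and the CSR, must not be close to expiry, must cover the server's hostname, and the private key should not be readable by group or other (the listing above shows the .key file as -rw-r--r--). The function names and the 30-day threshold are assumptions; only standard `openssl` and `find` options are used.

```shell
#!/bin/sh
# Added example (not from the original page): checks before activating a signed certificate.
# Function names and the 30-day expiry threshold are assumptions.

# Print the PEM public key held in a certificate (x509), CSR (req) or private key (pkey).
pubkey_of() {
    case "$1" in
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        pkey) openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# True when both files carry the same public key (unreadable input never matches).
same_pubkey() {   # $1/$3 = x509|req|pkey, $2/$4 = file
    a=$(pubkey_of "$1" "$2") || return 1
    b=$(pubkey_of "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when the certificate is still valid $2 seconds from now (default: right now).
not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# True when the certificate's names cover the given hostname.
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# True when the private key file grants no read access to group or other.
key_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ]
}

# Run every check; prints one line per failure and returns the number of failures.
activation_checks() {   # $1 = cert, $2 = private key, $3 = CSR, $4 = hostname
    fails=0
    same_pubkey x509 "$1" pkey "$2" || { echo "cert does not match key"; fails=$((fails+1)); }
    same_pubkey x509 "$1" req  "$3" || { echo "cert does not match CSR"; fails=$((fails+1)); }
    not_expiring "$1" 2592000       || { echo "cert expires within 30 days"; fails=$((fails+1)); }
    covers_host "$1" "$4"           || { echo "cert does not cover $4"; fails=$((fails+1)); }
    key_is_private "$2"             || { echo "key readable by group/other"; fails=$((fails+1)); }
    return "$fails"
}

if [ "$#" -eq 4 ]; then activation_checks "$@"; fi
```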