Differences
This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
creating_valid_startssl_certificates [31.12.2011 11:27] – created Pascal Suter | creating_valid_startssl_certificates [27.10.2016 17:31] (current) – Pascal Suter | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Creating Validated | + | ====== Creating Validated |
this is just a bunch of steps i can't seem to remember each time i need a new certificate.. so i write it down in here :) | this is just a bunch of steps i can't seem to remember each time i need a new certificate.. so i write it down in here :) | ||
- | first of all you need to create a user account at startssl.com and download and install | + | I used to use startssl.com |
- | now you need to run the validations vizard and validate your ownership of the domain you need a certificate for | + | with most providers of simple domain verification certificates, |
===== SSL Certificate ===== | ===== SSL Certificate ===== | ||
to create an ssl certificate you need to first create a Certificate Signing Request on your server (it's running ubuntu in my case) | to create an ssl certificate you need to first create a Certificate Signing Request on your server (it's running ubuntu in my case) | ||
- | - create a key < | + | - create a key < |
- create the CSR < | - create the CSR < | ||
- | | + | |
+ | now go to the startssl.com webpage and enter the certificates wizard. chose web server ssl / tls certificate and continue | ||
+ | |||
+ | on the next screen choose skip | ||
+ | |||
+ | now on your server get the csr file contents | ||
+ | cat server.csr | ||
+ | copy and paste this into the textarea on the startssl page and follow the wizard | ||
+ | |||
+ | when you receive the pem encoded certificate copy and paste it back to your server. in the terminal window wher you have your server shell enter | ||
+ | cat > server.crt | ||
+ | then paste the certificate and hit return and then ctrl+D | ||
+ | |||
+ | For StartSSL, download the [[http:// | ||
+ | cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> bundle.crt | ||
+ | |||
+ | last but not least you need to make sure your apache ssl config is pointing to those files. make sure you have these lines in your virtual host configuration to enable and configure ssl for your site. of course you need to make sure the paths match your setup :) | ||
+ | < | ||
+ | SSLEngine on | ||
+ | SSLProtocol all -SSLv2 | ||
+ | SSLCipherSuite ALL: | ||
+ | SSLCertificateFile | ||
+ | SSLCertificateKeyFile / | ||
+ | </ | ||
+ | if you have a pem file add this line as well: | ||
+ | SSLCertificateChainFile / | ||
+ | if you had to compile your package like shown above, you can use this line | ||
+ | SSLCACertificateFile "/ | ||
+ | |||
+ | |||
+ | now **reload apache** | ||
+ | |||
+ | ==== sec_error_ocsp_unknown_cert ==== | ||
+ | shortly after updating (orp probalby also creating) a certificate with startssl firefox might not allow you to access the site, returning an error sec_error_ocsp_unknown_cert. this is because apparently startssl' | ||
+ |