In association with heise online

Steady, go!

In practice the procedure turns out to vary slightly from the theory. For one thing, StartSSL ignores any applicant data in the CSR and only uses the public key it contains. For another, in order to avoid triggering warnings in visitors' browsers, the web server has to send not only the certificate issued by StartSSL, but also the "intermediate certificate" with which StartSSL signed it. More about that later.

The starting point for our online certificate application is the "Express Lane" in the Certificate Control Panel at StartSSL. You must provide accurate and truthful information in the online form (false details violate StartSSL's terms of use and can get the certificate suspended) and enter an email address. StartSSL sends a "verification code" to this address, which you then enter on the StartSSL web page. Next, the server generates an SSL client certificate that is used from then on to authenticate the domain owner on StartSSL's web pages: it first generates a key pair for this purpose and then offers to install the certificate in the browser.

This is where the generation of the actual SSL certificate begins, which requires the respective domain name, in our case example.com. The domain name must be entered without the www or any other prefix, i.e. just example.com. StartSSL then suggests an email address at that domain to which it will send a verification email containing an authentication code; in the next step, the Express Lane asks you to enter this code.

After that, StartSSL kindly offers to generate a key pair for the certificate. Decline: a private key generated by someone else has, by definition, been in someone else's hands, and the key protecting one's own server should never leave one's own machine. Choose the "Skip" option and submit the Certificate Signing Request generated earlier instead. The command

cat example.com.csr

outputs the request on the shell, from where it can be copied to the clipboard and pasted into the form in the browser.

As already mentioned, StartSSL ignores the data contained in the CSR and enters its own organisation and unit information in the certificate instead. The dialogue does, however, politely prompt you for the sub-domain for which the certificate is to be used, and enters this sub-domain as the common name (CN). Typically, all you have to add is www. In addition, StartSSL puts the bare domain example.com into the certificate as a subject alternative name, so the certificate is valid both for https://www.example.com and for https://example.com.

After that, StartSSL generates the certificate and displays it in base64-encoded (PEM) form. To save the certificate on your own PC, you need to highlight the entire text including the

-----BEGIN CERTIFICATE-----

....

-----END CERTIFICATE-----

markers and paste it into a file named example.com.crt.

Finish

Both the CRT file and the KEY file must now be stored in the appropriate directories of the SSL-enabled Apache web server, for instance as example.com.crt in /etc/ssl/certs/ and as example.com.key in /etc/ssl/private/. The key file must be readable by root only; /etc/ssl/private/ is set up that way on most distributions, but if you keep the key elsewhere, restrict its permissions yourself. Furthermore, it might be necessary to adjust the paths in the Apache configuration:

SSLCertificateFile /etc/ssl/certs/example.com.crt

SSLCertificateKeyFile /etc/ssl/private/example.com.key

Browsers trust StartSSL through the StartCom root certificate they ship, but the certificate just issued is not signed by that root directly. It is signed by an intermediate certificate (IM) which browsers do not carry, so the web server has to send the IM along with its own certificate; only then can every browser build the chain from the new certificate back to a trusted root. The required IM is the sub.class1.server.ca.pem file on the StartSSL server. From there, it can be downloaded and saved in /etc/ssl/certs/. Entering

SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem

in the Apache configuration introduces the intermediate certificate to the web server, which then sends it to clients together with its own certificate. (SSLCertificateChainFile is the Apache 2.2 directive; from Apache 2.4.8 on, the intermediate can simply be appended to the file named in SSLCertificateFile.) Now, a restart of Apache (the web server, not the machine) is all that's left for the changes to take effect. All things being well, a subsequent visit to https://www.example.com will confirm that you are now the proud owner of a regular SSL certificate.
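The following script is an added example and not code from the original article or from StartSSL. It builds a throw-away three-level chain (root, intermediate, server) with openssl, using constructed names ("Demo Root CA", "Demo Intermediate CA", www.example.com), and then runs the two checks worth doing before Apache is restarted: that the server certificate only validates when the intermediate is supplied alongside it, which is why SSLCertificateChainFile is needed, and that the private key in SSLCertificateKeyFile actually belongs to the certificate in SSLCertificateFile. Nothing in it talks to StartSSL; the generated files stand in for the StartCom root, sub.class1.server.ca.pem and example.com.crt/.key.

```shell
#!/bin/sh
# Added demo (not from the article): why the intermediate must be served,
# and how to confirm key and certificate belong together. All CA names and
# hostnames below are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: a [req] section so "openssl req" is satisfied,
# plus the extensions that make a certificate a CA or an end-entity cert.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com,DNS:example.com
EOF

# root.pem   stands in for the StartCom root that browsers ship
# im.pem     stands in for sub.class1.server.ca.pem
# server.pem stands in for example.com.crt: CN www.example.com plus the
#            bare domain as subject alternative name, as in the article
build_demo_chain() (
    cd "$WORK"
    openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Root CA" -days 2 -keyout root.key -out root.pem 2>/dev/null
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate CA" -keyout im.key -out im.csr 2>/dev/null
    openssl x509 -req -in im.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile demo.cnf -extensions ca_ext -out im.pem 2>/dev/null
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.com" -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA im.pem -CAkey im.key -CAcreateserial \
        -days 2 -extfile demo.cnf -extensions server_ext -out server.pem 2>/dev/null
)

# Prints OK when server.pem chains to root.pem; an optional argument names an
# intermediate to be treated as untrusted extra input, i.e. what the web
# server would send alongside its own certificate. A browser does the same
# with the root it ships and whatever certificates the server delivers.
verify_chain() {
    if [ $# -gt 0 ]; then set -- -untrusted "$1"; fi
    if openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/server.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Prints "match" when the public key inside the certificate ($1) equals the
# public half of the private key ($2); works for RSA and EC keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

build_demo_chain
printf 'root only, intermediate not sent:   %s\n' "$(verify_chain)"                     # FAIL
printf 'root plus intermediate:             %s\n' "$(verify_chain "$WORK/im.pem")"      # OK
printf 'server key belongs to server cert:  %s\n' \
    "$(key_matches_cert "$WORK/server.pem" "$WORK/server.key")"                         # match
```

The first verification fails with "unable to get local issuer certificate", which is exactly the error a browser reports as an untrusted site when Apache serves example.com.crt without the chain file. To run the same check against the live server, `openssl s_client -connect www.example.com:443 -servername www.example.com` lists the certificates the server sent under "Certificate chain"; if only one entry appears, the intermediate is missing from the configuration.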

(dab)

Permalink: http://h-online.com/-906862