Using Commercial SSL Certificates in Orenosp
2009/5/20
Contents
- Purpose of This Document
- Introduction
- Preparation
- Part I: Creating a Certificate Signing Request (CSR)
- Part II: Installing the certificate into Orenosp
Purpose of This Document
Purpose:
This document will briefly explain how to use a commercially
available SSL certificate with Orenosp.
A better solution is now available:
The steps described in this document require a series of complicated operations
involving the OpenSSL utility program and related files. If you need more
complete management of SSL server certificates, whether from private CAs or
commercial CAs, we recommend that you look at the following new product:
Kousec Server Certificate Manager - Basic Edition
http://www.kousec.com/prod_cm.html
This product supports IIS and Apache, in addition to Orenosp/Orenosv.
For Private CAs / Self-issued Certificates:
If you want to create your own CA and issue certificates by yourself,
please look at the above product or "gencert", a small tool bundled with Orenosp.
Using gencert program
- readme_en.txt : simple and straight usage
- gencert.txt : manual for gencert
Introduction
As browsers are getting stricter about untrusted certificates,
we also recommend using a commercially available SSL certificate for
Orenosp, especially when you have many end users.
For SSL certificates and use of multiple hostnames (domain names),
please also see the following documentation.
Multiple Hostnames Strategy for Orenosp V2
located on http://www.orenosv.com/orenospv2/
Requirements:
First you need to have the following two files. A zip package that
includes a statically linked openssl.exe along with an openssl.cnf file is
available on Orenosv.com (http://www.orenosv.com/misc/).
openssl.exe
The openssl utility program, built statically from the OpenSSL 0.9.7d
distribution.
openssl.cnf
An OpenSSL configuration file needed when generating certificates, CSRs and so on.
It is based on the openssl.cnf included in the OpenSSL 0.9.7d distribution
(OPENSSL_HOME/apps/openssl.cnf).
Preparation
- Decide which directory to put these files in. Hereafter we assume it is
c:\progs\openssl.
Unzip openssl.zip into c:\progs\openssl.
- Set the location of the openssl.cnf file via an environment variable:
>cd c:\progs\openssl
>set OPENSSL_CONF=c:\progs\openssl\openssl.cnf
When you follow the procedures below, be sure to work in this environment
with OPENSSL_CONF correctly set.
Part I: Creating a Certificate Signing Request (CSR)
Basically, the procedure for obtaining a certificate is almost the same as
that for Apache. If your vendor asks what type of server software
you are using, you can select Apache (2.x).
1) Generate a private key for your server
> openssl genrsa -des3 -out newkey.pem 1024
It will ask you for:
- the pass phrase for the private key of the new server certificate
This will:
- create a file named "newkey.pem" in the current directory
Note: you should never disclose this file to anyone.
Info: this private key file also contains the corresponding public key.
Info: you can change the pass phrase later on. However, you cannot
change the private key itself; you must generate a new private key
and repeat the whole process to obtain a new certificate.
2) Generate a CSR (certificate signing request) for your server
2.1) Decide your multiple domain names (Multiple Domain Certificate)
Some vendors offer server certificates that can contain multiple domain
names. These certificates are often called "Multiple Domain Certificates"
or "UC Certificates (UCC)".
If you want to request such a certificate, you need to set multiple
domain names (i.e., hostnames) in the subjectAltName field of the openssl.cnf file.
Generally you should set the primary hostname as the Common Name and put all
possible hostnames, including the primary hostname, in the subjectAltName list.
If you don't need multiple hostnames in a single certificate, you can
skip this step.
See one example below.
--- openssl.cnf ---
# common name is set to "www.example.com"
[ v3_req ]
# Extensions to add to a certificate request
# do not touch these two lines
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# put all possible hostnames on this line
subjectAltName=DNS:www.example.com,DNS:smtp.example.com,DNS:pop3.example.com,DNS:exchange.example.com,DNS:www.example.net
---
2.2) Generate a CSR using openssl.exe
> openssl req -new -days 365 -key newkey.pem -out newreq.pem -reqexts v3_req
It will ask you for:
- the pass phrase for the private key "newkey.pem" that you typed in step 1)
- values for the attributes of the new certificate
To give you just an example:
Country Name (C) = JP, US, etc. (two-letter country code)
Organization Name (O) = your company name
Organizational Unit Name (OU) = your department (can be left blank)
Common Name (CN) = www.example.com (your primary hostname)
Other fields are optional and you can leave them blank.
- 'extra' attributes such as a challenge password and an optional company name
should be left blank.
This will result in
- a file named "newreq.pem" created in the current directory
2.3) Verify the output CSR
Lastly, verify that the values you entered are actually in the generated CSR.
The most important thing is to check whether all of the multiple domain names
are recorded in the CSR (if you set them).
> openssl req -in newreq.pem -noout -text
Look for the following part:
Requested Extensions:
...
X509v3 Subject Alternative Name:
DNS:www.example.com,DNS:smtp.example.com,DNS:pop3.example.com,DNS:exchange.example.com,DNS:www.example.net
Output:
newkey.pem : private key for the server certificate (keep it safe and private)
newreq.pem : CSR (which you will send to your certificate vendor)
3) Send the CSR to your vendor
Your CSR is in PEM format, which is a text-based format.
Generally your vendor directs you to send it by email or through a web form.
- Open your CSR file (newreq.pem) in a text editor.
Note that this file uses Unix line endings (\n only),
so you cannot view it properly in Notepad. Open it with WordPad or
a web browser so that line breaks are displayed correctly.
- Copy the content of the file and paste it into your email or web form.
You need to include the beginning "-----BEGIN CERTIFICATE REQUEST-----" and
ending "-----END CERTIFICATE REQUEST-----" lines.
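The whole of Part I (steps 1 through 2.3) as one runnable script, added here as an example and not taken from the Orenosp documentation: it writes a minimal stand-in for openssl.cnf holding the v3_req section of step 2.1, generates a pass-phrase-protected key and a CSR with -reqexts v3_req, and then checks that every hostname really appears in the CSR's subjectAltName. It is a POSIX shell script, so the same openssl options apply at the Windows prompt; it assumes openssl is on PATH, uses a 2048-bit key instead of the 1024 shown in step 1, and the hostnames, pass phrase and working directory are constructed values.

```shell
#!/bin/sh
# Added example, not part of the Orenosp documentation. Assumptions: openssl is
# on PATH; hostnames, pass phrase and working directory are constructed values.
set -eu
WORK=$(mktemp -d)
PASS='demo-pass-phrase'          # constructed; the real one later goes into sproxy.conf
PRIMARY=www.example.com          # goes into Common Name
ALT='www.example.com smtp.example.com pop3.example.com www.example.net'  # all SAN entries

# Stand-in for openssl.cnf: only the [req] plumbing plus the v3_req section of
# step 2.1, with subjectAltName built from $ALT. -subj below supplies the DN,
# so no interactive distinguished_name prompts are configured.
make_config() {
  san=$(for h in $ALT; do printf 'DNS:%s,' "$h"; done)
  cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = ${san%,}
EOF
}

# Step 1: pass-phrase-protected RSA key (2048 bits; CAs no longer accept 1024).
gen_key() {
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/newkey.pem" 2048 2>/dev/null
}

# Step 2.2: CSR carrying the v3_req extensions; -subj replaces the prompts.
gen_csr() {
  openssl req -new -key "$WORK/newkey.pem" -passin "pass:$PASS" \
    -config "$WORK/openssl.cnf" -reqexts v3_req -batch \
    -subj "/C=JP/O=Example Corp/CN=$PRIMARY" -out "$WORK/newreq.pem"
}

# Step 2.3: check_csr_san CSR NAME... returns 0 only if every NAME appears as a
# DNS: entry in the CSR's Subject Alternative Name extension.
check_csr_san() {
  csr=$1; shift
  text=$(openssl req -in "$csr" -noout -text)
  for h in "$@"; do
    printf '%s\n' "$text" | grep -qF "DNS:$h" || { echo "missing from CSR: $h"; return 1; }
  done
  echo "all $# hostnames present in subjectAltName"
}

make_config && gen_key && gen_csr && check_csr_san "$WORK/newreq.pem" $ALT
```

The resulting $WORK/newreq.pem is the file to paste into the vendor's form; a hostname left out of $ALT makes check_csr_san fail and name it.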
Part II: Installing the certificate into Orenosp
1) Receiving and Storing the Certificate into a File
You will usually receive your certificate and associated files from
your vendor's website.
If the vendor asks you for the type of server software, select Apache 2.x.
You should receive:
a) a certificate file for your server
b) a file containing one or more certificates for intermediate CAs
c) [OPTIONAL] the vendor's Secure Seal (an HTML snippet to put on your https
web site if you want)
b) is often called a 'certificate bundle'. Depending on your vendor
and the type of certificate you buy, you may not receive b). In that case,
you can just install a).
Both files should be in PEM format (a text-based format).
For explanation purposes, let's call these files as follows:
(a) www_example_com.crt
(b) intermediate_ca_bundle.crt
2) Installing the server certificate and optional certificate bundle file
2-1) Create a single file containing both www_example_com.crt (a) and
intermediate_ca_bundle.crt (b).
Let's call this file www_example_com_ca_bundle.crt (c).
[Windows]
> copy /b www_example_com.crt + intermediate_ca_bundle.crt www_example_com_ca_bundle.crt
[Linux]
> cat www_example_com.crt intermediate_ca_bundle.crt > www_example_com_ca_bundle.crt
The first certificate in the file must be your server certificate.
The next certificate in the file must be the certificate for the
intermediate CA who signed your server certificate. The last certificate,
if any, is for the root CA.
2-2) Copy the concatenated certificate file and private key file to Orenosp's folders
ssl.crt folder
certificate file (file (c) created in 2-1)
ssl.key folder
private key file (the one you generated in Part I; you should change
the filename to make it more recognizable)
>copy www_example_com_ca_bundle.crt c:\orenosp\ssl.crt
>copy newkey.pem c:\orenosp\ssl.key\www_example_com.key
2-3) Specify the Files' Location and Pass Phrase in sproxy.conf
--- sproxy.conf ---
# In the default config file, this parameter may not exist. Just add it.
proxy_ssl_mycertstore = file ssl.crt/www_example_com_ca_bundle.crt ssl.key/www_example_com.key
# Find this parameter and set the pass phrase accordingly
proxy_ssl_passphrase =
--- end ---
2-4) Restart Orenosp
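The ordering rule of step 2-1 (server certificate first, then its signer, then the root), as an added example that is not part of the Orenosp documentation: the script builds a throwaway root, intermediate and server certificate, concatenates them into www_example_com_ca_bundle.crt the way step 2-1 does, and checks that each certificate's issuer equals the subject of the one after it, which is the check worth running before copying file (c) into ssl.crt. It assumes openssl is on PATH; every name and file in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the Orenosp documentation. Builds a throwaway
# root -> intermediate -> server chain, concatenates it as step 2-1 does, and
# checks the ordering rule: each certificate's issuer must equal the subject of
# the certificate that follows it. Assumes openssl on PATH; all names are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Minimal config: -subj supplies every DN; v3_ca marks the CA certificates as CAs.
printf '[req]\ndistinguished_name = req\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\n' > req.cnf

# Self-signed root, an intermediate signed by it, a server cert signed by the intermediate.
make_test_chain() {
  openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj '/O=Demo/CN=Demo Root CA' -days 2 2>/dev/null
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout int.key \
    -out int.csr -subj '/O=Demo/CN=Demo Intermediate CA' 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile req.cnf -extensions v3_ca -days 2 -out intermediate_ca_bundle.crt 2>/dev/null
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout www.key \
    -out www.csr -subj '/O=Demo/CN=www.example.com' 2>/dev/null
  openssl x509 -req -in www.csr -CA intermediate_ca_bundle.crt -CAkey int.key \
    -CAcreateserial -days 2 -out www_example_com.crt 2>/dev/null
}

# check_chain_order FILE: lists subject/issuer of each PEM certificate in FILE
# in file order and returns 0 only if cert N's issuer == cert N+1's subject.
check_chain_order() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
  awk 'BEGIN { n = 0 }
       /^subject=/ { sub(/^subject=/, ""); subj[n] = $0 }
       /^issuer=/  { sub(/^issuer=/,  ""); iss[n]  = $0; n++ }
       END {
         for (i = 0; i + 1 < n; i++)
           if (iss[i] != subj[i+1]) { print "cert " (i+1) " was not signed by cert " (i+2); exit 1 }
         print n " certificates, chain order OK"
       }'
}

# Step 2-1: server certificate first, then its signer, then the root.
make_test_chain
cat www_example_com.crt intermediate_ca_bundle.crt root.crt > www_example_com_ca_bundle.crt
check_chain_order www_example_com_ca_bundle.crt
```

Reverse the cat order and check_chain_order names the certificate that is out of place instead of reporting OK.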