Using Commercial SSL Certificates in Orenosp
2009/5/20

Contents
--------
- Purpose of This Document
- Introduction
- Preparation
- Part I: Creating a Certificate Signing Request (CSR)
- Part II: Installing the certificate into Orenosp

Purpose of This Document
========================

Purpose:
This document will briefly explain how to use a commercially available SSL
certificate with Orenosp.

A better solution is now available:
The steps described in this document require a series of complicated
operations involving the OpenSSL utility program and related files. If you
need more complete management of SSL server certificates, either from private
CAs or commercial CAs, we recommend you look at the following new product:

  Kousec Server Certificate Manager - Basic Edition
  http://www.kousec.com/prod_cm.html

This product supports IIS and Apache, in addition to Orenosp/Orenosv.

For Private CAs / Self-issued Certificates:
If you want to create your own CA and issue certificates by yourself, please
look at the above product or "gencert", a small tool bundled with Orenosp.

Using the gencert program:
- readme_en.txt : simple and straightforward usage
- gencert.txt   : manual for gencert

Introduction
============

As browsers are getting stricter about untrusted certificates, we also
recommend using commercially available SSL certificates for Orenosp,
especially when you have many end users.

For SSL certificates and the use of multiple hostnames (domain names), please
also see the following documentation:

  Multiple Hostnames Strategy for Orenosp V2
  located on http://www.orenosv.com/orenospv2/

Requirements:
First you need to have the following two files. There is a zip package that
includes a statically linked openssl.exe along with an openssl.cnf file on
Orenosv.com (http://www.orenosv.com/misc/).

openssl.exe
  The openssl utility program. This is built statically from the OpenSSL
  0.9.7d distribution.

openssl.cnf
  An openssl configuration file needed when generating certificates et al.
  This is based on the openssl.cnf included in the OpenSSL 0.9.7d distribution
  (OPENSSL_HOME/apps/openssl.cnf).

Preparation
===========

- Decide which directory to put these files in. Hereafter we assume it's
  c:\progs\openssl.

    unzip openssl.zip to c:\progs\openssl

- Set the location of the openssl.cnf file via an environment variable:

    >cd c:\progs\openssl
    >set OPENSSL_CONF=c:\progs\openssl\openssl.cnf

  When you follow the procedures below, be sure to work in this environment
  with OPENSSL_CONF correctly set.

Part I: Creating a Certificate Signing Request (CSR)
====================================================

Basically, the procedure for obtaining a certificate is almost the same as
that for Apache. If your vendor asks you the type of server software you are
using, you can select Apache (2.x).

1) Generate a private key for your server

    > openssl genrsa -des3 -out newkey.pem 1024

  It will ask you:
  - the pass phrase for the private key of the new server certificate

  This will:
  - create a file named "newkey.pem" in the current directory

  Note: you should never disclose this file to anyone.
  Info: this private key includes its corresponding public key also.
  Info: you can change the pass phrase later on. However, you cannot change the
  private key itself. You must generate a new private key and follow the whole
  process again to obtain a new certificate.

2) Generate a CSR (certificate signing request) for your server

2.1) Decide your multiple domain names (Multiple Domain Certificate)

  Some vendors offer server certificates that can contain multiple domain
  names. These certificates are often called "Multiple Domain Certificate" or
  "UC Certificate (UCC)". If you want to request such a certificate, you need
  to set multiple domain names (i.e., hostnames) in the subjectAltName field in
  the openssl.cnf file. Generally you should set the primary hostname in the
  Common Name and put all possible hostnames, including the primary hostname,
  in the subjectAltName list.

  If you don't need multiple hostnames in a single certificate, you can skip
  this step.
  See one example below.

  --- openssl.cnf ---
  # common name is set to "www.example.com"
  [ v3_req ]

  # Extensions to add to a certificate request
  # do not touch these two lines
  basicConstraints = CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment

  # put all possible hostnames on this line
  subjectAltName=DNS:www.example.com,DNS:smtp.example.com,DNS:pop3.example.com,DNS:exchange.example.com,DNS:www.example.net
  ---

2.2) Generate a CSR using openssl.exe

    > openssl req -new -days 365 -key newkey.pem -out newreq.pem -reqexts v3_req

  It will ask you:
  - the pass phrase for the private key "newkey.pem" that you typed in step 1)
  - values for many attributes in the new certificate

    To give you just an example:
    Country Name (C)              = JP, US, ... (two-letter country code)
    Organization Name (O)         = your company name
    Organizational Unit Name (OU) = (can be left blank; dept in your company)
    Common Name (CN)              = www.example.com (your primary hostname)

    Other fields are optional and you can leave them blank.

  - 'extra' attributes such as a challenge password and an optional company
    name should be left blank.

  This will result in:
  - a file named "newreq.pem" created in the current directory

2.3) Verify the output CSR

  Lastly, verify that the values you entered are actually in the generated
  CSR. The most important thing is to check whether all of the multiple domain
  names are recorded in the CSR (if you set them).

    > openssl req -in newreq.pem -noout -text

  Look for the following part:

    Requested Extensions:
    ...
    X509v3 Subject Alternative Name:
      DNS:www.example.com,DNS:smtp.example.com,DNS:pop3.example.com,DNS:exchange.example.com,DNS:www.example.net

  Output:
  newkey.pem : private key for the server certificate (keep it safe and private)
  newreq.pem : CSR (that you will send to your certificate vendor)

3) Send the CSR to your vendor

  Your CSR is in PEM format, which is a text-based format. Generally your
  vendor directs you to send it in an email or a web form.

  - Open your CSR file (newreq.pem) in a text editor.
    Note that this file's newline format is Unix (\n only), so you cannot open
    it in Notepad. Open it with WordPad or a web browser so that the newlines
    are correctly displayed.
  - Copy the content of the file and paste it into your email or web form. You
    need to include the beginning "-----BEGIN CERTIFICATE REQUEST-----" and
    the ending "-----END CERTIFICATE REQUEST-----".

Part II: Installing the certificate into Orenosp
================================================

1) Receiving and Storing the Certificate into a File

  You will usually receive your certificate and associated files from your
  vendor's website. If the vendor asks you the type of server software, select
  Apache 2.x. You should receive:

  a) the certificate file for your server
  b) a file containing one or more certificates for intermediate CAs
  c) [OPTIONAL] the vendor's Secure Seal (an HTML snippet to put on your https
     web site if you want)

  b) is often called a 'certificate bundle'. Depending on your vendor and the
  type of certificate you buy, you may not receive b). In that case, you can
  just install a). Both files should be in PEM format (text-based format).

  For explanation purposes, let's call these files as follows:
  (a) www_example_com.crt
  (b) intermediate_ca_bundle.crt

2) Installing the server certificate and optional certificate bundle file

2-1) Create a single file containing both www_example_com.crt (a) and
  intermediate_ca_bundle.crt (b). Let's call this file
  www_example_com_ca_bundle.crt (c).

  [Windows]
    > copy /b www_example_com.crt + intermediate_ca_bundle.crt www_example_com_ca_bundle.crt
  [Linux]
    > cat www_example_com.crt intermediate_ca_bundle.crt > www_example_com_ca_bundle.crt

  The first certificate in the file must be your server certificate. The next
  certificate in the file must be the certificate for the intermediate CA that
  signed your server certificate. The last certificate, if any, is for the root
  CA.
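The Part I procedure (steps 1 to 2.3) as a non-interactive POSIX shell script, added here as an example and not part of the original Orenosp documentation. It assumes a current openssl binary on PATH, keeps the subjectAltName settings in a private san.cnf instead of the global openssl.cnf, uses a 2048-bit key with a sample pass phrase, and ends with the step 2.3 check plus a check that the CSR really carries the public key of the private key you will install in Part II.

```shell
# Added example (not from the Orenosp docs): Part I steps 1 to 2.3 without
# prompts, using a private san.cnf instead of editing the global openssl.cnf.
# Hostnames, DN values and the pass phrase are constructed sample values.
set -e
WORK=$(mktemp -d); cd "$WORK"
PASS='demo-pass-phrase'   # sample only; choose a real secret for a real key

cat > san.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C  = JP
O  = Example Inc
CN = www.example.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:www.example.com,DNS:smtp.example.com,DNS:www.example.net
EOF

# Step 1: pass-phrase protected private key (2048 bits rather than the page's 1024).
openssl genrsa -aes256 -passout "pass:$PASS" -out newkey.pem 2048 2>/dev/null

# Step 2.2: CSR that carries the v3_req extensions from san.cnf.
openssl req -new -config san.cnf -reqexts v3_req \
    -key newkey.pem -passin "pass:$PASS" -out newreq.pem

# Step 2.3: print the subjectAltName list recorded in a CSR (spaces removed).
csr_sans() {
  openssl req -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }'
}

# Extra check: the CSR must carry the public key of the private key you will
# install in Part II (same RSA modulus), otherwise the issued cert is useless.
key_matches_csr() {
  k=$(openssl rsa -in "$1" -passin "pass:$PASS" -noout -modulus)
  r=$(openssl req -in "$2" -noout -modulus)
  [ -n "$k" ] && [ "$k" = "$r" ]
}

echo "SANs in newreq.pem: $(csr_sans newreq.pem)"
key_matches_csr newkey.pem newreq.pem && echo "newkey.pem matches newreq.pem"
```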
2-2) Copy the concatenated certificate file and the private key file to
  Orenosp's folders:

  ssl.crt folder : certificate file (file (c) created in 2-1)
  ssl.key folder : private key file (that you generated in Part I; you should
                   change the filename to make it more recognizable)

    >copy www_example_com_ca_bundle.crt c:\orenosp\ssl.crt
    >copy newkey.pem c:\orenosp\ssl.key\www_example_com.key

2-3) Specify the files' location and passphrase in sproxy.conf

  --- sproxy.conf ---
  # In the default config file, this parameter may not exist. Just add it.
  proxy_ssl_mycertstore = file ssl.crt/www_example_com_ca_bundle.crt ssl.key/www_example_com.key

  # Find this parameter and change the pass phrase accordingly
  proxy_ssl_passphrase =
  --- end ---

2-4) Restart Orenosp
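An added check for the certificate order required in Part II step 2-1 (example code, not part of the original documentation): it builds a throwaway root CA, intermediate CA and server certificate with openssl so that it runs offline, then confirms that a bundle starts with the server certificate and that each later certificate is the issuer of the one before it. All names and file names are constructed; a real bundle would be the (c) file from step 2-1.

```shell
# Added example (not from the Orenosp docs): checks the certificate order in the
# file assembled in step 2-1. A throwaway root CA, intermediate CA and server
# certificate are generated here so it runs offline; all names are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf '[req]\ndistinguished_name = dn\n[dn]\n' > min.cnf   # DN is given via -subj
# mkcert NAME SUBJECT [ISSUER]: self-signed when ISSUER is omitted.
mkcert() {
  openssl req -new -config min.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
      -out "$1.csr" -subj "$2" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 1 -out "$1.crt" 2>/dev/null
  fi
}
mkcert root  '/CN=Demo Root CA'
mkcert inter '/CN=Demo Intermediate CA' root
mkcert www   '/CN=www.example.com' inter
cat www.crt inter.crt root.crt > good_bundle.crt    # order required by step 2-1
cat inter.crt www.crt root.crt > wrong_bundle.crt   # intermediate pasted first

# bundle_names FILE: one "subject|issuer" line per certificate, in file order.
bundle_names() {
  rm -f part_*.pem
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > ("part_" n ".pem") }' "$1"
  for f in part_*.pem; do
    printf '%s|%s\n' "$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')" \
                     "$(openssl x509 -in "$f" -noout -issuer  | sed 's/^issuer= *//')"
  done
}

# chain_order_ok FILE HOSTNAME: succeeds when the first certificate is for
# HOSTNAME and each later certificate's subject equals the previous issuer.
chain_order_ok() {
  bundle_names "$1" > names.txt
  prev=''
  while IFS='|' read -r subj issuer; do
    if [ -z "$prev" ]; then
      case "$subj" in *"$2"*) ;; *) return 1 ;; esac
    elif [ "$prev" != "$subj" ]; then
      return 1
    fi
    prev=$issuer
  done < names.txt
}
chain_order_ok good_bundle.crt www.example.com  && echo "good_bundle.crt: order OK"
chain_order_ok wrong_bundle.crt www.example.com || echo "wrong_bundle.crt: wrong order"
```

The name check only proves the order; run `openssl verify -CAfile intermediate_ca_bundle.crt www_example_com.crt` as well to prove the signatures actually chain.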