How to import a VeriSign Certificate into SUSE Enterprise Server 9 not running eDirectory

  • 3452955
  • 23-Jul-2007
  • 06-Aug-2015

Environment

VeriSign Certificate
OpenSSL - mod_ssl
SUSE LINUX Enterprise Server 9

Situation

How to import a VeriSign Certificate into SUSE Enterprise Server 9 not running eDirectory

Resolution

These steps document how to import a production VeriSign external certificate into SLES 9 not running eDirectory to enable SSL on Apache services. If this server is running eDirectory please see How to import a Production VeriSign External Certificate into eDirectory 8.7.3. The steps below are based on the mod_ssl implementation on Linux.

Overview:
1. First a keypair (public and private key) must be created, along with the CSR (Certificate Signing Request), which must be created with the appropriate key and subject information. The passphrase will then be removed from the private key. We will then send VeriSign this newly created CSR, which they will sign and send back to us. What they sign is actually our public key; the result will be our Signed Certificate.

2. Remove the passphrase from the private key and submit the CSR.

3. To complete the certificate, the signed certificate received from VeriSign must be saved into the public key.

4. Services need to be configured to use the new certificates.

Together these items create the certificate with the proper certificate chain and allow for services to use the certificate for SSL enabled communications.

Steps:

A. Creating the CSR and private key files.
1. Open a terminal window and create the directory that will contain the completed certificates.
For our example we will create a directory called /etc/ssl/crt, then make this directory viewable only by root (as root):
mkdir -m700 /etc/ssl/crt

2. Now run the command to create the public/private keys and CSR: openssl req -new -out server.csr

NOTE:
You will be prompted for the subject name, city, state, organization and organizational unit for this certificate. This part is VERY IMPORTANT! These settings are permanent. The most important of these is the subject name. It should reflect the name or URL that will be used to access this server. If your community will access secure services on this server using the URL www.domain.com then that will be the "cn" part of the subject name. The organizational unit and organization can be anything you like and are not tied to any eDirectory contexts. In our example the complete identifier will be cn=www.testnovell.com.ou=finance1.o=headquarters.L=provo.S=utah.C=us

For VeriSign you will need to make sure to include the L, S and C (Location, State, Country) or else you will get an error when requesting the certificate in a later step. VeriSign will drop the OU as they do not support it in the subject name. The critical part is the cn=_____. As stated earlier, it must match the name that will be used to access the service that will be using the certificate. If the names do not match, you will get a Security Alert warning every time the certificate is accessed. See TID 3028260 - What causes the security alert when using https and Internet Explorer?

3. Lastly, remove the passphrase from the private key so we do not have to type it in every time Apache starts: openssl rsa -in privkey.pem -out server.key
We now have three files: privkey.pem (private key with passphrase), server.csr (our CSR file to be given to VeriSign) and server.key (private key with passphrase removed).
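The whole of section A, run non-interactively, as an added example that is not part of this TID. It assumes the OpenSSL command line tool is installed; the directory, the passphrase and the subject are constructed for the demo (the TID's example subject, with the state field spelled ST as an OpenSSL -subj string expects). Beyond the three commands above it adds the checks worth doing before the CSR leaves the box: that the directory really is mode 0700, that the passphrase-free server.key is readable by its owner only, and that the CSR and server.key share the same RSA modulus.

```shell
#!/bin/sh
# Added example, not part of the TID: section A run non-interactively, with the
# checks worth doing before the CSR leaves the box.  Assumes the OpenSSL command
# line tool; the directory, passphrase and subject below are constructed for the
# demo (the TID's subject, with the state field spelled ST as OpenSSL expects).

DEMO_SUBJ="/C=US/ST=Utah/L=Provo/O=headquarters/OU=finance1/CN=www.testnovell.com"

# Permission string of a path as ls prints it, e.g. "rwx------" (portable).
mode_of() { ls -ld "$1" | cut -c2-10; }

# Step A.1: create the certificate directory and confirm it is 0700 (owner only).
make_cert_dir() {
    mkdir -m700 "$1" && [ "$(mode_of "$1")" = "rwx------" ]
}

# Step A.2: keypair plus CSR.  The TID's interactive "openssl req -new -out
# server.csr" writes the passphrase-protected key to privkey.pem; here the
# subject and passphrase are passed on the command line instead of prompted.
gen_csr() {
    local dir="$1" subj="$2" pass="$3"
    openssl req -new -newkey rsa:2048 \
        -keyout "$dir/privkey.pem" -passout "pass:$pass" \
        -out "$dir/server.csr" -subj "$subj" 2>/dev/null
}

# Step A.3: passphrase-free copy for Apache (server.key).  Nothing but the file
# mode protects it from now on, so it is created under umask 077.
strip_passphrase() {
    local dir="$1" pass="$2"
    (umask 077 && openssl rsa -in "$dir/privkey.pem" -passin "pass:$pass" \
        -out "$dir/server.key" 2>/dev/null)
}

# The CSR and server.key must share one RSA modulus, otherwise the certificate
# VeriSign returns will never load against this key.
csr_matches_key() {
    local dir="$1" a b
    a=$(openssl req -noout -modulus -in "$dir/server.csr" 2>/dev/null)
    b=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# server.key must not be group- or world-readable.
key_is_private() {
    [ "$(mode_of "$1/server.key" | cut -c4-9)" = "------" ]
}

# Subject as recorded in the CSR, to eyeball the CN against the hostname users
# will actually type.
csr_subject() {
    openssl req -noout -subject -in "$1/server.csr" 2>/dev/null
}

# Whole of section A into DIR, e.g.:  run_section_a /tmp/certdemo
run_section_a() {
    local dir="$1" pass="demo-passphrase"   # passphrase constructed for the demo
    make_cert_dir "$dir" || return 1
    gen_csr "$dir" "$DEMO_SUBJ" "$pass" || return 1
    strip_passphrase "$dir" "$pass" || return 1
    csr_matches_key "$dir" && key_is_private "$dir" && csr_subject "$dir"
}
```

Source the file and call run_section_a with a fresh directory; it leaves privkey.pem, server.csr and server.key behind exactly as the TID describes and prints the CSR subject last. The modulus comparison is the same check to repeat once the signed certificate comes back (openssl x509 -noout -modulus against openssl rsa -noout -modulus).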

B. Submit the CSR
1. On VeriSign's website navigate to where you are prompted to paste the CSR.

2. Open the server.csr file in vi and copy it into memory. Make sure to include both the beginning and ending lines as well as all dashes, ensuring there are no preceding or trailing spaces. (Whatever editor is used, it should be one that does not insert any hidden lines or control characters.)

3. Paste the result into the CSR dialog. Since in this example we are installing the certificate for Apache we will select this as our application and web server as type of server. Then submit the information.


C. Copy the Signed Certificate into the directory previously created

Once you have received your email from VeriSign containing the Signed Certificate you are ready to save this information into the public certificate file created during the CSR creation (Step A above). Simply save all lines of the returned signed certificate in the email, including the BEGIN and END lines and all dashes, to /etc/ssl/crt/public.crt. Once done, copy the private key, server.key, to /etc/ssl/crt/private.key. You may now delete privkey.pem and server.csr.

If you are instructed to also install an Intermediate Authority you will need to copy this from the VeriSign site to /etc/ssl/crt/intermediate.crt.
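Steps B.2 and C both turn on the same detail: the PEM block must be copied whole, with its BEGIN and END lines, and with no stray whitespace or control characters picked up from the editor, the mail client or the web page. The checker below is an added example, not part of this TID, and needs only POSIX shell tools (no OpenSSL). The sample CSR text used with it is constructed for the demo and is not a real request; check_pem only judges the PEM framing, not the contents.

```shell
#!/bin/sh
# Added example, not part of the TID: verifies that a CSR or certificate file is
# one clean PEM block before it is pasted into the VeriSign form (B.2) or saved
# as public.crt / intermediate.crt (C).  POSIX shell only; the sample files in
# the usage are constructed for the demo.

# check_pem FILE LABEL -> 0 if FILE holds exactly one clean PEM block whose
# BEGIN/END lines carry LABEL ("CERTIFICATE REQUEST" or "CERTIFICATE").
check_pem() {
    local file="$1" label="$2" first last
    first=$(head -n 1 "$file")
    last=$(sed -n '$p' "$file")
    if [ "$first" != "-----BEGIN $label-----" ]; then
        echo "check_pem: bad first line: '$first'" >&2; return 1
    fi
    if [ "$last" != "-----END $label-----" ]; then
        echo "check_pem: bad last line: '$last'" >&2; return 1
    fi
    # Hidden control characters (CR from a Windows mail client, tabs, NBSP
    # from a web page) are the usual reason a pasted CSR is rejected.
    if tr -d '\n' < "$file" | LC_ALL=C grep -q '[^ -~]'; then
        echo "check_pem: non-printable bytes present" >&2; return 1
    fi
    # No leading or trailing whitespace on any line, and no blank lines.
    if grep -Eq '^[[:space:]]|[[:space:]]$|^$' "$file"; then
        echo "check_pem: leading/trailing whitespace or blank line" >&2; return 1
    fi
    # Every body line must be base64, at most 64 columns as OpenSSL writes it.
    if sed '1d;$d' "$file" | grep -qv '^[A-Za-z0-9+/]\{1,64\}=\{0,2\}$'; then
        echo "check_pem: body line is not base64" >&2; return 1
    fi
    return 0
}

# normalize_pem IN OUT -> copy of IN with CRs, surrounding whitespace and blank
# lines removed.  Run check_pem on OUT afterwards rather than trusting it blindly.
normalize_pem() {
    tr -d '\r' < "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d' > "$2"
}
```

Usage: check_pem server.csr "CERTIFICATE REQUEST" before step B.2, and check_pem /etc/ssl/crt/public.crt CERTIFICATE (likewise for intermediate.crt) after step C. A file that fails only on line endings or padding can be rewritten with normalize_pem and checked again; a file that fails the BEGIN/END test was not copied whole and has to be fetched again.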

D. Enabling the application to use the new certificate

Which Apache conf file to modify and its location can depend on the version installed as well as what vendor installed it. Normally this file is httpd.conf.

In the example below Apache was installed via Novell's Open Enterprise Server.

Edit the /etc/apache2/vhosts.d/vhost-ssl.conf file.

In the Virtual Hosts section modify the following lines to reflect the name and path of the server's private and public (and intermediate if applicable) keys:

SSLCertificateFile /etc/ssl/crt/public.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key

Also the following if using an intermediate:

SSLCertificateChainFile /etc/ssl/crt/intermediate.crt

For the httpd.conf

In the Virtual Hosts section add the following lines:

SSLCertificateFile /etc/ssl/crt/public.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key

Also the following if using an intermediate:

SSLCertificateChainFile /etc/ssl/crt/intermediate.crt
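A check of the three directives above before the restart, as an added example that is not part of this TID. It reads the directives out of the vhost file, confirms the files exist, confirms private.key (which now has no passphrase) is readable by its owner only, confirms the certificate was issued for that key, and, when SSLCertificateChainFile is set, confirms the intermediate is the issuer of the server certificate. It assumes the OpenSSL command line tool and an RSA key; the vhost file and certificates it is run against are constructed for the demo, not a real VeriSign chain.

```shell
#!/bin/sh
# Added example, not part of the TID: checks the SSL directives of an Apache
# vhost file (section D) before the restart.  Assumes the OpenSSL command line
# tool and an RSA key; the vhost file and certificates used with it are
# constructed for the demo, not a real VeriSign-issued chain.

# ssl_directive CONF NAME -> path given for directive NAME (first match only;
# commented-out directives are not matched because $1 is then "#NAME").
ssl_directive() {
    awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# Distinguished name without the "subject=" / "issuer=" prefix, so the output
# of -subject and -issuer can be compared directly across OpenSSL versions.
dn_of() {
    openssl x509 -noout "$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# check_vhost_ssl CONF -> 0 if certificate and key exist, the key is not
# group/world readable, the certificate belongs to the key, and the chain file
# (if configured) is the issuer of the certificate.
check_vhost_ssl() {
    local conf="$1" cert key chain
    cert=$(ssl_directive "$conf" SSLCertificateFile)
    key=$(ssl_directive "$conf" SSLCertificateKeyFile)
    chain=$(ssl_directive "$conf" SSLCertificateChainFile)
    [ -r "$cert" ] || { echo "certificate not readable: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "key not readable: $key" >&2; return 1; }
    # private.key carries no passphrase, so its file mode is the only protection
    if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "key readable by group/other: $key" >&2; return 1
    fi
    # the certificate VeriSign returned must wrap the public half of this key
    if [ "$(openssl x509 -noout -modulus -in "$cert")" != \
         "$(openssl rsa -noout -modulus -in "$key")" ]; then
        echo "certificate does not match key" >&2; return 1
    fi
    if [ -n "$chain" ]; then
        [ -r "$chain" ] || { echo "chain not readable: $chain" >&2; return 1; }
        # issuer of the server cert must be the subject of the intermediate
        if [ "$(dn_of -issuer "$cert")" != "$(dn_of -subject "$chain")" ]; then
            echo "chain file is not the issuer of the certificate" >&2; return 1
        fi
    fi
    return 0
}
```

Usage: check_vhost_ssl /etc/apache2/vhosts.d/vhost-ssl.conf (or the httpd.conf carrying the directives). A mismatch between certificate and key is the most common outcome of mixing up privkey.pem and server.key in step C, and it is far cheaper to catch here than from a failed Apache restart.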

E. Restarting the enabled services

Once the conf files have been modified Apache services need to be restarted: /etc/init.d/apache2 restart


Additional Information


Formerly known as TID# 10096437
NOVL100814