
SSL

WARNING: This page is currently not being maintained, and contains outdated information. You should refrain from following any instructions below. Instead, please refer to the Norwegian version for the time being, which is up-to-date: /tjenester/it/sikkerhet/sertifikater/kokebok.html

An English translation will follow at a later point.


SSL (Secure Sockets Layer) is a protocol for secure transmission of data over the Internet. SSL encrypts all data sent between the web browser and the web server, and the server's digital key and certificate let the browser verify that the data is going to the intended recipient.

Recipe for ordering and using SSL certificates (Uninett)

UiO is authorized to issue certificates under the domain uio.no.

Get started

You need:

  • OpenSSL 0.9.X or newer

All instances of 'www.foo.uio.no' in the text should be replaced with the name/URL that the certificate is for. This must be the fully qualified domain name (FQDN), e.g. www.admin.uio.no or universitas.uio.no.

Important: If you copy the contents of the CSR file into Windows after creating it on a *nix computer, you must use WordPad and not Notepad.

Generating the key and the CSR

Start with creating the file www.foo.uio.no.cnf. A typical example would be:

[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
utf8 = yes

[ dn ]
C = NO
L = Oslo
O = Universitetet i Oslo
OU = USIT
CN = www.foo.uio.no

In [ req ] you can set default_bits higher, but beware that some services have problems with very large keys. 2048 is a safe choice.

Here you need to change OU and CN: OU is the Organizational Unit and CN is the Common Name, i.e. the domain name, 'www.foo.uio.no' in our example.

If you are ordering a certificate for multiple DNS names (aliases), the .cnf file must be extended:

[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
utf8 = yes
req_extensions = v3_req

[ v3_req ]
subjectAltName = @alt_names

[ dn ]
C = NO
O = Universitetet i Oslo
OU = USIT
CN = www.foo.uio.no

[alt_names]
DNS.0 = www.foo.uio.no
DNS.1 = foo.uio.no

Change OU and CN as in the previous example. CN should be the same as DNS.0; in addition we have DNS.1 as an alias. If you need more aliases, add DNS.2, DNS.3 and so on.

Then you create an RSA key and a CSR (Certificate Signing Request) with OpenSSL. Save all the files somewhere you can find them again. You don't need to create the key and the CSR on the same machine that the certificate is for.

maskin.uio.no# /local/bin/openssl req -new -config www.foo.uio.no.cnf -keyout www.foo.uio.no.key -out www.foo.uio.no.csr
Generating a 2048 bit RSA private key
............+++
.+++
writing new private key to 'www.foo.uio.no.key'
-----

Next we need to protect the private key. Choose a secure passphrase and remember it; it can be changed later as long as you remember the old one. Take a backup of www.foo.uio.no.key.

maskin.uio.no# /local/bin/openssl rsa -in www.foo.uio.no.key -des3 -out www.foo.uio.no-enc.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

The encrypted key will be stored as www.foo.uio.no-enc.key.

You can view the key in cleartext with:

maskin.uio.no# /usr/bin/openssl rsa -noout -text -in www.foo.uio.no.key
...[lots of output]

Do not save the private key in cleartext.

You should now reassure yourself that you have a proper backup of the private key.

The automated ordering form has some limitations you should be aware of: it only handles multi-domain certificates, so wildcard domains are not possible, and the CSR must use sha256. If you need a special certificate, contact us at www-drift@usit.uio.no.
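Before sending in the order it is worth checking that the CSR actually carries what the .cnf promised; a forgotten req_extensions line produces a CSR with no SAN entries at all. The script below is an added example, not part of the UiO page: it writes the multi-name .cnf from above (constructed), generates the key and CSR the same way the page does, and then verifies the SANs and the sha256 signature. The host name www.foo.uio.no and the working directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the UiO page: build the multi-name .cnf shown above
# (constructed), generate key + CSR as the page does, then verify the CSR
# before submitting it. Name and working directory are assumptions.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
NAME="www.foo.uio.no"

write_cnf() {  # pass "noext" to leave out req_extensions (a classic mistake)
cat > "$WORKDIR/$NAME.cnf" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
utf8 = yes
req_extensions = v3_req
[ v3_req ]
subjectAltName = @alt_names
[ dn ]
C = NO
O = Universitetet i Oslo
OU = USIT
CN = www.foo.uio.no
[alt_names]
DNS.0 = www.foo.uio.no
DNS.1 = foo.uio.no
EOF
    if [ "${1:-}" = noext ]; then sed -i '/^req_extensions/d' "$WORKDIR/$NAME.cnf"; fi
}

# Generate the private key and CSR exactly as the page does (no passphrase yet).
make_csr() {
    openssl req -new -config "$WORKDIR/$NAME.cnf" \
        -keyout "$WORKDIR/$NAME.key" -out "$WORKDIR/$NAME.csr" 2>/dev/null
}

# 0 only if every DNS.* name from the .cnf is in the CSR's SAN extension and the
# CSR is sha256-signed; without req_extensions the SANs are silently absent.
check_csr() {
    text=$(openssl req -noout -text -in "$WORKDIR/$NAME.csr")
    sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n1)
    for name in $(sed -n 's/^DNS\.[0-9]* *= *//p' "$WORKDIR/$NAME.cnf"); do
        case "$sans" in *"DNS:$name"*) ;; *) return 1 ;; esac
    done
    printf '%s\n' "$text" | grep -q 'sha256WithRSAEncryption'
}

write_cnf && make_csr && check_csr && echo "CSR for $NAME carries every SAN and is sha256-signed"
```

Run it with WORKDIR pointing at the directory where you keep the files; check_csr returns non-zero if a DNS.* name from the .cnf is missing from the CSR.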

Then you send in the order

When the certificate is created it will be sent to you in an email — save it as www.foo.uio.no.crt.

Adding the certificate to the server

You need:

  • The private key (should be password-protected): www.foo.uio.no.key
  • The signed certificate: www.foo.uio.no.crt (received in the email)
  • CA certificate (Certificate Chain in the email): DigiCertCA.pem

We recommend running Apache from Red Hat, on the newest RHEL available to you. You can save the certificate files wherever you like, but it is neatest to put them in:

/etc/httpd/conf/ssl.crt/
/etc/httpd/conf/ssl.key/

If you need to run RHEL5 and Apache 2.2 from Store, move the files to:

/site/opt/apache2.2/conf/ssl.crt/
/site/opt/apache2.2/conf/ssl.key/

(path-specified in the distributed httpd.conf). Then you run:

maskin.uio.no# ln -s /site/opt/apache2.2/conf/ssl.crt/www.foo.uio.no.crt /site/opt/apache2.2/conf/ssl.crt/server.crt
maskin.uio.no# ln -s /site/opt/apache2.2/conf/ssl.key/www.foo.uio.no.key /site/opt/apache2.2/conf/ssl.key/server.key

...so that Apache 2.2 finds the files. Then restrict access to the files:

maskin.uio.no# chmod 440 /site/opt/apache2.2/conf/ssl.crt/www.foo.uio.no.crt
maskin.uio.no# chmod 400 /site/opt/apache2.2/conf/ssl.key/www.foo.uio.no.key

The Certificate Chain file should be saved as DigiCertCA.pem in /site/opt/apache2.2/conf/ssl.crt/

If no SSL config exists, copy the default config:

cp -i /local/opt/apache2.2/conf/extra/httpd-ssl.conf /site/opt/apache2.2/conf/

... and change the necessary values.

Important: if you use a certificate from UNINETT you must change SSLCACertificateFile to use the one from DigiCert:

SSLCACertificateFile /site/opt/apache2.2/conf/ssl.crt/DigiCertCA.pem

Add this to /etc/httpd.conf:

ServerName www.foo.uio.no
ErrorLog /site/opt/apache2.2/logs/ssl.error_log
TransferLog /site/opt/apache2.2/logs/ssl.access_log

and

# Include local SSL-config (make sure the path is correct):
Include /site/opt/apache2.2/conf/httpd-ssl.conf

Start
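Before starting Apache with the new files, it pays to confirm that the certificate from the email really belongs to the private key you generated and that it chains to the CA file, since a mismatch makes httpd refuse to start. The checks below are an added example, not from the UiO page; the fixture they are tested against is a constructed throwaway key pair, not a real UiO certificate, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the UiO page: sanity checks to run on the files from
# the e-mail before linking server.crt/server.key and starting Apache. The
# fixture below is a constructed throwaway key pair, not a real UiO certificate.
set -eu

# 0 if the public key inside the certificate equals the one in the key file;
# a mismatch here is what makes httpd refuse to start with the new cert.
cert_matches_key() {  # $1 = certificate, $2 = private key (may be passphrase-protected)
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    k=$(openssl rsa -pubout -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate chains to the CA file (DigiCertCA.pem on the page).
chain_verifies() {  # $1 = certificate, $2 = CA chain file
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed fixture: key a.key with self-signed a.crt, plus an unrelated
# b.key, in a temp directory whose name is echoed.
make_fixture() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/a.key" -out "$d/a.crt" \
        -days 1 -subj '/CN=www.foo.uio.no' >/dev/null 2>&1
    openssl genrsa -out "$d/b.key" 2048 >/dev/null 2>&1
    echo "$d"
}

D=$(make_fixture)
cert_matches_key "$D/a.crt" "$D/a.key" && chain_verifies "$D/a.crt" "$D/a.crt" \
    && echo "a.crt matches a.key and verifies against its own CA file"
```

On a real server, call cert_matches_key and chain_verifies with www.foo.uio.no.crt, www.foo.uio.no.key and DigiCertCA.pem instead of the fixture.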