Apache - Training - Requesting an SSL Certificate
The following is a guide to requesting SSL certificates through the InCommon Certificate Authority (CA).
Step 1: Request an Access Code
More than likely, they will just add your email address to our existing access code, which is UWM-AUX-4855.
Step 2: Generate a CSR
You need shell access to the server you are requesting a certificate for. Once you have that access, log in and change directory to /var/www/ssl-crt. Once there, run the following command:
openssl req -new -newkey rsa:2048 -nodes -out default_sa_uwm_edu.csr -keyout default_sa_uwm_edu.key -subj "/C=US/ST=Wisconsin/L=Milwaukee/O=UW-Milwaukee/OU=Student Affairs/CN=default.sa.uwm.edu"
Replace every occurrence of default_sa_uwm_edu (the two file names and the CN in the subject) with the host name you are requesting. This creates two files in the directory: the .csr (certificate signing request) and the .key (the private key). Because of -nodes the key is written unencrypted, so keep it readable only by root. You will need the contents of the file ending in .csr in the next step.
Step 3: Logging into InCommon Certificate Manager
Once you have an access code, you may log in to the InCommon Certificate Manager for campus. Enter your email address and access code on the following page:
Step 4: Fill in InCommon SSL Request Form
Now begin to fill out the request form. The information below can be used as a guide.
- Certificate Type: InCommon SSL
- Common Name: example.sa.uwm.edu
- Server Software: Apache/ModSSL
- Certificate Term: 1 year for development, 3 years for production
- Certificate Request (CSR): Paste in the contents of default_sa_uwm_edu.csr
(Screenshot: Development LAMP Server)
Then press Submit. You will be notified once the certificate has been issued by an email from Certificate Services Manager.
Step 5: Setting up your server for SSL
Once you get the email saying enrollment is successful, it will provide you with a few links. Download the first one, named "X509 Certificate only, Base64 encoded".
Record the "Self Enrollment Certificate ID" somewhere safe. It is needed when we have to revoke certificates (as happened with the Heartbleed vulnerability). Typically, I name the certificates with the ID in front, e.g. 304176_git_sa_uwm_edu_cert.crt.
At this point, you should stop unless you're doing this for a non-Student Affairs server. All Student Affairs servers are managed through Puppet / RedHat Satellite Server and certificate deployment is automated.
Apache doesn't like the .cer extension, so rename the file to end in .crt. Upload it to /var/www/ssl-crt along with the intermediate certificate, replacing the old files or archiving them elsewhere.
Now open the configuration file for this domain, typically /etc/httpd/conf.d/ssl.conf, and find the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile lines in your configuration:
... and replace the values as follows:
- Replace SSLCertificateFile path with your X509 Certificate file you downloaded, more than likely in the format of example_sa_uwm_edu_cert.crt
- Replace SSLCertificateKeyFile path with the key file you generated earlier, likely in the format of example_sa_uwm_edu.key
- Replace SSLCertificateChainFile path with the intermediate certificate, usually called intermediate.crt
Save the file, then restart Apache with: systemctl restart httpd
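As an added example (not part of the training page), the POSIX shell helpers below parameterise the Step 2 command by host name and add the check most people want before the restart in Step 5: that the downloaded certificate was actually issued for the key you generated. They assume the openssl CLI is installed; the function names are my own.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumes the openssl CLI is present;
# the O/OU/locality values are the ones used in the page's openssl command.
set -eu

# git.sa.uwm.edu -> git_sa_uwm_edu (the file-name convention used on the page)
csr_basename() {
    printf '%s' "$1" | tr '.' '_'
}

# Generate an unencrypted 2048-bit RSA key and a CSR for HOST into DIR.
# This mirrors the page's command; because -nodes leaves the key unencrypted,
# the key file is created with owner-only permissions straight away.
gen_csr() {
    host=$1; dir=$2
    base=$(csr_basename "$host")
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$dir/$base.key" -out "$dir/$base.csr" \
          -subj "/C=US/ST=Wisconsin/L=Milwaukee/O=UW-Milwaukee/OU=Student Affairs/CN=$host" \
          2>/dev/null )
    chmod 600 "$dir/$base.key"
}

# Print the CN a CSR asks for, so it can be checked before pasting it into
# the request form (works with both the old "/CN=" and new "CN = " layouts).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 if the certificate was issued for this private key, else 1.
# Compares the RSA modulus of both; a mismatch is the usual reason Apache
# refuses to start with a "key values mismatch" error after Step 5.
cert_matches_key() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}
```

Run cert_matches_key against the downloaded .crt and your .key before editing ssl.conf; if it fails, the CSR that was pasted into the form did not come from that key.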