Apache - Training - Requesting an SSL Certificate

The following is a guide to requesting SSL certificates through the InCommon Certificate Authority (CA).

Step 1: Request an Access Code

You must first obtain an access code from Identity and Access Management. You can use the form here to request one: http://www4.uwm.edu/iam/services/uwm_digital_cert_acc_code_rqst.cfm

More than likely, they will just add your email address to our existing access code, which is UWM-AUX-4855

Step 2: Generate a CSR

You need shell access to the server you are requesting the certificate for. Log in, change directory to /var/www/ssl-crt, and run the following command (both output files are written to the current directory):
openssl req -new -newkey rsa:2048 -nodes -out default_sa_uwm_edu.csr -keyout default_sa_uwm_edu.key -subj "/C=US/ST=Wisconsin/L=Milwaukee/O=UW-Milwaukee/OU=Student Affairs/CN=default.sa.uwm.edu"

Replace every occurrence of default_sa_uwm_edu in the file names, and default.sa.uwm.edu in the CN, with the hostname you are requesting; the CN must be exactly the name users will type in the browser. This creates two files in the directory. The file ending in .key is the private key: because of -nodes it is written unencrypted (so Apache can start unattended), so make sure it is readable only by root (chmod 600) and never paste or email it. The file ending in .csr is the request you will need in the next step.
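The CSR generation above, plus the certificate-to-key check you want before touching Apache in Step 5, as an added example that is not part of the original article. It assumes openssl is on the PATH and takes the output directory as an argument instead of assuming /var/www/ssl-crt; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not code from the original article): helpers for Step 2 and
# Step 5. gen_csr reproduces the article's openssl command for any hostname
# and locks the key file down; csr_cn and key_matches_cert are the two checks
# worth running before submitting the CSR and after installing the certificate.
# Assumes: openssl is on PATH; the output directory is passed in as an argument.
set -euo pipefail

# gen_csr HOSTNAME OUTDIR -> prints the CSR path.
# Writes OUTDIR/<hostname with dots replaced by underscores>.key and .csr,
# matching the article's naming (default.sa.uwm.edu -> default_sa_uwm_edu).
gen_csr() {
    local host=$1 dir=$2
    local base=${host//./_}
    mkdir -p "$dir"
    # -nodes leaves the private key unencrypted so Apache can start unattended,
    # which is exactly why the file mode matters: umask 077 makes openssl
    # create the key as mode 600 instead of the default 644.
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$base.key" -out "$dir/$base.csr" \
        -subj "/C=US/ST=Wisconsin/L=Milwaukee/O=UW-Milwaukee/OU=Student Affairs/CN=$host" \
        2>/dev/null )
    echo "$dir/$base.csr"
}

# csr_cn CSRFILE -> prints the Common Name inside the CSR.
# A CN typo here means the CA issues a certificate for the wrong hostname.
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_mode_ok KEYFILE -> true if the private key is owner-readable only (600/400).
key_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# key_matches_cert CERTFILE KEYFILE -> true if the certificate was issued for
# this private key. Compares the two public keys; a mismatch (for example the
# key was regenerated after the CSR was submitted) makes Apache refuse to start.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Typical use: `csr=$(gen_csr default.sa.uwm.edu /var/www/ssl-crt)` and then `csr_cn "$csr"` to confirm the name before pasting the CSR into the form; after the certificate arrives, `key_matches_cert /var/www/ssl-crt/<cert>.crt /var/www/ssl-crt/<key>.key` before restarting httpd.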

Step 3: Logging into InCommon Certificate Manager

Once you have an access code, you may log in to the InCommon Certificate Manager for campus. Enter your email address and access code on the following page:

Step 4: Fill in InCommon SSL Request Form

Now begin to fill out the request form. The information below can be used as a guide.
  • Certificate Type: InCommon SSL
  • Common Name: example.sa.uwm.edu
  • Server Software: Apache/ModSSL
  • Certificate Term: 1 year for development, 3 years for production
  • Certificate Request (CSR): Paste in the contents of default_sa_uwm_edu.csr
  • Comments:
    List: saits-webteam@uwm.edu
    Development LAMP Server
Then press Submit. You will be notified once the certificate has been issued by an email from Certificate Services Manager.

Step 5: Setting up your server for SSL

Once you get the email saying enrollment is successful, it will provide you with a few links. You want to download the first one, named X509 Certificate only, Base64 encoded.

Please ensure that you note down the "Self Enrollment Certificate ID" somewhere that will be kept safe. This is what we need in order to revoke a certificate (as was necessary after the Heartbleed vulnerability). Note that revoking because the private key may have been exposed means generating a new key and CSR as in Step 2, not just reissuing the certificate against the old key. Typically, I name the certificates with the ID in front, e.g. 304176_git_sa_uwm_edu_cert.crt.

If this is a Student Affairs server, stop here: all Student Affairs servers are managed through Puppet / RedHat Satellite Server and certificate deployment is automated. Continue only if you are doing this for a non-Student Affairs server.

Apache reads the certificate by its contents (the Base64/PEM encoding you downloaded), not by its extension, but rename it from .cer to .crt so it matches the naming used in the configuration below. Upload it to /var/www/ssl-crt together with the intermediate certificate (replacing the old ones, or archiving them away).

Now, go into the configuration file for this domain, typically this will be in /etc/httpd/conf.d/ssl.conf. Find the following lines in your configuration:
SSLEngine On
SSLCertificateFile /var/www/ssl-crt/site.crt
SSLCertificateKeyFile /var/www/ssl-crt/site.key
SSLCertificateChainFile /var/www/ssl-crt/intermediate.crt

... and replace the values as follows:

  • Replace SSLCertificateFile path with your X509 Certificate file you downloaded, more than likely in the format of example_sa_uwm_edu_cert.crt
  • Replace SSLCertificateKeyFile path with the key file you generated earlier, likely in the format of example_sa_uwm_edu.key
  • Replace SSLCertificateChainFile path with the intermediate certificate, usually called intermediate.crt
Save the file, check the configuration for syntax errors with: apachectl configtest, then restart Apache with: systemctl restart httpd

Keywords: Saits, sa its, Student Affairs IT Services, secure, https, "green lock", incommon, comodo, security, digicert, cert, ca
Doc ID: 45271
Owner: Help Desk K.
Group: UW-Milwaukee Help Desk
Created: 2014-11-25 11:09 CST
Updated: 2019-01-02 14:34 CST
Sites: UW-Milwaukee Help Desk, UW-Milwaukee Student Affairs IT