SSL Howto’s

Below you can find some guides that are usable when requesting and validating SSL certificates.

Note

In all examples we use the domain ‘example.com’; replace it with the domain you want to issue a certificate for.

Generating private key and CSR using OpenSSL

Navigate to the folder where you want the certificates to be stored:

cd /etc/ssl/certs/

Option 1

Generate the private key and the CSR separately, or use an existing private key. The first command protects the key with a pass phrase (-des3); the second writes an unencrypted key:

openssl genrsa -des3 -out example.com.key 2048
openssl genrsa -out example.com.key 2048

When prompted for a pass phrase, enter a secure password and remember it: this pass phrase is what protects the private key.

Option 2

Generate both the key and the CSR in one step (-nodes leaves the key unencrypted):

openssl req -nodes -newkey rsa:2048 -keyout example.com.key -out example.com.csr

CSR fields

Note

It is very important that the details set in the SSL certificate match the WHOIS details of the domain name! See CSR fields for details.

Example of how to fill in the fields:

  • Country Name (2 letter code) [AU]: NL
  • State or Province Name (full name) [Some-State]: Overijssel
  • Locality Name (eg, city) []: Zwolle
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]: Example
  • Organizational Unit Name (eg, section) []: IT
  • Common Name (eg, YOUR name) []: example.com
  • Email Address []:
  • A challenge password []:
  • An optional company name []:

The Common Name contains the domain that clients will enter in their browser. In our example we used ‘example.com’, which means that the certificate from our example is NOT valid for ‘www.example.com’.

Hit enter when asked for the challenge password to skip it. If you do set one, then you will be prompted to enter it each time you (re-)start the webserver. The fields ‘Email Address’ and ‘An optional company name’ can also be left empty.

Certificate file permissions

OpenSSL has generated two files: the private key ‘example.com.key’ and the CSR file ‘example.com.csr’.

Make sure the permissions of both files are set so that no system user except ‘root’ can access them:

chmod 600 *.key *.csr

Calculate MD5 and SHA1 hash of a CSR

The MD5 and SHA1 hashes are calculated over the DER (binary) form of the CSR, as follows:

Using OpenSSL

openssl req -in example.com.csr -outform DER | openssl md5
openssl req -in example.com.csr -outform DER | openssl sha1

Using PHP

<?php
function getBinaryCSR($csr)
{
  // Strip the PEM header and footer lines from the CSR
  $pemStart = "REQUEST-----";
  $pemEnd = "-----END";
  $csr = substr($csr, strpos($csr, $pemStart) + strlen($pemStart));
  $csr = substr($csr, 0, strpos($csr, $pemEnd));

  // Decode the Base64 encoded body back to its original (DER) binary form
  return base64_decode($csr);
}

// Read the PEM encoded CSR that OpenSSL generated
$csr = getBinaryCSR(file_get_contents('example.com.csr'));
$md5 = md5($csr);   // hex digest, same value as 'openssl md5'
$sha1 = sha1($csr); // hex digest, same value as 'openssl sha1'

Using Comodo webtools

Alternatively use Comodo’s web utility:

  1. Open https://secure.comodo.com/utilities/decodeCSR.html
  2. Enter the CSR contents into the form
  3. Uncheck ‘Show Empty Fields’, ‘Show Common name’ and ‘Show Address’
  4. Check ‘Show CSR Hashes’
  5. Click ‘Decode’

Prepare Domain Control Validation (DCV)

Email

You will receive an e-mail at the address given as ‘approver_email_address’ with a link and a code. The code has to be entered on the web page behind the link to complete the validation.

The email address should be one of:

admin@, administrator@, webmaster@, hostmaster@ or postmaster@domainname.tld

or one of the email addresses registered in the WHOIS for the domain name.

File

Note

The following instructions are for Comodo products. They rely on the generated MD5 and SHA1 hashes, which are verified by placing them in a file served by the webserver.

Validation is done by making a file accessible under the domain name. The file must be served from the domain itself (not from a sub domain such as www), and there may be no redirect from a sub domain to the domain itself.

The file name is the MD5 hash of the CSR file, in upper case:

http://example.com/8B944D500F035D8C02E7D57440BB0E78.txt

It contains the SHA1 hash of the same CSR file, followed by the Comodo CA domain, like this:

f261a2e4e63fdc189e82c879f1d5f4f26b4b34e5
comodoca.com

DNS

Note

The following instructions are for Comodo products. They rely on the generated MD5 and SHA1 hashes, which are verified by creating a DNS CNAME record.

Validation works by creating the following CNAME record on your domain:

<MD5Hash>.example.com CNAME <SHA1Hash>.comodoca.com
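The hashing, file and DNS steps above can be checked end to end without a CA portal. The following Python script is an added example (not part of this guide and not a Comodo tool): it converts a PEM CSR to DER the way ‘openssl req -outform DER’ does, and derives the DCV file URL, file contents and CNAME record from the hashes. The PEM it embeds is a constructed stand-in wrapping the bytes ‘abc’ rather than a real CSR, so that the resulting MD5 and SHA1 are the well-known test vectors; feed it ‘example.com.csr’ for real use.

```python
import base64
import hashlib
import re

# Constructed sample: a PEM wrapper around the bytes b"abc". Not a real CSR;
# chosen because MD5("abc") and SHA1("abc") are standard test vectors.
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
YWJj
-----END CERTIFICATE REQUEST-----
"""

# Accept both the "CERTIFICATE REQUEST" and the older "NEW CERTIFICATE REQUEST" labels.
_PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.S,
)


def csr_pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of a PEM CSR, like 'openssl req -outform DER'."""
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE REQUEST block found")
    body = "".join(match.group(1).split())  # drop the line breaks in the base64 body
    # validate=True rejects stray characters instead of silently skipping them,
    # so a corrupted CSR fails here rather than producing a wrong hash.
    return base64.b64decode(body, validate=True)


def dcv_artifacts(pem: str, domain: str) -> dict:
    """Derive the Comodo DCV file name, file contents and CNAME record from a CSR."""
    der = csr_pem_to_der(pem)
    md5_upper = hashlib.md5(der).hexdigest().upper()  # file name: upper-case MD5
    sha1_lower = hashlib.sha1(der).hexdigest()        # file body: lower-case SHA1
    return {
        "url": f"http://{domain}/{md5_upper}.txt",
        "file_contents": f"{sha1_lower}\ncomodoca.com\n",
        # DNS names are case-insensitive, so the same upper-case MD5 is used here.
        "cname": f"{md5_upper}.{domain} CNAME {sha1_lower}.comodoca.com",
    }


if __name__ == "__main__":
    for key, value in dcv_artifacts(SAMPLE_CSR_PEM, "example.com").items():
        print(f"{key}:\n{value}")
```

Compare the printed ‘url’ and ‘file_contents’ with what the webserver actually serves (no redirect, same bytes) before submitting the order, as that is exactly what the CA will fetch.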