SSL Howto's
Below are some guides that are useful when requesting and validating SSL certificates.
Note
In all examples we use the domain ‘example.com’; replace this with the domain you want to issue a certificate for.
Generating private key and CSR using OpenSSL
Navigate to the folder where you want the certificates to be stored (on Debian-based systems the private key conventionally goes in /etc/ssl/private, which is readable by root only):
cd /etc/ssl/certs/
Option 1
Generate the private key first (or reuse an existing one) and create the CSR from it afterwards. The first command protects the key with a pass phrase (-des3), the second leaves it unencrypted:
openssl genrsa -des3 -out example.com.key 2048
openssl genrsa -out example.com.key 2048
When prompted for a pass phrase: enter a strong password and remember it, as this pass phrase is all that protects the private key; the webserver will ask for it on every (re)start. The CSR is then created from the existing key with the openssl req command from Option 2, passing -key example.com.key instead of -newkey rsa:2048.
Option 2
Generate both the key and the CSR in one step (-nodes leaves the key unencrypted, so no pass phrase is asked for):
openssl req -nodes -newkey rsa:2048 -keyout example.com.key -out example.com.csr
CSR fields
Note
It is very important that the details set in the SSL certificate match the WHOIS details of the domain name! See CSR fields for details.
Example of how to fill in the fields:
Country Name (2 letter code) [AU]: NL
State or Province Name (full name) [Some-State]: Overijssel
Locality Name (eg, city) []: Zwolle
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Example
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: example.com
Email Address []:
A challenge password []:
An optional company name []:
The Common Name is the hostname that clients enter in their browser. In our example we used ‘example.com’, which means that the resulting certificate is NOT valid for ‘www.example.com’: every additional hostname has to be requested explicitly, as a Subject Alternative Name (modern browsers ignore the Common Name and only check the SAN list, which the CA fills in from your request).
Press enter when asked for the challenge password to leave it empty. It is an attribute stored in the CSR that public CAs do not use, and it is not the pass phrase that protects the private key, which is what the webserver prompts for on every (re)start. The fields ‘Email Address’ and ‘An optional company name’ can also be left empty.
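The whole procedure above, as an added example that is not part of the original howto: a POSIX shell script that creates the key and the CSR non-interactively with the constructed subject values from the field example, requests both example.com and www.example.com via a Subject Alternative Name (so the www caveat does not bite), creates the files with restrictive permissions, and then reads the Common Name and SANs back and verifies the CSR's self-signature before it is sent to the CA. The output directory is an assumption (a temporary directory, so the script runs anywhere; use /etc/ssl/certs/ or /etc/ssl/private as in the howto), the function names are this example's own, and -addext needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the original howto. Creates an unencrypted
# 2048-bit RSA key plus a CSR for a domain and its www name in one go,
# with rw------- permissions from the start, then inspects the result.
# Assumptions: OpenSSL >= 1.1.1 (for -addext); subject values are the
# constructed ones from the field example; output dir defaults to a temp dir.
set -eu

# Create $2.key and $2.csr inside directory $1.
make_csr() {
    dir="$1"; domain="$2"
    umask 077   # key and CSR are born 0600, no window where others can read them
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/C=NL/ST=Overijssel/L=Zwolle/O=Example/OU=IT/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" \
        2>/dev/null
    chmod 600 "$dir/$domain.key" "$dir/$domain.csr"   # belt and braces
}

# Print the Common Name of a CSR.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's|.*CN=\([^,/]*\).*|\1|p'
}

# Print the DNS names in the CSR's Subject Alternative Name, one per line
# (prints nothing if the CSR has no SAN extension).
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *DNS://'
}

# Succeeds only if the CSR's self-signature verifies; catches a CSR that was
# corrupted or truncated while being copied into the CA's order form.
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

main() {
    domain="${1:-example.com}"
    dir="${2:-$(mktemp -d)}"
    make_csr "$dir" "$domain"
    echo "key : $dir/$domain.key (mode $(file_mode "$dir/$domain.key"))"
    echo "csr : $dir/$domain.csr (mode $(file_mode "$dir/$domain.csr"))"
    echo "CN  : $(csr_cn "$dir/$domain.csr")"
    echo "SANs: $(csr_sans "$dir/$domain.csr" | tr '\n' ' ')"
    csr_verify "$dir/$domain.csr" && echo "CSR self-signature verifies"
}

main "$@"
```

Run it as `sh make-csr.sh example.com /etc/ssl/private` on the server; the CN and SAN lines it prints are exactly what the CA will put into the certificate, so check them before pasting the CSR into the order form.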
Certificate file permissions
OpenSSL has generated two files: the private key ‘example.com.key’ and the CSR ‘example.com.csr’.
Make sure that the permissions of both files are set so that no system user except their owner (normally ‘root’) can read them. The private key in particular must never leave the server; the CSR contains only public data and is what you send to the CA:
chmod 600 *.key *.csr
Calculate MD5 and SHA1 hash of a CSR
Both hashes are calculated over the DER (binary) encoding of the CSR, not over the PEM text of the .csr file, so running md5sum directly on the file gives a different, wrong value. They can be calculated as follows:
Using OpenSSL
openssl req -in example.com.csr -outform DER | openssl md5
openssl req -in example.com.csr -outform DER | openssl sha1
Using PHP
<?php
// Strip the PEM armour ("-----BEGIN [NEW] CERTIFICATE REQUEST-----" and
// "-----END CERTIFICATE REQUEST-----") and return the DER bytes, which is
// what the hashes are computed over.
function getBinaryCSR($csr) {
    // Strip the first and last line from the CSR
    $pemStart = "REQUEST-----";
    $pemEnd   = "-----END";
    $csr = substr($csr, strpos($csr, $pemStart) + strlen($pemStart));
    $csr = substr($csr, 0, strpos($csr, $pemEnd));
    // Decode the Base64 encoded body back to its original binary (DER) form;
    // base64_decode() ignores the line breaks in non-strict mode
    return base64_decode($csr);
}

$csr  = file_get_contents('example.com.csr'); // or the CSR text from a form
$csr  = getBinaryCSR($csr);
$md5  = md5($csr);  // lower-case hex; upper-case it for the DCV file name
$sha1 = sha1($csr);
Using Comodo webtools
Alternatively use Comodo’s web utility:
Enter the CSR contents into the form
Uncheck ‘Show Empty Fields’, ‘Show Common name’ and ‘Show Address’
Check ‘Show CSR Hashes’
Click ‘Decode’
Prepare Domain Control Validation (DCV)
Email
You will receive an e-mail at the address given as ‘approver_email_address’ with a link and a code. The code has to be entered on the web page behind the link to complete the validation.
The email address must be one of:
admin@, administrator@, webmaster@, hostmaster@ or postmaster@domainname.tld
or one of the email addresses registered in the WHOIS for the domain name.
File
Note
The following instructions are for Comodo products. They rely on the MD5 and SHA1 hash of the CSR, which the CA verifies by fetching a file containing those values from the webserver.
Validation is done by making a file accessible over HTTP under the domain name itself (not a sub domain such as www). The URL must not redirect, not even from a sub domain to the domain itself.
The file name is the MD5 hash of the CSR in upper case, with a .txt extension:
http://example.com/8B944D500F035D8C02E7D57440BB0E78.txt
The file contains two lines: the SHA1 hash of the same CSR (lower case) followed by the Comodo CA domain, like this:
f261a2e4e63fdc189e82c879f1d5f4f26b4b34e5
comodoca.com
DNS
Note
The following instructions are for Comodo products. They rely on the MD5 and SHA1 hash of the CSR, which the CA verifies by looking up a DNS CNAME record.
Validation works by creating the following CNAME record in the zone of your domain, with the upper-case MD5 hash as the record name and the SHA1 hash as the target:
<MD5Hash>.example.com CNAME <SHA1Hash>.comodoca.com
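Putting the hash calculation and the two Comodo DCV methods together, as an added example that is not code from the original howto: a POSIX shell script that derives the DER hashes of a CSR with the same openssl commands as above, writes the HTTP validation file and prints the CNAME record, and checks an existing validation file against the CSR before the CA is asked to validate. The CSR it generates when run stand-alone is constructed (subject /CN=example.com only), and the function names and the zone-file formatting of the CNAME are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto. Derives the Comodo DCV
# values from a CSR: upper-case MD5 of the DER bytes (file name / CNAME
# owner), lower-case SHA1 of the same bytes (file body / CNAME target).
# Assumptions: function names and the zone-file form of the CNAME are this
# example's own; the stand-alone run uses a constructed CSR (/CN=example.com).
set -eu

# DER (binary) encoding of a PEM CSR on stdout; every hash below is over this.
csr_der() {
    openssl req -in "$1" -outform DER
}

# Upper-case MD5 hex digest of the DER CSR (DCV file name without ".txt").
csr_md5_upper() {
    csr_der "$1" | openssl md5 | sed 's/^.*= *//' | tr 'a-f' 'A-F'
}

# Lower-case SHA1 hex digest of the DER CSR (first line of the DCV file).
csr_sha1() {
    csr_der "$1" | openssl sha1 | sed 's/^.*= *//'
}

# Write the HTTP validation file for CSR $1 into docroot $2, print its path.
dcv_http_file() {
    csr="$1"; docroot="$2"
    path="$docroot/$(csr_md5_upper "$csr").txt"
    printf '%s\ncomodoca.com\n' "$(csr_sha1 "$csr")" > "$path"
    echo "$path"
}

# Print the CNAME record for the DNS method (zone-file syntax, FQDNs with
# trailing dots) for CSR $1 and domain $2.
dcv_cname() {
    echo "$(csr_md5_upper "$1").$2. IN CNAME $(csr_sha1 "$1").comodoca.com."
}

# Check that validation file $2 matches CSR $1 (name, SHA1 line, CA line).
# Run this against the file the webserver actually serves before asking the
# CA to validate; a stale file from an earlier CSR is the usual failure.
dcv_check() {
    csr="$1"; file="$2"
    [ "$(basename "$file")" = "$(csr_md5_upper "$csr").txt" ] || return 1
    [ "$(sed -n 1p "$file")" = "$(csr_sha1 "$csr")" ] || return 1
    [ "$(sed -n 2p "$file")" = "comodoca.com" ] || return 1
}

main() {
    dir="$(mktemp -d)"
    csr="$dir/example.com.csr"
    # Constructed CSR so the example runs stand-alone; use your real CSR instead.
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/example.com.key" \
        -out "$csr" -subj "/CN=example.com" 2>/dev/null
    file="$(dcv_http_file "$csr" "$dir")"
    echo "serve at : http://example.com/$(basename "$file")"
    echo "contents :"; cat "$file"
    echo "DNS      : $(dcv_cname "$csr" example.com)"
    # Hashing the PEM text instead of the DER bytes is the classic mistake;
    # the value differs and the CA will never match it.
    echo "md5 of PEM text (wrong): $(openssl md5 < "$csr" | sed 's/^.*= *//')"
    dcv_check "$csr" "$file" && echo "validation file matches CSR"
}

main
```

The check function is the part worth keeping around: every time a CSR is regenerated the hashes change, so fetch the .txt from the live site with the exact URL (no www, no redirect) and run dcv_check on it before requesting validation again.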