Creating a Certificate
Copyright 2002, 2003 Andy Barclay
OpenContent License (OPL)
Getting a Certificate for open source Apache with mod_ssl
=========================================================
Assumptions
-----------
You want to purchase a 40 bit certificate for "www.unixpeople.com"
Pre-requisites
--------------
Install mod_ssl
Install Apache version 1.3.12 or later
Install OpenSSL
Step 1. Generate a 1024 bit RSA private key
-------------------------------------------
$ openssl genrsa -des3 -rand /etc/hosts -out www.unixpeople.com.key 1024
{used "its cool" as the pass phrase}
*** BACKUP this file to a floppy AND record the pass phrase ***
Step 2. Generate a Certificate Request
--------------------------------------
$ openssl req -new -key www.unixpeople.com.key -out www.unixpeople.com.csr
{This shows what you will be prompted for and what answers you should give}
*****************
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Walnut Creek
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Unixpeople, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.unixpeople.com
Email Address []:hostmaster@unixpeople.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
*****************
ALTERNATE Step 3. - self-sign the certificate
---------------------------------------------
$ /opt/ssl/bin/openssl x509 -req -days 3650 -in www.unixpeople.com.csr \
-signkey www.unixpeople.com.key -out www.unixpeople.com.crt
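
Added check, not part of the original page: before pasting the CSR into the CA form in Step 3, or installing any certificate, confirm that the key, CSR and certificate carry the same public key and that the CSR's Common Name is the intended host, because mod_ssl will not start with a certificate that does not match its key. The function names, the 2048-bit unencrypted throwaway keys and the temp directory are assumptions of this example; for the pass-phrase-protected key from Step 1, give an OpenSSL pass phrase source such as file:PATH as the fourth argument.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that the key, CSR and
# certificate from Steps 1-3 all carry the same public key and hostname.

# pubkey_pem KIND FILE [PASSIN] -> PEM public key on stdout, non-zero on error
pubkey_pem() {
    case "$1" in
        key) openssl pkey -in "$2" -passin "${3:-pass:}" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# check_cert_set KEY CSR CRT [PASSIN] -> 0 only if all three public keys match
check_cert_set() {
    k=$(pubkey_pem key "$1" "$4") || return 1
    r=$(pubkey_pem csr "$2")      || return 1
    c=$(pubkey_pem crt "$3")      || return 1
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# csr_has_cn CSR HOSTNAME -> 0 if the request's Common Name is exactly HOSTNAME
csr_has_cn() {
    s=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null) || return 1
    s=${s#subject=}; s=${s# }
    case ",$s," in *",CN=$2,"*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample files: 2048-bit unencrypted throwaway keys in a temp dir,
# named like the page's files. Real keys keep their pass phrase (use PASSIN).
make_demo_files() {
    d=$(mktemp -d) && h=www.unixpeople.com || return 1
    openssl genrsa -out "$d/$h.key" 2048 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    openssl req -new -key "$d/$h.key" -out "$d/$h.csr" \
        -subj "/C=US/ST=California/O=Unixpeople, Inc./CN=$h" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/$h.csr" -signkey "$d/$h.key" \
        -out "$d/$h.crt" 2>/dev/null
    echo "$d"
}

D=$(make_demo_files)
H=www.unixpeople.com
check_cert_set "$D/$H.key" "$D/$H.csr" "$D/$H.crt" && echo "set matches"
check_cert_set "$D/other.key" "$D/$H.csr" "$D/$H.crt" || echo "wrong key detected"
csr_has_cn "$D/$H.csr" "$H" && echo "CN is $H"
```
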
Step 3. Apply for your new cert at http://www.thawte.com
--------------------------------------------------------
Page 1
++++++
-Click on "SSL Certs"
-Click on "Buy a Server Cert" {over on the right hand side}
-Click on "Enroll for a SSL Cert" {about 1/2 way down the page}
-Select "SSL Server Certificate" and click Next
-Paste in the data from the certificate request file
-Select the Webserver type from the pulldown list as "Apache+mod_ssl"
-Choose payment type as "Credit Card - Real-time"
-Click Next
Page 2
++++++
-Select "Private (unlisted company)" from the pulldown under
"description of company"
-Put in "099997238" as the DUNS number
-Enter the following information for Authorizing Contact Person
********
Full name: Joe Blow
Official title: Chief Information Officer
Telephone: 650 555 1212
E-mail address: jim@unixpeople.com
********
-Enter the following information for Technical Contact/Webmaster
********
Full name: Jeff Black
Official title: Web Technology Specialist
Telephone: 650 555 1313
Email address: jblack@unixpeople.com
********
-Click Next
Page 3
++++++
-Enter your payment information, then click Next
*** RECORD your Certificate Request Code ***
Step 4. Generate an authorization letter
----------------------------------------
-Enter your Certificate Request Code at:
https://www.thawte.com/cgi/server/letter.exe
-Print the Authorization letter ON COMPANY LETTERHEAD
-Have Roy sign the letter
-Have the technical contact sign the letter
Step 5. Generate an output of the current "whois" information for unixpeople.com
--------------------------------------------------------------------------------
-Enter "unixpeople.com" at:
http://www.networksolutions.com/cgi-bin/whois/whois
-Print this page
Step 6. Get a photocopy of the first page of the Certificate of Incorporation
-----------------------------------------------------------------------------
-This is available from the finance department
Step 7. Fax documentation to Thawte
-----------------------------------
To:
Thawte
From:
Jeff Black
Unixpeople Inc.
650 555 1313
Re:
Documents Required pursuant to Cert. Request # USUNXI5
Total Pages: 6 (including cover)
Details:
Pages 1 and 2 - Letter of Authorization
Pages 3 and 4 - Whois output
Page 5 - Certificate of Incorporation