Step by Step: Ordering and Setting Up an SSL Certificate


    On CentOS or RedHat Distributions


    Step One: Generate the Key and Certificate Request

    Warning: The following two commands overwrite files if they already exist. Before running them, make a copy of any existing files, including the .priv.key and .csr for the host (e.g., sudo cp /etc/pki/tls/req/example.domain.priv.key /etc/pki/tls/req/example.domain.priv.key.backup_date).
    • Generate the Private Key:

      sudo openssl genrsa -out /etc/pki/tls/req/server.domain.com.priv.key 2048
      • Ex: sudo openssl genrsa -out /etc/pki/tls/req/myserver.domain.com.priv.key 2048
    • Generate the Certificate Signing Request (CSR):

      sudo openssl req -new -key /etc/pki/tls/req/server.domain.com.priv.key -out /etc/pki/tls/req/server.domain.com.csr
      • Ex: sudo openssl req -new -key /etc/pki/tls/req/myserver.domain.com.priv.key -out /etc/pki/tls/req/myserver.domain.com.csr

    Fill out the prompts appropriately. The most important line is the one that requests the Common Name. You need to enter the **full domain name** (or public IP address if you do not have a domain) that you want to be associated with your server.

    The full list of prompts will look something like this (use generic placeholders):

    Country Name (2 letter code) [XX]: (Company Country) US
    State or Province Name (full name) []: (Company State) Pennsylvania
    Locality Name (eg, city) [Default City]: (Company City) Pittsburgh
    Organization Name (eg, company) [Default Company Ltd]: (Company Name) Example Org Inc.
    Organizational Unit Name (eg, section) []: (Optional, usually leave blank)
    Common Name (eg, your name or your server's hostname) []: ( Exact hostname/domain, most important field ) your-site.com
    Email Address []: ( Leave Blank )

    If asked for a challenge password or an optional company name, don't enter anything, just leave the fields blank.


    Step Two: Ordering / Renewing an SSL Certificate

    Login

    1. Go to your Certificate Authority's login page (e.g., https://www.your-ca-provider.com/login).
    2. Enter your account credentials (refer to your internal documentation for credentials).

    Ordering New SSLs

    1. Go to Certificates > Orders
    2. Select "Request a Certificate"
      1. Pick the appropriate certificate type (e.g., **RapidSSL Standard DV**).
    3. Paste the contents of the CSR file
    4. Keep "Include both your-domain and www.your-domain in the certificate" enabled.
    5. Select 1 year. This is the default duration choice.


    1. Under "Prove Control of your domain" > DCV verification method, pick a verification method.
      1. TXT:
        1. Requires a TXT record with a randomized code to be added to the DNS records.
        2. If we are the DNS host, this is the fastest route.
        3. You will want it added to the base domain (e.g. example.com not www.example.com).
      2. Email:
        1. Requires one of the email addresses listed on the administration of the domain to approve the order, via a link in the email.
        2. Clients may not be aware whether the default addresses forward to them or not. If their email is listed in the domain's admin records, the client can approve the SSL.
      3. File:
        1. Requires the web host to upload a file containing a randomized code to a specific location on the site.
        2. The file has to be served from the domain being verified, so the A record would already need to point at the server. That makes this method unsuitable for getting the SSL before go-live.
        3. Reference Link to CA's File Validation KB
    2. After getting approval, install the cert.

    Renewals

    1. Go to Certificates > Expiring Certificates.
    2. Find the row with the same common name for the site you are getting the SSL for.
    3. Click the Renew button.
    4. Enter the CSR from /etc/pki/tls/req/server.domain.com.csr
    5. Double check the common name.
    6. Keep Include both your-domain and www.your-domain in the certificate checked.
    7. Select 1-year for How long do you need to protect your site?
    8. Change Prove Control over your domain to the method used last year.
    9. Add Technical Contact:
      1. First Name
      2. Last Name
      3. Title (or leave blank)
      4. Phone Number
      5. E-mail address
    10. Click the checkbox for I agree to the Certificate Services Agreement.
    11. Review all information above to make sure it is correct.
    12. Press Submit Certificate Request.
    13. Select the verification method (email or ask if any of the emails are available).
      1. If unable to use email, confirm the order via a TXT record.

    TXT DNS Record Instructions

    1. Place the order
    2. Contact support via chat and notify them that you would like to verify the order with a TXT record on the DNS. (The original link to a specific CA has been removed.)
    3. They will provide a code to add into the DNS record.
    4. Now add the TXT record:
      1. If the client owns the domain and uses someone else's nameservers, then the client will need to do this.
        1. Reference your registrar's instructions for adding a TXT record. (Original link to GoDaddy KB removed.)
      2. If your own nameservers host the DNS, you can do this yourself.
        1. See your provider for the correct nameservers. But typically they are ns1.provider.tld and ns2.provider.tld
    5. Check that the record has been added.
      1. Use a DNS lookup tool (e.g., mxtoolbox.com)
    6. Contact support again and ask them to confirm the order now. Once this is done, the order is complete.
    VERIFY THAT THE NEW CERTIFICATE HAS THE WWW SUBDOMAIN!

    Step Three: Incorporating the new Cert

    • Once the owner of the domain has confirmed the SSL Cert Request, you will get an email that contains the cert; alternatively, check the portal to see if the cert has been issued / approved.

    • Copy the main certificate as: /etc/pki/tls/certs/server.domain.com.crt
    • Copy Key from /etc/pki/tls/req/server.domain.com.priv.key to /etc/pki/tls/private/server.domain.com.priv.key
      • cp /etc/pki/tls/req/server.domain.com.priv.key /etc/pki/tls/private/server.domain.com.priv.key
    • Copy the chain certificate into /etc/pki/tls/certs/server.domain.com.chain.crt
      • The chain certificate appears to be included in the zip file provided by the CA (e.g., your-domain_com_DigiCertCA.crt)

    Certificates generated before 7/30/2020 should have used the following intermediate certificate:

    -----BEGIN CERTIFICATE-----
    MIIEsTCCA5mgAwIBAgIQCKWiRs1LXIyD1wK0u6tTSTANBgkqhkiG9w0BAQsFADBh
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
    QTAeFw0xNzExMDYxMjIzMzNaFw0yNzExMDYxMjIzMzNaMF4xCzAJBgNVBAYTAlVT
    MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
    b20xHTAbBgNVBAMTFFJhcGlkU1NMIFJTQSBDQSAyMDE4MIIBIjANBgkqhkiG9w0B
    AQEFAAOCAQ8AMIIBCgKCAQEA5S2oihEo9nnpezoziDtx4WWLLCll/e0t1EYemE5n
    +MgP5viaHLy+VpHP+ndX5D18INIuuAV8wFq26KF5U0WNIZiQp6mLtIWjUeWDPA28
    OeyhTlj9TLk2beytbtFU6ypbpWUltmvY5V8ngspC7nFRNCjpfnDED2kRyJzO8yoK
    MFz4J4JE8N7NA1uJwUEFMUvHLs0scLoPZkKcewIRm1RV2AxmFQxJkdf7YN9Pckki
    f2Xgm3b48BZn0zf0qXsSeGu84ua9gwzjzI7tbTBjayTpT+/XpWuBVv6fvarI6bik
    KB859OSGQuw73XXgeuFwEPHTIRoUtkzu3/EQ+LtwznkkdQIDAQABo4IBZjCCAWIw
    HQYDVR0OBBYEFFPKF1n8a8ADIS8aruSqqByCVtp1MB8GA1UdIwQYMBaAFAPeUDVW
    0Uy7ZvCj4hsbw5eyPdFVMA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEF
    BQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADA0BggrBgEFBQcBAQQo
    MCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBCBgNVHR8E
    OzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9i
    YWxSb290Q0EuY3JsMGMGA1UdIARcMFowNwYJYIZIAYb9bAECMCowKAYIKwYBBQUH
    AgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCwYJYIZIAYb9bAEBMAgG
    BmeBDAECATAIBgZngQwBAgIwDQYJKoZIhvcNAQELBQADggEBAH4jx/LKNW5ZklFc
    YWs8Ejbm0nyzKeZC2KOVYR7P8gevKyslWm4Xo4BSzKr235FsJ4aFt6yAiv1eY0tZ
    /ZN18bOGSGStoEc/JE4ocIzr8P5Mg11kRYHbmgYnr1Rxeki5mSeb39DGxTpJD4kG
    hs5lXNoo4conUiiJwKaqH7vh2baryd8pMISag83JUqyVGc2tWPpO0329/CWq2kry
    qv66OSMjwulUz0dXf4OHQasR7CNfIr+4KScc6ABlQ5RDF86PGeE6kdwSQkFiB/cQ
    ysNyq0jEDQTkfa2pjmuWtMCNbBnhFXBYejfubIhaUbEv2FOQB3dCav+FPg5eEveX
    TVyMnGo=
    -----END CERTIFICATE-----

    Certificates generated after 7/30/2020 should use the following intermediate certificate instead:

    -----BEGIN CERTIFICATE-----
    MIIFUTCCBDmgAwIBAgIQB5g2A63jmQghnKAMJ7yKbDANBgkqhkiG9w0BAQsFADBh
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
    QTAeFw0yMDA3MTYxMjI1MjdaFw0yMzA1MzEyMzU5NTlaMFkxCzAJBgNVBAYTAlVT
    MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMzAxBgNVBAMTKlJhcGlkU1NMIFRMUyBE
    ViBSU0EgTWl4ZWQgU0hBMjU2IDIwMjAgQ0EtMTCCASIwDQYJKoZIhvcNAQEBBQAD
    ggEPADCCAQoCggEBANpuQ1VVmXvZlaJmxGVYotAMFzoApohbJAeNpzN+49LbgkrM
    Lv2tblII8H43vN7UFumxV7lJdPwLP22qa0sV9cwCr6QZoGEobda+4pufG0aSfHQC
    QhulaqKpPcYYOPjTwgqJA84AFYj8l/IeQ8n01VyCurMIHA478ts2G6GGtEx0ucnE
    fV2QHUL64EC2yh7ybboo5v8nFWV4lx/xcfxoxkFTVnAIRgHrH2vUdOiV9slOix3z
    5KPs2rK2bbach8Sh5GSkgp2HRoS/my0tCq1vjyLJeP0aNwPd3rk5O8LiffLev9j+
    UKZo0tt0VvTLkdGmSN4h1mVY6DnGfOwp1C5SK0MCAwEAAaOCAgswggIHMB0GA1Ud
    DgQWBBSkjeW+fHnkcCNtLik0rSNY3PUxfzAfBgNVHSMEGDAWgBQD3lA1VtFMu2bw
    o+IbG8OXsj3RVTAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
    CCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYIKwYBBQUHAQEEKDAmMCQG
    CCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wewYDVR0fBHQwcjA3
    oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9v
    dENBLmNybDA3oDWgM4YxaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0
    R2xvYmFsUm9vdENBLmNybDCBzgYDVR0gBIHGMIHDMIHABgRVHSAAMIG3MCgGCCsG
    AQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMIGKBggrBgEFBQcC
    AjB+DHxBbnkgdXNlIG9mIHRoaXMgQ2VydGlmaWNhdGUgY29uc3RpdHV0ZXMgYWNj
    ZXB0YW5jZSBvZiB0aGUgUmVseWluZyBQYXJ0eSBBZ3JlZW1lbnQgbG9jYXRlZCBh
    dCBodHRwczovL3d3dy5kaWdpY2VydC5jb20vcnBhLXVhMA0GCSqGSIb3DQEBCwUA
    A4IBAQAi49xtSOuOygBycy50quCThG45xIdUAsQCaXFVRa9asPaB/jLINXJL3qV9
    J0Gh2bZM0k4yOMeAMZ57smP6JkcJihhOFlfQa18aljd+xNc6b+GX6oFcCHGr+gsE
    yPM8qvlKGxc5T5eHVzV6jpjpyzl6VEKpaxH6gdGVpQVgjkOR9yY9XAUlFnzlOCpq
    sm7r2ZUKpDfrhUnVzX2nSM15XSj48rVBBAnGJWkLPijlACd3sWFMVUiKRz1C5PZy
    el2l7J/W4d99KFLSYgoy5GDmARpwLc//fXfkr40nMY8ibCmxCsjXQTe0fJbtrrLL
    yWQlk9VDV296EI/kQOJNLVEkJ54P
    -----END CERTIFICATE-----
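    The two things this step asks you to confirm (that the new certificate carries the www name, and that the chain file is the intermediate matching the issue date) can be checked from the files themselves rather than from the portal. The Python below is an added example, not part of the original instructions: it walks the DER structure of a PEM certificate with the standard library alone and reports the subject CN, the validity window and the subjectAltName DNS entries. `inspect_certificate`, `covers_hostnames`, `valid_at` and the helper names are choices made for this example; the OpenSSL CLI equivalent is `openssl x509 -noout -text -in <file>`.

```python
"""Stdlib-only inspection of a PEM certificate: subject CN, validity window and
subjectAltName DNS entries, via a minimal DER walker (no third-party library)."""
import base64
import re
from datetime import datetime, timezone

OID_COMMON_NAME = bytes.fromhex("550403")       # 2.5.4.3
OID_SUBJECT_ALT_NAME = bytes.fromhex("551d11")  # 2.5.29.17


def pem_to_der(pem: str) -> bytes:
    """Take the first CERTIFICATE block out of a PEM string and base64-decode it."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos).
    Single-byte tags only, which is all X.509 certificates use."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """Yield (tag, value) for each TLV packed inside a SEQUENCE or SET body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


def parse_time(tag: int, value: bytes) -> datetime:
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...), both ending in Z."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def san_dns_names(general_names: bytes) -> list:
    """DNS entries from the body of a GeneralNames SEQUENCE; dNSName is context tag [2] = 0x82."""
    return [v.decode("ascii") for t, v in children(general_names) if t == 0x82]


def inspect_certificate(pem: str) -> dict:
    _, certificate, _ = read_tlv(pem_to_der(pem), 0)      # Certificate ::= SEQUENCE
    tbs = next(children(certificate))[1]                   # tbsCertificate is its first element
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, spki, [3] extensions
    validity = list(children(fields[3][1]))
    info = {"common_name": None, "not_before": parse_time(*validity[0]),
            "not_after": parse_time(*validity[1]), "dns_names": []}
    for _, rdn in children(fields[4][1]):                  # subject: SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_COMMON_NAME:
                info["common_name"] = value.decode("utf-8")
    for tag, body in fields[6:]:
        if tag != 0xA3:                                    # [3] EXPLICIT Extensions
            continue
        for _, ext in children(next(children(body))[1]):   # Extension ::= SEQUENCE { OID, [critical], OCTET STRING }
            parts = list(children(ext))
            if parts[0][1] == OID_SUBJECT_ALT_NAME:
                info["dns_names"] = san_dns_names(next(children(parts[-1][1]))[1])
    return info


def covers_hostnames(info: dict, hostnames) -> list:
    """Hostnames missing from the SAN list. Browsers ignore the CN, so only the SAN counts."""
    return [h for h in hostnames if h not in info["dns_names"]]


def valid_at(info: dict, when: datetime) -> bool:
    return info["not_before"] <= when <= info["not_after"]


if __name__ == "__main__":
    import sys
    # usage: python3 inspect_cert.py /etc/pki/tls/certs/server.domain.com.crt your-site.com www.your-site.com
    details = inspect_certificate(open(sys.argv[1]).read())
    print(details)
    print("valid now:", valid_at(details, datetime.now(timezone.utc)))
    print("missing from SAN:", covers_hostnames(details, sys.argv[2:]))
```

    Run it against the new server.domain.com.crt with both your-domain and www.your-domain as arguments; an empty "missing from SAN" list is the www check this page insists on. Run against server.domain.com.chain.crt, the notBefore/notAfter pair tells you which of the two intermediates above you actually have in place.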
    • Now edit the following directives in /etc/httpd/conf.d/ssl.conf (replace the wildcard paths with the new files):
      • For existing clients with multiple sites where ssl.conf still references the wildcard certificate, check the other files in the same directory for more specific VHosts.
    • SSLCertificateFile /etc/pki/tls/certs/server.domain.com.crt
      SSLCertificateKeyFile /etc/pki/tls/private/server.domain.com.priv.key
      SSLCertificateChainFile /etc/pki/tls/certs/server.domain.com.chain.crt
    /etc/httpd/conf.d/ssl.conf Example
    Listen 443 https
    
    SSLPassPhraseDialog      builtin
    SSLSessionCache          shmcb:/run/httpd/sslcache(512000)
    SSLSessionCacheTimeout  300
    
    SSLRandomSeed            startup file:/dev/urandom  256
    SSLHonorCipherOrder      on
    SSLCompression           off
    SSLCryptoDevice          builtin
    SSLRandomSeed            connect builtin
    SSLProtocol              all -SSLv2 -SSLv3 -TLSv1
    SSLCipherSuite           ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-A$
    
    <VirtualHost _default_:443>
      ErrorLog logs/ssl_error_log
      TransferLog logs/ssl_access_log
      LogLevel warn
      SSLEngine on
      SSLCertificateFile /etc/pki/tls/certs/server.domain.com.crt
      SSLCertificateKeyFile /etc/pki/tls/private/server.domain.com.priv.key
      SSLCertificateChainFile /etc/pki/tls/certs/server.domain.com.chain.crt
      # Files/Directory arguments as shipped in the stock mod_ssl ssl.conf
      <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
      </Files>
      <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
      </Directory>
      CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
      SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
      AllowEncodedSlashes On
    </VirtualHost>
    
    • Restart Apache:
      systemctl restart httpd
      • If you get an error on this step, you may need to:
        • yum install mod_ssl
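    The copy steps and the restart above can be scripted so that the key lands in /etc/pki/tls/private readable by root only, the outgoing files are kept for rollback, a file dropped into the wrong slot (the CA bundle copied as the server certificate, or a key pasted into a .crt) is refused by its PEM header, and httpd is restarted only once `apachectl configtest` passes. This Python is an added example and not part of the original page: the destination paths follow the page, while `install_tls_material`, `restart_httpd_if_config_valid` and `rehearse` are names chosen here, and `rehearse` runs the copy against a scratch directory with constructed placeholder PEM files.

```python
"""Stage a newly issued certificate, its chain and the private key into the
CentOS/RHEL paths used in this page: backup of the previous files, root-only
mode on the key, PEM header sanity check, and a config test before restart."""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

CERT_HEADER = ("-----BEGIN CERTIFICATE-----",)
# openssl genrsa writes PKCS#1 on OpenSSL 1.x and PKCS#8 on OpenSSL 3; accept both.
KEY_HEADERS = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----")


def pem_role_ok(path: Path, headers) -> bool:
    """True when the file's first line is one of the PEM headers expected for its role."""
    first_line = path.read_text().lstrip().splitlines()[0]
    return first_line.startswith(headers)


def install_tls_material(host: str, cert_src: Path, chain_src: Path, key_src: Path,
                         root: Path = Path("/")) -> dict:
    """Copy the three files into the page's layout under `root` and return the
    modes that were set. `root` defaults to the live filesystem; pass a scratch
    directory to rehearse without touching /etc."""
    certs_dir = root / "etc/pki/tls/certs"
    private_dir = root / "etc/pki/tls/private"
    plan = [
        (cert_src, certs_dir / f"{host}.crt", CERT_HEADER, 0o644),
        (chain_src, certs_dir / f"{host}.chain.crt", CERT_HEADER, 0o644),
        (key_src, private_dir / f"{host}.priv.key", KEY_HEADERS, 0o600),  # key: root only
    ]
    for src, _, headers, _ in plan:              # validate everything before copying anything
        if not pem_role_ok(src, headers):
            raise ValueError(f"{src}: PEM header does not match its role")
    modes = {}
    for src, dest, _, mode in plan:
        dest.parent.mkdir(parents=True, exist_ok=True)
        if dest.exists():                        # keep the outgoing file for rollback
            shutil.copy2(dest, dest.with_name(dest.name + ".bak"))
        shutil.copy2(src, dest)
        os.chmod(dest, mode)                     # copy2 preserves the source mode, so set it explicitly
        modes[dest.name] = oct(dest.stat().st_mode & 0o777)
    return modes


def restart_httpd_if_config_valid() -> bool:
    """A bad path in ssl.conf should fail here, not take the site down on restart."""
    check = subprocess.run(["apachectl", "configtest"], capture_output=True, text=True)
    if check.returncode != 0:
        print(check.stderr)
        return False
    subprocess.run(["systemctl", "restart", "httpd"], check=True)
    return True


def rehearse() -> dict:
    """Exercise install_tls_material against a scratch root with constructed placeholder files."""
    scratch = Path(tempfile.mkdtemp(prefix="tls-rehearsal-"))
    inbox = scratch / "inbox"
    inbox.mkdir()
    # Constructed stand-ins; the real input is the CA's zip and /etc/pki/tls/req/.
    (inbox / "server.crt").write_text("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    (inbox / "chain.crt").write_text("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    (inbox / "server.key").write_text("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    modes = install_tls_material("server.domain.com", inbox / "server.crt",
                                 inbox / "chain.crt", inbox / "server.key", root=scratch)
    try:  # the key dropped into the certificate slot must be refused
        install_tls_material("server.domain.com", inbox / "server.key",
                             inbox / "chain.crt", inbox / "server.crt", root=scratch)
        swap_rejected = False
    except ValueError:
        swap_rejected = True
    return {"root": str(scratch), "modes": modes, "swap_rejected": swap_rejected}


if __name__ == "__main__":
    print(rehearse())
```

    For the live host, call install_tls_material with the default root and then restart_httpd_if_config_valid(); if the config test fails, the "yum install mod_ssl" remedy above and the directive paths in ssl.conf are the first things to check.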

