Tue Feb 21 15:18:04 ICT 2017

All you need to know about CSIM certificates

In this document, I try to summarize all the information I have gathered over the years about certificates.

All the commands below are to be run on the machine that will use the certificate. For this example, we will use test.cs.ait.ac.th.

First step, create a private/public key

For the first two steps, I find the FAQ of mod_ssl to be a very good source of information.

openssl genrsa -out /usr/local/ssl/key/test.cs.ait.ac.th.key 2048

The minimum key length is now (year 2017) 2048 bits; you should not use shorter keys, and Let's Encrypt will refuse to certify shorter keys.

We do not set a passphrase on the private key, so that the daemons can start automatically without someone typing it. The key is then protected only by file permissions, which is why the next step matters.

chmod 400 /usr/local/ssl/key/test.cs.ait.ac.th.key

The private key must be well protected; make it read-only. You may need to change the ownership to that of the daemon that will use the key; for example, the LDAP key must belong to user ldap and the FreeRADIUS key must belong to user freeradius.

Second step, create the certificate request

openssl req -new -key /usr/local/ssl/key/test.cs.ait.ac.th.key -out /usr/local/ssl/csr/test.cs.ait.ac.th.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TH
State or Province Name (full name) [Some-State]:Pathumthani
Locality Name (eg, city) []:Klong Luang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Asian Institute of Technology
Organizational Unit Name (eg, section) []:CSIM
Common Name (e.g. server FQDN or YOUR name) []:test.cs.ait.ac.th
Email Address []:olivier.nicole@cs.ait.ac.th

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The only compulsory information is the Common Name, which must be the fully qualified domain name of the service, in our example test.cs.ait.ac.th: that is the name clients will use across the network when making the connection, and that is the name the certificate will be checked against and will certify. Note that modern browsers match the host name against the Subject Alternative Name extension rather than the Common Name; Let's Encrypt copies the Common Name into the SAN of the issued certificate, but a CSR that also lists the FQDN in a subjectAltName extension is the safer form.

While the next step is not always needed, it helps make sure you have not made a mistake: check that the .csr and .key files are related, i.e. that they carry the same RSA modulus:

openssl req -noout -in /usr/local/ssl/csr/test.cs.ait.ac.th.csr -modulus |md5
affeeeeca2036788d070d7bdef0ea971
openssl rsa -noout -in /usr/local/ssl/key/test.cs.ait.ac.th.key -modulus | md5
affeeeeca2036788d070d7bdef0ea971

Both MD5 hashes should be the same; if they differ, the CSR was not generated from that key. (md5 is the BSD command; on Linux use md5sum.)
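The three steps above as one script, added here as an example and not part of the page's own commands: it writes the key under a restrictive umask, builds the CSR non-interactively from the page's DN with the FQDN also placed in a subjectAltName extension, and turns the modulus comparison into a function that fails when key and CSR do not belong together. Paths follow the page's /usr/local/ssl layout; the SSLDIR override, the function names and the .cnf file written next to the CSR are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the page's own script: key, CSR and key/CSR check for
# one FQDN, following the page's /usr/local/ssl layout (SSLDIR overrides it).
set -eu
SSLDIR="${SSLDIR:-/usr/local/ssl}"

# make_key FQDN: 2048-bit RSA key without passphrase, created under umask 077
# so it is never world-readable, then made read-only. Prints the key path.
make_key() {
    fqdn="$1"
    key="$SSLDIR/key/$fqdn.key"
    mkdir -p "$SSLDIR/key"
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null)
    chmod 400 "$key"
    printf '%s\n' "$key"
}

# make_csr FQDN: CSR with the page's DN, generated without prompts from a
# config file, plus a subjectAltName carrying the FQDN (what browsers check).
# The config-file form works with OpenSSL 1.0.x as well as 1.1/3.x.
make_csr() {
    fqdn="$1"
    key="$SSLDIR/key/$fqdn.key"
    csr="$SSLDIR/csr/$fqdn.csr"
    cfg="$SSLDIR/csr/$fqdn.cnf"   # assumed location, kept beside the CSR
    mkdir -p "$SSLDIR/csr"
    cat > "$cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext
[ dn ]
C = TH
ST = Pathumthani
L = Klong Luang
O = Asian Institute of Technology
OU = CSIM
CN = $fqdn
emailAddress = olivier.nicole@cs.ait.ac.th
[ ext ]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -key "$key" -out "$csr" -config "$cfg"
    printf '%s\n' "$csr"
}

# modulus_digest FILE: digest of the RSA modulus in a .key or .csr file
# (the page pipes into md5; any digest will do since we only compare).
modulus_digest() {
    case "$1" in
        *.csr) openssl req -noout -modulus -in "$1" ;;
        *)     openssl rsa -noout -modulus -in "$1" ;;
    esac | openssl dgst -sha256 | sed 's/^.* //'
}

# key_matches_csr KEY CSR: succeed only if both carry the same modulus.
key_matches_csr() {
    [ "$(modulus_digest "$1")" = "$(modulus_digest "$2")" ]
}

# csr_sans CSR: the DNS names in the CSR's subjectAltName, comma-separated.
csr_sans() {
    openssl req -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | paste -s -d ',' -
}

# Usage: sh mkcsr.sh test.cs.ait.ac.th
if [ $# -gt 0 ]; then
    key=$(make_key "$1")
    csr=$(make_csr "$1")
    if key_matches_csr "$key" "$csr"; then
        echo "OK: $csr matches $key; SAN: $(csr_sans "$csr")"
    else
        echo "MISMATCH: $csr was not made from $key" >&2
        exit 1
    fi
fi
```

Run it as root on the machine that will use the certificate, as the page says, and hand the resulting .csr to acme.sh; the ownership change for daemons such as ldap or freeradius is still done by hand afterwards.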

Third step, install acme.sh

Create a directory ~on/.acme.sh and copy on@banyan:.acme.sh/acme.sh to that directory.

Also copy on@banyan:.acme.sh/renew. The renew Perl script needs the packages p5-Mail-SendEasy and p5-File-Copy-Link, as well as Time::ParseDate from CPAN.

acme.sh needs to access the network through the proxy, so you need to set the proxy configuration for curl (csh syntax, as used by root's shell):

setenv http_proxy http://192.41.170.23:3128/
setenv https_proxy http://192.41.170.23:3128/

Fourth step, send the certificate request

~on/.acme.sh/acme.sh --issue --dns --signcsr --csr /usr/local/ssl/csr/test.cs.ait.ac.th.csr
[Tue Feb 21 15:59:54 ICT 2017] Copy csr to: /root/.acme.sh/test.cs.ait.ac.th/test.cs.ait.ac.th.csr
[Tue Feb 21 15:59:54 ICT 2017] Signing from existing CSR.
[Tue Feb 21 15:59:54 ICT 2017] Getting domain auth token for each domain
[Tue Feb 21 15:59:54 ICT 2017] Getting webroot for domain='test.cs.ait.ac.th'
[Tue Feb 21 15:59:54 ICT 2017] _w='dns'
[Tue Feb 21 15:59:54 ICT 2017] Getting new-authz for domain='test.cs.ait.ac.th'
[Tue Feb 21 16:00:02 ICT 2017] The new-authz request is ok.
[Tue Feb 21 16:00:02 ICT 2017] Add the following TXT record:
[Tue Feb 21 16:00:02 ICT 2017] Domain: '_acme-challenge.test.cs.ait.ac.th'
[Tue Feb 21 16:00:02 ICT 2017] TXT value: 'PHEthoYwZznDv_qD4nMJY57r4r00JPytkhk3h4ZymAk'
[Tue Feb 21 16:00:02 ICT 2017] Please be aware that you prepend _acme-challenge. before your domain
[Tue Feb 21 16:00:02 ICT 2017] so the resulting subdomain will be: _acme-challenge.test.cs.ait.ac.th
[Tue Feb 21 16:00:03 ICT 2017] Please add the TXT records to the domains, and retry again.
[Tue Feb 21 16:00:03 ICT 2017] Please add '--debug' or '--log' to check more details.
[Tue Feb 21 16:00:03 ICT 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

Edit the zone file for cs.ait.ac.th DNS and add a line:

_acme-challenge.test 1 IN TXT "PHEthoYwZznDv_qD4nMJY57r4r00JPytkhk3h4ZymAk"

Note that the string PHE...ymAk must copy exactly the string sent by the acme.sh request above.

Note too that the TTL is set to 1 second, so that the value can be replaced at the next issue or renewal without resolvers holding a stale copy. After editing the zone file, increment the SOA serial and reload the zone, then check that the record is actually served (dig TXT _acme-challenge.test.cs.ait.ac.th) before running acme.sh again.
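The manual copy of the TXT value is where mistakes happen, so here is an added example (not from the page or from acme.sh) that builds the zone-file line from the "Domain:" and "TXT value:" lines acme.sh prints, and polls the authoritative server until the record is visible before acme.sh is retried. The sample log lines are copied from the page's transcript and the zone cs.ait.ac.th is the page's; the function names, the 10-second polling interval and any nameserver you pass to wait_for_txt are assumptions of this example. wait_for_txt needs dig from BIND.

```shell
#!/bin/sh
# Added example, not part of the page: build the zone-file record from the
# "Add the following TXT record" output of acme.sh, and wait until the
# authoritative server returns it before retrying acme.sh.
set -eu

# acme_txt_record LOGFILE ZONE: print the record for ZONE's zone file.
# The name is made relative to ZONE, the TTL is 1 as the page recommends,
# and the value is copied byte for byte from the log so it cannot be mistyped.
acme_txt_record() {
    log="$1"; zone="$2"
    domain=$(sed -n "s/.*Domain: '\([^']*\)'.*/\1/p" "$log" | head -n 1)
    value=$(sed -n "s/.*TXT value: '\([^']*\)'.*/\1/p" "$log" | head -n 1)
    if [ -z "$domain" ] || [ -z "$value" ]; then
        echo "no Domain:/TXT value: pair found in $log" >&2
        return 1
    fi
    case "$domain" in
        *."$zone") name=${domain%."$zone"} ;;   # relative to the zone's $ORIGIN
        *)         name="$domain." ;;           # outside ZONE: absolute name
    esac
    printf '%s 1 IN TXT "%s"\n' "$name" "$value"
}

# wait_for_txt NAME VALUE NS [TRIES]: poll NS with dig every 10 s until the
# TXT record NAME contains VALUE (dig +short prints it in double quotes).
# Gives up after TRIES attempts (default 30) so a cron job cannot hang forever.
wait_for_txt() {
    name="$1"; value="$2"; ns="$3"; tries="${4:-30}"
    n=0
    while [ "$n" -lt "$tries" ]; do
        if dig +short TXT "$name" "@$ns" | grep -qxF "\"$value\""; then
            return 0
        fi
        n=$((n + 1))
        sleep 10
    done
    return 1
}

# Constructed input: the two relevant lines from the acme.sh run on the page.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
[Tue Feb 21 16:00:02 ICT 2017] Domain: '_acme-challenge.test.cs.ait.ac.th'
[Tue Feb 21 16:00:02 ICT 2017] TXT value: 'PHEthoYwZznDv_qD4nMJY57r4r00JPytkhk3h4ZymAk'
EOF

# Prints: _acme-challenge.test 1 IN TXT "PHEthoYwZznDv_qD4nMJY57r4r00JPytkhk3h4ZymAk"
acme_txt_record "$sample_log" cs.ait.ac.th
```

Typical use is to run acme.sh with its output saved to a file, append the printed line to the zone file, bump the serial and reload, then call wait_for_txt _acme-challenge.test.cs.ait.ac.th PHE...ymAk with your authoritative server's name before retrying acme.sh as its message asks.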


Posted by Olivier