Thoughts of Digitalw00t
So after a day screwing with this and an hour on the live chat with hostgator, I think I got it working
Activating ssl on a hostgator account creates a static ip address (free for business accounts)
update cloudflare with new ip address
Setting up the shared cert:
http://support.hostgator.com/articles/ssl-certificates/ssl-setup-use/how-to-set-up-and-use-your-shared-ssl
Original page here written by Sander Van Vugt
Setting up a Certificate Authority
To manage certificate-related issues on Linux, you can use the openssl command. This command is used to create and manage certificates and certificate authority for your server. In this section, you’ll learn how to use the openssl command to create a certificate and a self-signed CA. In this example, the self-signed CA is the highest level in the CA hierarchy, so it will be a root-CA. The following procedure explains how to proceed:
mkdir certs newcerts private crl will create these directories for you. They serve the following purposes:Listing 1: Some important settings from the openssl.cnf file
HOME = /root/root-CA dir = /root/root-CA ... certificate = $dir/cacert.pem ... private_key = $dir/private/privkey.pem ...
Now that you have tuned the configuration file the proper way, you can create a self-signed certificate for the root-CA. The following command creates the certificate with a 1024-bits RSA key that is valid for 10 years:
openssl req -newkey rsa:1024 -x509 -days 3650 -keyout private/privkey.pem -out cacert.pem
The main command used here is the openssl command. This command has several parameters that operate as if they were independent commands. The parameter req in this example is used to create the self-signed certificate (check its man page to see everything it can be used for). To make sure there is no misunderstanding regarding the place where these keys are created, the parameter -keyout is used to specify where to put the private key and -out is used to define the location of the public keythat you create. All the other options are used to specify with what parameters the key must be created.
Creating the key will start an interface in which several questions are asked (see Listing 2). The most important of all these questions is the prompt for a passphrase. Since we are creating a root-CA in this example, using a passphrase is mandatory; otherwise, it would be possible for anyone who accessed your machine to create public key certificates signed by this CA, which would make this CA worthless.
Listing 2: While creating the public/private key pair, you are prompted for the associated owner information and a passphrase to protect the private key.
root@mel:~/root-CA# openssl req -newkey rsa:1024 -x509 -days 3650 -out cacert.pem -keyout private/privkey.pem Generating a 1024 bit RSA private key ....++++++ .....................++++++ writing new private key to 'private/privkey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:NL State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:Myself Email Address []:myself@example.com
Note: You should always watch the output of the openssl commands carefully. It’s not easy to see errors, but it is easy to make them through small typing mistakes. You should fix all errors before proceeding to the next step.
Congratulations! You now have your own root-CA. This makes it possible to create your own certificates and use them for any purpose. For example, think of server certificates that are used for secured email, or client certificates used to connect a notebook to a VPN gateway.
Creating the OpenSSL database and key pair
Before you can start creating your own certificates, you need to create the OpenSSL database. This database consists of two files where OpenSSL keeps track of all the certificates that it issued. You need to create these two files by hand before you start. Change to the home directory of your root-CA first. From there, use touch index.txt and then use echo 01 > serial to create this simple database.
cd /root/root-CA to go to the root directory that is used by your certificate authority. Next, enter the command openssl req -new -keyout private/mailserverkey.pem -out certs/mailserver_req.pem -days 365. In this example, I have used the name “mailserverkey,” which makes it easy to identify what the key is used for. Of course, you can use any name you like here. With this command, you have created a new key pair of which the private key is stored in /root/root-CA/private. The public key is dropped in /root/root-CA/certs. Listing 3 shows what happens while creating these keys.Listing 3: Creating a public and private key pair for your server.
root@mel:~/root-CA# openssl req -new -keyout private/mailserverkey.pem -out certs/mailserver_req.pem -days 365 Generating a 1024 bit RSA private key ..................++++++ .............++++++ writing new private key to 'private/mailserverkey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:NL State or Province Name (full name) [Some-State]:NB Locality Name (eg, city) []:Amsterdam Organization Name (eg, company) [Internet Widgits Pty Ltd]:SomeCompany Organizational Unit Name (eg, section) []:somewhere Common Name (eg, YOUR name) []:Me Email Address []:me@somecompany.com Please enter the following 'extra' attributes to be sent with your certificate request. A challenge password []:novell An optional company name []:
Signing the key-pair
You have now created the CA and a key-pair that you need to get signed. If the CA that needs to sign the key would not run on your own server, you would now copy it to the server that does the signing. Since in this simple setup the CA is on the same server, you can sign the CA using the following command:
openssl ca -policy policy_anything -notext -out certs/mailservercert.pem -infiles certs/mailserver_req.pem
Make sure that you run this command from the root directory of the certificate authority as well. In this command, the default policy is used for signing the key. The name of this default policy is policy_anything and this is defined as a bunch of settings in the openssl.cnf configuration file. The option -notext is used to limit the amount of output produced by this command.
Then the name of the resulting certificate is given: certs/mailservercert.pem. This certificate can only be created because you created a signing request earlier with the name mailserver_req.pem. This mailserver_req.pem is in the certs directory. If you would need to sign a public key that is generated on another server, you only have to make sure that this public key is copied to this directory; the signing request would find it and the public-key certificate would be created without any problem. Listing 4 shows the output that is generated when signing this certificate:
Listing 4: Signing the certificate that was just created
root@mel:~/root-CA# openssl ca -policy policy_anything -notext -out certs/mailservercert.pem -infiles certs/mailserver_req.pem
Using configuration from /usr/lib/ssl/openssl.cnf, enter pass phrase for /root/root-CA/private/privkey.pem:. Check that the request matches the signature.
Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Aug 15 09:32:12 2008 GMT Not After : Aug 15 09:32:12 2009 GMT Subject: countryName = NL stateOrProvinceName = Some-State localityName = Roosendaal organizationName = MyComp commonName = MyName emailAddress = myname@mycomp.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: BD:17:8C:D3:BD:39:E8:59:B6:47:4A:A4:FF:A1:40:8C:30:73:CD:B2 X509v3 Authority Key Identifier: keyid:83:B5:79:F1:73:23:56:42:F1:17:B8:8A:AD:CA:B6:C9:E6:79:DC:5E Certificate is to be certified until Aug 15 09:32:12 2009 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
You have now created the public/private key pair for your mail server and have signed it with your own self-signed root-CA. For more details on how to use the openssl command, check man openssl(1). Also note that all options, such as req and ca, have their own man page; check them for more specific details.
Original page is here written by Glen Kemp
One of the chores many network engineers face is the maintenance and renewal of SSL certificates. In my case this is mostly for VPN deployments, but many network appliances require a certificate for encrypted client-to-server communication. Given that I’m often met with deafening silence when I drop the bombshell that I’m going to need a cert, I’m guessing that this whole business is a bit of a black art to most. It’s perhaps no surprise when a lot of the existing resources on scary-sounding public key cryptography either assume elite ninja status or use principles that are too abstract from the practicalities. The goal here is to remedy that confusion somewhat, explain the basics and include some common real-world examples.
The common garden-variety certificates used by Web servers and associated devices consist of three parts:
When our subject server receives a connection request, it presents its signed public key so that the client may verify its identity. If the client trusts our public key, the ciphers are negotiated and the public key is used to encrypt the client session key. This session key can only be decrypted by our private key, and the rest of the secure socket connection can be completed.
At the creation of the private key, the common name (CN) is specified; in most cases this is the fully qualified domain name (FQDN) of the host, such as www.foo.com. If many servers require protection, it is often more economical and practical to create a wildcard certificate for all hosts on a given domain. This is also very helpful when you need several virtual identities such as “www.foo.com,” “mail.foo.com” and “ssl.foo.com” on a logical host, such as a load balancer. At key generation, instead of using a single FQDN for a specific host, the host portion is replaced with a wild card, such as “*.com.” As a result, the certificate is valid for anything on the DNS domain, but not usually any subdomains. Most modern client browsers support wild cards, but you may run into a few exceptions with embedded browsers or early versions of Internet Explorer.
A relatively obscure but useful feature is Subject Alternate Name (SAN). If you require the features of a wild card certificate but are expecting connections from legacy clients, some CAs will sign the subject public key with a number of valid alternate names. Even ancient client SSL implementations support this feature, which allows the subject public key fields as such:
Even if the client doesn’t understand the wild card in the subject common name, it should still match one of the alternative names and accept the certificate as valid.
The vast majority of client certificates are not issued by a root-level CA but by anintermediate certificate issuing CA. Essentially, the root-level CA signs the public key of an intermediate CA, permitting it to sign certificates on its behalf. This can happen several times, and you could end up with a chain of certificates several layers deep. In the below example, the subject’s certificate, “www.amazon.co.uk,” has been signed by the VeriSign Class 3 Secure Server CA – G2, which is in turn signed by the VeriSign root certificate.
The common intermediary certificates are embedded in client certificate stores, but many legitimate intermediaries from Internet service providers or domain registrars are not. The intermediary certificates need to be attached to the Web server so that the client can follow the chain until it finds a certificate signed by a trusted CA. In my experience, this is the No. 1 reason why users still receive certificate trust errors when connecting to a website that has a paid-for certificate. Certificate authorities provide a bundle of root and subordinate public keys that need to be imported into the Web server configuration. Many CAs provide online tools that check whether the intermediaries have been installed correctly. When importing your signed public key, it is worth checking whether the intermediaries require attention to avoid the inevitable support call.
The OpenSSL cryptographic toolkit is the engineer’s Swiss army knife for certificate management. The binaries are included in most *nix distributions and are also available forWindows. This powerful utility is worth learning to prevent remembering the nuances of native certificate management on multiple platforms. The “lite” version is sufficient for most day-to-day needs.
PFX files are commonly used in Microsoft environments; typically, the key is generated within Windows and then automatically signed by a domain-integrated CA. It is useful because the private key, the signed public key and the CA public key are bundled into a single file. The key is optionally encrypted with a passphrase to provide some level of protection should you wish to transfer the certificate across a public network. Using OpenSSL, the individual components can be exported and converted. These files contain no human-readable component.
The common x.509v3 certificates are encoded in one of two formats, PEM or DER, and are typically given either a .CRT or .CER file extension. The file extensions themselves do not tell you much about their format as they are used interchangeably, but the contents can give you a pointer.PEM files are Base-64 ASCII-encoded and are prefixed with “—- BEGIN CERTIFICATE —-” and suffixed with “—- END CERTIFICATE —-.” DER files are binary-encoded and are not human-readable.
When exporting a certificate from Windows, you are offered three common formats: DER, PEM and P12, although which is which is not very clear.
Many network appliances require certificates and keys to be imported in PEM format, but the Windows MMC certificate management snap-in will only permit private keys to be exported in P12 format.
This is only half the battle, since you will also need to extract the signed subject public key.
Extracting the Public Key in PEM format from a PFX file
The exported subject public key clearly shows the common name of the server it was issued to and the name of the root CA that signed it. It is important to check that you are manipulating the correct certificate (i.e., the one signed by a commercial CA and not an internal domain CA).
To reverse the process and combine a private key, public key and CA certificate into a single file, use the following command:
C:\cert>openssl pkcs12 -export -out NewPfx.pfx -inkey justPrivateKey.key -in justPublicKey.crt -certfile CACert.crt
Loading ‘screen’ into random state – done
Enter Export Password: <set new passphrase>
Verifying – Enter Export Password: <repeat new passphrase>
Another common requirement is to convert PEM encoded files to DER encoding:
C:\cert>openssl x509 -outform der -in justPublicKey.pem -out justPublicKey.der
Then, convert them back again:
C:\cert>openssl x509 -inform der -in justPublicKey.der -out justPublicKey.pem
It is worth noting that this process will typically strip out the plain-text-extended attributes and leave you with only the raw certificate between the “—- BEGIN CERTIFICATE —-” and “—- END CERTIFICATE —-” buffers.
Inevitably, you will end up in the situation where something is not working correctly. If that’s the case, the first step is to use OpenSSL’s native tools to check that your keys and certificates are correctly formatted.
To check a private key file:
C:\cert>openssl rsa -in justPrivateKey.key –check
To check a CSR:
The above example clearly shows the entire certificate subject. The two key pieces here are the “O=” (Organization) and the “CN=” (Canonical Name). The organization field must exactly match your registered organization name. For example, if you are incorporated as “Foo Company Plc (UK),” a submission for “Foo Company UK” will be rejected. Additionally, the domain name specified in the certificate must be registered by you or an authorized third party.
To verify a certificate (PEM or DER format):
C:\cert>openssl x509 -in CACert.crt -text -noout
In the instance below, I’ve the analyzed a VeriSign CA public key, but lots of useful information can be gathered from here and checked:
About the author: Glen Kemp is an enterprise solutions architect for a UK-based managed services provider. He designs and deploys network and application security tools, including access control, remote access, firewalls and other “keep the bad guys out” technologies. He is an experienced professional services consultant; delivering Elephants and not hunting Unicorns. He is also a guest blogger for the Packet Pushers Podcast and a Juniper Ambassador. Follow him on Twitter @ssl_boy.
Here’s how it’s done. I’ll be using my machine as an example. (minion.digitalw00t.com)
Create the csr:
openssl req -newkey rsa:2048 -subj /CN=minion.digitalw00t.com -nodes -keyout minion.digitalw00t.key -out minion.digitalw00t.csr
casert request a new server cert, copy/paste the contents of minion.digitalw00t.csr into the page and submit.