CREATE CERTIFIED WEBSITE USING VIRTUALMIN AND MANUAL SSH
STOP STOP STOP STOP STOP
if this is the first attempt, you will need to “validate” this domain name, which means having access to either
- webmaster@
- hostmaster@
- postmaster@
you have 60 seconds to get the access code emailed to you, so be sure to have NEAR-INSTANT access to one of these email addresses!
NOTE: be SURE to include the domain name and the www(dot) name 2016-04-30
NOTE: node.js may use the certs so be sure to check for that.
(to use a domain name with subdomains (like comptonpesltrainers.com), use the wildcard:
- comptonpesltrainers.com
- *.comptonpesltrainers.com
we are using startssl.com
Filenames are not really important, but just remember what they are.
1) in VIRTUALMIN, create (OR CHANGE) the domain with SSL enabled (option three under “Enabled Features”; the option reads: SSL website enabled?)
1a) optionally remove ssl keys that were created in the “/home/XXXXXX.com” directory: rm -v ssl.key ssl.cert;
2) if it is a new site, make sure the site is reachable:
echo 'new server tester' > /home/myNewDomain.com/public_html/index.html
visit http://myNewDomain.com/
3) create private key AND csr (certificate request)
openssl req -newkey rsa:2048 \
-keyout myNewDomain.com-WITH-PASSPHRASE.key \
-out myNewDomain.com.csr ;
-------------------------------------------------------
Enter PEM pass phrase: temp
Verifying - Enter PEM pass phrase: temp
.......
Country Name (2 letter code) [XX]: US
State or Province Name (full name) []: AZ
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]: Compton P-ESL Online
Organizational Unit Name (eg, section) []: IT Dept
Common Name (eg, your name or your server's hostname) []: accentreduction.online,*.accentreduction.online
Email Address []: mark@comptonpeslonline_DOTTY_com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
-------------------------------------------------------
notice: be sure to use both domain names at this point:
Common Name (eg, your name or your server’s hostname) []:
use both comptonpeslonline(dot)com and www(dot)comptonpeslonline(dot)com
4) remove the pass-phrase from previous step:
openssl rsa \
-in myNewDomain.com-WITH-PASSPHRASE.key \
-out myNewDomain.com.key ;
-------------------------------------------------------
Enter pass phrase for myNewDomain.com-WITH-PASSPHRASE.key: temp
writing RSA key
-------------------------------------------------------
here are our important files:
File Name: | Usage: |
---|---|
myNewDomain.com.key | private key (our server only!) |
myNewDomain.com.csr | “certification request key” to be given to startssl |
5) cat myNewDomain.com.csr; click-drag (copy) the output into the paste buffer
6) go to https://startssl.com
- Client Certificate Login
- Certificates Wizard (second tab)
- Select Certificate Purpose: Web Server SSL/TLS Certificate, continue
select “IV SSL Certificate (2 years, display your name, wildcard support)”
according to support, IV is for personal use, so long as I own the name
don't choose “DV SSL Certificate (1 year, display domain only)”
N-O-T-E (2016-10-13): add all three:
- myDomain.com
- www.myDomain.com
- *.myDomain.com
7) generate: choose “Generated by Myself” and enter the myNewDomain.com.csr value copied in the prior step
7a) optionally delete these two files, they are not needed anymore:
- myDomain.com-WITH-PASSPHRASE.key
- myDomain.com.csr
8) download the two certificate files and open ApacheServer.zip
9) upload (or click/copy & cat) the two certificate files to the server:
1_root_bundle.crt
-----BEGIN CERTIFICATE-----
MIIF5TCCA82gAwIBAgIQal3D5TtOT9B7aR6l/OxkazANBgkqhkiG9w0BAQsFADB9
blah blah blah blah blah blah (34 lines total)
Szc2kuPNbrV8PvbTLIXupfZFFj0d9mpaFg==
-----END CERTIFICATE-----
2_myNewDomain.com.crt
-----BEGIN CERTIFICATE-----
MIIF8DCCBNigAwIBAgIQP4WAwZmJITJAf9FkUPeqqjANBgkqhkiG9w0BAQsFADB4
blah blah blah blah blah (34 lines total)
8K1HEJBEpsZRg1fZVL1OmBoT7Zoifw6QEPND5Q0MRMpScCdD
-----END CERTIFICATE-----
10) vi /etc/httpd/conf/httpd.conf:
change this:
SSLEngine on
SSLCertificateFile /home/myDomain.com/ssl.cert
SSLCertificateKeyFile /home/myDomain.com/ssl.key
</VirtualHost>
to this:
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /home/myNewDomain.com/2_myNewDomain.com.crt
SSLCertificateKeyFile /home/myNewDomain.com/myNewDomain.com.key
SSLCACertificateFile /home/myNewDomain.com/1_root_bundle.crt
</VirtualHost>
Line Prefix | What to do? | Value With Path |
---|---|---|
SSLProxyEngine on | New | |
SSLCertificateFile | Change | 2_myNewDomain.com.crt |
SSLCertificateKeyFile | Change | original key name |
SSLCACertificateFile | New | 1_root_bundle.crt |
11) restart apache (DON'T SKIP THIS STEP)
apachectl configtest ; ## DO THIS FIRST ! — 2016-09-20
systemctl restart httpd ;
12) USING FIREFOX and https, make sure the domain loads using the new secure protocol:
https://myDomain.com/
firefox is more strict on certificates than chrome is (for now anyway).
13) verify the result:
https://www.geocerts.com/ssl_checker
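A set of checks for the files from steps 4 and 9, added here as an example rather than taken from the notes above or from StartSSL/Virtualmin: it confirms the key matches the certificate, that the certificate chains to the root bundle, and which names the issued certificate actually covers (those are the SANs picked in step 6, not the comma-separated Common Name typed in step 3). It assumes openssl on PATH and RSA keys; the demo CA and leaf it builds are constructed throwaways.

```shell
#!/bin/sh
# Added example, not from the original notes: sanity-check the files from
# steps 4 and 9 before restarting Apache in step 11. Assumes openssl is on
# PATH and RSA keys (as in step 3); file names follow the notes.

# 0 when the private key and the certificate carry the same RSA public key
# (a mismatch is the usual cause of Apache refusing the key/cert pair).
key_matches_cert() {
  kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ "$kmod" = "$cmod" ]
}

# 0 when the server certificate validates against the CA bundle that Apache
# will send via SSLCACertificateFile.
cert_chains_to_bundle() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when NAME (bare, www or wildcard form) is among the certificate's SANs;
# browsers match on SANs, not on the Common Name typed into the CSR.
cert_has_san() {
  openssl x509 -noout -text -in "$1" 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' | tr -d ' ' \
    | grep -qxF "DNS:$2"
}

# Constructed, throwaway CA + leaf pair (NOT a real StartSSL certificate) so
# the checks can be exercised offline; prints the temp directory.
make_demo_certs() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
    -keyout "$d/ca.key" -out "$d/1_root_bundle.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=myNewDomain.com' \
    -keyout "$d/myNewDomain.com.key" -out "$d/myNewDomain.com.csr" 2>/dev/null
  echo 'subjectAltName=DNS:myNewDomain.com,DNS:www.myNewDomain.com,DNS:*.myNewDomain.com' \
    > "$d/san.cnf"
  openssl x509 -req -days 1 -in "$d/myNewDomain.com.csr" \
    -CA "$d/1_root_bundle.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/san.cnf" -out "$d/2_myNewDomain.com.crt" 2>/dev/null
  echo "$d"
}

# Stand-alone run against the demo pair; on the real box point these at
# /home/myNewDomain.com/ instead.
D=$(make_demo_certs)
key_matches_cert "$D/myNewDomain.com.key" "$D/2_myNewDomain.com.crt" && echo "key/cert: match"
cert_chains_to_bundle "$D/2_myNewDomain.com.crt" "$D/1_root_bundle.crt" && echo "chain: ok"
cert_has_san "$D/2_myNewDomain.com.crt" 'www.myNewDomain.com' && echo "SAN www: present"
```

Run it before step 11 so a bad key/cert pair is caught by these checks instead of by apachectl configtest.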
OPTIONAL WAY OF REMOVING PASS-PHRASE (this pastes the private key into a third-party web page, so it is no longer "our server only"):
1) cat DOMAIN.key (from earlier step)
2) toolbox -> Decrypt Private Key: paste DOMAIN.key and the pass phrase here
3) mv DOMAIN.key DOMAIN.key-ENCRYPTED-WITH-PHRASE
4) create new DOMAIN.key from step nine
USING A NAMECHEAP CERTIFICATE (same as Comodo):
xx_com.crt and xx_com.ca-bundle are in the zip file download; delete the unneeded xx_com.p7b
in apache:
SSLCertificateFile /home/ajcomptonpesl.com/ajcomptonpesl_com.crt
SSLCertificateKeyFile /home/ajcomptonpesl.com/ssl.key
SSLCACertificateFile /home/ajcomptonpesl.com/ajcomptonpesl_com.ca-bundle