DIGIPOWER Tutorials

Guide to deploying and installing an SSL certificate on a server running Kloxo (2048-bit)

Last updated
5th of June, 2014

This tutorial will show you how to set up a 2048-bit SSL certificate in Kloxo (LxAdmin).

Kloxo currently does not support creating 2048-bit CSRs via the panel, so we will need to shell into the system to create the CSR.

1. Generate your Key

I recommend downloading “PuTTY” to SSH into your server ( http://experts-hosting.info/downloads.php ). Just get PuTTY for Windows. Once you log in as the root user, you need to create a key. By default you are in the /root folder and you can create the key right there.

Next run this command to create the key.

openssl genrsa -out mydomain.com.key 2048
Next you want to copy the key and keep it saved for later, when importing the purchased SSL. Run this to display it; you can highlight the output, paste it into Notepad and save it for later use. (You may need to make your PuTTY window larger to see it.)

cat mydomain.com.key
Here is an example:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Several notes about this:
- This key will not be password protected. In our experience, password-protected keys are a major pain in the neck to work with because they require you to enter a password every time you start or restart Apache. The additional security isn’t very necessary on a VPS when you are the only one with root access to your machine.
- The naming of the key can be important if you plan on having several secure domains on your VPS. It helps avoid confusion. For this demonstration, we’ll be using the domain “mydomain.com” but it could really be anything you’d like it to be.
- Last, we will be generating a 2048-bit encryption key here, but you could theoretically create one with stronger (or weaker) encryption if you’d like to. 2048-bit keys are standard.

2. Generate your CSR

Now that we’ve generated our Key, we need to generate what’s called a “Certificate Signing Request” or CSR. This request is the part that SSL companies (like Geotrust) need in order to provide you with a signed certificate. To generate a CSR, run the following command:

openssl req -new -key mydomain.com.key -out mydomain.com.csr
You will then be asked a series of questions (example below). Go ahead and modify the answers to suit yourself:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TN
State or Province Name (full name) [Berkshire]:Tunis
Locality Name (eg, city) [Newbury]:Tunis
Organization Name (eg, company) [My Company Ltd]:Experts Hosting
Organizational Unit Name (eg, section) []:mydomain.com
Common Name (eg, your name or your server's hostname) []:mydomain.com
Email Address []:webmaster@mydomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note that the “Challenge Password” and “optional company name” fields were left blank.

After that, you should have a nice little .csr file. To view your CSR file, run the following command:

cat mydomain.com.csr
It will return what looks like a bunch of junk… but it’s actually your certificate request in encoded form:

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
This is the code that you need to copy and paste into the special instructions field when you order your SSL certificate from the SSL company.
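
Steps 1 and 2 can also be run without prompts and checked before the CSR is sent off. The script below is an added example, not part of the original tutorial; the domain `example.test` and the DN values are placeholders. It creates the key under a restrictive umask, builds the CSR with `-subj`, then reads back the key size, Common Name and self-signature from the CSR, which is Base64-encoded and can be decoded by anyone who holds it.

```shell
#!/bin/sh
# Added example. "example.test" and the DN values are placeholders.

# Create a 2048-bit key and a CSR for <domain> in <outdir> without prompts.
make_key_and_csr() {
    domain=$1; out=$2
    # umask 077 in a subshell: the key is never readable by other users.
    ( umask 077 && openssl genrsa -out "$out/$domain.key" 2048 2>/dev/null ) || return 1
    # -sha256 is stated explicitly; older OpenSSL releases default to a
    # weaker digest for signing the request.
    openssl req -new -sha256 -key "$out/$domain.key" \
        -subj "/C=TN/ST=Tunis/L=Tunis/O=Example Org/CN=$domain" \
        -out "$out/$domain.csr"
}

# Key size recorded in the CSR (digits only).
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Common Name the CA will issue for (handles both subject print formats).
csr_cn() {
    openssl req -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeeds only if the CSR's self-signature verifies, i.e. the request
# was not damaged while being copied and pasted.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
make_key_and_csr example.test "$demo_dir" &&
    csr_signature_ok "$demo_dir/example.test.csr" &&
    echo "CN=$(csr_cn "$demo_dir/example.test.csr")" \
         "bits=$(csr_key_bits "$demo_dir/example.test.csr")"
rm -rf "$demo_dir"
```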

When you order your SSL certificate, a verification message will need to be sent to “webmaster@mydomain.com” (at the domain that is to be secured) in order to make sure we are ordering this SSL certificate at your request. You will need to verify the order as per the verification email instructions; then we will deliver the .cer file (your actual SSL certificate) to the email address you used when ordering the certificate from our site. You can also use this CSR for ordering from other places as well.

Log into Kloxo and click on the SSL Certificate link.

Now click on the Add Upload Txt tab. Put in the name you want to give the paid certificate (for example, mydomain.com). Next, in the Certificate section, paste in the certificate you got from the SSL company. Next, in the Key section, paste in the key we copied earlier to Notepad. Next, for the CACert section, if you have the CACert go ahead and put that in. However, I believe most name-brand SSLs will have this info in the browsers and I don’t think you have to have it. However, if you have the info, by all means put it in there. Or, if you’re having problems with your browser seeing the issuing company, get the info and put it in. I just worked on a Comodo SSL which worked OK for IE 7 but did not work in Firefox 3 without having the CA certificate.

Go ahead and click add

We are now back at the list of the SSLs on the server. Click on the SSL we just added (in my case, mydomain.com). Next, in the oval box that states

To assign this ssl certificate to a particular ipaddress, click here and then go into an ipaddress, and click on ssl certificate tab, and you can set one of these certificates to a particular ipaddress. The admin will need to have assigned you an exclusive ipaddress for you to access this feature.

click on the click here link.

Next click on the IP address we are using for the site that will have the SSL. Then click on Ssl Configuration Home tab. Select the SSL we are wanting to use. Then click update.

I have found that at times Apache still needs a restart to get things working right away. Go back to Home, then down to the Server : Linux section, and click on Services. Then, on the line that has the name httpd, click on the last bubble on that line; it is the restart bubble. If you mouse over the bubble, it will pop up with what it does.
Or, you can log in via SSH and type this command:

/etc/init.d/httpd restart
You may also need to assign the domain to the ip address. If you have trouble with assigning the SSL try clicking on the configure domain tab under the ip address and assign that IP to the domain. Then restart apache and check the site for the correct SSL certificate.

Now go to your site (for example, https://mydomain.com) and you should be good to go.
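
Before pasting the certificate, key and CA certificate into the Add Upload Txt form described above, it helps to confirm on the server that the three pieces belong together. The script below is an added example, not part of the original tutorial; the script name `precheck.sh` and the file names in its usage line are hypothetical. It compares the public key in the certificate with the one derived from the private key, and checks that the certificate verifies against the CA file.

```shell
#!/bin/sh
# Added example: pre-upload checks for the certificate, key and CA certificate.

# Succeeds when the certificate's public key is the one that belongs to
# the private key. Returns 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate verifies against the supplied CA file.
# OpenSSL's default trust store is consulted as well. The output is
# matched instead of the exit status so the result does not depend on
# how a given OpenSSL release sets its exit code.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Hypothetical usage: sh precheck.sh site.crt site.key ca.crt
if [ "$#" -eq 3 ]; then
    if cert_matches_key "$1" "$2"; then
        echo "certificate and key match"
    else
        echo "certificate does NOT match the key" >&2
        exit 1
    fi
    if chain_ok "$3" "$1"; then
        echo "certificate verifies against the CA file"
    else
        echo "certificate does NOT verify against the CA file" >&2
        exit 1
    fi
fi
```

A certificate that passes the first check but fails the second is the situation in which the CACert field needs the issuer's CA certificate.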

Here is a small glance on how SSL works :

[Image: Experts Hosting | SSL certificates]