Generate key and csr
sudo sucd /etc/sslopenssl genrsa -des3 -out server.pass.key 2048# store the password in the Authentication fileopenssl rsa -in server.pass.key -out server.keyopenssl req -newkey rsa:2048 -nodes -sha256 -keyout server.key -out server.csr
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Philadelphia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chemical Heritage Foundation
Organizational Unit Name (eg, section) []:Library
Common Name (e.g. server FQDN or YOUR name) []:hydra.chemheritage.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
mv server.key private/mv server.pass.key private/cd privatechown root:ssl-cert server.*chmod 640 server.*
Generally it's better to name the key and csr after the server itself, e.g. hydra-chemheritage-org.csr; you can rename them after creation.
referenced:
Generate self-signed cert
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Purchasing a godaddy cert for prod
Email the csr to Chuck / Ponce and ask them to buy you a cert. Specify number of years
Installing the cert
- Put the cert(s) in place on the server; check permissions
- There are 2. The cert itself and the gd_bundle (intermediate cert)
- fill in the ansible config values for ssl stuff
- run an ansible playbook that just does that apache setup
- First check/change 'hosts' in the top-level 'app-config.yml' playbook
- ansible-playbook -i hosts --tags "ssl" app-config.yml --ask-vault-pass
- NOTE/TODO! I'm currently refactoring this; won't need tag 'ssl' anymore because apache config stuff is getting its own nested role in apache-passenger/apache-config
- restart apache on server
- referenced: https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority#apache
Forcing all traffic to SSL