WestHost: Professional Website Hosting Company
  1. #1 (Junior Member, Join Date Sep 2004, Posts 19)

    How do I install my own SSL certificate

    I've just purchased my own secure certificate and want to install it.

    I have OpenSSL already functioning for the shared certificate and can see 3 directories:

    ssl.crt
    ssl.csr
    ssl.key

    So now I have 2 certificates to install, a) my own private certificate and b) the Intermediate certificate from the issuer.

    What goes where, and do I just overwrite the contents of the certificates already in those directories or upload new files?

    Obviously very new to this and only got this far reading help files but they don't actually help you through the install process, just get you this far.

    Advice appreciated!

  2. #2 (Junior Member, Join Date Nov 2006, Posts 11)

    Installing a chained certificate with intermediate files

    Hi,

    I went through this pain so I'm going to answer your question by doing my best to document what I had to go through here. I hope it helps you out but I must admit that I'm doing this for selfish motives (I want to document this in case I have to do this again sometime).

    I purchased a chained SSL certificate from GoDaddy! (mostly because I didn't know any better) although once it is installed it does provide encryption. Unfortunately, major browsers don't recognize this form of certificate as automatically trusted so you get a box popping up to "warn" your site visitor that they must decide whether to trust your site. For that reason, I will most likely upgrade to something more substantial from a bigger name in order to lose that pop up warning once (and if) the business becomes more established.

    IMPORTANT: Before you get started please check the PHP version you are using (if you're not using PHP, you can ignore this note). This will affect your site's uptime because if you install a chained certificate and you're using the wrong version of PHP, everything that is dependent upon PHP will not work! That includes Joomla!
    Westhost will help you install the necessary version (PHP 5.1.2) if you tell them it is needed for a chained SSL certificate (It's not available from the Control Panel). It was a downgrade for me but I am running the latest stable version of Joomla 1.0.12 (upgraded myself) and it works fine with that version of PHP.

    As for the installation ... Here is what I had to do. Did it with help from Westhost staff, who were great!

    1.) Install OpenSSL version 0.9.6 from the Westhost Control panel. On the first page it asks for the location of the server.key, server.crt, and server.csr files. Keep the defaults.
    2.) On the second page, it asks for information necessary to generate the certificate. Fill that in as follows:
    country code (use the standard code ... 'us' for United States)
    state (spell out the full name, no abbreviations on the state)
    city (same with the city, no abbreviations allowed)
    organization name (your own name if your company is a sole proprietor DBA, or company name if you are incorporated, I believe)
    Organizational unit name (company name goes here if DBA, or part of company)
    fully qualified domain name (no http:// but put the rest of your base domain ... for example 'www.mydomain.com')
    email address (use the owner's personal email address at the domain listed above)

    3.) IMPORTANT!!! This will create a private key file, which is encoded (server.key) in the default directory. This file is critical to keep. Back it up along with the corresponding server.crt and server.csr files! If you lose your key file, you lose your certificate and you will not be able to retrieve it.

    4.) Now go buy your chained certificate from GoDaddy!, or if you have the resources, do yourself a favor and buy a regular (not chained) SSL certificate from a highly trusted vendor.

    5.) When you purchase your SSL certificate, GoDaddy! will send you a mail with information on how you can create your certificate. You need to know to choose Apache as the web server type ... Note that Linux is an option as well, but choose Apache. You will go onto their site, and use the contents of the server.csr (Certificate Request File) that you created in step 2 to generate a certificate and if you are like me, you will expect to get back a server.crt (Security Certificate) file to replace the temporary (read fake) server.crt file that exists in your system. In the case of a non-chained certificate I think that is the case (someone who has created a non-chained certificate can confirm that if they so desire).

    6.) GoDaddy! sends you a www.yourdomainname.crt (Security Certificate) file, a gd_intermediate.crt file, and a gd_cross_intermediate.crt file along with a link to a set of WHOLLY UNSATISFACTORY instructions that will frustrate you unless you are in the know!

    So NOW WHAT ... I'll tell you!

    RIGHT NOW! BACK UP YOUR httpd.conf file before you mess with it. If your site goes south you can restore the old one and no issues!

    7.) Uncomment the following lines in the /etc/httpd/conf/httpd.conf file and make sure they look exactly like this!

    ...
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    ...
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    ...
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
    ...
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
    ...

    IMPORTANT: DON'T change the names in the httpd.conf file to match the names of the files GoDaddy! sent you, change the names of the files GoDaddy! sent you to match what I've outlined above (I'll describe this explicitly below).


    8.) Now rename and place the files as follows ...

    Rename gd_intermediate.crt to ca.crt and put it in /etc/httpd/conf/ssl.crt/
    Rename www.yourdomainname.crt to server.crt and put it in the same place.
    As for the ca-bundle.crt file, I must admit I am not sure what file got renamed to that. I'll have to get back to you but seems like it must have been the gd_cross_intermediate.crt (but would not swear to it). If that does not work, try renaming a copy of gd_intermediate.crt.

    KEEP all these files in another safe place for later use in case they are lost from your server.

    That should do the trick (if you are using GoDaddy!) Simple 8 step process. Now maybe you can avoid the frustration and hair loss I had to go through. Hope this helps. If you run into other issues, call support. They are TOPS in my book!

  3. #3

    Just 2 files, Not 3

    I also purchased a certificate from Godaddy just last night. Gave up trying to install it and went to bed. Looks like I got great instructions here, but I only got 2 files from Godaddy, not three... hmmmm....

    I got the gd_intermediate_bundle file and the file that is named with my website address.

    Help?

    Thanks.
    Last edited by mramey; 06-09-2007 at 11:30 AM. Reason: Didn't title it

  4. #4

    One more question

    What exactly pops up warning your website visitors with this certificate? At what point do they see this pop-up? Does it pop up just once?

    Thanks.

    Ok... so that was 3 questions.

  5. #5 (Junior Member, Join Date Nov 2006, Posts 11)

    Sorry for lack of response ...

    mramey

    Sorry I did not respond, thought notification was turned on for this, but apparently it was not. Did you figure out your issues? Sounds like you are trying to install a plain certificate, not a chained one... These are for chained only. If you still need help reply.

    Again, sorry I didn't chime in.

    Tom

  6. #6 (Junior Member, Join Date Nov 2006, Posts 11)

    The pop-up has the following text ...

    Information you exchange with this site cannot be viewed or changed by others. However there is a problem with the site's security certificate.

    The security certificate was issued by a company you have not chosen to trust. View the certificate to determine if you want to trust the certifying agency.

    This message pops up when the user accesses an https page for the first time (pops up once) when using Internet Explorer. This would not pop up if I purchased a non-chained certificate from a big name outfit, just can't afford it yet. It's on my list to upgrade.

    As for the number of files, I'll try to figure out if I'm confused and if so, what changes might need to be made to my instructions. It took so many tries to install the certificate that I may have messed up a step in these instructions. If that's the case, sorry!

    Also, if you got it to work, consider explaining what you did ... There is always a call to Westhost Support. They were great and helped me out!

  7. #7 (Junior Member, Join Date Jan 2009, Posts 2)

    Thanks to Westhost's excellent tech service, I'd like to update this thread with the latest information on installing a Godaddy secure certificate into your domain.

    Generate the key using the OpenSSL install on the 'Site Applications Install and manage' page.

    In SSH navigate to
    /usr/local/apache/conf/ssl.csr/

    Dump that file to your terminal screen:
    cat server.csr

    You will get something like:

    -----BEGIN CERTIFICATE REQUEST-----
    QQLEwJIUTEfMB0GA1UEAxMWd3d3LmNhcmRpbmFsZmx5ZXJzLmNv
    gfGFtcHNoaXJlMR8wHQYDVQQKExZDYXJkaW5hbCBGbHllcnMgT25s
    bTIb3DQEJARYYa2VpdGhAY2FyZGluYWxmbHllcnMuY29tMIGfMA0G
    MBGFtcHNoaXJlMR8wHQYDVQQKExZDYXJkaW5hbCBGbHllcnMgT25s
    aWLEwJIUTEfMB0GA1UEAxMWd3d3LmNhcmRpbmFsZmx5ZXJzLmNv
    bTSIb3DQEJARYYa2VpdGhAY2FyZGluYWxmbHllcnMuY29tMIGfMA0G
    aWLEwJIUTEfMB0GA1UEAxMWd3d3LmNhcmRpbmFsZmx5ZXJzLmNv
    fKsalDxEFLG4yiKWpWrpHI10Tic0pT2nIrT66BvpWbVLiyvz4EgDexCf5
    MIIwgawxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9pczES
    z2sNXy9/cSwJlptjxABiUhE=
    -----END CERTIFICATE REQUEST-----

    Copy-paste that block of text into your Godaddy request window and select Apache as the server type. It will probably ask you this question two times.

    Click on the 'download certificate' to get the zip file with your certificates.

    You will get these files:
    www.your_domain.crt
    gd_bundle.crt

    Push both files into this folder using SFTP or FTP:
    /usr/local/apache/conf/ssl.crt

    Now go to the location where the configuration references to the SSL certificates are located:
    cd /etc/httpd/conf.d/

    Edit the ssl.conf file. This file is evidently referenced by the normal httpd.conf file:
    pico ssl.conf

    Look for (using /w... it's around line 118)
    SSLCertificateFile

    and set it to match your domain certificate (Apache directives take no "=" between the name and the value):
    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.your_domain.crt

    A few lines down find
    #SSLCertificateChainFile

    Uncomment it and edit it to the chain file you got from Godaddy:
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_bundle.crt


    Restart Apache with
    apachectl restart

    and you should be up and running.

  8. #8 (Junior Member, Join Date Jul 2009, Location Laguna Beach, CA, Posts 2)

    Setting Up a Chained SSL from Namecheap.com

    Here's my blow-by-blow with a chained certificate from Namecheap (they include an SSL cert free with new domains).

    Disclaimer: I wrote this down after the fact, so I might have left out a step or two. If so, and you figure out what is missing, please post a comment and I will amend this document (assuming I still have editor access to it).

    What to have in place before beginning:
    1. Make sure there is a working "admin" email address, such as webmaster@your_domain.com (the Approver email address).

    Getting and generating the SSL certificates
    1. Use the WestHost Site Manager, go to Install & Manage and if not already installed, install OpenSSL (if it is installed, uninstall it and then re-install it [because the "Edit OpenSSL" tool doesn't work])
    2. Use the following as a template for filling out the form:

    Country Code: US
    State: California (full name, no abbreviations)
    City Name: Your City (full name, no abbreviations)
    Organization Name: RapidSSL.com
    Organizational Unit Name: Marketing (or something to that effect)
    Fully Qualified Domain Name: www.your_domain.com
    E-mail Address: your_username@some_email_domain.com

    3. Open a PuTTY (or similar SSH Terminal) session and do the following:

    cd /usr/local/apache/conf/ssl.csr
    cat server.csr

    4. Copy the file contents. It should look something like:

    -----BEGIN CERTIFICATE REQUEST-----
    MIIB7TCCAVYCAQAwgawxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
    MRUwEwYDVQQHEwxMYWd1bmEgQmVhY2gxFTATBgNVBAoTDFJhcGlkU1NMLmNvbTES
    ...
    2J4sB4+Uhl6/nwwJSZUa55dFmXOii1q7lTssIGCjDGXrHzwqbN2NEfOuyhGLzhWg
    nCQSq18AVv1yGMmmWoerZsA=
    -----END CERTIFICATE REQUEST-----

    5. Go to www.namecheap.com and open the SSL Certificates/Your SSL Certificates list, login, and then click the Activate Now link on the one you want to activate. There, paste the server.csr file contents in the Enter csr box.

    6. In the Select web server [Please Select a Server Type] list box, select Apache + OpenSSL

    7. Submit the form, then select an "admin" email address such as webmaster@your_domain.com, submit. It will verify the address (which is why it's important that it be a working address) and wait for the email (sent to the admin email address) that will contain a new POSITIVESSL certificate. Copy this and paste it into a file named your_domain_com.crt, and upload that file to:

    /usr/local/apache/conf/ssl.crt

    8. chmod the file so only root has read access (and nobody has write access):

    chmod 400 your_domain_com.crt

    9. The email should also contain either a chain file (also called a bundle file) or a set of key files. If it is one file with a ca-bundle extension, then go to step 10, otherwise (as was my case) you will need to create a chain file:

    a. Download the attached files from the email, unZIP them and then upload them to the following dir:

    /etc/httpd/conf/ssl.crt

    b. Open a PuTTY session and cd to the above dir. Then type the following:

    cat PositiveSSLCA.crt UTNAddTrustServerCA.crt AddTrustExternalCARoot.crt > ca.crt

    c. Go to step 11

    10. If the chain file was attached to the email then it will need to be downloaded to your PC, and then uploaded to:

    /etc/httpd/conf/ssl.crt

    then, its name will need to be changed to ca.crt (from yourdomain.ca-bundle)

    11. There might also be another file with a name like: www_yourdomain_com.crt. This file should have the same content as is copied in the body of the email. You can use either one (the file created from the email content, or the file that is attached). Note: in my case there were no files attached to the email. All I had was the certificate text in the email content. I had to submit a ticket to get the rest of the files (the link for downloading the bundle file directly wasn't working, either).

    12. Open the /etc/httpd/conf.d/ssl.conf file for editing and un-comment the SSLCertificateChainFile directive.

    13. Restart the web server.



    To get the certificate to work with a virtual host, try the following:

    NOTE: This will only work with one virtual host, and when implemented, the default host cannot use SSL (i.e. only ONE host, whether virtual or not, can use SSL)

    1. Back up the /etc/httpd/conf.d/ssl.conf file
    2. Open the /etc/httpd/conf.d/ssl.conf file in vim
    3. Find

    #DocumentRoot "/var/www/html"

    and change it to:

    DocumentRoot "/var/www/html/new_virtual_host_dir"

    4. Find (usually right below the DocumentRoot directive)

    ServerName default_domain.com:443

    and change it to:

    ServerName new_domain.com:443


    5. Save it and restart the web server.

    If it doesn't work (as it didn't my first time) be sure to check the ssl_error_log [default location: /var/log/httpd]

    The log told me that the ServerName in the ssl.conf file didn't match the CommonName in the RSA certificate, which was super easy to fix.
    Last edited by GraphiteFingers; 07-24-2009 at 10:50 AM. Reason: Added note about Approver email address and SSH Terminal
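A consistency check for the two things the posts above leave to trial and error: whether the bundle (ca.crt, gd_bundle.crt, or the `cat PositiveSSLCA.crt ... > ca.crt` concatenation in step 9b) is ordered leaf-signing intermediate first with each issuer matching the next subject, and whether the certificate's CommonName matches the ServerName in ssl.conf (the ssl_error_log complaint in the last post). This is an added example, not code from the thread, WestHost, GoDaddy or Namecheap. It uses only the Python standard library, with a small DER walker standing in for the openssl command line; the certificates it checks are constructed inside the block with a toy encoder and are unsigned, so the names "www.example.com", "Example Intermediate CA" and "Example Root CA" are assumptions, and it checks ordering and naming only, not signatures (run `openssl verify -CAfile ca.crt server.crt` on the real files for that).

```python
"""Added example: check that server.crt, the CA bundle and ServerName agree before restarting Apache."""
import base64
import re

OID_CN = bytes.fromhex("550403")                      # id-at-commonName, 2.5.4.3
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

# ---- tiny DER encoder, used only to build the constructed sample certificates ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def x509_name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (one CN only here)
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(0x13, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

SIG_ALG = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))

def toy_cert(subject_cn, issuer_cn):
    """Constructed, unsigned, v1-shaped X.509 certificate as a PEM string (assumed names)."""
    validity = tlv(0x30, tlv(0x17, b"090101000000Z") + tlv(0x17, b"100101000000Z"))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + SIG_ALG + x509_name(issuer_cn)
              + validity + x509_name(subject_cn) + tlv(0x30, b""))
    cert = tlv(0x30, tbs + SIG_ALG + tlv(0x03, b"\x00"))  # empty signature BIT STRING
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# ---- tiny DER reader ----
def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

def common_name(name_der):
    for _, rdn in children(name_der):                   # each RDN is a SET
        for _, atv in children(rdn):                    # AttributeTypeAndValue SEQUENCE
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                return value.decode()
    return None

def cert_names(der):
    """(subject CN, issuer CN) of one DER-encoded certificate."""
    tbs = children(children(der)[0][1])[0][1]           # Certificate -> tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return common_name(fields[4][1]), common_name(fields[2][1])

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    return [base64.b64decode("".join(block.split())) for block in PEM_RE.findall(text)]

def check_chain(server_pem, bundle_pem, server_name):
    """Return a list of problems (empty = consistent). CN only: no SAN, wildcard or signature check."""
    leaf = pem_certs(server_pem)
    if len(leaf) != 1:
        return ["server.crt must contain exactly one certificate"]
    names = [cert_names(c) for c in leaf + pem_certs(bundle_pem)]
    problems = []
    if names[0][0] != server_name:
        problems.append(f"ServerName {server_name!r} does not match certificate CN {names[0][0]!r}")
    for i in range(len(names) - 1):                     # leaf first, then each issuer in turn
        issuer, next_subject = names[i][1], names[i + 1][0]
        if issuer != next_subject:
            problems.append(f"chain break after certificate {i}: issued by {issuer!r}, "
                            f"but the next certificate in the bundle is {next_subject!r}")
    return problems

# Constructed sample chain: leaf <- intermediate <- self-signed root, in the order a
# bundle like gd_bundle.crt or the ca.crt built with cat in step 9b should have.
SERVER_CRT = toy_cert("www.example.com", "Example Intermediate CA")
GOOD_BUNDLE = (toy_cert("Example Intermediate CA", "Example Root CA")
               + toy_cert("Example Root CA", "Example Root CA"))
WRONG_ORDER = (toy_cert("Example Root CA", "Example Root CA")
               + toy_cert("Example Intermediate CA", "Example Root CA"))

if __name__ == "__main__":
    print(check_chain(SERVER_CRT, GOOD_BUNDLE, "www.example.com") or "OK")
    print(check_chain(SERVER_CRT, WRONG_ORDER, "www.example.com"))
```

Against the real files, call check_chain(open("server.crt").read(), open("ca.crt").read(), "www.your_domain.com") with the ServerName you put in ssl.conf; an empty list means the certificate, the bundle order and the ServerName agree, and anything else is a message you can act on before restarting httpd rather than reading it out of ssl_error_log afterwards.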
