These instructions describe how to create and request a StartSSL (https://www.startssl.com/) certificate, and document some common issues that may occur during the process. You must complete registration on StartSSL before following these instructions.
[toc]
```
openssl genrsa -aes256 -passout "pass:%keyPass%" -out "%fileName%.secure.key" %keyStrength%
```
Parameters:
- %keyPass%: key password
- %fileName%: key file name
- %keyStrength%: 1024, 2048 or 4096
```
openssl rsa -passin "pass:%keyPass%" -in "%fileName%.secure.key" -out "%fileName%.key"
```
The file btt.cfg contains settings for both self-signed certificates and signing requests, all set up with a wildcard domain name. A wildcard domain name cannot be requested without a higher CA class level, but the config still works fine for a lower-level request.
First copy the original OpenSSL config file, then make the following changes:
#####Add/Setup extensions for request
```
req_extensions = v3_req
```
Uncomment or add the above line in the [ req ] section.
```
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = *.mydomain.com
DNS.2 = mydomain.com
```
Uncomment or add the [ v3_req ] and [ alternate_names ] sections in the config file.
#####Add/Setup extensions for self-signed Cert (Optional for Self-Signed Cert)
Skip this step if you do not need to produce a self-signed cert.
```
copy_extensions = copy
```
Uncomment or add the above line in the [ CA_default ] section.
```
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
```
Uncomment or add the above lines in the [ v3_ca ] section.

Note: There is no need to add another [ alternate_names ] section if you have already added it to the file.
####Generate a Request
```
openssl req -new -sha%shaStrength% -key "%fileName%.secure.key" -passin "pass:%keyPass%" -out "%fileName%.csr" -subj "/CN=%CN%" -config "%cfgFile%"
```
Parameters:
- %keyPass%: key password
- %shaStrength%: 1, 128 or 256
- %cfgFile%: config file name
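The request step above, run end to end as an added example (not part of the original instructions): it writes a minimal config with the same [ v3_req ] and [ alternate_names ] sections, creates a CSR, and reads the SAN entries back so you can confirm they are in the request before submitting it. The throwaway unencrypted key, the temp directory and the helper names csr_sans and csr_ok are assumptions of the example.

```shell
#!/bin/sh
# Added example: build a CSR from a minimal config and check what it really contains.
set -e
T=$(mktemp -d)
cat > "$T/req.cfg" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
[ dn ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = *.mydomain.com
DNS.2 = mydomain.com
EOF
# Throwaway demo key without a passphrase (the real key above is AES-256 protected).
openssl genrsa -out "$T/demo.key" 2048 2>/dev/null
openssl req -new -sha256 -key "$T/demo.key" -out "$T/demo.csr" \
    -subj "/CN=mydomain.com" -config "$T/req.cfg"

# csr_sans FILE: print the DNS names in the request's subjectAltName, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text | tr ',' '\n' |
        sed -n 's/^ *DNS:\([^ ]*\).*$/\1/p'
}

# csr_ok FILE: succeed only if the request's self-signature verifies.
csr_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

echo "SAN entries in the request:"
csr_sans "$T/demo.csr"
csr_ok "$T/demo.csr" && echo "self-signature: OK"
```

If csr_sans prints nothing, the req_extensions line was not picked up from the config passed with -config.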
####Generate a Self-Signed Cert (Optional)
```
openssl req -new -x509 -sha%shaStrength% -days %crtDays% -key "%fileName%.secure.key" -passin "pass:%keyPass%" -out "%fileName%.crt" -subj "/CN=%CN%" -config "%cfgFile%"
```
Parameters:
- %crtDays%: certificate validity period in days
Because StartSSL login uses a certificate authentication key pair, the login cert/key pair must be pre-installed CORRECTLY in the browser or OS!

Cert/Key File: StartSSL.Auth\StartSSL.Auth.p12

Issue: During installation the certificate file may end up with a wrong chain file path; this can differ between environments. The fix is to remove the conflicting certificate files from the certs database.

URL: http://www.s-jpg.com/blog/?p=48

PDF: StartSSL.Auth\StartSSL login issues _ TheB1og.pdf
Open the generated request file %fileName%.csr and paste its content into the StartSSL site as part of the request procedure. StartCom will then issue a signed certificate file; save it as %fileName%.crt.

Note: When you open the crt file, it must show a signing path (certificate chain) for your certificate.

The root of the signing path is "StartCom Certification Authority", which must exist on the client's local side as a Trusted Root CA.

In the middle of the signing path is the Intermediate CA certificate "StartCom Class 1 Primary Intermediate Server CA", which does not always exist on the client's local side. If it is missing, the client may treat the crt file as an untrusted cert just because of the missing Intermediate CA certificate.

In that case, download the intermediate certificate so that your server can provide it to the client. The corresponding cert is available from the official site: https://www.startssl.com/certs/sub.class1.server.ca.crt.
```
- - StartCom Certification Authority
    |
    - - StartCom Class 1 Primary Intermediate Server CA
        |
        - - mydomain.com
```
```
SSLCertificateFile "%pathToYourFile%/%fileName%.crt"
SSLCertificateChainFile "%pathToYourFile%/sub.class1.server.ca.crt"
SSLCertificateKeyFile "%pathToYourFile%/%fileName%.key"
```
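Why the chain file matters, as an added example rather than part of the original instructions: it builds a throwaway root, intermediate and server certificate (constructed names, not StartCom's certificates) and verifies the server certificate with only the root trusted, then again with the intermediate supplied, as SSLCertificateChainFile does for a client. The helper names issue and verify_leaf are hypothetical.

```shell
#!/bin/sh
# Added example: root -> intermediate -> server chain, verified the way a client would.
set -e
W=$(mktemp -d)
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$W/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mydomain.com\n' > "$W/leaf.ext"

# issue NAME CN EXTFILE SIGNER-OPTIONS...: create NAME.key and NAME.crt in $W.
issue() {
    name=$1; cn=$2; ext=$3; shift 3
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$W/req.cnf" \
        -subj "/CN=$cn" -keyout "$W/$name.key" -out "$W/$name.csr" 2>/dev/null
    openssl x509 -req -in "$W/$name.csr" -days 2 -sha256 -extfile "$W/$ext" \
        "$@" -out "$W/$name.crt" >/dev/null 2>&1
}

issue root  "Demo Root CA"         ca.ext   -signkey "$W/root.key"
issue inter "Demo Intermediate CA" ca.ext   -CA "$W/root.crt"  -CAkey "$W/root.key"  -CAcreateserial
issue leaf  "mydomain.com"         leaf.ext -CA "$W/inter.crt" -CAkey "$W/inter.key" -CAcreateserial

# verify_leaf [extra "openssl verify" options]: prints "trusted" or "untrusted".
verify_leaf() {
    if openssl verify -CAfile "$W/root.crt" "$@" "$W/leaf.crt" 2>&1 | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

echo "client trusts the root only:        $(verify_leaf)"
echo "server also sends the intermediate: $(verify_leaf -untrusted "$W/inter.crt")"
```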
Here is an article (https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html) about each of the settings shown below.
```
# Enabling SSLv3 supports more legacy browsers but exposes the server to the POODLE attack
# SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
```
Note: If you still need to support legacy browsers such as IE6 on XP, you may need to enable SSLv3.
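OpenSSL skips cipher names it does not recognise instead of reporting an error, so a mistyped entry in SSLCipherSuite silently drops out of the list. This added example (not from the original page; unknown_ciphers is a hypothetical helper) tests each entry of a cipher string against the local OpenSSL build and prints the ones it rejects.

```shell
#!/bin/sh
# Added example: list the entries of a cipher string that this OpenSSL build rejects.
# Exclusions (!x, -x) and ordering rules (+x, @STRENGTH) are not cipher names, so skip them.
unknown_ciphers() {
    old_ifs=$IFS
    IFS=':'
    set -f                      # no filename globbing while splitting on ':'
    for tok in $1; do
        case "$tok" in
            '!'*|-*|+*|@*|'') continue ;;
        esac
        # "openssl ciphers NAME" fails when NAME selects no cipher at all.
        openssl ciphers "$tok" >/dev/null 2>&1 || printf '%s\n' "$tok"
    done
    set +f
    IFS=$old_ifs
}

# A few entries taken from the SSLCipherSuite line above.
SAMPLE='ECDHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA:AES128-SHA:HIGH:!aNULL:!RC4'
echo "Entries not recognised by $(openssl version):"
unknown_ciphers "$SAMPLE"
```

Run it on the full SSLCipherSuite value before deploying; which legacy suites are reported depends on how the local OpenSSL was built.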
```
# HSTS header setup
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
# Redirect all HTTP requests to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```
Note: This config requires the mod_rewrite and mod_headers modules to be installed.
https://www.ssllabs.com/ssltest/
```
openssl pkcs12 -export -inkey {KeyName}.key -in {CertName}.crt -certfile {ChainCert}.crt -passin "pass:{KeyPassword}" -passout "pass:{PfxPassword}" -out {PfxName}.pfx
```
See reference: https://www.openssl.org/docs/apps/pkcs12.html