SSL Cert Install
-
I am going to purchase and install an SSL Cert from instantssl.com but I am unsure how to generate the CSR. Likewise I am unsure how to install the cert after I do get it … I did do searching but got confused by what others were trying to accomplish. If someone is willing to assist me with accomplishing this I want to make a Wink Tutorial for it for other users in the future.
-
Some information for you.
This was done on m0n0wall so it should work with pfsense as well. M0n0wall doesn't support SSL certificate chaining (and therefore doesn't support the use of intermediate certificates), so you can't use a Certificate Authority like GoDaddy or Verisign that requires intermediate certificate chaining. To get around this, you will have to use a Certificate Authority that doesn't require the use of Intermediate Certificate chaining. In my case, I went with Thawte.com and used their SSL123 certificate. At the time of this writing, Thawte charges $150 per SSL certificate per year.
Openssl.org can be installed on Windows or on Linux
Generate a new key request
/usr/bin/openssl genrsa -des3 -out mykey.key 1024
This command generates a 1024 bit RSA private key and stores it in the file mykey.key. When prompted for a pass phrase: enter a secure password and remember it, as this pass phrase is what protects the private key. Both the private key and the certificate are required to enable SSL.
M0n0wall requires the key to be in PEM format, so convert the private key we just generated into PEM Format
openssl rsa -in mykey.key -out mypemkey.key -outform PEM
Generate the Certificate Request with this command
/usr/bin/openssl req -new -key mykey.key -out mycsr.csr -config /usr/local/ssl/openssl.cnf
Enter pass phrase for mykey.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:yourcountrycode
State or Province Name (full name) [Some-State]:yourstate
Locality Name (eg, city) []:Los Angeles
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yourcompany
Organizational Unit Name (eg, section) []:yourunitname
Common Name (eg, YOUR name) []:myhost.mydomain.com <--- enter your domain name here
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Please do not enter your email address, challenge password or an optional company name when generating the CSR.
A public/private key pair has now been created. The private key (mykey.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (mycsr.csr), will be used for certificate enrollment.
Copy and paste the contents of your csr file into the enrollment form on Thawte's webpage. The SSL certificate you need to buy from Thawte is called the SSL123, which doesn't require the use of Intermediate Certificates.
Choose ApacheSSL as the webserver so that you get your SSL Certificate in X.509 PEM format that M0n0wall will understand (the certificate from Thawte is already in PEM format).
Put the contents of the intermediate certificate (cut/paste) at the end of your certificate and save it into the box.
Now you need to upload any image files that were referenced in the html so that they are stored locally; otherwise the end user will get prompted for files that are referenced outside the SSL.
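As an added example (not part of the post above), the same key and CSR steps scripted non-interactively, followed by the checks worth running before pasting the CSR into the CA's form. The hostname, organisation and passphrase are constructed placeholders; the key is 2048 bits rather than the post's 1024, since public CAs no longer accept 1024-bit keys.

```shell
#!/bin/sh
# Added example (not from the forum post): generate the key and CSR
# non-interactively and check the CSR before submitting it to the CA.
# Hostname, organisation and passphrase below are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY_PASS="${KEY_PASS:-constructed-example-passphrase}"   # protects mykey.key
FQDN="myhost.example.com"                                 # the Common Name
SUBJECT="/C=US/ST=California/L=Los Angeles/O=Example Co/OU=IT/CN=$FQDN"

# 1. Private key: 2048-bit RSA instead of the post's 1024 bits, and AES-256
#    instead of 3DES for the passphrase wrapping.
gen_key() {
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" \
    -out "$WORKDIR/mykey.key" 2048 2>/dev/null
}

# 2. The post's "convert to PEM" step. 'openssl rsa -in ... -out ...' also
#    strips the passphrase, which is what lets the firewall load the key
#    unattended, so keep the output file tightly permissioned.
strip_passphrase() {
  openssl rsa -in "$WORKDIR/mykey.key" -passin "pass:$KEY_PASS" \
    -out "$WORKDIR/mypemkey.key" 2>/dev/null
  chmod 600 "$WORKDIR/mypemkey.key"
}

# 3. CSR with the DN given via -subj instead of the interactive prompts.
#    Email, challenge password and optional company name are simply omitted,
#    as the post advises.
gen_csr() {
  openssl req -new -key "$WORKDIR/mypemkey.key" \
    -subj "$SUBJECT" -out "$WORKDIR/mycsr.csr" 2>/dev/null
}

# --- checks to run before handing the CSR to the CA ---

# The CSR is self-signed with the private key; a failed verify means a
# corrupted file or a key/CSR mismatch.
csr_verify() {
  openssl req -in "$WORKDIR/mycsr.csr" -noout -verify >/dev/null 2>&1
}

# The public key inside the CSR must be the one derived from our private key.
csr_matches_key() {
  k=$(openssl pkey -in "$WORKDIR/mypemkey.key" -pubout 2>/dev/null)
  c=$(openssl req -in "$WORKDIR/mycsr.csr" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Common Name as the CA will see it; must be the exact hostname users type.
csr_cn() {
  openssl req -in "$WORKDIR/mycsr.csr" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# Exit status 0 if a challenge password attribute was embedded (it should not be).
csr_has_challenge_password() {
  openssl req -in "$WORKDIR/mycsr.csr" -noout -text | grep -q challengePassword
}

run_all() {
  gen_key && strip_passphrase && gen_csr
  csr_verify && csr_matches_key && ! csr_has_challenge_password \
    && [ "$(csr_cn)" = "$FQDN" ]
}

run_all && echo "CSR ready in $WORKDIR/mycsr.csr for CN=$(csr_cn)"
```

The passphrase-free mypemkey.key is the file that actually goes onto the firewall, so it deserves the same handling as any other long-lived secret: generate it on the box that will use it, or copy it over an encrypted channel and delete the copy.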
-
Some important info: Instantssl certs will still throw ssl errors unless you install the chain file. Last I looked pfSense didn't support the chain through the gui (I had some patches but they were buggy). It is possible to do through the cli with minimal effort.
nb
-
Yes, that's correct.
I'm using godaddy cert and chain file is needed.
Thank you -
Some important info: Instantssl certs will still throw ssl errors unless you install the chain file. Last I looked pfSense didn't support the chain through the gui (I had some patches but they were buggy). It is possible to do through the cli with minimal effort.
nb
Can you elaborate on how you do this through the cli? We have an ssl certificate signed by an intermediate, so we're getting the ssl errors for clients that don't explicitly trust the intermediate.
Thanks,
Brian -
Look at this. Just follow the instruction there.
http://forum.pfsense.org/index.php/topic,2966.0.html