The CMM website also has an https part, for which we use an officially signed certificate. You can find more information at http://helpdesk.ugent.be/webhosting/csr.php
The certificate is valid for 3 years and needs to be replaced before it expires! This is an SSL/TLS certificate and it has 2 parts: a public key and a private key. The private key is top secret and we generate it ourselves. The public key is derived from the private key. In order to have an official certificate, the public key needs to be signed by a 'certificate authority'. We use belnet to do that for us. Below you will find an explanation of how to generate the keys and replace the existing ones.
If you have any problems, ask Ward.
Create new certificate
There are 2 commonly used programs to generate certificates: openssl and gnutls. We will use gnutls as it is a bit more user-friendly. We need the binary called `certtool`. It's usually part of a package called gnutls-tools or something alike. To generate a new public/private key pair, we need a config:
```
# X.509 Certificate options
#
# DN options

# The organization of the subject.
organization = "Universiteit Gent"

# The organizational unit of the subject.
unit = "Center for Molecular Modeling"

# The locality of the subject.
locality = "Gent"

# The state of the certificate owner.
state = "O-VL"

# The country of the subject. Two letter code.
country = BE

# The common name of the certificate owner.
cn = "molmod.ugent.be"

# A user id of the certificate owner.
#uid = "clauper"

# If the supported DN OIDs are not adequate you can set
# any OID here.
# For example set the X.520 Title and the X.520 Pseudonym
# by using OID and string pairs.
#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"

# This is deprecated and should not be used in new
# certificates.
# pkcs9_email = "none@none.org"

# The serial number of the certificate
serial = 007

# In how many days, counting from today, this certificate will expire.
# 3 years = 1095 days
expiration_days = 1095

# X.509 v3 extensions

# A dnsname in case of a WWW server.
dns_name = "molmod.ugent.be"
dns_name = "cmm.ugent.be"

# An IP address in case of a server.
ip_address = "157.193.230.99"

# An email in case of a person
#email = "none@none.org"

# An URL that has CRLs (certificate revocation lists)
# available. Needed in CA certificates.
#crl_dist_points = "http://www.getcrl.crl/getcrl/"

# Whether this is a CA certificate or not
#ca

# Whether this certificate will be used for a TLS client
#tls_www_client

# Whether this certificate will be used for a TLS server
tls_www_server

# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites).
signing_key

# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
encryption_key

# Whether this key will be used to sign other certificates.
#cert_signing_key

# Whether this key will be used to sign CRLs.
#crl_signing_key

# Whether this key will be used to sign code.
#code_signing_key

# Whether this key will be used to sign OCSP data.
#ocsp_signing_key

# Whether this key will be used for time stamping.
#time_stamping_key

# A space separated list of key purpose OIDs to be added
#key_purpose_oids = "1.3.6.1.5.5.7.3.1" "1.2.3.4.5.6"

# Things for PKCS #10 certificate Requests
# A challenge password for the request.
#challenge_password = "My challenge password"

# When generating certificate use extensions found in certificate request.
#honor_crq_extensions

# Other things.
# A password to be used while encrypting/decrypting.
#password = "my pass"

# The next update (in days from now) for a CRL
#crl_next_update = 30

# The CRL number extension
#crl_number = 1

# A name for a PKCS #12 key
#pkcs12_key_name = "Anonymous key"
```
Save this to a file named certtool.cfg. First generate a private key (do this on your local computer, for the entropy):
```
certtool -V --ecc --hash=SHA512 --sec-param=high --generate-privkey --outfile privkey.pem
```
Don't run this command on the molmod.ugent.be server. Key generation needs enough random data, so never run it on a virtual machine! The resulting file must be kept secret! Make sure the permissions allow reading only by the owner (and group). Now we need to generate a request for signing:
```
certtool --generate-request --template certtool.cfg --load-privkey privkey.pem --outfile request.pem
```
The contents of the generated file `request.pem` need to be copied and pasted to https://www.digicert.com/secure/requests/products?guest_key=bl9g5pmq0z9n52nt Select a validity period of 3 years and choose 'Server certificate'. When your request is approved, you will receive the signed public key by mail. Now copy the private and the public keys to the molmod server. They should be placed like so:
- /etc/pki/tls/private/privkey.pem is the private key with permissions 440 and owner root, group ssl-certs
- /etc/pki/tls/certs/molmod_ugent_be.crt is the public key (world readable)
- /etc/pki/tls/certs/DigiCertCA.crt has any intermediate certificates (world readable)
- /etc/pki/tls/certs/full-chain.pem should have the full chain (the molmod.ugent.be certificate followed by any intermediates; in other words, cat the two files above together)
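As an added example (not a script from the original page), the checks below can be run on the molmod server after the files are in place: they build full-chain.pem in the right order, verify the private key's permissions, and confirm that the private key actually belongs to the signed certificate. The paths are the ones listed above; `key_matches_cert` assumes certtool's `--pubkey-info` and `--certificate-pubkey` options are available.

```shell
#!/bin/sh
# Added example (not from the original page): post-install sanity checks for the
# new key and certificate on the molmod server. Paths are the ones listed above;
# key_matches_cert assumes certtool's --pubkey-info/--certificate-pubkey options.
set -u

KEY=/etc/pki/tls/private/privkey.pem
CRT=/etc/pki/tls/certs/molmod_ugent_be.crt
CA=/etc/pki/tls/certs/DigiCertCA.crt
CHAIN=/etc/pki/tls/certs/full-chain.pem

# Build full-chain.pem from the server certificate and the intermediates.
# Order matters: the server certificate must come first, so verify that the
# chain really starts with the exact bytes of the server certificate.
build_chain() {
    crt=$1; ca=$2; out=$3
    cat "$crt" "$ca" > "$out" || return 1
    head -c "$(wc -c < "$crt")" "$out" | cmp -s - "$crt"
}

# The private key must be mode 440, owner root, group ssl-certs (the defaults
# here); a world-readable key lets every local user impersonate the server.
check_key_perms() {
    f=$1; want_mode=${2:-440}; want_owner=${3:-root:ssl-certs}
    [ "$(stat -c '%a' "$f")" = "$want_mode" ] &&
        [ "$(stat -c '%U:%G' "$f")" = "$want_owner" ]
}

# Catch a key/certificate mismatch (e.g. a key left over from an earlier
# request) before apache, exim or openldap are reloaded: extract the public
# key from both files and compare the PEM blocks.
key_matches_cert() {
    command -v certtool >/dev/null 2>&1 || { echo "certtool not found" >&2; return 2; }
    pem='/-----BEGIN PUBLIC KEY-----/,/-----END PUBLIC KEY-----/p'
    from_key=$(certtool --pubkey-info --load-privkey "$1" 2>/dev/null | sed -n "$pem")
    from_crt=$(certtool --certificate-pubkey --infile "$2" 2>/dev/null | sed -n "$pem")
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# Run everything against the real paths: sh check-cert.sh run
if [ "${1:-}" = "run" ]; then
    build_chain "$CRT" "$CA" "$CHAIN"   && echo "full chain written to $CHAIN"
    check_key_perms "$KEY"              && echo "private key permissions ok"
    key_matches_cert "$KEY" "$CRT"      && echo "private key matches certificate"
fi
```

Run it as root once the files are copied; each check prints a line only when it passes, so a missing line points at the step that needs fixing.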
Todo: add list of everything that needs to change...
The certificate is used by apache, exim and openldap. There is a special group for it: ssl-certs.
