@@ -6461,12 +6461,14 @@ You can obtain a free "official" (as in recognised by default by web browsers) S
When creating a SSL certificate it's important that the private key (the private component of the public/private pair in [[https://en.wikipedia.org/wiki/Public-key_cryptography][public key cryptography]]) be generated on the BBB /and remain there/. Don't generate the private key via the StartSSL certificate wizard because this means that potentially they may retain a copy of it which could then be exfiltrated either via [[https://en.wikipedia.org/wiki/Lavabit][Lavabit]] style methodology, "implants", compromised sysadmins or other "side channel" methods. So that the private key isn't broadcast on the internet we can instead generate a certificate request, which is really just a request for authorisation of a public key.
-Firstly under the validations wizard validate your domain, which means sending an email to it and confirming a code.
+Firstly you should have an Apache web site configutaion ready to go. See [[Setting up a web site]] for details.
+
+Within StartSSL under the validations wizard validate your domain, which means sending an email to it and confirming a code.
Now we can generate the certificate request as follows.
#+BEGIN_SRC: bash
-export HOSTNAME=mydomainname
+export HOSTNAME=mydomainname.com
openssl genrsa -out /etc/ssl/private/$HOSTNAME.key 2048
chown root:ssl-cert /etc/ssl/private/$HOSTNAME.key
chmod 440 /etc/ssl/private/$HOSTNAME.key
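Review bot: typo in the first added paragraph, `configutaion` should be `configuration`. A smaller point on `+export HOSTNAME=mydomainname.com`: bash sets `HOSTNAME` to the machine's own host name at startup, so reusing it for the certificate's domain shadows that value for the rest of the session and for any script that relies on it; a name such as `DOMAINNAME` avoids the collision. The `chown root:ssl-cert` and `chmod 440` lines that follow are fine and keep the key readable only by root and the ssl-cert group, which matches the "remain there" requirement stated in the paragraph above.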
@@ -6481,6 +6483,8 @@ openssl req -new -key /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/requests/$HOS
For the email address it's a good idea to use postmaster@mydomainname.
+Use a random 20 character password, and keep a note of it. We'll remove this later.
+
View the request with:
#+BEGIN_SRC: bash
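Review bot: the added line `+Use a random 20 character password, and keep a note of it. We'll remove this later.` does not say which prompt it refers to. The `openssl req -new -key ...` command in this hunk's header reads an existing key and only asks for the CSR's optional "challenge password" attribute, which is written into the request and never into the key, so there is nothing to remove later; and the key produced by `openssl genrsa` in the previous hunk, with no cipher option, is unencrypted and has no passphrase to strip. Either name the prompt and say the challenge password can be left blank, or, if a key passphrase is meant, show where it is set and where it is removed, since a passphrase-protected key prompts at every Apache start.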
@@ -6489,6 +6493,37 @@ cat /etc/ssl/requests/$HOSTNAME.csr
You can then click on "skip" within the StartSSL certificates wizard and copy and paste the encrypted request into the text entry box. A confirmation will be emailed back to you normally within a few hours.
+Then on the BBB.
+
+#+BEGIN_SRC: bash
+mv /etc/ssl/requests/$HOSTNAME.csr /etc/ssl/certs/$HOSTNAME.crt
+mkdir /etc/ssl/roots
+mkdir /etc/ssl/chains
+wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca"
+wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem"
+wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem"
+wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem"
+ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca"
+ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca"
+cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
+test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
+test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
+#+END_SRC
+
+To avoid any possibility of the certificates being accidentally overwritten by self-signed ones at a later date you can create backups.
+
+#+BEGIN_SRC: bash
+mkdir /etc/ssl/backups
+mkdir /etc/ssl/backups/certs
+mkdir /etc/ssl/backups/private
+cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/
+cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/
+chmod -R 400 /etc/ssl/backups/certs/*
+chmod -R 400 /etc/ssl/backups/private/*
+#+END_SRC
+
+Now visit your web site at https://mydomainname.com and you should notice that there is no certificate warning displayed. You will now be able to install systems which don't allow the use of self-signed certificates, such as [[https://redmatrix.me/&JS=1][Red Matrix]].
+
* Deprecated
The following items have been deprecated until such time as a successful installation is achieved.
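Review bot: the first command of the new block, `+mv /etc/ssl/requests/$HOSTNAME.csr /etc/ssl/certs/$HOSTNAME.crt`, puts the signing request in place as if it were the certificate. A CSR carries only the public key and subject, so Apache would have no signed certificate to serve and the `$HOSTNAME.crt+chain+root` file assembled below it would be a CSR followed by two CA certificates; the missing step is saving the signed certificate that StartSSL returns after the confirmation email as `/etc/ssl/certs/$HOSTNAME.crt`, and that step should replace the `mv`. Second, the root and intermediate CA files are fetched with `wget` over plain `http://` and linked into the chain with no integrity check, and the intermediate is then sent to every client; fetch them over `https://` and verify the downloaded files' fingerprints out of band before creating the symlinks. Two smaller points: every `mkdir` in both blocks fails on a second run, so `mkdir -p` would make the procedure re-runnable, and `+Then on the BBB.` introduces the block and should end with a colon.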