
StartSSL certificate installation

Bob Mottram, 11 years ago
Current commit: d7fa67fafe
1 file changed, 37 insertions and 2 deletions

beaglebone.txt (+37, -2)

@@ -6461,12 +6461,14 @@ You can obtain a free "official" (as in recognised by default by web browsers) S
 
 When creating a SSL certificate it's important that the private key (the private component of the public/private pair in [[https://en.wikipedia.org/wiki/Public-key_cryptography][public key cryptography]]) be generated on the BBB /and remain there/.  Don't generate the private key via the StartSSL certificate wizard because this means that potentially they may retain a copy of it which could then be exfiltrated either via [[https://en.wikipedia.org/wiki/Lavabit][Lavabit]] style methodology, "implants", compromised sysadmins or other "side channel" methods.  So that the private key isn't broadcast on the internet we can instead generate a certificate request, which is really just a request for authorisation of a public key.
 
-Firstly under the validations wizard validate your domain, which means sending an email to it and confirming a code.
+Firstly you should have an Apache web site configutaion ready to go.  See [[Setting up a web site]] for details.
+
+Within StartSSL under the validations wizard validate your domain, which means sending an email to it and confirming a code.
 
 Now we can generate the certificate request as follows.
 
 #+BEGIN_SRC: bash
-export HOSTNAME=mydomainname
+export HOSTNAME=mydomainname.com
 openssl genrsa -out /etc/ssl/private/$HOSTNAME.key 2048
 chown root:ssl-cert /etc/ssl/private/$HOSTNAME.key
 chmod 440 /etc/ssl/private/$HOSTNAME.key
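Review bot: "configutaion" in the new line "Firstly you should have an Apache web site configutaion ready to go." should be "configuration". In the bash block below it, `openssl genrsa -out /etc/ssl/private/$HOSTNAME.key 2048` creates the key file under the shell's current umask before the `chown root:ssl-cert` and `chmod 440` lines run, so with a default umask the private key is briefly world-readable; given that this section is about keeping the private key on the BBB, run it as `(umask 077; openssl genrsa -out /etc/ssl/private/$HOSTNAME.key 2048)` or otherwise restrict the file at creation time. Also, `export HOSTNAME=mydomainname.com` overwrites the shell's `HOSTNAME` variable, which other programs read as the machine's own name; a dedicated name such as `DOMAINNAME` would avoid surprises elsewhere in the session.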
@@ -6481,6 +6483,8 @@ openssl req -new -key /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/requests/$HOS
 
 For the email address it's a good idea to use postmaster@mydomainname.
 
+Use a random 20 character password, and keep a note of it.  We'll remove this later.
+
 View the request with:
 
 #+BEGIN_SRC: bash
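Review bot: the new sentence "Use a random 20 character password, and keep a note of it.  We'll remove this later." does not say which prompt it refers to, and this matters. The `openssl req -new -key ... -out ...csr` command in the hunk header asks for an optional "challenge password", which is an attribute embedded in the CSR, not a passphrase protecting the private key; the key was generated by `genrsa` without any encryption option in the previous hunk, so there is no passphrase on it to remove later. Either say that the challenge password prompt can be left empty, or state exactly what "remove this later" means, so readers do not assume the key is passphrase-protected when it is not.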
@@ -6489,6 +6493,37 @@ cat /etc/ssl/requests/$HOSTNAME.csr
 
 You can then click on "skip" within the StartSSL certificates wizard and copy and paste the encrypted request into the text entry box.  A confirmation will be emailed back to you normally within a few hours.
 
+Then on the BBB.
+
+#+BEGIN_SRC: bash
+mv /etc/ssl/requests/$HOSTNAME.csr /etc/ssl/certs/$HOSTNAME.crt
+mkdir /etc/ssl/roots
+mkdir /etc/ssl/chains
+wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca"
+wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem"
+wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem"
+wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem"
+ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca"
+ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca"
+cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
+test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
+test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
+#+END_SRC
+
+To avoid any possibility of the certificates being accidentally overwritten by self-signed ones at a later date you can create backups.
+
+#+BEGIN_SRC: bash
+mkdir /etc/ssl/backups
+mkdir /etc/ssl/backups/certs
+mkdir /etc/ssl/backups/private
+cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/
+cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/
+chmod -R 400 /etc/ssl/backups/certs/*
+chmod -R 400 /etc/ssl/backups/private/*
+#+END_SRC
+
+Now visit your web site at https://mydomainname.com and you should notice that there is no certificate warning displayed.  You will now be able to install systems which don't allow the use of self-signed certificates, such as [[https://redmatrix.me/&JS=1][Red Matrix]].
+
 * Deprecated
 
 The following items have been deprecated until such time as a successful installation is achieved.
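Review bot: `mv /etc/ssl/requests/$HOSTNAME.csr /etc/ssl/certs/$HOSTNAME.crt` in the first new bash block renames the certificate signing request to a `.crt` file, but a CSR is not a certificate. The signed certificate that StartSSL returns after the confirmation email is what belongs at `/etc/ssl/certs/$HOSTNAME.crt`; as written, Apache will fail to load the "certificate" and the final "no certificate warning" step cannot succeed. The hunk needs a step for saving the signed certificate from StartSSL to that path in place of the `mv`. Separately, the root and intermediate CA files are fetched over plain `http://www.startssl.com/...` with `wget` and no checksum or fingerprint check, so anything on the network path could substitute them before they are appended to `$HOSTNAME.crt+chain+root`; fetch them over https and compare `openssl x509 -noout -fingerprint -in <file>` against the fingerprints StartSSL publishes before trusting them. Minor: the `mkdir` calls lack `-p`, so re-running either block aborts under `set -e` once the directories exist, and "Then on the BBB." is a sentence fragment ("Then, on the BBB, run the following.").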