Appies

Secure Certificates

Appies™ Web Site Manager was created to work seamlessly with secure certificates and secure sites.  A secure certificate must be purchased from a recognized signing authority.  Once a site is secure and a certificate is installed, visiting https://[domain] will no longer bring up the pop-up warning message. If you are installing an additional certificate, or one for a customer on your server, jump to "Additional Certificates".

 Remember...

By default, when your Appies™ Web Site Manager is set up, the secure Web server is installed and active.  This means that content accessed with https:// will be secure; however, without a certificate, users will get the browser's standard security pop-up window.  If you plan to use your secure server for reasons other than internal use (like running Appies), it is strongly suggested that you install a secure certificate.


Purchasing a Certificate. You must first choose where to get your certificate.  There are now many signing authorities to choose from.  BDC sells GeoTrust certificates because of their reasonable costs, quick turnaround, and well laid out Website.

 Remember...

The following instructions are for users with dedicated servers who have root access to those servers.  If you are a shared server customer, you must ask support to generate the cert for you.  A nominal fee will apply.

Certificate Generation / Submission Instructions. Although these steps are outlined at the authority's Website, we will repeat them here and include helpful, server-specific information where possible. Note: these instructions assume 1) you are getting a certificate for your master domain name and 2) you are getting a wildcard certificate so all subdomains will be secure as well.
 

  1. Create an RSA key for your Apache server. First change to the key directory:

    cd /etc/httpd/conf/ssl.key

  2. Type the following command to generate a private key file that is UNencrypted. Because the file is unencrypted, you will NOT be prompted for a password when accessing the file or when starting your webserver. Use a key of at least 2048 bits; publicly trusted signing authorities no longer accept 1024-bit RSA keys:

    openssl genrsa -out [domainname].key 2048

  3. Type the following command to create a CSR with the RSA private key (output will be in PEM format):

    openssl req -new -key [domainname].key -out [domainname].csr

  4. When creating a CSR you must follow these conventions. Enter the information to be displayed in the certificate. The following characters cannot be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&

    Warning: Leave the challenge password blank.  If you do not, your server will not start automatically.  This is VERY important! Also, do not enter extra attributes at the prompt.

    DN Field | Explanation | Example
    Common Name | The fully qualified domain name for your web server. This must be an exact match. If you are getting a wildcard cert for your master domain, enter *.[domainname] (the "*." before the domain is needed for a wildcard cert!). If you intend to secure just the URL https://www.[domainname], then your CSR's common name must be www.[domainname] |
    Organization | The exact legal name of your organization. Do not abbreviate your organization name. | GeoTrust
    Organization Unit | Section of the organization | Marketing
    City or Locality | The city where your organization is legally located. | Wellesley Hills
    State or Province | The state or province where your organization is legally located. Cannot be abbreviated. | Massachusetts
    Country | The two-letter ISO abbreviation for your country. | US

    Note: If you would like to verify the contents of the CSR, use the following command:

    openssl req -noout -text -in [domainname].csr

  5. Submit your CSR to the signing authority per their instructions. Display the CSR contents for cutting and pasting by typing:

    more [domainname].csr

    Create a backup of your private key!
    Make a copy of the private key file ([domainname].key) generated in step 2 and store it in a safe place! If you lose this file, you must purchase a new certificate.

* When viewed in a text editor, the private key file should begin with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.

To view the contents of the private key, use the following command:

openssl rsa -noout -text -in [domainname].key

Certificate Installation Instructions. Once you get your certificate back from the signing authority, you must then install it on your server. Here are detailed instructions for your Appies™ Web Site Manager.

 Remember...

These instructions are for your main domain on your Appies Web Site Manager dedicated server.  If you are installing a certificate for one of your customers on your server, see the section below entitled "Additional Certificates".

  1. Copy the certificate to /etc/httpd/conf/ssl.crt/ and name the file [domainname].crt. Make sure you do this in ASCII format.  You MUST be root user and have root access. The easiest and most secure way to do this is to ssh to your server:

    Note: Copy the entire contents of the certificate, from and including the -----BEGIN CERTIFICATE----- line through the -----END CERTIFICATE----- line. Use your PC's cut and paste feature for this (control-c for cut on Windows).

    cd /etc/httpd/conf/ssl.crt/
    vi [domainname].crt

    In vi, press "i" for insert, then paste. Press Esc, then type ":" followed by "wq!" to save.

  2. Rename the .crt and .key files and make backups of the default ones. Your new crt and key files must be called just "server.crt" and "server.key" respectively.  Doing this, there is no need to change the httpd.conf file.

    cp /etc/httpd/conf/ssl.crt/server.crt /etc/httpd/conf/ssl.crt/server.crt.OLD
    cp /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.key/server.key.OLD
    cp /etc/httpd/conf/ssl.crt/[domainname].crt /etc/httpd/conf/ssl.crt/server.crt
    cp /etc/httpd/conf/ssl.key/[domainname].key /etc/httpd/conf/ssl.key/server.key


  3. Make sure the files have the correct permissions (600):

    chmod 600 /etc/httpd/conf/ssl.crt/server.crt
    chmod 600 /etc/httpd/conf/ssl.key/server.key


  4. Stop, then start, your Apache web server using the following commands:

    /etc/init.d/httpd stop
    /etc/init.d/httpd start

  5. Now test your Web server.  If all went correctly, you should be able to visit https://www.[domainname] and NOT get a security notice.
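
A pre-flight check for the installation steps above, as an added example that is not part of the original Appies documentation: before the files are copied over server.crt and server.key and Apache is restarted, it confirms that the private key is at least 2048 bits, that the certificate returned by the signing authority carries the same public key as [domainname].key, and that the certificate has not expired. The function names are hypothetical; only standard openssl subcommands are used, and pub_hash also accepts the CSR so it can be compared against the key before submission.

```shell
#!/bin/sh
# Added example, not from the Appies documentation. Function names are
# hypothetical; the openssl subcommands are standard.

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
# usage: pub_hash key|csr|crt FILE
pub_hash() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    # An unreadable file yields no PEM; fail instead of hashing empty input,
    # which would make two broken files look like a match.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the RSA key size in bits, or nothing if the key cannot be read.
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Return 0 only when KEY and CRT are safe to install as server.key/server.crt.
# usage: preflight KEY CRT
preflight() {
    bits=$(key_bits "$1")
    [ -n "$bits" ] || { echo "cannot read private key $1" >&2; return 1; }
    [ "$bits" -ge 2048 ] || { echo "key is only $bits bits" >&2; return 1; }
    kh=$(pub_hash key "$1") && ch=$(pub_hash crt "$2") ||
        { echo "cannot read key or certificate" >&2; return 1; }
    [ "$kh" = "$ch" ] ||
        { echo "certificate does not match private key" >&2; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
}

# Run as: sh preflight.sh [domainname].key [domainname].crt
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2" && echo "OK to install"
fi
```

A mismatch caught here would otherwise show up only when Apache refuses to start after the restart in step 4.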

Additional Certificates. As a server owner, you can secure as many domains as you wish on your server.  Appies is configured to recognize secure domains in shared accounts.  Here are a few rules/limitations for secure domains:
  1. If you have a site with a secure domain, it must be on its own shared account - it cannot be a virtual host on a shared account. This means it must have access to its own Appies and be set up as a shared server.
  2. Any website using its own secure certificate must have its own IP address. Secure certificates are only valid for Websites with a unique IP address.  You can upgrade a user if necessary to one of these packages.
  3. When a certificate is purchased, it is for a domain only.  If you have more than one domain on a Webserver with a secure certificate, only the domain the certificate was purchased for will be secure.
Generating / Installing Additional Certificates. Follow the directions above for generating, submitting and installing the secure certificates with the following changes:
  • If it is not a wildcard cert, replace the "*." with the subdomain, like "www", and purchase a standard cert, not the more costly one.
  • When installing, name the crt and key files with the domain name you are using, without any subdomain. For example, the files for abc.com would be called "abc.com.crt" and "abc.com.key".  Do not rename these to server.crt and server.key.
  • Tell Appies this domain is now secure. In your Appies, go to "Administration" >> "DNS Settings".  Look for the section called "Domains Using their Own Secure Certificate" and add the domain in that area.  Once you have multiple domains, simply add one domain per line in that textarea.
  • Reset the conf file. You must now enter that customer's Appies administration area, select "Domain_Management" >> "Manage Domains", scroll to the bottom of the page and click the "process" button.  Now the domain will be secure and certified.
 Be Careful...

Do NOT add the domain into "Domains Using their Own Secure Certificate" until the certificate has been installed on the server. Otherwise, the webserver will not restart and it will produce an error.

 

Copyright 2004-2007, Greentree Hosting, LLC.