Go Live Checklist: SSL Certification Setup
Overview
- For the Production environment it is necessary to purchase a signed certificate from a certificate authority (CA) such as Network Solutions, Go Daddy, GeoTruste, Thawte, and others.
- The following instructions are for OpenSSL and are available with minor variations on many sites across the internet.
- For full documentation of OpenSSL commands please visit www.openssl.org.
- If you are working in a Linux environment the OpenSSL package is probably already installed on your system. If not, install the package using the software management tool..applicable to your Linux distribution.
- If you are deploying on Windows there are two options:
- Install Apache PLUS OpenSSL (recommended if you will be using the Apache webserver)
- Download Windows binaries from www.openssl.org.
Step 1: Generate a Private Key
- The OpenSSL toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request).
- The first step is to create your RSA Private Key. This key is a 2048 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.
openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Step 2: Generate a CSR (Certificate Signing Request)
This section describes how to generate a CSR for the purpose of sending to a Certificate Authority (CA).
It is best to purchase a domain wide certificate (*.domainname.com instead of www.mydomain.com) . This will help prevent some browsers from sending users security warnings if the site is accessed with a different hostname, for example, www1.mydomain.com.
- Once the private key is generated a Certificate Signing Request can be generated.
- The CSR is then used in one of two ways.
- Preferred: the CSR will be sent to a Certificate Authority who will verify the identity of the requestor and issue a signed certificate.
- The second option is to self-sign the CSR, which will be demonstrated in the next section.
- During the generation of the CSR, you will be prompted for several pieces of information.
- These are the X.509 attributes of the certificate.
- One of the prompts will be for Common Name (e.g., YOUR name).
- It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL.
- If the website to be protected will be https://www.mydomain.com, then enter www.mydomain.com at this prompt.
- The command to generate the CSR is as follows:
openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New York
Locality Name (eg, city) [Newbury]:Mineola
Organization Name (eg, company) [My Company Ltd]:Solveda
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.mydomain.com
Email Address []:<valid email address in your organization>
Please enter the following 'extra' attributes
to be sent with your certificate request (these are not required)
A challenge password []:
An optional company name []:
Step 3: Remove Passphrase from Key
This section is important!
- One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started.
- Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash.
- mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either.
- It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase.
- If the private key is no longer encrypted, it is critical that this file only be readable by the root user!
- If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
The newly created server.key file has no more passphrase in it.
-rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
-rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org
Step 4: Installing the Private Key and Certificate
- When Apache with mod_ssl is installed, it creates several directories in the Apache config directory.
- The location of this directory will differ depending on how Apache was compiled.
- These paths will be different depending on your Linux distribution or if you are running Windows. Nothing is dependent on these paths.
- As long as Apache can read the files they can go anywhere on the file system.
cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key
Step 5: Generating a Self-Signed Certificate
- At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.
- To generate a temporary certificate which is good for 365 days, issue the following command:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out
server.crt
Signature ok
subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information
Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
Getting Private key
Step 6: Configuring SSL Enabled Virtual Hosts
- These directives should be added when you install mod_ssl on your Apache server, you will just need to change the values accordingly.
SSLEngine on
SSLCertificateFile /path/to/file/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Step 7: Restart Apache and Test
SSL Verification
Recognize that some protocols below are http: and some are https:
Overview
- There are two main areas to focus on when verifying if the SSL and OFBiz/Apache configuration is setup correctly
- The primary testing is to ensure that your site switches correctly from the http protocol and the https protocol, and vice versa
Test switch to SSL
- go to http://www.your-domain-name.com
- hover over “My Account”
- the protocol should be “https” and the port number should NOT appear
- If the port number (typically 8443 or similar) DOES appear in the link then review the Correction Action below
Test switch from SSL
- go to https://www.your-domain-name.com
- hover over “Contact Us”
- the protocol should switch to “http” and the port number should NOT appear
- If the port number (typically 8080 or similar) DOES appear in the link then review the Correction Action below:
Correction Action
- It is most likely that the WEB_SITE database entity has the incorrect HTTP_PORT and HTTPS_PORT settings
- To view the attributes:
- select HTTP_PORT, HTTPS_PORT from WEB_SITE where WEB_SITE_ID = [yourwebsite]
- If these are setup to something other than blank, 80 or 443 then set to blank:
- update WEB_SITE set HTTP_PORT=””, HTTPS_PORT=””
- WHERE WEB_SITE_ID = [yourwebsite]
There are a few “layers” involved here but ultimately OFBiz will use HTTP_PORT and HTTPS_PORT settings from the WEB_SITE database entity.
The BigFish property file client-deployment.properties file is used within the “ant build” script to populate the Ofbiz property file url.properties.
The url.properties file will use the HTTP_PORT and HTTPS_PORT values to update the WEB_SITE database entity when running the “install seed” script. Since this is typically run only once when creating the initial instance the values in this file are not necessarily used.
Back to Top
