Server Certificate: Apache + mod_ssl + OpenSSL

Section A: Procedures in Generating Key Pairs and CSR

Step 1: To generate the Private Key

1. Select your random seed enhancers: Select five large and relatively random files from your server (good choices are compressed log files). We refer to them as file1, file2, file3, file4, file5 below.

2. Generate the Private Key with the following command:

$ ./openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out your.key 1024

The process will prompt you for a pass phrase. Enter a secure password, or leave it blank only if you absolutely trust your server machine. This password is needed when starting your SSL server. (Note: 1024-bit RSA keys are no longer accepted by public CAs or trusted by current browsers, so use at least 2048 bits; current OpenSSL releases seed their random generator themselves, so the -rand option is no longer needed.)

3. Backup and protect your Private Key: Back up your key on a diskette or other removable media and store it in a secure place. Change the permission of your key on the server to 400 to prevent unauthorized reading.
Step 2: To generate the Request File

1. Generate the CSR with the following command:

$ ./openssl req -new -key your.key -out your.csr

2. Enter the information for your certificate: when prompted for Common Name, you MUST type your registered domain name here. For the fields Country/Region, State/Province and City/Locality, enter HK.

3. View the CSR request file: The certificate request is created and saved to the file your.csr. Its contents should look like this:

[Figure: sample contents of your.csr]
Section B: Procedures of Submitting CSR to Hongkong Post for Certificate Generation

Step 1: To access the online Hongkong Post e-cert (Server) Certificate application form

1. Launch the Hongkong Post e-cert (Server) web site: http://www.hongkongpost.gov.hk/5digital/dc3_fr.html. You can view an overview of Hongkong Post e-cert (Server) there.

2. Access the Online e-cert (Server) Application Form: On the left frame of the Overview page, click the link New Application under e-cert (Server) for a new application, or click the link Renew Certificate for a certificate renewal.

[Figures: the New Application link and the Renewal Application link]
The following figure is the online Hongkong Post e-cert (Server) Certificate application form:

[Figure: online e-cert (Server) application form]

For a renewal application, the online application form is below:

[Figure: online e-cert (Server) renewal application form]

Step 2: To complete the online Hongkong Post e-cert (Server) Certificate application form (applicable for New & Renewal Application)

1. Paste the CSR data: Open the CSR request file you have generated, then copy and paste the contents of the request file into the text block of the Hongkong Post e-cert (Server) application form.

2. Enter SSL Server Name and PIN: In the Server Identity Authentication Information section, enter your registered SSL Server Name and the PIN. (The PIN is the 16-digit number inside the PIN mailer distributed to you earlier.) Click the Submit button.

3. Complete the submission of the Hongkong Post e-cert (Server) application: Check the information for the application and click Submit.
The response page will be displayed:

[Figure: application response page showing the reference number]

NOTE: Please write down the reference number; you will need it to pick up your certificate later.
Section C: Procedures in Picking up Hongkong Post e-cert (Server) Certificate (applicable for New & Renewal Application)

(After receiving the e-mail notification from Hongkong Post for server certificate pick-up, you can pick up your e-cert (Server) via the Hongkong Post web site.)

Step 1: To access the Hongkong Post e-cert (Server) Certificate Pickup Page

1. Access the Pick Up Certificate page: On the left frame of the Overview page (http://www.hongkongpost.gov.hk/5digital/dc3_fr.html), click the link Pick up Certificate under e-cert (Server). The Pick Up Certificate page will be displayed:

[Figure: Pick Up Certificate page]

Step 2: To access the Hongkong Post e-cert (Server) Certificate Download Page

1. Enter Reference Number: Enter the reference number into the text box. (The reference number is the number generated online after you submitted your application.) Click Submit.
2. View the Response Page: There are two sections on the page. The upper section contains the certificate details of your e-cert (Server):

[Figure: certificate details section of the response page]

The lower section contains the download section for your e-cert (Server):

[Figure: download section of the response page]

Step 3: To Download your e-cert (Server)

1. Download Certificates: Click the link in Step 4 of the Response page to download your e-cert (Server) together with the certificates along the certification path (i.e. the certificates of the Hongkong Post e-cert CA and the Hongkong Post Root CA). They are in base-64 format. After downloading, you will obtain a file called DownloadCert.sh.

(In case you don't have the Hongkong Post e-cert CA and Hongkong Post Root CA certificates, you can click the links in Step 1 and Step 2. These two files are in binary format and should be imported into the client browsers for certificate validation.)
Section D: Procedures in Installing your Hongkong Post e-cert (Server) Certificate into your Apache Web Server

Step 1: To extract your e-cert (Server)

1. View your downloaded file: Use a text editor to open the downloaded file DownloadCert.sh. The file should contain 3 certificates (the following shows only a portion of each certificate):

[Figure: excerpt of DownloadCert.sh showing the three certificate blocks]

2. Extract your e-cert (Server): Extract the user certificate (from the BEGIN CERTIFICATE line to the END CERTIFICATE line, inclusive) and save it as the file your.crt, making sure there is no trailing space on any line. It should have the following format:

[Figure: format of your.crt]
3. Installation: Update your Apache configuration file as follows:

SSLCertificateFile /path/to/your.crt
SSLCertificateKeyFile /path/to/your.key

Then start your Apache web server. Clients that do not already hold the Hongkong Post e-cert CA certificate can only build the chain if the server sends it, so also point SSLCertificateChainFile at the e-cert CA certificate (on Apache 2.4.8 and later, appending it to your.crt has the same effect).

Congratulations! You have successfully installed the Hongkong Post e-cert (Server) into your Apache Web Server.
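The local half of the procedure above, with the checks a practitioner runs at each step, as an added example script that is not part of the Hongkong Post guide. It covers Section A (key pair and CSR, verified before the CSR is pasted into the form) and Section D (your.crt pulled from the downloaded bundle and checked against your.key and the CA chain before Apache is configured). The following are assumptions, not part of the original: OpenSSL 1.1.1 or later on PATH, the server name www.example.com, the passphrase in KEY_PASS, and the throwaway root and issuing CA that issue_bundle builds to stand in for Hongkong Post and Sections B and C.

```shell
#!/bin/sh
# Added example, not from the Hongkong Post guide. Section A: key pair and CSR,
# checked before the CSR goes into the form. Section D: your.crt extracted from
# the downloaded bundle and checked against your.key and the CA chain.
# Assumptions: OpenSSL 1.1.1+; www.example.com as server name; a constructed
# throwaway root and issuing CA (issue_bundle) standing in for Hongkong Post.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY_PASS="${KEY_PASS:-change-me}"   # your.key passphrase; assumed value

# Minimal OpenSSL config so nothing depends on the system openssl.cnf.
# The [ca] section is used only for the throwaway CA certificates.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Section A step 1. 2048 bits replaces the guide's 1024; -aes256 encrypts the
# key file under the passphrase; current OpenSSL seeds itself, so no -rand.
gen_key() {
    rm -f "$WORK/your.key"
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$WORK/your.key" 2048 2>/dev/null
    chmod 400 "$WORK/your.key"
}

# Section A step 2. -subj gives the DN without prompts; CN is the server name.
gen_csr() {
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/your.key" -passin "pass:$KEY_PASS" \
        -subj "/C=HK/ST=HK/L=HK/O=Example Organisation/CN=$1" -out "$WORK/your.csr"
}

# CN of a CSR ($1=req) or certificate ($1=x509); handles both the "CN = x"
# and the "/CN=x" subject formats OpenSSL prints.
subject_cn() {
    openssl "$1" -in "$2" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Public key carried by a CSR or certificate, and the one derived from your.key;
# they must be identical or mod_ssl refuses to start.
pubkey_of() { openssl "$1" -in "$2" -noout -pubkey; }
key_pubkey() { openssl rsa -in "$WORK/your.key" -passin "pass:$KEY_PASS" -pubout 2>/dev/null; }

# Section D step 2: n-th PEM certificate of the bundle, trailing whitespace
# removed (the guide's "no trailing space").
nth_cert() {   # $1 = bundle, $2 = 1-based index
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { sub(/[ \t\r]+$/, ""); print }
        /-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# The downloaded chain must lead from your.crt through the issuing CA to the root.
chain_ok() {   # $1 = server cert, $2 = issuing CA cert, $3 = root CA cert
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Constructed CA: signs your.csr and writes a DownloadCert.sh-style bundle
# (server cert, issuing CA, root CA); trailing spaces are added to the server
# cert lines to mimic a sloppy download.
issue_bundle() (
    cd "$WORK"
    openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -keyout root.key \
        -out root.crt -days 30 -subj "/CN=Test Root CA" 2>/dev/null
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout ca.key \
        -out ca.csr -subj "/CN=Test Issuing CA" 2>/dev/null
    openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -extfile req.cnf -extensions ca -out ca.crt 2>/dev/null
    openssl x509 -req -in your.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -out server.crt 2>/dev/null
    { sed 's/$/  /' server.crt; cat ca.crt root.crt; } > DownloadCert.sh
)

# Section D step 3: the directives to put in the Apache configuration.
apache_directives() {
    printf 'SSLCertificateFile %s/your.crt\nSSLCertificateKeyFile %s/your.key\n' "$WORK" "$WORK"
}

# Whole flow, run as: sh ecert_check.sh www.example.com
if [ $# -ge 1 ]; then
    gen_key; gen_csr "$1"
    openssl req -in "$WORK/your.csr" -noout -verify
    [ "$(pubkey_of req "$WORK/your.csr")" = "$(key_pubkey)" ] || { echo "CSR does not match key" >&2; exit 1; }
    issue_bundle
    nth_cert "$WORK/DownloadCert.sh" 1 > "$WORK/your.crt"
    nth_cert "$WORK/DownloadCert.sh" 2 > "$WORK/ecert_ca.crt"
    nth_cert "$WORK/DownloadCert.sh" 3 > "$WORK/root_ca.crt"
    [ "$(pubkey_of x509 "$WORK/your.crt")" = "$(key_pubkey)" ] || { echo "your.crt does not match key" >&2; exit 1; }
    chain_ok "$WORK/your.crt" "$WORK/ecert_ca.crt" "$WORK/root_ca.crt" || { echo "chain does not verify" >&2; exit 1; }
    apache_directives
fi
```

The script name ecert_check.sh is hypothetical. Against a real DownloadCert.sh, skip issue_bundle and call nth_cert, key_pubkey and chain_ok on the downloaded file; the chain_ok check is the step the guide leaves out, and it catches a bundle whose CA certificates do not match the one that signed your.crt before mod_ssl silently serves a chain that clients cannot validate.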