e-cert (Server) User Guide For Apache Web Server



Similar documents
e-cert (Server) User Guide For Microsoft IIS 7.0

Server Certificate: Apache + mod_ssl + OpenSSL

e-cert (Server) User Guide For Microsoft Exchange Server 2010

To enable https for appliance

Installing an SSL certificate on the InfoVaultz Cloud Appliance

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

>copy openssl.cfg openssl.conf (use the example configuration to create a new configuration)

Security Workshop. Apache + SSL exercises in Ubuntu. 1 Install apache2 and enable SSL 2. 2 Generate a Local Certificate 2

SWITCHBOARD SECURITY

SSL Certificates in IPBrick

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Red Hat Linux Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

Exercises: FreeBSD: Apache and SSL: SANOG VI IP Services Workshop

Browser-based Support Console

User s guide. APACHE SSL Linux. Using non-qualified certificates with APACHE SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A.

SSL Installing your new Certificate

How to: Install an SSL certificate

Creating a Free Trusted SSL Cert with StartSSL for use with Synctuary

Installing an SSL Certificate Provided by a Certificate Authority (CA) on the vwlan Appliance

Application Note AN1502

KMIP installation Guide. DataSecure and KeySecure Version SafeNet, Inc

Securing Your Apache Web Server With a Thawte Digital Certificate

This section describes how to use SSL Certificates with SOA Gateway running on Linux.

Installing an SSL Certificate Provided by a Certificate Authority (CA) on the BlueSecure Controller (BSC)

User Guide Generate Certificate Signing Request (CSR) & Installation of SSL Certificate

SecuritySpy Setting Up SecuritySpy Over SSL

esync - Receiving data over HTTPS

Encrypted Connections

unigui Developer's Manual 2014 FMSoft Co. Ltd.

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

Renewing an SSL Certificate Provided by a Certificate Authority (CA) on the vwlan Appliance

Clearswift Information Governance

Enterprise SSL Support

Marriott Enrollment Server for Web User Guide V1.4

ViMP 3.0. SSL Configuration in Apache 2.2. Author: ViMP GmbH

Apache SSL Certificate Deployment Guide

Junio SSL WebLogic Oracle. Guía de Instalación. Junio, SSL WebLogic Oracle Guía de Instalación CONFIDENCIAL Página 1 de 19

Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server

How-to-Guide: SAP Web Dispatcher for Fiori Applications

HTTPS Configuration for SAP Connector

Go to Policy/Global Properties/SmartDashboard Customization, click Configure. In Certificates and PKI properties, change host_certs_key_size to 2048

Ciphermail Gateway Separate Front-end and Back-end Configuration Guide

Secure IIS Web Server with SSL

ECA IIS Instructions. January 2005

Exchange Reporter Plus SSL Configuration Guide

CA Nimsoft Unified Management Portal

C O N F I G U R I N G O P E N L D A P F O R S S L / T L S C O M M U N I C A T I O N

Generate CSR for Third Party Certificates and Download Unchained Certificates to the WLC

IceWarp SSL Certificate Process

LoadMaster SSL Certificate Quickstart Guide

Domino and Internet. Security. IBM Collaboration Solutions. Ask the Experts 12/16/2014

Securing Web Access with a Private Certificate Authority

By default, STRM provides an untrusted SSL certificate. You can replace the untrusted SSL certificate with a self-signed or trusted certificate.

CentOS. Apache. 1 de 8. Pricing Features Customers Help & Community. Sign Up Login Help & Community. Articles & Tutorials. Questions. Chat.

NetApp Storage Encryption: Preinstallation Requirements and Procedures for SafeNet KeySecure

Install an SSL Certificate onto SilverStream. Sender Recipient Attached FIles Pages Date. Development Internal/External None 5 6/16/08

Using custom certificates with Spectralink 8400 Series Handsets

Setting Up SSL on IIS6 for MEGA Advisor

Customizing SSL in CA WCC r11.3 This document contains guidelines for customizing SSL access to CA Workload Control Center (CA WCC) r11.3.

Steps to configure SiteMinder Policy Server to connect to CA Directory using LDAPS

IIS 6.0SSL Certificate Deployment Guide

Iowa Immunization Registry Information System (IRIS) Web Services Data Exchange Setup. Version 1.1 Last Updated: April 14, 2014

Configuring TLS Security for Cloudera Manager

Creating Certificate Authorities and self-signed SSL certificates

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

jodbc Service and SQL Catalog

Securing the OpenAdmin Tool for Informix web server with HTTPS

FUJITSU Cloud IaaS Trusted Public S5 Configuring a Server Load Balancer

Installing Digital Certificates for Server Authentication SSL on. BEA WebLogic 8.1

Wildcard Certificates

BEA Weblogic Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

The IceWarp SSL Certificate Process

Configuring HTTPS support. Overview. Certificates

SSL GUIDE. Everything you need to know about SSL and securing your online business. For Apache Running Apache-SSL, mod_ssl, OpenSSL, ssleay

Microsoft IIS 4 Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

This section includes troubleshooting topics about certificates.

Low cost secure VPN MikroTik SSTP over OpenIXP (Indonesian Internet) ASTA INFORMATICS Faisal Reza

Integrating Apache Web Server with Tomcat Application Server

Configuration (X87) SAP Mobile Secure: SAP Afaria 7 SP5 September 2014 English. Building Block Configuration Guide

Technical specification

webmethods Certificate Toolkit

Sun Java System Web Server 6.1 Using Self-Signed OpenSSL Certificate. Brent Wagner, Seeds of Genius October 2007

SSL Interception on Proxy SG

Crypto Lab Public-Key Cryptography and PKI

Building a Secure RedHat Apache Server HOWTO

How to setup HTTP & HTTPS Load balancer for Mediator

SSL Insight Certificate Installation Guide

EMC Data Protection Search

Protect your CollabNet TeamForge site

HOWTO. Configure Nginx for SSL with DoD CAC Authentication on CentOS 6.3. Joshua Penton Geocent, LLC

EV Multi-Domain Certificate Enrollment Guide

Apache, SSL and Digital Signatures Using FreeBSD

EventTracker Windows syslog User Guide

# openssl genrsa -out /etc/ssl/private/ca.key 1024 Generating RSA private key, 1024 bit long modulus e is (0x10001

Deploying Certificates with Cisco pxgrid. Using Self-Signed Certificates with ISE pxgrid node and pxgrid Client

GlobalSign Enterprise Solutions Google Apps Authentication User Guide

Transcription:

e-cert (Server) User Guide For Apache Web Server Revision Date: Sep 2015

Table of Content A. Guidelines for e-cert (Server) Applicant... 2 B. Generating Certificate Signing Request (CSR)... 3 C. Submitting Certificate Signing Request (CSR)... 5 D. Installing Server Certificate... 10 Page 1

A. Guidelines for e-cert (Server) Applicant After receipt and approval of an e-cert (Server) application, Hongkong Post Certification Authority will send an e-mail with subject Submission of Certificate Signing Request (CSR) to request the applicant (i.e. the Authorized Representative) to submit the CSR at the Hongkong Post CA web site. This user guide is for reference by applicants of e-cert (Server) in generating their key pair and Certificate Signing Request (CSR) using Apache Web Server. The CSR containing the public key will then be submitted to Hongkong Post Certification Authority for certificate signing. If you lose the private key after the certificate is issued, you will be unable to install or use the certificate. Therefore, it is strongly recommended that you should backup the private key before the submission of the Certificate Signing Request (CSR). Page 2

B. Generating Certificate Signing Request (CSR) 1. This user guide uses the utility openssl that comes with the OpenSSL package as an example to generate the key pair and Certificate Signing Request (CSR). Since the directory path of the utility differs from one server to another, applicants should therefore refer to their server documentation for details. Type the following command at the prompt to generate a 2048-bit RSA private key (myserver.key) encrypted in Triple-DES (3DES). You will be prompted to enter and confirm a password. Note: Bit length smaller than 2048 may not be strong enough, while greater than 2048 may be incompatible with certain web browsers. It is recommended the bit length of the encryption key to be 2048 in order to support better security strength. Note: It is very important that you remember this password. You are required to provide this password when you start your Apache server. openssl genrsa des3 out myserver.key 2048 2. Type the following command at the prompt to generate the Certificate Signing Request (CSR) (myserver.csr) using the private key (myserver.key) generated above. You will be prompted for the password. openssl req new key myserver.key out myserver.csr Enter the following information when prompted for the following X.509 attributes of the certificate: Attribute Description Example Country Specify HK HK State or Province Specify Hong Kong Hong Kong Locality Specify Hong Kong Hong Kong Organization Specify organization name My Organization Organizational Unit Specify organizational unit My Organizational Unit Common Name Specify server name www.myserver.com Email Address Hit <Enter> to leave blank Page 3

You will be prompted for extra attributes (i.e. challenge password and optional company name). Hit <Enter> to leave these attributes blank. Note: Please make sure that the correct server name is entered in the Common Name field and HK in the Country Name field. Note: For application of e-cert (Server) with Multi-domain feature, please input the Common Name field with Server name used as Subject Name in the Certificate being filled in the application form. It is not necessary to specify any Additional Server Name(s) in the Subject Alternative Name of the CSR to be generated. It will be assigned by the Hongkong Post CA system automatically based on the information applied in the application form when the certificate is issued. For application of e-cert (Server) with "Wildcard" feature, please input the Common Name field with "Server Name with Wildcard" (including the wildcard component, i.e. the asterisk *, in the left-most component of the server name), e.g. *.myserver.com, being filled in the application form. Enter pass phrase for myserver.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:HK State or Province Name (full name) [Some-State]:Hong Kong Locality Name (eg, city) []:Hong Kong Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Organization Organizational Unit Name (eg, section) []:My Organizational Unit Common Name (eg, YOUR name) []:www.myserver.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Page 4

C. Submitting Certificate Signing Request (CSR) 1. Click on the hyperlink in the e-mail with subject Submission of Certificate Signing Request (CSR) sent from Hongkong Post Certification Authority to access the Hongkong Post CA web site. 2. Type the Server Name, the Reference Number (9-digit) as shown on the cover of the PIN Envelope and the e-cert PIN (16-digit) as shown inside the PIN Envelope, and then click Submit. Page 5

3. Click Submit to confirm the application information. (If the information is incorrect, please contact Hongkong Post Certification Authority.) 4. Open the Certificate Signing Request (CSR) that you previously generated in Part B Step 2 with a text editor (e.g. Notepad) and copy the entire content including the lines "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END NEW CERTIFICATE REQUEST-----". Page 6

5. Paste the content to the text box, and then click Submit. 6. Click Accept to confirm acceptance of the certificate. Page 7

7. Click to download the Hongkong Post e-cert (Server) Note: 1. You can also download your e-cert (Server) from the Search and Download Certificate web page. http://www.hongkongpost.gov.hk/en/sc 2. e-cert (Server) supporting OCSP will be issued by default starting from 1 September 2015. For e-cert (Server) supporting OCSP, Hongkong Post e-cert CA 1-15 should be installed on your server instead of "Hongkong Post e-cert CA 1-10" or "Hongkong Post e-cert CA 1-14". Click following link to download: http://www1.hongkongpost.gov.hk/root/ecert_ca_1-15_pem.crt 3. If SHA-1 e-cert (Server) with 1-year validity period is issued upon your written request, the Hongkong Post e-cert CA 1-10 certificate should be installed on your server instead of Hongkong Post e-cert CA 1-14 or Hongkong Post e-cert CA 1-15. Click following link to download: http://www1.hongkongpost.gov.hk/root/ecert_ca_1-10_pem.crt 4. If SHA-256 e-cert (Server) not supporting OCSP with 1-year validity period is issued upon your written request, the Hongkong Post e-cert CA 1-14 certificate should be installed on your server instead of Hongkong Post e-cert CA 1-10 or Hongkong Post e-cert CA 1-15. Click following link to download: http://www1.hongkongpost.gov.hk/root/ecert_ca_1-14_pem.crt 5. HongKong Post e-cert Root CA 1 can be downloaded from Hong Kong Post web site: http://www1.hongkongpost.gov.hk/root/root_ca_1_pem.crt Page 8

Page 9

D. Installing Server Certificate 1. Copy the private key that you previously generated in Part B Step 1 and the 3 certificate files that you downloaded in Part C Step 7 to the following Apache server directories. (The directory path may vary depending on your system.) For example: a) For installation of SHA-256 e-cert (Server) supporting OCSP /usr/local/apache/conf/ssl.key/myserver.key /usr/local/apache/conf/ssl.crt/cert0000812104.cer /usr/local/apache/conf/ssl.crt/ecert_ca_1-15_pem.crt /usr/local/apache/conf/ssl.crt/root_ca_1_pem.crt b) For installation of SHA-256 e-cert (Server) not supporting OCSP /usr/local/apache/conf/ssl.key/myserver.key /usr/local/apache/conf/ssl.crt/cert0000812104.cer /usr/local/apache/conf/ssl.crt/ecert_ca_1-14_pem.crt /usr/local/apache/conf/ssl.crt/root_ca_1_pem.crt c) For installation of SHA-1 e-cert (Server) /usr/local/apache/conf/ssl.key/myserver.key /usr/local/apache/conf/ssl.crt/cert0000812104.cer /usr/local/apache/conf/ssl.crt/ecert_ca_1-10_pem.crt /usr/local/apache/conf/ssl.crt/root_ca_1_pem.crt 2. Change to the Apache server directory containing the certificate files (e.g. /usr/local/apache/conf/ssl.crt/), and then type the following command at the prompt to create a certificate chain file (hkpostca.crt) containing both the Hongkong Post e-cert CA 1-15 certificate ( Hongkong Post e-cert CA 1-10 certificate or Hongkong Post e-cert CA 1-14 certificate) and the Hongkong Post Root CA 1 certificate. a) For installation of SHA256 e-cert (Server) supporting OCSP cat root_ca_1_pem.crt ecert_ca_1-15_pem.crt > hkpostca.crt b) For installation of SHA256 e-cert (Server) not supporting OCSP cat root_ca_1_pem.crt ecert_ca_1-14_pem.crt > hkpostca.crt c) For installation of SHA1 e-cert (Server) cat root_ca_1_pem.crt ecert_ca_1-10_pem.crt > hkpostca.crt Page 10

3. Open the Apache SSL configuration file (e.g. /usr/local/apache/conf/ssl.conf) with a text editor. 4. Locate your SSL VirtualHost container, and then modify the following directives within the virtual host. Please add them if they are not present. Page 11

<VirtualHost _default_:443> # Private Key SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/myserver.key # Hongkong Post e-cert (Server) SSLCertificateFile /usr/local/apache/conf/ssl.crt/cert0000812084.cer # Hongkong Post Root CA Certificate Chain SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/hkpostca.crt </VirtualHost> 5. Save the changes and exit the editor. 6. Restart your Apache server using the following commands. apachectl stop apachectl startssl Page 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information