How to obtain a CSR and a KEY and install the SSL certificate


HOW TO GET A CSR AND A KEY



To issue an SSL certificate purchased from Conexcol you need a CSR and the private key (KEY) that accompanies it.



1) Make sure that the machine where the key will be generated (it can be a personal PC or the terminal of the cloud server) has OpenSSL installed.

If the machine runs Linux, OpenSSL is already included.



2) To install OpenSSL on a personal PC, the following link explains how:

https://jazzgestion.wordpress.com/facturacion-electronica/paso-1-instalar-openssl/



3) After making sure that OpenSSL is available, run the following command (only this command; using online tools of any kind is NOT recommended, as they put the client's certificate at risk):

openssl req -nodes -newkey rsa:2048 -sha256 -keyout [domain].key -out [domain].csr



3.1 The command then asks interactively for the following information about the party requesting the certificate:

a. Country (in ISO 3166 alpha-2 format),

b. Department,

c. Town,

d. Organization,

e. Organizational Unit (optional),

f. The domain (or Common Name [CN]),

g. Email (which should be the email address of the contact in the customer portal).

h. The last parameters (password and company) should be left empty in most cases.



4) Once the previous steps have been carried out, two files will result:

a. "[domain].key": the private key that is needed to use the final certificate.

b. "[domain].csr": the CSR.



5) Copy the contents of each file from step 4 into external files on the computer, CSR.txt and KEY.txt respectively.



6) Log in to the Client Portal of the client who bought the certificate, go to Services and choose the SSL certificate. Paste the CSR into the CSR text box in the settings of the certificate purchased by the client.



7) Choose an approval email from the list offered, which contains only mailboxes of the domain to be certified. Make sure that this email account exists and that the domain's MX records are correctly configured.



8) Once the mailbox is selected and the process continues, it only remains to wait for the verification message from the entity in charge.



9) After accepting the verification the certificate will be ready for use (it may take a couple of minutes).
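
Added example (not part of the original article): steps 3 and 4 run non-interactively, with the key created owner-only and the resulting CSR checked before it is pasted into the portal. The domain and subject values are constructed placeholders, and make_csr and csr_ok are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Subject values are constructed.

# make_csr DOMAIN OUTDIR SUBJECT
# Same openssl command as step 3, with -subj answering the prompts of step 3.1.
make_csr() {
    domain=$1; outdir=$2; subject=$3
    (
        umask 077   # everything created below is readable by the owner only
        mkdir -p "$outdir" &&
        openssl req -nodes -newkey rsa:2048 -sha256 \
            -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
            -subj "$subject" 2>/dev/null
    ) || return 1
    chmod 600 "$outdir/$domain.key"
}

# csr_ok CSR EXPECTED_CN
# Succeeds only if the CSR's self-signature verifies and its CN is the domain.
csr_ok() {
    # Match the success message rather than relying on the exit status alone.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    subj=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 |
           sed 's/^subject= *//') || return 1
    case ",$subj," in
        *",CN=$2,"*) return 0 ;;
    esac
    return 1
}

# Demo with constructed values (example.com is a placeholder domain).
demo=$(mktemp -d)
make_csr example.com "$demo" \
    "/C=CO/ST=Cundinamarca/L=Bogota/O=Example SAS/CN=example.com/emailAddress=admin@example.com" &&
    csr_ok "$demo/example.com.csr" example.com &&
    echo "CSR verified: $demo/example.com.csr"
rm -rf "$demo"
```

Only the .csr file is sent to the portal; the .key file stays on the machine that generated it until it is placed on the web server.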







CERTIFICATE INSTALLATION



Note: The process may vary depending on the operating system, the web server, or whether there is a control panel. This step-by-step guide assumes that the previous steps have already been completed.



SSL certificate installation
Sometimes a client requests the installation of an SSL certificate, either through engineer time or through the administration service contracted with a server.



Each type of installation assumes that a certificate has already been generated along with its accompanying key, and that port 443 is open (and 80, obviously).



Apache Web Server

mod_rewrite and mod_ssl must be enabled

In a default installation, Apache keeps all of its configuration files in /etc/apache2/, where what are known as VirtualHosts and other utility directives are created. Although it is not mandatory, it is recommended that the file be named [domain].conf; that is, if the domain is "example.com" the file would be example.com.conf (it is created with the nano command, with the content shown below). A typical configuration file would be:



<VirtualHost *:80>
    ServerName [domain]
    # Replace mydomain.com with the domain of the certificate.
    Redirect permanent / https://[mydomain.com]/
</VirtualHost>

<VirtualHost *:443>
    ServerName [domain]
    # Path where the domain's web files are hosted.
    DocumentRoot [absolute path of the files]
    SSLEngine on
    # The [domain] folder is created with mkdir; the cert and key files with nano.
    SSLCertificateFile /etc/apache2/ssl/[domain]/cert
    SSLCertificateKeyFile /etc/apache2/ssl/[domain]/key
</VirtualHost>

<Directory [absolute path of the files]>
    # Indexes allows directory listings when a folder has no index file.
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>





The first block is a redirect that says that if the request to [domain] arrives on port 80 then it will be redirected to HTTPS.

The second block says that whatever arrives on port 443 (HTTPS) for [domain] has its files in a certain place and must use SSL with a certain certificate and key.

The third block enables the use of the .htaccess file (it is not necessary for all cases but it is better to define it and let the customer make the decision to leave it or delete it).



The "ssl" directory inside /etc/apache2 is a Conexcol standard for placing certificates and keys in that path. The Apache instance probably does not have this directory, so it must be created.



Taking into account the second block, the certificate and the domain key must be present in the appropriate directory before creating the configuration file.





Configuration in Debian and derivatives (like Ubuntu)



mod_ssl and mod_rewrite can be enabled with the commands a2enmod ssl and a2enmod rewrite, respectively.



Debian and its derivatives have a directory called "sites-available" inside the Apache root directory where it is preferable to create the configuration file (/etc/apache2/sites-available).



Once the configuration file has been created (following the model above) and mod_ssl and mod_rewrite have been confirmed active, run a2ensite [domain].conf, which creates a symbolic link in the "sites-enabled" directory; this tells Apache to load the file because it is "enabled".



The working directory does not have to be "sites-available" to execute the above statement.



Once the site is enabled, refresh the Apache configuration with systemctl reload apache2 and the site should be online.
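
Added example (not Conexcol's own tooling): a pre-flight check to run before the reload, confirming that the issued certificate belongs to the key generated with the CSR, that the key is not readable by other users, and that the certificate has not expired. The function names are hypothetical; the paths follow the /etc/apache2/ssl/[domain]/ layout described above.

```shell
#!/bin/sh
# Added example, not from the original article; function names are hypothetical.

# cert_matches_key CERT KEY
# Succeeds only if CERT carries the public half of the private key KEY.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# preflight CERT KEY
# Checks the two files that the SSLCertificateFile and
# SSLCertificateKeyFile directives point to.
preflight() {
    cert=$1; key=$2
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "missing certificate or key file" >&2; return 1
    fi
    # Characters 5-10 of the mode string are the group and other permission bits.
    case $(ls -ld "$key" | cut -c5-10) in
        ------) ;;
        *) echo "key readable by group/others; run: chmod 600 $key" >&2; return 1 ;;
    esac
    cert_matches_key "$cert" "$key" ||
        { echo "certificate was not issued for this key" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
}

# safe_reload DOMAIN
# Check the files, test the configuration syntax, and only then reload.
safe_reload() {
    dir=/etc/apache2/ssl/$1
    preflight "$dir/cert" "$dir/key" && apache2ctl configtest &&
        systemctl reload apache2
}

# Usage on the server, as root:  safe_reload example.com
```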

