AllAboutCerts (09 May 2008, MattWalsh)

Purchasing

  • Certs from Godaddy are only ~$19
  • But the $19 cert ONLY covers www.boxaroo.com and boxaroo.com. You cannot add other hostnames (img., app., etc.) to it.
  • You can either get a wildcard cert for $200 a year that does ALL domains (*.boxaroo.com)
  • Or just get additional certs for each subdomain you need for $19. This is what we've done. We have one cert for www / (blank) and one for img.

Viewing (Awesome help from here)

  • Also terrific help here
  • Examine a key: openssl rsa -noout -text -in my.key
  • Examine a CSR: openssl req -noout -text -in my.csr
  • Examine a certificate: openssl x509 -noout -text -in my.crt

Making a self-signed cert (only useful for our eng server)

Requesting

  • You must initiate the request on your end.
  • First do: openssl genrsa -des3 -out boxaroo_main.key 1024
    • You must give it a passphrase
  • Then: openssl req -new -key boxaroo_main.key -out boxaroo_main.csr
    • use same passphrase
    • US for country
    • IL for state
    • McLean for locality
    • Boxaroo.com for Organization Name
    • skip Organizational unit
    • Common Name is important. For the www / (blank) domain, use boxaroo.com. For the img domain, use img.boxaroo.com
    • skip rest of the parameters
  • put the .key to the server it goes with in /etc/httpd/conf/ssl.key.
  • So that Apache doesn't prompt for a password each time it starts (the passphrase you gave when making the key and CSR), do:
    • openssl rsa -in img_boxaroo.key_encrypted_original -out img_boxaroo.key (then enter your passphrase)
    • copy the now-unencrypted key (img_boxaroo.key in this example) to the servers. But this key must be kept safe! It is the key to the castle.
  • put the .csr to the server it goes with in /etc/httpd/conf/ssl.csr. Not actually sure this is required, but...
  • paste the .csr file into the Godaddy request window
  • Email will come to address(es) in whois for the domain you had in the common name
  • Take the actual cert file from the godaddy website and put it in a file called boxaroo.crt (or, say, img_boxaroo.crt). Save this to /etc/httpd/conf/ssl.crt/
  • Copy Godaddy's intermediate bundle to the /etc/httpd/conf/ssl.crt (easy way: pdsh -w img1,img "wget https://certificates.godaddy.com/repository/gd_intermediate_bundle.crt -O /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt")
  • Edit /etc/httpd/conf.d/ssl.conf. Note - there is simply one intermediate bundle, not a different one for each cert.
    • set SSLCertificateFile to your cert from Godaddy
    • set SSLCertificateKeyFile to your key you made
    • set SSLCertificateChainFile to the intermediate bundle from Godaddy
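The following script is an added example, not part of the original wiki page. It runs the key, CSR and strip-the-passphrase steps above non-interactively in a scratch directory, stands in a self-signed cert for the one GoDaddy would return (the same command you would use for the eng server), and then applies the "Viewing" commands as a check: key, CSR and cert must share one RSA modulus, and the decrypted key must be readable only by its owner. The hostname, subject values, passphrase and file names are constructed for the example; it uses 2048-bit RSA rather than the 1024 bits in the text, because public CAs no longer sign 1024-bit keys.

```shell
#!/bin/sh
# Added example (not from the wiki page): key -> CSR -> passphrase-free key -> cert,
# then a consistency check before anything is copied under /etc/httpd/conf/.
set -eu

WORK="${WORK:-$(mktemp -d)}"            # scratch directory, never the live ssl.key dir
NAME="img_boxaroo"                      # basename used on the page for the img. subdomain
CN="img.boxaroo.com"                    # Common Name: must match the host clients connect to
PASS="pass:example-passphrase"          # constructed; in real use let openssl prompt instead

# Step 1: encrypted private key (the genrsa -des3 step). -passout replaces the prompt.
make_key() {
    openssl genrsa -des3 -passout "$PASS" -out "$WORK/$NAME.key_encrypted_original" 2048 2>/dev/null
}

# Step 2: CSR with the subject values from the page; -subj replaces the interactive questions.
make_csr() {
    openssl req -new -key "$WORK/$NAME.key_encrypted_original" -passin "$PASS" \
        -subj "/C=US/ST=IL/L=McLean/O=Boxaroo.com/CN=$CN" \
        -out "$WORK/$NAME.csr" 2>/dev/null
}

# Step 3: strip the passphrase so Apache can start unattended. The result is "the key to the
# castle": umask 077 makes it mode 0600 from the moment it is written.
strip_passphrase() {
    umask 077
    openssl rsa -in "$WORK/$NAME.key_encrypted_original" -passin "$PASS" \
        -out "$WORK/$NAME.key" 2>/dev/null
}

# Step 4 (stand-in for the cert GoDaddy returns): self-sign the CSR, as for the eng server.
make_selfsigned_cert() {
    openssl x509 -req -in "$WORK/$NAME.csr" -signkey "$WORK/$NAME.key" -days 365 \
        -out "$WORK/$NAME.crt" 2>/dev/null
}

# The "Viewing" commands, reduced to the RSA modulus and hashed so the three can be compared.
modulus_of() {
    case "$2" in
        key) openssl rsa  -noout -modulus -in "$1" ;;
        csr) openssl req  -noout -modulus -in "$1" ;;
        crt) openssl x509 -noout -modulus -in "$1" ;;
    esac | openssl sha256
}

# Returns 0 only if key, CSR and cert belong together. A cert installed against the wrong key is
# the usual reason Apache refuses to start after editing ssl.conf.
files_match() {
    k=$(modulus_of "$WORK/$NAME.key" key)
    r=$(modulus_of "$WORK/$NAME.csr" csr)
    c=$(modulus_of "$WORK/$NAME.crt" crt)
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Prints the CN in the CSR so it can be compared with the hostname clients will use.
csr_cn() {
    openssl req -noout -subject -in "$WORK/$NAME.csr" | sed 's/.*CN *= *//'
}

# Returns 0 if the decrypted key is readable only by its owner (Linux stat, BSD stat fallback).
key_is_private() {
    mode=$(stat -c %a "$WORK/$NAME.key" 2>/dev/null || stat -f %Lp "$WORK/$NAME.key")
    [ "$mode" = "600" ]
}

run_all() {
    make_key && make_csr && strip_passphrase && make_selfsigned_cert && files_match && key_is_private
}

# ssl.conf directives from the text, for the files produced above (inside the SSL <VirtualHost>):
#   SSLCertificateFile      /etc/httpd/conf/ssl.crt/img_boxaroo.crt
#   SSLCertificateKeyFile   /etc/httpd/conf/ssl.key/img_boxaroo.key
#   SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt

if [ "${1:-}" = "run" ]; then
    run_all && echo "key, CSR and cert are consistent; CN=$(csr_cn); files in $WORK"
fi
```

Run it as `sh allaboutcerts.sh run`. The three `modulus_of` calls are the practical use of the "Examine a key / CSR / certificate" commands above: whenever a cert from the CA is dropped into ssl.crt, compare its modulus with the key in ssl.key before restarting Apache, and compare the CSR's CN with the hostname in the browser's address bar, since that is what the $19 cert is bound to.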

-- MattWalsh - 29 Nov 2007

Topic revision: r4 - 09 May 2008 - 21:06:08 - MattWalsh