
Building A Classroom Teacher's Site with Joomla Part 3a - installing SSL with Ubuntu 9.10 and Apache 2

OK we've covered the "why" of using encryption to protect our teacher's website.  Now let's get to the "how" of doing so.

As stated before we are running in the latest Ubuntu Linux server and the latest Apache webserver software.  We have already installed openssl for encryption.  Now, I have purchased a multi-domain certificate package from GoDaddy, because it is cheaper per cert that way.  So first I must generate a certificate for my own, primary domain, cst.net - because all the certs will have this primary domain in their site seal and so forth.  Then once I generate that one, I can generate additional certificates under my package purchase.

What exactly IS an SSL certificate?  It is a means of proving, in a way that cannot practically be forged, a website's identity and owner, by presenting a digital certificate signed by a trusted third party (a "Certificate Authority" - in this case GoDaddy), along with the website's public encryption key.  In this manner the web browser knows that it can trust the site enough to use the public key to generate a key of its own to exchange with the website, so that two-way encrypted communication can begin.  I will, again, cover this in depth in another article, but that is enough to understand for our work here.

OK so let's roll up our sleeves and get to work.  This is best done on the UNIX (Linux, whatever) command line so here is a capture of what I did to generate the certificate request:

~~~~~~~~~~~~~~~~~~~~~~ BEGIN ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

chris@cloud1:~/Desktop/SSL$ /usr/bin/openssl genrsa -des3 -out *.cst.net.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................+++
...............................................+++
e is 65537 (0x10001)
Enter pass phrase for *.cst.net.key:
Verifying - Enter pass phrase for *.cst.net.key:
chris@cloud1:~/Desktop/SSL$ ls
*.cst.net.key
chris@cloud1:~/Desktop/SSL$ ls -al
total 12
drwxr-xr-x 2 chris chris 4096 2010-01-28 11:58 .
drwxr-xr-x 4 chris chris 4096 2010-01-28 11:58 ..
-rw-r--r-- 1 chris chris 1743 2010-01-28 11:59 *.cst.net.key
chris@cloud1:~/Desktop/SSL$ /usr/bin/openssl req -new -key *.cst.net.key -out *.cst.net.csr
Enter pass phrase for *.cst.net.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Houston
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cyberstation, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.cst.net
Email Address []:<e-mail address withheld>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:XXXXXXX
An optional company name []:Cyberstation
~~~~~~~~~~~~~~~~~~~~   END   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OK so the pass phrase needs to be something you can easily remember - in my case it involved some naughty things I'd like to do with a certain famously beautiful woman - but it doesn't matter, as you are the only one who knows or will ever see it, and you definitely should write it down, no matter how memorable you try to make it.   It needs to be relatively long.  Note that because the key was generated with -des3 it is stored encrypted, so Apache will ask for this pass phrase every time it starts (you can remove the encryption later with openssl rsa if unattended restarts matter to you).  The challenge password is a shorter, word-like secret, but it should still be strong: a random mix of letters and digits, not a dictionary word.

Now we will take the .csr (certificate signing request) generated, and input it into GoDaddy's certificate system, and we get the following:

[Screenshot: GoDaddy confirmation that the certificate will be issued shortly]

Next, I receive an email, as the WHOIS-listed administrator of the domain, asking that I verify or deny the validity of the certificate request.  This is all about validating me and my domain as being really me, so that the CA can give assurance to website visitors that this is really the domain they think it is, and not some fakery.  You can imagine the havoc that would ensue if someone were able to get a certificate signed as bankofamerica.com or some such, and put it on some fake site!!

OK I am all validated and confirmed as this being the real www.cst.net, and me being the true owner.  I have received a site seal to let visitors know they are secure, and a certificate for my server to present, showing its credentials as "the real deal."

Now it appears that all I need to do to create another certificate for www.lisabyrdsclass.com is to request an alternate, or alias, name for my certificate.  I am the registered administrator for both names, and the other certs are basically like "child" certificates, springing from my authority as the primary domain holder.  Let's see what happens when I request the cert for her site --- OK, I've received another validation request, I OK'd that, and let's see if it can really be that easy to generate additional certificates in my purchased package.  Well, I have my doubts, but it appears that it has given me an alternate name for the same certificate.  This is my first go-round with these multi-domain certs so I'm not familiar with how they work yet.

All right, now comes the point to install and activate this SSL certificate.

First we will make sure that the SSL mod is installed and activated in our apache webserver:

root@cloud1:/home/chris# a2enmod ssl
root@cloud1:/home/chris# /etc/init.d/apache2 restart

Now we will copy the default SSL vhost to a new enabled host for Lisa's domain, and edit it manually to conform to her document root, IP number, key locations, and etc.:

# cd /etc/apache2

# cp ./sites-available/default-ssl ./sites-enabled/www.lisabyrdsclass.com-ssl
# cd sites-enabled/
# pico www.lisabyrdsclass.com-ssl 
# /etc/init.d/apache2 restart

This edit with the pico editor gives the following Virtual Host file for Lisa's secure, SSL encrypted site, which is a properly working file, so feel free to use it to template or check your own Vhost SSL file.  One caution: the <Directory /> block below grants Options All and AllowOverride All to the entire filesystem, which is far more permissive than a public site needs; tighten it to the document root and the options you actually use before going live.

~~~~~~~~~~ START OF VHOST FILE ~~

<IfModule mod_ssl.c>
<VirtualHost 205.167.0.101:443>
ServerAdmin "<admin e-mail address withheld>"
ServerName www.lisabyrdsclass.com:443
DocumentRoot /home/lisab/public_html/lisabyrdsclass.com
<Directory />
Options All
AllowOverride All
</Directory>
<Directory "/home/lisab/public_html/lisabyrdsclass.com">
Options All
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride All
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/ssl_access.log combined

SSLEngine on

SSLCertificateFile /etc/apache2/sslcerts/cst.net/cst.net.crt
SSLCertificateKeyFile /etc/apache2/sslcerts/cst.net/www.cst.net.key
SSLCertificateChainFile /etc/apache2/sslcerts/cst.net/gd_bundle.crt


<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

</VirtualHost>
</IfModule>

~~~~~~~~~~ END OF VHOST FILE ~~

OK!  Well SSL *is* working on Lisa's site - just one problem - I'm getting a warning in my browser saying that the site's name does not match the certificate !!  This is obviously a problem with the GoDaddy multi-domain certificate and my inexperience with it.  I will call their support and ask what the problem is, and come back here to finish this SSL part of the project.

OK - UPDATE - here is the issue, as explained to me by GoDaddy's SSL team.  These multi-domain certificates are not actually separate certs for each domain, but rather one cert that covers the number of domains you purchased.  BUT - and this is not well documented at all - EVEN THOUGH they send you the same certificate over again with the same name, whenever you add a new domain to the certificate, you MUST use the most recently issued certificate, even if it's most recent by only a matter of minutes and even though it has the same exact name, file size, etc., etc. - every time you add a domain they reissue the cert with that domain added to its list of covered names (the Subject Alternative Names inside the cert), so the older copy simply does not know about the new site.
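To make the rule behind that browser warning concrete, here is an added example (not from the original article) that checks whether a certificate's list of covered names matches the ServerName of the vhost shown above, treating a wildcard like *.cst.net the way browsers do: it covers www.cst.net but neither cst.net itself nor www.lisabyrdsclass.com. The two name lists are constructed assumptions about what the cert carried before and after Lisa's domain was added; the real list can be read from the .crt file with `openssl x509 -in cst.net.crt -noout -text`.

```python
import re

# Constructed samples (assumption: the article never prints the certificate's
# name list). A multi-domain cert is one certificate whose Subject Alternative
# Name list grows each time a domain is added and the cert is reissued.
CERT_NAMES_BEFORE = ["*.cst.net", "cst.net"]
CERT_NAMES_AFTER = ["*.cst.net", "cst.net",
                    "www.lisabyrdsclass.com", "lisabyrdsclass.com"]

# The relevant lines of the vhost file from the article.
VHOST = """
<VirtualHost 205.167.0.101:443>
ServerName www.lisabyrdsclass.com:443
SSLCertificateFile /etc/apache2/sslcerts/cst.net/cst.net.crt
</VirtualHost>
"""

def server_name(vhost_text):
    """Return the vhost's ServerName, lower-cased and without the :port suffix."""
    m = re.search(r"^\s*ServerName\s+(\S+)", vhost_text, re.MULTILINE)
    if not m:
        raise ValueError("no ServerName directive in vhost")
    return m.group(1).split(":")[0].rstrip(".").lower()

def name_matches(cert_name, host):
    """Browser-style match (RFC 6125): a leading '*' stands for exactly one
    label, so *.cst.net covers www.cst.net but not cst.net or a.b.cst.net."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # ".cst.net"
        label = host[:-len(suffix)] if host.endswith(suffix) else ""
        return label != "" and "." not in label
    return cert_name == host

def cert_covers(cert_names, host):
    """True if any CN/SAN entry of the certificate covers the host."""
    return any(name_matches(n, host) for n in cert_names)

def check_vhost(vhost_text, cert_names):
    """Return (server_name, ok); ok is False exactly when a browser would warn
    that the site's name does not match the certificate."""
    host = server_name(vhost_text)
    return host, cert_covers(cert_names, host)

if __name__ == "__main__":
    for label, names in (("old cert", CERT_NAMES_BEFORE),
                         ("reissued cert", CERT_NAMES_AFTER)):
        host, ok = check_vhost(VHOST, names)
        print(f"{label}: {host} -> {'OK' if ok else 'NAME MISMATCH'}")
```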

So just grab the very most recent certificate in your GoDaddy account, and load that into your server as outlined above, and any new domains you've added to the certificate will then work without giving web visitors a warning about the site's name not matching the certificate.  As you can see, we've now successfully added encryption to our classroom website and it's transparent to the user -

Lisa Byrd's Secure Classroom Website

I hope this helps some other GoDaddy SSL purchasers with these new types of SSL multi-domain certificates.  They are just slightly different from the older, one-cert-per-domain style and take just a little adjustment.  Next we will force a redirect from traffic coming to the site on port 80 to port 443 and disallow any unencrypted traffic to the site.

 

Last updated (Thursday, 28 January 2010 17:49)
