Requesting Certificates: Generating a Key Pair and CSR for Apache+modssl
In order to allow your mod_ssl-secured Apache server to work with our certificates we recommend that you use the latest versions of Apache, mod_ssl and OpenSSL. The distribution tarballs can be found at the following locations:
Detailed installation instructions can be found in the INSTALL files in all three packages.
The utility (openssl) that you use to generate the RSA Private Key (key) and the Certificate Signing Request (CSR) comes with Openssl and is usually installed under the directory SSL_BASE/bin (where SSL_BASE is the path you specified for building Apache+mod_ssl either with the --with-openssl option or the SSL_BASE variable).
Key and CSR Generation Steps
- You need to know the Fully Qualified Domain Name (FQDN) of your machine. If you don't know what this is, it is most likely your machine's hostname in NetReg.
Note: Examples of FQDNs are www.cmu.edu, webmaster.andrew.cmu.edu, netreg.net.cmu.edu, etc.
- Run the following command to generate a random source:
dd if=/dev/random of=/tmp/random.data bs=1024k count=1
This will generate 1 MB of random data in /tmp/random.data to seed the random number generator.
- Generate the key with the following command:
openssl genrsa -des3 -rand /tmp/random.data -out FQDN.key 1024
This command will generate a 1024 bit RSA Private Key and store it in the file FQDN.key, e.g. www.cmu.edu.key. It will ask you for a pass phrase. Use something secure and remember it. Your certificate will be useless without the key.
Note: If you don't want to protect your key with a pass phrase you can omit the -des3 option above. This is particularly important if you want your machine to perform scheduled, unattended boots. You should only do this if you absolutely trust that server machine, and if you make sure the permissions are carefully set so only you can read that key.
- Be sure to BACKUP your FQDN.key file and make a note of the pass phrase. A good choice is to backup this information onto removable media.
- Generate the CSR with the following command:
openssl req -new -key FQDN.key -out FQDN.csr
This command will prompt you for the X.509 attributes of your certificate.
Important! You must use the guidelines below or your CSR will be rejected:
# CMU CA X.509 attributes to use for your CSR
CN = <FQDN> # example: netreg.net.cmu.edu
OU = <Department name>
O = Carnegie Mellon University
L = Pittsburgh
S = Pennsylvania
C = US
- You will be prompted to enter an e-mail address during the generation of your CSR. The CA will reject your certificate request if it contains this attribute. Press Enter to pass on this prompt. Since you are requesting a certificate for a web server, the Common Name must match your FQDN (a browser requirement).
- You will now have an RSA Private Key in FQDN.key and a Certificate Signing Request in FQDN.csr. The former is your secret key, and must be installed as per the instructions that come with mod_ssl (** link to doc here **). The file FQDN.csr (e.g. www.virtualhost.com.csr) is your CSR, and the important bit looks something like this:
-----BEGIN CERTIFICATE REQUEST-----
MIIBPTCB6AIBADCBhDELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2Fw
ZTESMBAGA1UEBxMJQ2FwZSBUb3duMRQwEgYDVQQKEwtPcHBvcnR1bml0aTEYMBYG
A1UECxMPT25saW5lIFNlcnZpY2VzMRowGAYDVQQDExF3d3cuZm9yd2FyZC5jby56
YTBaMA0GCSqGSIb3DQEBAQUAA0kAMEYCQQDT5oxxeBWu5WLHD/G4BJ+PobiC9d7S
6pDvAjuyC+dPAnL0d91tXdm2j190D1kgDoSp5ZyGSgwJh2V7diuuPlHDAgEDoAAw
DQYJKoZIhvcNAQEEBQADQQBf8ZHIu4H8ik2vZQngXh8v+iGnAXD1AvUjuDPCWzFu
pReiq7UR8Z0wiJBeaqiuvTDnTFMz6oCq6htdH7/tvKhh
-----END CERTIFICATE REQUEST-----
Note: The CA uses this CSR to create your certificate; the subject DN and public key it carries are what end up in the certificate.
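Before you mail the CSR, it is worth confirming that the subject DN actually follows the guidelines above and that the key is the size you intended, rather than finding out from a rejection. The following is an added example, not part of the original page or of the mod_ssl/OpenSSL distribution: a small pure-Python DER walk that pulls the subject DN and RSA modulus size out of a PEM CSR and checks them against the CMU CA rules (CN equals the FQDN, fixed O/L/S/C values, OU present, no emailAddress). The sample input is the CSR printed above (a request for www.forward.co.za), so the checker reports its mismatches; the attribute short names and the minimum key size are taken from this page.

```python
import base64
import re

# Constructed sample input: the example CSR printed on this page (a request
# for www.forward.co.za), used here only as parser input.
SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIBPTCB6AIBADCBhDELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2Fw
ZTESMBAGA1UEBxMJQ2FwZSBUb3duMRQwEgYDVQQKEwtPcHBvcnR1bml0aTEYMBYG
A1UECxMPT25saW5lIFNlcnZpY2VzMRowGAYDVQQDExF3d3cuZm9yd2FyZC5jby56
YTBaMA0GCSqGSIb3DQEBAQUAA0kAMEYCQQDT5oxxeBWu5WLHD/G4BJ+PobiC9d7S
6pDvAjuyC+dPAnL0d91tXdm2j190D1kgDoSp5ZyGSgwJh2V7diuuPlHDAgEDoAAw
DQYJKoZIhvcNAQEEBQADQQBf8ZHIu4H8ik2vZQngXh8v+iGnAXD1AvUjuDPCWzFu
pReiq7UR8Z0wiJBeaqiuvTDnTFMz6oCq6htdH7/tvKhh
-----END CERTIFICATE REQUEST-----
"""

# Attribute type OIDs mapped to the short names this page uses ("S" = stateOrProvinceName).
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "S",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
}

# Fixed values the CMU CA requires; CN and OU are checked separately.
REQUIRED_DN = {"O": "Carnegie Mellon University", "L": "Pittsburgh",
               "S": "Pennsylvania", "C": "US"}
MIN_RSA_BITS = 1024  # what the page's genrsa command produces; 2048 or more is current practice


def read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(contents):
    """Split the contents of a constructed element into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = read_tlv(contents, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER's contents."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_csr(pem):
    """Return (subject DN as a dict, RSA modulus size in bits) for a PEM PKCS#10 request."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, request, _ = read_tlv(der, 0)                      # CertificationRequest
    info = children(request)[0][1]                        # CertificationRequestInfo
    _version, (_, subject), (_, spki) = children(info)[:3]
    dn = {}
    for _, rdn in children(subject):                      # SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            oid_str = decode_oid(oid)
            dn[OID_NAMES.get(oid_str, oid_str)] = value.decode("utf-8")
    # SubjectPublicKeyInfo = SEQUENCE { algorithm, BIT STRING holding RSAPublicKey }
    bitstring = children(spki)[1][1]
    rsa_public_key = children(bitstring[1:])[0][1]        # skip the unused-bits byte
    modulus = children(rsa_public_key)[0][1]
    return dn, int.from_bytes(modulus, "big").bit_length()


def check_dn(dn, fqdn):
    """Return the list of guideline violations for a subject DN (empty = acceptable)."""
    problems = []
    if dn.get("CN") != fqdn:
        problems.append(f"CN must be the server FQDN {fqdn!r}, got {dn.get('CN')!r}")
    if not dn.get("OU"):
        problems.append("OU (department name) is missing")
    for attr, want in REQUIRED_DN.items():
        if dn.get(attr) != want:
            problems.append(f"{attr} must be {want!r}, got {dn.get(attr)!r}")
    if "emailAddress" in dn:
        problems.append("emailAddress is present; the CA rejects requests carrying it")
    return problems


def review_csr(pem, fqdn):
    """Full pre-submission check: DN problems plus a key-size problem, if any."""
    dn, bits = parse_csr(pem)
    problems = check_dn(dn, fqdn)
    if bits < MIN_RSA_BITS:
        problems.append(f"RSA key is {bits} bits; at least {MIN_RSA_BITS} required")
    return problems


if __name__ == "__main__":
    subject, key_bits = parse_csr(SAMPLE_CSR)
    print("subject:", subject, "key bits:", key_bits)
    for problem in review_csr(SAMPLE_CSR, "www.forward.co.za"):
        print(" -", problem)
```

Run it against your own FQDN.csr by reading the file into `review_csr(pem, "your.fqdn")`; an empty list means the DN matches the guidelines and the key meets the page's minimum. The parser only understands the fields it needs (subject and RSA public key) and assumes PrintableString or UTF-8 attribute values, which is what `openssl req` produces for these attributes.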
Submit Your CSR
- Compose an e-mail message to certificate-authority@andrew.cmu.edu. This message must contain:
- Your name and affiliation with the university
- The purpose of your web service
- Your X.509 DN values
- Your CSR
- If you are a student, the name and Andrew user ID of the sponsoring faculty member
- Copy and paste the CSR into your mail to certificate-authority@andrew.cmu.edu.
Certificate Installation with Andrew Apache
The process outlined on this page will configure the certificates to properly chain from your Andrew Apache web server.
Note: Additional steps are necessary to configure SSL. Steps listed below are only relevant to chaining the certificates on the server.
- Place the server, intermediate, and intermediate-signed certs in a directory on your web server.
Note: Our web servers use /usr/www/conf/ssl.crt. This document will adopt that convention in the examples that follow.
- Reference this directory using the SSLCACertificatePath directive in httpd.conf.
Example:
SSLCACertificatePath /usr/www/conf/ssl.crt/
This directory is used to locate the certificates and to verify the client certificate during client authentication. However, mod_ssl looks the files up by hash file names, not by their original names (see the hash symlink step below).
- Add the SSLCertificateFile directive to httpd.conf:
Example:
SSLCertificateFile /usr/www/conf/ssl.crt/www.cmu.edu-eberhard.crt
This directive points to the certificate file for the server and, optionally, to the corresponding RSA or DSA private key file for it (contained in the same file).
Important! If the private key is encrypted, the pass phrase dialog (-> SSLPassPhraseDialog) is forced at start-up time.
- Set up the hash symlinks. For each of the 3 certificates you need to have openssl dump the certificate hash and create a symlink to it. Generate the hash with the following command:
Example:
openssl x509 -noout -hash -in /usr/www/conf/ssl.crt/$file
(where $file is the file name of the certificate being processed)
Each time you run openssl on a certificate it prints that certificate's hash value, which will look something like "76dbcc14".
For each certificate, configure openssl to dump the hash and then create a symlink to it as follows:
Example:
ln -s /usr/www/conf/ssl.crt/cgi.andrew.cmu.edu-02-mime.crt 4f1c7cdc.0
(Note the trailing ".0"! ln -s creates the link in the current directory, so run it from inside /usr/www/conf/ssl.crt so the link ends up next to the certificates.)
When you have completed all 3 certificates the directory is ready to be used as the SSLCACertificatePath directory. Apache has the correct directives to chain them. Double-check your work: each hash link should resolve to a certificate file. You should then be able to restart the web server.
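The hash-and-symlink step above is easy to get wrong by hand (a forgotten ".0", a link created in the wrong directory, two certificates that share a hash). The following added example, which is not part of the page or of the Apache/mod_ssl tooling, automates it: it runs the page's `openssl x509 -noout -hash` command on every .crt file in the directory, creates relative `<hash>.N` symlinks, chooses the next free suffix when two certificates hash to the same value, and reports any dangling links. The `hash_fn` parameter is an assumption of this example that lets the link logic be exercised without openssl present.

```python
import os
import re
import subprocess
import sys

HASH_RE = re.compile(r"^[0-9a-f]{8}$")


def openssl_hash(cert_path):
    """Run the page's command and return the certificate's 8-hex-digit subject hash."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-hash", "-in", cert_path],
        check=True, capture_output=True, text=True,
    )
    digest = result.stdout.strip()
    if not HASH_RE.match(digest):
        raise ValueError(f"unexpected hash output for {cert_path}: {digest!r}")
    return digest


def rehash(cert_dir, hash_fn=openssl_hash):
    """Create <hash>.N symlinks for every *.crt file in cert_dir.

    Returns {link name: certificate file name}. Links are relative so the
    directory can be moved as a unit; a link that already points at the right
    certificate is kept, and two certificates sharing a hash get .0 and .1.
    hash_fn is injectable (assumption of this example) for testing without openssl."""
    links = {}
    for cert in sorted(os.listdir(cert_dir)):
        if not cert.endswith(".crt"):
            continue
        digest = hash_fn(os.path.join(cert_dir, cert))
        suffix = 0
        while True:
            link = f"{digest}.{suffix}"
            link_path = os.path.join(cert_dir, link)
            if os.path.islink(link_path) and os.readlink(link_path) == cert:
                links[link] = cert           # already correct from an earlier run
                break
            if not os.path.lexists(link_path):
                os.symlink(cert, link_path)  # mirrors the page's ln -s step
                links[link] = cert
                break
            suffix += 1                      # name taken by another cert: try .1, .2, ...
    return links


def verify_links(cert_dir):
    """Return the sorted list of dangling <hash>.N links (empty means the directory is ready)."""
    dangling = []
    for name in os.listdir(cert_dir):
        path = os.path.join(cert_dir, name)
        if re.match(r"^[0-9a-f]{8}\.\d+$", name) and not os.path.exists(path):
            dangling.append(name)
    return sorted(dangling)


if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else "/usr/www/conf/ssl.crt"
    for link, target in rehash(directory).items():
        print(f"{link} -> {target}")
    print("dangling links:", verify_links(directory) or "none")
```

Run it as `python rehash.py /usr/www/conf/ssl.crt` and then restart Apache. One caveat: the hash printed by `openssl x509 -hash` depends on the OpenSSL version (the eight-digit values on this page come from the OpenSSL of the time; OpenSSL 1.0.0 and later use a different subject-hash algorithm and expose the old one as `-subject_hash_old`), so run the script with the same OpenSSL that mod_ssl was built against.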
Requesting Other Certificates
This section will outline the steps involved in requesting a certificate. It contains the following main sections:
- Certificate credentials (X.509 DN)
- Making a certificate-signing request (CSR)
- Installing Your Certificate
Certificate Credentials (X.509 DN)
The digital certificate issued by the CMU CA will contain two sets of information:
- Distinguished name credentials. Known collectively as your distinguished name (DN), the digital certificate carries a set of X.509 values describing your hostname, organization, organizational unit, etc. These values can be viewed by looking at a digital certificate in your browser, illustrated in the screenshot below.
- Public key. This is used to validate these credentials and to couple with your private key to secure your network traffic. Check the "Further Reading" section of the main CMU CA page for more information.
Making a certificate-signing request (CSR)
The CMU Certificate Authority (CA) obtains and verifies this information from a Certificate Signing Request (CSR) that you fill out using the guidelines below.
Your web server software will contain the necessary code to generate the key pair and the CSR; you just need to specify which Distinguished Name attributes you want in the certificate.
Step One: Prepare X.509 DN Credentials
- You must use the following values as they are presented below:
- CN: [your server's fully-qualified domain name]
examples: www.cmu.edu, netreg.net.cmu.edu
- O: Carnegie Mellon University
- OU: [your division or department]
examples: Biological Sciences, Computing Services
- L: Pittsburgh
- S: Pennsylvania
- C: US
Note: You will be prompted to enter an email address during the generation of your CSR. The CA will reject your certificate request if it contains this attribute. Hit enter or return to pass on this prompt.
Step Two: Generate the Certificate-Signing Request
- Using the X.509 DN, create the signing request using your web server software. We have detailed documentation for Andrew Apache + mod_ssl (see the Andrew Apache + mod_ssl section), the web server supported by Computing Services. Links for other popular web servers are provided below - simply apply our X.509 DN guidelines in lieu of what these documents advise.
Step Three: Send CSR to the Certificate Authority
- Compose an e-mail message to certificate-authority@andrew.cmu.edu. This message must contain:
- Your name and affiliation with the university.
- The purpose of your web service.
- Your X.509 DN values.
- Your CSR
Installing Your Certificate
Once you have submitted your CSR, the CMU CA replies with the following three certificates:
- The certificate for your web server
- The intermediate certificate (web 1), which the CA used to sign your certificate
- The server certificate, which the CA used to sign the intermediate certificate (also available)
This is known as a "certificate chain", and it must be replicated on your web server to reliably communicate the trustworthiness of your web service. In other words, you will need to have the second certificate presented to the client browser to permit the certificate chain to be completed by the client.
Accomplishing this on your web server is usually a straightforward process. This document provides full documentation of certificate installation on the supported Andrew Apache and top-notch third-party documentation for all other major web servers (see the Certificate Installation with Andrew Apache section).
If you are not using Andrew Apache, simply follow the 3rd-party documentation with the understanding that you will want to install the intermediate CA certificate as well.
For example, if you are using IIS 4/5, make sure you have installed both the server certificate and the intermediate certificate you received in email into your browser cache (simply double-click and run with the defaults). If you have questions, e-mail the CMU CA at certificate-authority@andrew.cmu.edu.
Intermediate Signing Certificates
Computing Services has issued signing certificates to departmental administrators in the PSC.EDU, CS.CMU.EDU, and ECE.CMU.EDU domains. These "signing certificates" are signed by the CMU server certificate so that selected administrators can sign certificates for servers inside their domain.
If you have a server inside PSC.EDU, CS.CMU.EDU, or ECE.CMU.EDU and would like a certificate for your server, you are invited to use the contact information below:
ECE: Lou Anschuetz <lou@ece.cmu.edu>
SCS: SCS Help Desk <gripe@cs.cmu.edu>
PSC: Kevin Sullivan <ksulliva@psc.edu>
Your representative will have directions for requesting a certificate for your domain. Once it is issued, you may want to use the documentation found on this site to install the certificate on your server.
Need Help?
Computing Services provides full support for generating certificate requests with Andrew Apache. If you experience problems, please e-mail certificate-authority@andrew.cmu.edu for assistance.
Note: Portions of this document were adapted from VeriSign documentation.
Last Updated: 5/22/07