cacert.org SSL Chained Certificates for Debian Etch

Discussion in 'Suggest HOWTO' started by steve1084, Jun 20, 2007.

  1. steve1084

    steve1084 New Member

    Hi Till and Falko

    I have a Debian etch perfect server with suphp and ispconfig (because of you it works great Many thanks) But I'm finding it a bit tricky learning how to setup and install the cacert.org chained root certificates. ie how to make the request, file locations, etc etc. Information is quite scattered.

    There is one howto http://howtoforge.com/secure_websites_using_openssl_and_apache for Federa system but nothing for debian.

    Site certificates are easy thanks to ispconfig its just getting the chained certificate for the root setup that seems to befuddle many people. Maybe this could be a future feature of ispconfig to install trusted (cacert.org etc) root chained certificates using ispconfig.

    But for the time being is it possible to have a howto for setting up the chained certificates from cacert.org on a debian etch with ispconfig and suphp.

    Many Thanks
    Steve

    Ps I didnt get mpm-itk to work, had many errors. dont have time for further follow up. Maybe this could also be a future howto project as there is almost no useful information out there for beginners to use.
     
  2. falko

    falko Super Moderator

  3. steve1084

    steve1084 New Member

    Hi FalKo

    Thanks for the reply. sorry to be such a noob Im slowly getting there.

    I have several more questions. There seems to be no reference to ssl in my apache2.conf file. ssl for individual sites is handled by the Vhosts_ispconfig.conf file.

    I take it root server certificates were not created during my install of debian etch or ispconfig, is this correct and if not where will I find the server.crt file. there is no server.crt file in the /etc/ssl/certs folder

    Certificates were only created for postfix and then for ispconfig itself, is this correct.

    In order to create the certificate request server.crt etc is it enough to use [ openssl req -new -nodes -keyout myserver.key -out server.csr ] as per https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=3&nav=0,1 using this then to creat certificate request for cacert.org

    and then make reference in my apache2.conf to the created files etc as per https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=264 is this correct, will this over-ride the individual site certificates

    Many thanks:)
    Steve
     
  4. falko

    falko Super Moderator

    Yes.

    You can use ISPConfig to create the CSR: http://www.howtoforge.com/faq/14_49_en.html
     
  5. steve1084

    steve1084 New Member

    do I use the same chained certificate for the root as I do for the site?


    Hi Falko

    Forgive me I'm a little confused but this link http://www.howtoforge.com/faq/14_49_en.html is only for the site certificates and not suitable for producing the chained root certificate request server1.myserver.com which is not setup as a website in ispconfig but is what I thought I needed a certificate for.

    or do I use the same chained certificate for the root as I do for the site?:confused:

    Thanks
    Steve
     
  6. falko

    falko Super Moderator

    No, but I read from your previous post that you want to generate the CSR for the site on the shell, too. This can be done by ISPConfig instead.
     
  7. steve1084

    steve1084 New Member

    Hi Falko

    The one site that I found that has a howto on cacert.org chained root certificate's is in a combination of english and german I think? http://syscp.org/wiki/contrib/Installation/de/debian/etch

    Unfortunately I don't understand german

    Maybe this could make the basis for a proper easy to follow falko howto as you guys seem to know the best way to write a howto thats understandable by everyone, beginner and expert.

    I can get a standard ssl for site with cacert.org easy but cant get the chain to work properly yet, still trying.

    Anyway thanks:)
    Steve
     
  8. falko

    falko Super Moderator

    I have it on my To-Do list already. :)
     

Share This Page