Installation of Apache server crt tool



Renew the certificate and make payment:

BEFORE THE CERTIFICATE EXPIRES, log on to https://www.thawte.com/process/retail/renew_ssl using the order number and password sent in a message to the SGU contact person (for 2006-07, it's flparkhill).   <notes on renewal>

Here's a sample:

From: Thawte Certificate Issuer
Sent: Wednesday, June 23, 2004 4:31 PM
To: Jason Burdette
Subject: Your Thawte Cert is Ready! (ADMIN.STGREGORYS.EDU)

Hi

Thanks again for selecting Thawte as your Certifying Authority. We have successfully completed the necessary background checks, and issued your certificate. You can retrieve the certificate from your status page at the following URL: https://www.thawte.com/cgi/server/status.exe?code=USSTXX6

The installation instructions for your Thawte certificate are available here or cut and paste the following link:

http://kb.thawte.com/thawte/thawte/esupport.asp?id=vs21111

You also need to put the Thawte Site Seal on your web site, for immediate customer recognition and assurance. The instructions on how to install the site seal are available here or go to this link: http://kb.thawte.com/thawte/thawte/esupport.asp?id=vs4015

We look forward to serving you again soon!

Regards, The Customer Services Team Thawte

Payment must be received by the issuer before the crt can be downloaded.

The Tech Contact will receive a confirmation email message when the cert is issued.

Get the cert text and place it in a file on the PX system.  Remove the old certificate and replace it with the new one.

Receive the digitally signed certificate file by secure email or another means.

After making backups, replace the existing *.CRT file or replace its contents with the new one. Also replace the existing *.KEY file with the new one that was generated with the certificate request (but not sent to the CA).

SYSMGR>sd SYS$SYSDEVICE:[SYS0.SYSCOMMON.APACHE.OPENSSL.CRT]
SYSMGR>copy server.crt server_062404.crt/prot=owner

SYSMGR>sd users:[SYS0.SYSCOMMON.APACHE.specific.admin.conf.ssl_crt]
SYSMGR>copy server.crt server_062404.crt/prot=owner

SYSMGR>dir [*...]*.crt
Directory SYS$SYSROOT:[SYSCOMMON.APACHE.OPENSSL.CRT]
SERVER.CRT;2        SERVER.CRT;1        SERVER_062404.CRT;1
Directory SYS$SYSROOT:[SYSCOMMON.APACHE.SPECIFIC.ADMIN.CONF.SSL_CRT]
SERVER.CRT;3        SERVER.CRT;2        SERVER_062404.CRT;1
 
SYSMGR>copy users:[sys0.syscommon.apache.openssl.key]server.key users:[sys0.syscommon.apache.specific.admin.conf.ssl_key]/prot=owner

Install the certificate seal wherever you want it displayed on your site.  Existing seals will auto refresh in about one hour after new cert installation.

If necessary, retrieve the JavaScript from the CA site and place it in files on the system.  As of 07/14/2006, the seal is displayed on the following pages.

USERS1:[CAMPUS_CONNECTV3.TEMPLATES.GUI.ADM]APPLICATION.TPL
USERS1:[CAMPUS_CONNECTV3.TEMPLATES.GUI.FAS]LOGIN.TPL
USERS1:[CAMPUS_CONNECTV3.TEMPLATES.GUI.SIS]LOGIN.TPL

Restart the server (can be done via remote internet connection):

$ @SYS$STARTUP:APACHE$SHUTDOWN.COM

$ @SYS$STARTUP:APACHE$STARTUP.COM

Test your new server certificate in a client browser using the https:// prefix.

 

The menu:
$ @users:[sys0.syscommon.apache]apache$cert_tool.com


Contents of the apache directory:
SYSMGR>dir users:[sys0.syscommon.apache]
Directory SYS$SYSDEVICE:[SYS0.SYSCOMMON.APACHE]
ABOUT_APACHE.;1     ANNOUNCEMENT.;1     APACHE$ADDUSER.COM;1
APACHE$CERT_TOOL.COM;1                  APACHE$DCL.COM;1
APACHE$DCL_BIN.EXE_ALPHA;1              APACHE$DCL_ENV.EXE_ALPHA;1
APACHE$DCL_RUN.EXE_ALPHA;1              APACHE$FIXBG.EXE_ALPHA;1
APACHE$FLIP_CCL.EXE_ALPHA;1             APACHE$HTTPD_SHR.DSF_ALPHA;1
APACHE$HTTPD_SHR.EXE_ALPHA;1            APACHE$HTTPD_SHR.EXE_ALPHA_OLD;3
APACHE$PRIVILEGED.EXE_ALPHA;1           APACHE$PRIVILEGED.EXE_ALPHA_OLD;3
APACHE$SERVER.COM;1 APACHE_CREPRC.EXE_ALPHA;1
APACHE_CREPRC.EXE_ALPHA_OLD;1           APACHE_HTTPD.DSF_ALPHA;1
APACHE_HTTPD.EXE_ALPHA;1                APACHE_KILL.EXE_ALPHA;1
CGI-BIN.DIR;1       CONF.DIR;1          CONFIG.LAYOUT;1     CONFIGURE.;1
HTDOCS.DIR;1        HTPASSWD.EXE_ALPHA;1                    ICONS.DIR;1
INSTALL.;1          LICENSE.;1          LOGIN.COM;3         LOGS.DIR;1
MAKEFILE.TMPL;1     MODULES.DIR;1       OPENSSL.DIR;1       README-WIN.TXT;1
README.;1           README.CONFIGURE;1  SPECIFIC.DIR;1      SRC.DIR;1
SSL_CERTIFICATES.BCK;1                  SUEXEC.EXE_ALPHA;1

Location of the .csr file (once the certificate request is generated):

SYSMGR>dir APACHE$COMMON:[OPENSSL.CSR]/date

Directory APACHE$COMMON:[OPENSSL.CSR]

SERVER.CSR;4 11-JUL-2006 16:10:24.12
SERVER.CSR;3 10-JUN-2004 15:44:39.61

Total of 2 files.

Location of the .crt file:

SYSMGR>DIR [...]*.CRT/DATE
Directory SYS$SYSDEVICE:[SYS0.SYSCOMMON.APACHE.OPENSSL.CRT]
SERVER.CRT;1          8-AUG-2002 12:16:22.83
Total of 1 file.
Directory SYS$SYSDEVICE:[SYS0.SYSCOMMON.APACHE.SPECIFIC.ADMIN.CONF.SSL_CRT]
SERVER.CRT;2          8-AUG-2002 12:16:22.83

From the SSL User Guide:

Using Certificates

Once a real certificate has been installed, you should delete the temporary, self-signed certificate (APACHE$SPECIFIC:[CONF.SSL_CRT]SERVER.CRT) that was created during the installation of Compaq Secure Web Server. This will prevent the accidental use of the temporary certificate if you've installed the real certificate in APACHE$COMMON:[CONF.SSL_CRT] using the same name and your mod_ssl.conf directive uses APACHE$ROOT as part of the certificate file path.

Because APACHE$ROOT is a search-listed logical name, the server will first look in APACHE$SPECIFIC:[CONF.SSL_CRT] and then in APACHE$COMMON:[CONF.SSL_CRT] for the server.crt file. If you've used the same name as the temporary certificate file, the server will find that one first.
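
The lookup order described above can be checked from DCL before restarting the server. The following command procedure is an added example, not part of the original notes or of the SSL User Guide; the procedure name CHECK_CRT_SHADOW.COM is hypothetical, and it assumes APACHE$ROOT is defined for the process that runs it.

```dcl
$! CHECK_CRT_SHADOW.COM -- added example; the procedure name is hypothetical.
$! Resolves SERVER.CRT through the search-listed logical name APACHE$ROOT
$! and reports the copy that is found first, plus any copies in later
$! search-list directories that the first one hides.
$!
$ spec = "APACHE$ROOT:[CONF.SSL_CRT]SERVER.CRT;*"
$ first_dir = ""
$ shadowed = 0
$LOOP:
$ found = F$SEARCH(spec, 1)           ! stream 1 returns the next match per call
$ IF found .EQS. "" THEN GOTO DONE
$ here = F$PARSE(found,,,"DEVICE") + F$PARSE(found,,,"DIRECTORY")
$ IF first_dir .EQS. "" THEN GOTO FIRST
$ IF here .EQS. first_dir THEN GOTO LOOP   ! older version in the same directory
$ shadowed = shadowed + 1
$ WRITE SYS$OUTPUT "Hidden copy : ", found
$ WRITE SYS$OUTPUT "  revised   : ", F$FILE_ATTRIBUTES(found, "RDT")
$ GOTO LOOP
$FIRST:
$! The highest version in the first directory that holds the file is the
$! one opened when the configured path goes through APACHE$ROOT.
$ first_dir = here
$ WRITE SYS$OUTPUT "Found first : ", found
$ WRITE SYS$OUTPUT "  revised   : ", F$FILE_ATTRIBUTES(found, "RDT")
$ GOTO LOOP
$DONE:
$ IF first_dir .EQS. "" THEN WRITE SYS$OUTPUT "No SERVER.CRT found via APACHE$ROOT"
$ IF shadowed .GT. 0 THEN WRITE SYS$OUTPUT "Confirm the copy found first is the CA-issued certificate."
$ EXIT
```

If a "Hidden copy" line shows the newly issued certificate while "Found first" shows an older revision date, the server is still reading the old file.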

Follow these steps to install a CA's certificate (also referring to your CA's instructions as they apply to Apache with mod_ssl):

1. In the OpenSSL Certificate Tool generate a Certificate Request (using the default responses in most cases).   (notes on renewal)

2. Send the generated *.CSR file or the contents of the file to the CA by secure email or whatever submission process is provided.

3. Receive the digitally signed certificate file by secure email or another means.

4. After making backups, replace the existing *.CRT file or replace its contents with the new one. Also replace the existing *.KEY file with the new one that was generated with the certificate request (but not sent to the CA). The SERVER.CSR file is no longer needed.

SYSMGR>sd SYS$SYSDEVICE:[SYS0.SYSCOMMON.APACHE.OPENSSL.CRT]
SYSMGR>copy server.crt server_062404.crt/prot=owner

SYSMGR>sd users:[SYS0.SYSCOMMON.APACHE.specific.admin.conf.ssl_crt]
SYSMGR>copy server.crt server_062404.crt/prot=owner

SYSMGR>dir [*...]*.crt
Directory SYS$SYSROOT:[SYSCOMMON.APACHE.OPENSSL.CRT]
SERVER.CRT;2        SERVER.CRT;1        SERVER_062404.CRT;1
Directory SYS$SYSROOT:[SYSCOMMON.APACHE.SPECIFIC.ADMIN.CONF.SSL_CRT]
SERVER.CRT;3        SERVER.CRT;2        SERVER_062404.CRT;1
 
 
SYSMGR>copy users:[sys0.syscommon.apache.openssl.key]server.key users:[sys0.syscommon.apache.specific.admin.conf.ssl_key]/prot=owner

5. Restart the server.

$ @SYS$STARTUP:APACHE$SHUTDOWN.COM

$ @SYS$STARTUP:APACHE$STARTUP.COM

6. Test your new server certificate in a client browser using the https:// prefix.