Let’s see if we can create a new subdomain name test.mildredbrennan.com, with SSL certs, and get those certs imported into Chrome, Firefox, and IE in a way so we don’t see evil red warnings when going to the new site.
To start, we’ll need to head over to Godaddy where the domain mildredbrennan.com is currently handled, pointing to my office Linux server. I assume other domain registrars have similar interfaces for the domain name owner.
After logging on to www.godaddy.com:
Click the Manage My Domains quick link
Click the MILDREDBRENNAN.COM domain
Click the DNS ZONE FILE tab below:
Click the Add Record link below:
Select the CNAME option, with HOST: test and POINTS TO: @ and press FINISH, as shown below. Then make sure you click the Save Changes button which will initiate the DNS update process.
After a while you should be able to ping test.mildredbrennan.com and get the IP address assigned, in my case 220.127.116.11
Now if I go to test.mildredbrennan.com in a browser, I end up at the same web page as www.mildredbrennan.com because I have not yet setup a new Virtual Server in my httpd parameters. So let’s go do that:
sudo su - cd /etc/httpd/conf vi httpd.conf
<VirtualHost *:80> <Directory /var/www/html/mbtest> AllowOverride All </Directory> DocumentRoot /var/www/html/mbtest ServerName test.mildredbrennan.com </VirtualHost>
<VirtualHost *:443> SSLEngine on SSLCertificateFile /etc/pki/tls/certs/mbtest.crt SSLCertificateKeyFile /etc/pki/tls/private/mbtest.key SSLProtocol All -SSLv2 -SSLv3 <Directory /var/www/html/mbtest> AllowOverride All </Directory> DocumentRoot /var/www/html/mbtest ServerName test.mildredbrennan.com </VirtualHost>
And since our previous entry for mildredbrennan.com and www.mildredbrennan.com had a wildcard for the subdomain, we’ll need to change that to www as shown below. Otherwise it may be used when the new test.mildredbrennan.com name is invoked:
(old) ServerAlias *.mildredbrennan.com (new) ServerAlias www.mildredbrennan.com
And after saving httpd.conf, we need to create the new directory and chown it as needed to the owner of the httpd files:
mkdir /var/www/html/mbtest chown <userid> /var/www/html/mbtest
Since we specified some crt and key files, we’ll need to create those before attempting to restart httpd, otherwise the task will probably fail.
These SSL commands will hopefully produce files that have good enough encryption methods that modern browsers (especially Chrome) won’t complain too much.
cd openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 openssl rsa -passin pass:x -in server.pass.key -out server.key openssl req -new -sha256 -key server.key -out server.csr
Country Name (2 letter code) [XX]:US State or Province Name (full name) :CA Locality Name (eg, city) [Default City]:West Covina Organization Name (eg, company) [Default Company Ltd]:Tom Brennan Software Organizational Unit Name (eg, section) : <enter> Common Name (eg, your name or your server's hostname) :test.mildredbrennan.com Email Address :email@example.com (just press enter for the rest of the items)
openssl x509 -req -sha256 -days 732 -in server.csr -signkey server.key -out server.crt
\cp -f server.crt /etc/pki/tls/certs/mbtest.crt \cp -f server.key /etc/pki/tls/private/mbtest.key \cp -f server.csr /etc/pki/tls/private/mbtest.csr
Then we need to restart httpd to get the parameter updates:
service httpd restart
Now we can test with a browser pointing to http://test.mildredbrennan.com (no SSL) and we should get the Apache default page since there are no files in /var/www/html/mbtest yet.
Now (using Chrome) let’s try an encrypted session by using https:// and we get some evil red marks and a page where we can accept the evil certificate if we want. But let’s not do that.
Instead, in Chrome we can save the certificate to a local file on the PC, and then import it into the Root CA set of certificates, which should hopefully solve this issue. To do that:
Click the lock with the red X
Click Certificate Information
Click the Details tab
Click Copy to File and save as cert.cer or whatever name you want
Then Finish and Ok to get out of that dialog
Then click the Settings options, Advanced, and find the Manage Certificates button
Click the Trusted Root Certification Authorities tab
Click the Import button
Find and select the cert.cer file we just created
Click Next, Finish, Yes, Ok, Close or whatever it takes to complete this task
Close Chrome and re-open. The Root certs don’t seem to go into effect dynamically. If everything worked right, Chrome should show a green lock and be fairly happy with the certificate. And if you have only a few special users on this site, you can give them these instructions so they can see the green lock too.
Details can be seen if you click the lock and click the Connection tab:
So let’s try Firefox now. If we go to https://test.mildredbrennan.com we get another evil page:
And Firefox is a lot easier to setup. You just click the I Understand the Risks option, Add Exception, and Confirm. By default the cert is setup for you as a root CA. So there’s nothing more to do and the red goes away from the lock. These instructions can also be given to your web site users.
So what about Internet Explorer, which hardly anyone uses anymore these days?
IE has it’s own evil message too:
We can click the Continue to this website button and we’re in, but the address bar is a strange purple color and the words Certificate error appear:
Now here we can view the certificate details but the button to save to a file is grayed out. I don’t know why. Let’s go to Internet Options, click the Content tab, and press the Certificates button. Implementing the certificate is a whole lot like Chrome (i.e. somebody copied somebody else), and when we restart IE the purple color is gone.
The problem here though, is that I don’t yet see a way to save the certificate as a file prior to the import, like we did with Chrome. That means you would need to send the mbtest.crt for them to import into IE. Or just tell them to quit using IE.
That was easier than I thought it would be. I used my old notes from years ago for creating certificates, but Chrome (and possibly the others) didn’t like things like 1024 bit keys and sha-1, whatever those things are. So I made some command changes for this test and that seems to make the browsers happier.