CAcert and SSL Server certificates

I’ve recently changed my SSL certificates to fix some problems with subdomain handling, since Firefox and other browsers complained:

You have attempted to establish a connection with “blogs.nopcode.org”. However the security certificate presented belongs to “nopcode.org” (…)

My SSL certificates are not self-signed; I use a CA known as CAcert instead. This is one of their logos:

cacert logo

I joined that CA six months ago and I’m really happy with it. I’ve learnt a lot about SSL, certificate generation, CAs, security devices, trust policies, server configuration, code signing, etc…

If you want to know more about certificates, check CAcert’s wiki; there’s a lot of interesting stuff there, including how to join CAcert’s WoT ;-)

Next I’m gonna explain how easy it was to generate a certificate for my main domain and its subdomains: I simply used a helper perl script to generate a CSR and a private key. Then I sent that CSR to CAcert, and they sent my server certificate back. With a certificate signed by CAcert and my private key file, I’m now able to secure my services (imap, smtp, www and jabber).

The script execution went like this:

# ./subjectAltname.pl
Generate SSL Cert stuff for SAPI
FQDN/Keyname for Cert (ie www.example.com)              :nopcode.org
Alt Names (ie www1.example.com or  for none)                    :blogs.nopcode.org
Alt Names (ie www1.example.com or  for none)                    :www.nopcode.org
Alt Names (ie www1.example.com or  for none)                    :ftp.nopcode.org
(... more sub-domains ...)
Alt Names (ie www1.example.com or  for none)                    :voip.nopcode.org
Alt Names (ie www1.example.com or  for none)                    :
Host short name (ie imap big_srv etc)                           :nopcode

Attempting openssl...
Generating a 2048 bit RSA private key
..+++
...................+++
writing new private key to '/somewhere/privatekey.pem'
-----

writing csr to /somewhere/csr.pem...

Take the contents of /somewhere/csr.pem and go submit them to receive an SSL ID.  When you receive your public
key back, you 'should' name it something like 'something.pem'.

If you just want to issue a certificate for one single hostname (instead of covering subdomains with the subjectAltName extension), you only have to run:

# openssl req -nodes -new -keyout private.key -out server.csr
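The same flow without the helper script, as an added example that is not the post’s own code: a small POSIX shell wrapper around openssl that writes the CSR with a subjectAltName extension covering the main domain and its subdomains, plus a check that every expected name is really in the CSR before it is submitted to the CA. The file names and hostnames are placeholders taken from the session above.

```shell
#!/bin/sh
# Added example, not the post's subjectAltname.pl: key + CSR with SANs via openssl.
# Assumes a standard openssl CLI; paths and hostnames are placeholders.

# gen_san_csr KEYFILE CSRFILE CN SAN1 [SAN2 ...]
# Writes an unencrypted 2048-bit RSA key (the post's "-nodes") and a CSR whose
# subjectAltName lists the CN itself plus every extra name, because clients
# ignore the CN as soon as a SAN extension is present.
gen_san_csr() {
    key=$1; csr=$2; cn=$3; shift 3
    san="DNS:$cn"
    for name in "$@"; do san="$san,DNS:$name"; done
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $cn
[ v3_req ]
subjectAltName = $san
EOF
    openssl req -nodes -new -newkey rsa:2048 -config "$cfg" \
        -keyout "$key" -out "$csr" 2>/dev/null
    rm -f "$cfg"
}

# csr_has_san CSRFILE NAME: exit 0 only if NAME appears as a DNS SAN in the CSR.
# Dots in NAME are escaped so "www.nopcode.org" cannot match "wwwXnopcodeXorg".
csr_has_san() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl req -in "$1" -noout -text | grep -Eq "DNS:$pat"'(,|$)'
}

# Usage (constructed names mirroring the session above):
# gen_san_csr privatekey.pem csr.pem nopcode.org blogs.nopcode.org www.nopcode.org
# csr_has_san csr.pem blogs.nopcode.org && echo "SAN present, safe to submit"
```

Run `openssl req -in csr.pem -noout -text` once before submitting; it is far cheaper to catch a missing subdomain here than after the CA has signed the request.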

EDIT: There is a strong reason against using self-signed certificates.

2 comments ↓

#1 pofHQ on 11.23.05 at 3:47 pm

CAcert SSL certificates

Following Roman’s steps, I replaced the self-signed certificate I had on the web server with a certificate signed by CAcert. In under 10 minutes I completed all the steps to create it: you sign up, generate the CSR (request…

#2 Marc @ Blog on 12.16.05 at 12:12 am

How to obtain SSL certificates with CAcert

A few days ago I updated the certificates I use for my SSL services. The reason was that until now the certificates I was using were self-signed, which caused a warning every time I tried to establish an SSL connection, warn…
