SSL Certificates on FQ, Not that hard? A do it yourself guide

*SteveYoung* · 04-19-2011, 01:02 PM

You ever try to buy something, you put so much into it, and you know you should give up. But the time you have invested is worth something right?

A long road, with quite a bit learned, we are now at a wall, I will get to the problem but I know what I have learned would help others.

Application; A FQ site was a IRM for years, just upgraded following testing. The upgrade was to have SSL capability. A Wordpress site, with two major plugins. Cart66 a commerce solution, and Catablog for presentation.

Tried to use the shared cert from FQ, works but presents the user with a warning page since the site does not match the .merchantquest.net cert.

On to setting up a SSL. Ordered at GoDaddy, they offer them for $12.99 1 year, up to 5 as we publish this.

Activated it, and selected "request certificate" on GoDaddy, they then request you enter the CSR.

Notes:The GoDaddy instructions indicate you need to cd usr/bin you do not have to do this at FQ. Make sure you use a "L" in openssl not a "1".

Back to FQ to get that.
Step 1 install PuTTY and connect to the server, make sure you type in your user id and password correctly, to many tries and you will be locked out. (email FQ with your ip address if you do)

For us we used "onthestep" in place of "<name of your certificate>"
Step 2 in the session window enter the following. The prompt will be [yourdomain@FQ-yourserver;~ ] $ (enter the following) you can make up your certificate name. do not type in the $ add the text following it.

$ openssl genrsa -des3 -out <name of your certificate>.key 2048

The server will generate a key. If you do not have typo's it will tell you that with showing dots and plus signs

You will then be asked to "Enter pass phrase for xyz.key" You will then be asked to verify it. 4 characters minimum.

Then type

$ openssl req -new -key <name of your certificate>.key -out <name of your certificate>.csr

You will then be asked for your pass phrase again.

Step 3 You will be asked the following questions;
Country Name: a two letter code
State:we are in New Hampshire, NH is ok, a space is ok.
Locality Name:City
Organizational Name:we used our incorporated name here
Organizational Unit Name:we used our DBA name here for the product
Common Name:this is not "your name" it is your website without the http://
Email Address:your contact address
(extra)
A challenge password:hit enter for none
An optional company name:hit enter for none

The server then generates the csr. enter the following to see it.
$ openssl req -noout -text -in <name of your certificate>.csr

(I would have expected to find the .csr when looking at the site through ftp, it was not there, my guess it is in the FQ root, but just guessing.)

Step 4 copy that out of your command window and paste it somewhere. This is the code that is entered into the GoDaddy CSR window.

STOP

Hope the instructions help others, but remember we do not know what we are doing and just learned it with guidance from FQ staff and other resources.

Now we have a problem, the dump looks like this.

Quote:

Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=New Hampshire, L=Londonderry, O=ImageAbility Inc., OU=On The Step A-Frame Signs, CN=onthestep.com/emailAddress=youremail@yourdomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:af:07:f1:1e:b2:79:40:be:b5:a8:48:49:9c:07:
14:1f:1c:e6:e7:41:b3:55:7d:06:13:71:6c:29:1f:
followed by more hex code
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
3f:c1:ed:b4:3a:d3:53:b7:9c:db:12:6b:e3:3d:18:bf:75:18:
33:fd:5d:14:da:25:7b:1f:ab:5d:e1:4e:83:53:9f:23:0e:d5:
followed by more hex code ending with that.

Calling GoDaddy, (they are earning the $13 bucks!) the CSR should not look like that. It should look like this.

Quote:

Give a little get a little. I hope this helps someone get this far, can anyone tell me why the .csr does not start with -----BEGIN CERTIFICATE REQUEST----- and end with -----END CERTIFICATE REQUEST----- like GoDaddy said it should for any CSR submission to any SSL service.

We know about the FQ customer that "helps" people we are trying to do it and learn it on our own. I did use Matt's tool it does create the Certificate in the proper formatting. Just trying to understand why it is not generating correctly on the server.

**Bob** · 04-19-2011, 02:57 PM

Steve,

The Key and CSR will be created in the Directory you were in when you issued the commands, take a look in your /big/dom/xdomain/username directory

-Bob

*SteveYoung* · 04-19-2011, 03:07 PM

Nothing is there...
/big/dom/xonthestep/onthestep

Till I hit the refresh key...

I looked everywhere, but never hit the refresh key.

Looking at those files in the ftp viewer they look just right. Too bad I used Matt's solution, then again this was a great learning experience. I hope it helps someone in the future.

*Matt* · 04-20-2011, 12:30 PM

Quote:

Too bad I used Matt's solution

Was there a problem? Depending upon your hosting solution, the private key may need to be provided in encrypted format (the reason for including password in output) or unencrypted format.

Quote:

this was a great learning experience

I have always found that the article linked in FQ's Knowledgebase entry to be helpful.

It is useful to understand how the entire SSL process works, but most people don't want to bother. We built the tool primarily for our own internal use to streamline CSR generation, but realized the benefit for others. If you had any problems, I would like to know so that we may resolve them.

*SteveYoung* · 04-20-2011, 02:28 PM

Quote:

Was there a problem?

Absolutely not! As a mater of fact, it saved the day, I still had not been able to do it by hand. I used your code to submit to GoDaddy and have submitted the request to FQ, we are waiting to be installed to finish this.

By the way, it worked so good I got chatting with the GoDaddy rep, I recommended that they look at your utility and consider making an offer to you for it. Hope you don't mind, I am thinking high six figures in value!

Oh I still don't understand how the ssl process works, or even if I did it right. However, I will keep learning. I said this to FQ in a email, I taught all my kids how to drive a standard, they may use a automatic but the ability to know how it works and how to do it is priceless.

As soon as this one is working I have a few more to do.

*Matt* · 04-20-2011, 03:13 PM

I'm glad it was helpful.

Quote:

By the way, it worked so good I got chatting with the GoDaddy rep, I recommended that they look at your utility and consider making an offer to you for it. Hope you don't mind, I am thinking high six figures in value!

Not holding my breath on that one, but thanks for the kudos.

-Matt

*SteveYoung* · 04-20-2011, 08:05 PM

If I had not already ordered the the SSL I would have gone to Matt, for those interested. Clearly the ability to understand the needs of the customer and create such a great tool and make it available at no charge is a value add.

The service was incredible at GoDaddy plus they were impressed, (with you not me, I had no clue.) If you are in New England visit, I will make it up to you. If they buy it from you, pick me up in your corporate jet we can raise a glass in honor of the FQ community.

After our long journey we have now reopened our Ecommerce store on Future Quest www.OnTheStep.com we have been down for a few months after upgrades (appropriate) on the server brought us down.

That action caused us to implement a long planned and needed upgrade.

Now if we had just noticed sooner after the orders stopped coming in...

Steve