Web Server: SSL


The SSL page is used to manage SSL CSRs (certificate signing requests) and SSL certificates.

SSL Certificates

An SSL certificate states that a domain has been certified to use SSL. SSL certificates may be obtained from an SSL certificate reseller. To obtain an SSL certificate, a 'CSR' (Certificate Signing Request) file must be created and supplied to the SSL certificate reseller. When a CSR is created, a private key file is also generated. Although the CSR does not contain sensitive material, the private key must be kept secure and never given to anyone. The directory containing the private key should have permissions set to restrict access to system administrators only.

Once an SSL certificate has been received, it should be copied to the certificate directory and named 'mydomain.com.crt', where 'mydomain.com' is the domain name in the certificate and '.crt' is the filename extension.

The CSR directory is:

  • C:\Program Files\InstantServers\ISMail\Apache\conf\ssl.csr

The SSL certificate directory is:

  • C:\Program Files\InstantServers\ISMail\Apache\conf\ssl.crt

The SSL certificate private key directory is:

  • C:\Program Files\InstantServers\ISMail\Apache\conf\ssl.key

Creating a CSR (Certificate Signing Request) and Certificate Private Key

To create a CSR:

  • Under 'SSL Certificate Signing Requests (CSR)', click 'New'
  • Enter values in each of the CSR fields (see 'CSR Details' below for the names and meaning of each CSR field)
  • Click 'Save'

To view a CSR:

  • Under 'SSL Certificate Signing Requests (CSR)', click 'View' next to the domain name

Note: to create and view CSRs manually from a DOS command window, see 'CSRs and SSL Certificates: Manual Control'.

Obtaining an SSL Certificate

An SSL certificate may be obtained from any authorized SSL certificate reseller. The CSR file generated above must be supplied when requesting an SSL certificate.

Note: The private key file should not be supplied to the certificate reseller.

Installing an SSL Certificate

To install an SSL certificate, copy the certificate file to the certificate directory and rename it to 'mydomain.com.crt', where 'mydomain.com' is the domain name in the certificate and '.crt' is the filename extension.

Then set up the domain to use SSL using the 'Domains' configuration page.

Viewing SSL Certificates

To view certificates:

  • Under 'SSL Certificates', click 'View' next to any certificate name

Note: To view SSL certificates and CSRs manually using DOS command line tools, see 'CSRs and SSL Certificates: Manual Control'.

CSRs and SSL Certificates: Manual Control

A CSR and private key may be created manually using a DOS command line window and command line tools. CSRs and SSL certificates may also be viewed manually.

To create a CSR and private key manually:

  • Open a DOS command window
  • cd c:\program files\instantservers\miniportal\apache\install
  • spp2k.bat (this will set the PATH and OPENSSL_CONF environment variables)
  • cd c:\program files\instantservers\miniportal\apache\conf\ssl.csr
  • openssl req -newkey rsa:1024 -keyout req.key -keyform PEM -out req.pem -outform PEM -nodes

The program prompts for each field needed to build the CSR (e.g. the Country Name of the CSR owner). The default values offered are for illustration only and will not produce a useful CSR, so enter the requested information in each field. If you make a mistake, the program may be exited by pressing Control-C several times. See 'Private Key' below for the file naming conventions.

To view a CSR manually:

  • Open a DOS command window
  • cd c:\program files\instantservers\miniportal\apache\install
  • spp2k.bat (this will set the PATH and OPENSSL_CONF environment variables)
  • cd c:\program files\instantservers\miniportal\apache\conf\ssl.csr
  • openssl req -in req.pem -text -noout

To view a certificate manually:

  • Open a DOS command window
  • cd c:\program files\instantservers\miniportal\apache\install
  • spp2k.bat (this will set the PATH and OPENSSL_CONF environment variables)
  • cd c:\program files\instantservers\miniportal\apache\conf\ssl.crt
  • openssl x509 -in mydomain.com.crt -text -noout
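
Viewing a certificate does not show whether it belongs to the private key created with the CSR. The following PowerShell script is an added example, not part of the InstantServers documentation, that checks this for an RSA key; it assumes it is started from a command window in which spp2k.bat has already been run, that the key is stored as 'mydomain.com.key' as described under 'Private Key', and that $Domain and $ApacheRoot are placeholders for the local installation.

```powershell
# Added example: check that an installed certificate matches its private key.
# $Domain and $ApacheRoot are placeholders; set them to match your installation.
param(
    [string]$Domain     = 'mydomain.com',
    [string]$ApacheRoot = 'C:\Program Files\InstantServers\ISMail\Apache'
)

$crt = Join-Path $ApacheRoot "conf\ssl.crt\$Domain.crt"
$key = Join-Path $ApacheRoot "conf\ssl.key\$Domain.key"
foreach ($f in $crt, $key) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

# Both commands print "Modulus=<hex>"; an RSA certificate and key belong
# together only if the two values are identical.
$crtMod = (& openssl x509 -in $crt -noout -modulus) -join ''
if ($LASTEXITCODE -ne 0) { throw "openssl could not read certificate $crt" }
$keyMod = (& openssl rsa -in $key -noout -modulus) -join ''
if ($LASTEXITCODE -ne 0) { throw "openssl could not read private key $key" }
if ($crtMod -notmatch '^Modulus=[0-9A-Fa-f]+$' -or $crtMod -ne $keyMod) {
    throw "Certificate and private key for $Domain do not match"
}

# The subject is printed as "/CN=x" or "CN = x" depending on the OpenSSL version.
$subject = (& openssl x509 -in $crt -noout -subject) -join ''
if ($subject -match 'CN\s*=\s*([^,/]+)') {
    $cn = $Matches[1].Trim()
    if ($cn -ne $Domain) {
        Write-Warning "Common Name '$cn' differs from file name domain '$Domain'"
    }
} else {
    throw "No Common Name found in $crt"
}

# Prints "notAfter=<date>" so the expiry date can be recorded for renewal.
& openssl x509 -in $crt -noout -enddate
Write-Output "OK: $Domain.crt matches $Domain.key"
```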

CSR Details:

The 'Country Name' must be a 2-letter code (e.g. US or CA).

The 'State or Province Name' is the name of the state or province of the company or organization (e.g. California).

The 'Locality Name' is the name of the city of the company or organization (e.g. Mountain View).

The 'Organization Name' should be the name of the company (e.g. InstantServers, Inc.).

The 'Organizational Unit Name' may be left blank or a value entered (e.g. Marketing Group).

The 'Common Name' should be the name of the domain (generally WITHOUT any 'mail' or 'www' prefix) (e.g. instantservers.com).

The 'Email Address' should be the mail account of the server administrator.

Private Key:

The file 'req.key' is the private key. Move this file to the private key directory and rename it as 'mydomain.com.key' where 'mydomain.com' is the domain name used for the CSR (the 'Common Name' field).

A 'PEM pass phrase' is not used to encrypt the private key (the '-nodes' option in the command above leaves the key unencrypted), and using one is NOT recommended since it would require the server to be started manually (with the pass phrase typed in). Instead, the private key directory should have permissions set to restrict access to system administrators only.

The file 'req.pem' is the CSR. This file will be used when requesting an SSL certificate.
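
The manual steps above, from key generation to a restricted key directory, can be combined into one PowerShell script. This is an added example, not InstantServers' own tooling: it requests a 2048-bit key rather than the 1024-bit key in the command above, because publicly trusted certificate authorities no longer accept RSA keys shorter than 2048 bits. $Domain and $ApacheRoot are placeholders, and the script assumes an elevated session started from a command window in which spp2k.bat has already been run.

```powershell
# Added example: create a CSR and key, file the key under its domain name and
# restrict the key directory. Run elevated, from a window where spp2k.bat ran.
# $Domain and $ApacheRoot are placeholders; set them to match your installation.
param(
    [string]$Domain     = 'mydomain.com',
    [string]$ApacheRoot = 'C:\Program Files\InstantServers\ISMail\Apache'
)

$csrDir = Join-Path $ApacheRoot 'conf\ssl.csr'
$keyDir = Join-Path $ApacheRoot 'conf\ssl.key'
$csr    = Join-Path $csrDir 'req.pem'
$tmpKey = Join-Path $csrDir 'req.key'
$key    = Join-Path $keyDir "$Domain.key"
if (Test-Path -LiteralPath $key) { throw "Refusing to overwrite $key" }

# openssl prompts for the fields described under 'CSR Details'.
& openssl req -newkey rsa:2048 -keyout $tmpKey -out $csr -outform PEM -nodes
if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }

# Check key size and Common Name before the CSR is sent to the reseller.
$text = (& openssl req -in $csr -text -noout) -join "`n"
if ($text -match 'Public[- ]Key: \((\d+) bit\)') {
    $bits = [int]$Matches[1]
} else {
    throw 'Could not read the key size from the CSR'
}
if ($bits -lt 2048) { throw "Key is only $bits bits" }
$cnPattern = 'CN\s*=\s*' + [regex]::Escape($Domain) + '(?![\w.-])'
if ($text -notmatch $cnPattern) {
    Write-Warning "Common Name in the CSR is not '$Domain'"
}

# Remove inherited permissions from the key directory and leave only the
# local Administrators group (well-known SID S-1-5-32-544) with access.
& icacls $keyDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F'
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $keyDir" }

# A file moved within one volume keeps the permissions it had in ssl.csr,
# so reset it to inherit from the restricted key directory.
Move-Item -LiteralPath $tmpKey -Destination $key -ErrorAction Stop
& icacls $key /reset
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $key" }

& icacls $key    # print the resulting permissions for review
```

If the web server service runs under a dedicated non-administrator account, that account also needs read access to the key file.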