CSR and Caudium
 
 
The Webserver
History
FAQs
Download
Packages
Source
CVSweb
Getting started
Configuration InterFace
Virtual server
Documentation
Howtos
RXML Related
Autodocs
Releated docs
Caudium's SNMP
Developer's Corner
Release Plan
Opened Issues
Caudium API
Caudium 1.3 modref
Caudium Modules
Pike 7.4 modref
Community
Press Releases
Mailing list
The Crew
Contribute
Join
Testimonials
BugTracking System
Conferences
The Webmail
History
Features
Configuration hints
Todo list
Themes and screen shots
Documentation
Modules
Ultralog
Third Party Modules
Thanks
About this site

  		  How to generate a CSR ?
Why ?

I had a bit of trouble generating a CSR that Verisign would accept for Caudium. Here is what it took.

Prerequisites

You will need the openssl libraries installed. I did this with OpenSSL 0.9.6 and it worked. Pike was not compiled with the OpenSSL libraries. I used a Caudium 1.0.35 Snapshot taken 6/1/2001 by kiwi to get this working. bja was instrumental in getting the openSSL stuff working properly.

Generating the CSR

If you use Thawte as your registrar, you can generate the CSR through the Caudium Configuration Interface.
Instructions for generating a CSR that Verisign will accept:

In the Caudium Configuration Interface, click on Actions, Click on Security, Click on Generate a new RSA Key Pair.

At the prompt where it asks for a key file name, put in a filename such as the servername.key -- I would suggest that you preface the filename with ../ so that if you ever upgrade caudium you don't have to move the key file and certs from server.old to server

At the shell prompt, change to the directory where you created the servername.key file and type: 

openssl req -new -key servername.key > servername.csr

It will ask you for a number of parameters:

  • Valid character rule -- if you have to hit the Shift key to generate a punctuation mark, its probably not a valid character.
  • Country Name (using the ISO 2 letter Country Code).
  • State (must be spelled out, no abbreviations).
  • Locality or City (you can use a . or , in this field, but most other punctuation will render the CSR invalid).
  • Organization Name (Again, . or , are acceptable, most other punctuation is not).
  • Organizational Unit (put a . here to leave this field blank. If you are clustering servers, you can use this field as an identifier if the common name is the same for each of the keys you generate).
  • Common Name (This is your host name www.servername.com -- IF you generate the key with just servername.com, your users will need to put in http://servername.com and http://www.servername.com will present you with a server name mismatch when you browse).
  • Email address.
  • Challenge password -- Verisign does in fact use this when revoking certificates or asking for replacement certificates when you move servers.
  • Optional Company Name - put a . here to leave it blank

After you finish, it will create a file called servername.csr. View that file, cut and paste the results into the window on Verisign's site that asks for the CSR.

Depending on what you use to Cut & Paste, you might want to make sure there are no trailing spaces at the end of the lines when you paste the CSR into Verisign's page.

After Verisign accepts the CSR, make sure you enter the information on the Technical contact screen carefully. That information is used to let you know when a new certificate is generated (if you purchase 2 years in advance). It also is the only contact information that can request a new certificate, revoke a certificate or move a certificate from one server to another.

After you fill in that page, Verisign will send you an email with the Server ID. Generally takes a few minutes, but can take up to an hour.

Once you've received your key via email, create a file called servername.cert in the /usr/local/caudium directory. Then follow these steps:

  1. Create a new server (or modify an existing server).
  2. Go into the Server Variables, Click on Listen ports, Change the Port to 443, the protocol to SSL3, Click Use these values.
  3. You will then be prompted for the Certificate and Key file names. If you generated them in the directory above the server directory, make sure to preface the filenames for the Certificate and Key files with ../ or put in the full path.
  4. Click Use these values again. Then click Save. You will then be prompted for the URL -- make sure it says https://servername.com rather than http://servername.com if you copied the configuration to mirror a non-secure server.
  5. After hitting save the second time, it should activate the server and you should be able to go into the Config Interface for the Server, and click on the Server URL and it should pop up.

Word of warning with Secure Servers -- IE will NOT consider a page that loads graphics from a non-secure server as secure and will not present the little lock icon. If you are loading images with absolute references, you will need to adjust this.

After you get done with this, modify any code that you have that refers to id->remoteaddr to understand that it COULD be presented with "" as an IP number. It appears that somewhere in the socket communication process when a machine is behind some firewalls, the IP address returned is "". Its pretty tough to consistently reproduce this because access logging doesn't work for the ones where the IP address returned is "" -- so unless you have something that generates a backtrace, you'll probably never notice this.

Helpful pages

http://www.verisign.com/products/site/index.html - the page to start the process of creating a Verisign ID

http://www.verisign.com/support/tlc/csr/ssleay/v01.html - The page that contained most of the information to create the key

http://www.verisign.com/support/tlc/csr/intro.html - describes some of the character requirements.

 
HTML OK CSS
Copyright © 2000 - 2005 The Caudium Group All Rights Reserved.
Hosting by Kazar.