welcome: please sign in

The following 340 words could not be found in the dictionary of 7 words (including 7 LocalSpellingWords) and are highlighted below:
abbreviated   aboutcerts   access   accessible   acquiring   Address   address   admins   afs   all   also   Alternatively   an   and   annoying   any   anything   Apache   apache   are   As   asked   At   authorities   Authority   available   be   best   Best   bin   blank   both   box   browsers   but   by   By   ca   called   can   Category   caution   cd   cerificate   cert   certain   Certificate   certificate   Certificates   certificates   certification   Challenge   choose   com   combine   common   Common   Company   concatenated   concerning   containing   Contents   Coop   Country   create   creating   csr   data   days   Deployment   describes   description   dialog   directory   do   docs   Dom   domain   domtool   easiest   either   Email   email   enable   Encrypt   end   ensure   every   Examples   explanation   explanatory   faq   far   few   file   filename   files   first   following   For   for   form   format   free   from   full   gandi   Gandi   general   generate   generated   Generating   get   given   goes   good   have   hcoop   Here   highly   home   host   how   html   http   httpd   https   if   If   in   included   index   indicates   install   installation   Installing   intermediate   Introduction   introductions   is   it   It   just   keep   kept   Key   key   keyout   keys   largest   later   latter   Leave   left   Letencrypt   Lets   letsencrypt   like   ll   Locality   longer   majority   make   Manual   Member   members   Most   multiple   must   nag   name   Name   need   net   never   new   newkey   no   nodes   not   Now   number   Of   of   offers   often   on   only   openssl   operations   option   options   or   order   org   Organization   organization   Organizational   our   out   page   parameters   Password   path   paths   pem   People   permissions   placed   point   Portal   portal   Practices   practices   precautions   Precautions   private   projects   properly   provide   providers   providing   public   publicly   Qualsys   read   readable   recommendations   recommended   remains   renewed   Replace   req   Request   request   root   rsa   same   script   secure   Security   see   seem   Self   self   separated   server   servers   set   several   Several   sha256   sharing   short   should   Sign   sign   signed   signing   Signing   Since   single   site   so   some   sometimes   somewhere   space   specific   specifically   specify   ssl   ssllabs   State   store   stored   subdomains   subject   such   supply   sure   Table   take   than   that   thawte   Thawte   The   the   their   them   then   There   These   This   this   tldp   to   To   together   Tool   Trusted   trusted   two   unfamiliar   Unit   us   Use   use   used   Using   using   valid   Veri   verify   verisign   via   virtual   visitors   want   way   We   we   web   website   where   which   wiki   wildcard   will   with   would   www   x509   year   You   you   your   Your   yourdomain  

Clear message

MemberManual / ServingWebsites / SslCert

This is the page of the MemberManual that describes how to generate a valid SSL cert.

Security Precautions

At some point, your certificate and private key will need to be stored in afs. Since afs is publicly accessible, you need to take a few precautions to ensure that your data remains private. For all key operations, keep the files in a directory that only you and the admins can read. We provide a script to create such a directory: /afs/hcoop.net/common/bin/make-secure-directory certificates


There are a few options for acquiring an SSL certificate to use with us.

The first option is to get a signed certificate from a trusted Certificate Authority ("CA" for short). If you want to make it so that visitors to your website never see an annoying nag dialog box, then this is your best option. The easiest way to do this is using letsencrypt

Alternatively, you can generate a self-signed certificate.

There are several good introductions to SSL and x509 certificates in general if you are unfamiliar with the subject:

Generating a Key and Certificate Signing Request

If you are creating an SSL certificate to use for a web virtual host via DomTool, then you need to create both a key file and a csr file. The csr file is called a "certificate signing request" (sometimes abbreviated "certificate request"), and you will want to specify that on the SSL form in the HCoop Portal. We'll also need access to your key.

Your key must be kept private. You supply the csr to any certification authorities you would like to sign your key, and later combine the certificate given by them with your private key to server a TLS site from our servers. It is highly recommended that you generate a private key specifically for use with HCoop.

To create a cerificate request in file.csr and a private key in file.key, do the following. These files should be readable only by you and the HCoop admins, so be sure to set permissions properly on the directory where you store the certificate request and key. The certificate should be placed somewhere in your home directory, like ~/certificates.

/afs/hcoop.net/common/bin/make-secure-directory ~/certificates
cd ~/certificates
openssl req -sha256 -newkey rsa:2048 -keyout file.key -out file.csr -nodes

Here is an explanation of the parameters that you will be asked to provide. Replace yourdomain.org with your domain name.

Signing the Key

Using a Trusted CA

There are several options available. By far the largest providers are VeriSign and Thawte. Several members seem to like Gandi. We make no specific recommendations concerning which CA to choose: just make certain that their root CA certificates are included with the majority of web browsers.

Letencrypt offers free SSL certificates (but must be renewed every 60 days).


FILE is the filename of the certificate that will be generated: it should end in ".pem". DAYS indicates the number of days that you want the certificate to be valid. It is recommended not to sign keys for longer than a year or two.

/afs/hcoop.net/common/bin/make-secure-directory ~/certificates
cd ~/certificates
openssl req -x509 -newkey rsa:2048 -keyout FILE -out FILE -days DAYS -nodes

Installing the Certificate

Now that you have a certificate, we need to install it.

Use the SSL permissions page on the portal to request installation of your new certificate. You need to provide us with either:

For the latter option, provide both paths in the same form, separated by a space.

We will then verify the certificate and install it, providing you with a path that you can use to enable SSL using domtool.


MemberManual/ServingWebsites/SslCert (last edited 2022-01-15 06:48:28 by JesseShumway)