Comment: Converted from version '2023.1'.

Generate the Certificate Signing Request (CSR)

Log in to the server. Root or sudo access is required.

# Change the following to your Customer ID ({CUSTOMER ID}) provided by PCR
NAME="{CUSTOMER ID}"

# Example
# NAME="pcr"

# Create the key and CSR (-addext requires OpenSSL 1.1.1 or later)
sudo openssl req -new -newkey rsa:2048 -nodes \
    -keyout "/etc/ssl/private/$NAME.key" \
    -out "/etc/ssl/private/$NAME.csr" \
    -subj "/CN=*.$NAME.bypass/OU=Bypass/O=PCR/L=Grand Rapids/ST=Michigan/C=US" \
    -addext "subjectAltName = DNS:*.$NAME.bypass, DNS:$NAME.bypass, DNS:prod.$NAME.bypass, DNS:test.$NAME.bypass"

# Display the CSR contents
sudo cat "/etc/ssl/private/$NAME.csr"

The CSR will look like this:

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Send the text of the CSR (or the file located in /etc/ssl/) to PCR.

PCR will send back a Certificate File (CRT).

Place the file in the /etc/ssl/certs/ directory.
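Before pointing Apache at the new file, it helps to confirm that the CRT belongs to the key generated above and covers the prod and test names. The script below is an added example, not part of PCR's instructions: the function names are hypothetical, the sample pair is a throwaway self-signed certificate constructed for the demo, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not PCR's own tooling): checks to run on the returned .crt
# before SSLCertificateFile points at it and Apache is reloaded.

# SHA-256 of the public key inside a private key ("key") or certificate ("crt").
pubkey_hash() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    # An unreadable file must fail here, not hash to the same empty value.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl sha256
}

# One SAN entry per line, e.g. "DNS:prod.pcr.bypass".
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep 'DNS:' | tr ',' '\n' | sed 's/^ *//'
}

# check_cert KEY CRT NAME -> 0 only if CRT carries KEY's public key and
# covers both virtual hosts (prod.NAME.bypass and test.NAME.bypass).
check_cert() {
    key_hash=$(pubkey_hash key "$1") || { echo "cannot read key $1" >&2; return 1; }
    crt_hash=$(pubkey_hash crt "$2") || { echo "cannot read cert $2" >&2; return 1; }
    [ "$key_hash" = "$crt_hash" ] || { echo "cert does not match key" >&2; return 1; }
    sans=$(cert_sans "$2")
    for host in "prod.$3.bypass" "test.$3.bypass"; do
        # Accept an exact SAN or the wildcard *.NAME.bypass.
        printf '%s\n' "$sans" | grep -Fxq -e "DNS:$host" -e "DNS:*.$3.bypass" \
            || { echo "no SAN covers $host" >&2; return 1; }
    done
}

# Constructed sample: a throwaway self-signed pair standing in for PCR's reply.
make_sample() {  # make_sample DIR NAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=*.$2.bypass" \
        -addext "subjectAltName = DNS:*.$2.bypass, DNS:$2.bypass" 2>/dev/null
}

# Demo on the constructed sample. On the server, run instead:
#   check_cert "/etc/ssl/private/$NAME.key" "/etc/ssl/certs/$NAME.crt" "$NAME"
tmp=$(mktemp -d)
make_sample "$tmp" pcr && check_cert "$tmp/pcr.key" "$tmp/pcr.crt" pcr && echo "OK"
rm -rf "$tmp"
```

A non-zero exit means Apache would either refuse to start with the pair or serve a certificate that clients reject for the .bypass names, so the reload should wait until the check passes.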

Apache Config

The Virtual Hosts for PROD & TEST must be updated for the new Certificate and ServerAlias.

Locate the .conf files. These are located here:

  • /etc/apache2/sites-available (Ubuntu)
  • /etc/httpd/conf.d (RHEL / CentOS)

pcr360_prod.conf:

<VirtualHost *:443>
    # The ServerName should be similar to the following:
    ServerName pcr360.{CUSTOMER ID}.pcr.com
    # Add the following. Make sure to update {CUSTOMER ID} with your Customer ID.
    ServerAlias prod.{CUSTOMER ID}.bypass
    # ...
</VirtualHost>

Locate the SSL Certificate directives within the same Virtual Host and update them to reflect the new Certificate files.

pcr360_prod.conf:

<VirtualHost *:443>
    # ...
    SSLCertificateFile /etc/ssl/certs/{CUSTOMER ID}.crt
    SSLCertificateKeyFile /etc/ssl/private/{CUSTOMER ID}.key
    # ...
</VirtualHost>

Once done, it should look similar to this:

pcr360_prod.conf:

<VirtualHost *:443>
    # ...
    # SSL (example for Customer ID "pcr"; only the two certificate paths are updated)
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/pcr.crt
    SSLCertificateKeyFile /etc/ssl/private/pcr.key
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    SSLHonorCipherOrder on
    # ...
</VirtualHost>

Update the Virtual Host for TEST. This is usually in pcr360_test.conf. 

pcr360_test.conf:

<VirtualHost *:443>
    # The ServerName should be similar to the following:
    ServerName pcr360-test.{CUSTOMER ID}.pcr.com
    # Add the following. Make sure to update {CUSTOMER ID} with your Customer ID.
    ServerAlias test.{CUSTOMER ID}.bypass

    # ...
    SSLCertificateFile /etc/ssl/certs/{CUSTOMER ID}.crt
    SSLCertificateKeyFile /etc/ssl/private/{CUSTOMER ID}.key
    # ...
</VirtualHost>

Reload Apache:

sudo systemctl reload apache2   # Ubuntu
sudo systemctl reload httpd     # RHEL / CentOS