(2022.1) Setting up Bypass VHOSTs & URLs
Generate the Certificate Signing Request (CSR)
Log in to the server. Root or sudo access is required.
    # Change the following to your Customer ID ({CUSTOMER ID}) provided by PCR
    NAME="{CUSTOMER ID}"
    # Example
    # NAME="pcr"

    # Create the key and csr
    sudo openssl req -new -newkey rsa:2048 -nodes \
      -keyout /etc/ssl/private/$NAME.key \
      -out /etc/ssl/private/$NAME.csr \
      -subj "/CN=*.$NAME.bypass/OU=Bypass/O=PCR/L=Grand Rapids/ST=Michigan/C=US" \
      -addext "subjectAltName = DNS:*.$NAME.bypass, DNS:$NAME.bypass, DNS:prod.$NAME.bypass, DNS:test.$NAME.bypass"

    # display the csr contents
    sudo cat /etc/ssl/private/$NAME.csr
The CSR will look like this:
Send the text of the CSR (or the file located in /etc/ssl/) to PCR. Send only the CSR; the private key (.key) stays on the server.
PCR will send back a Certificate File (CRT).
Place the file in the /etc/ssl/certs/ directory.
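Before pointing Apache at the returned certificate, it is worth confirming that it belongs to the key generated above, that it covers the prod and test bypass names, and that the key is not accessible to other accounts. The following is an added example, not part of PCR's documentation; the function names are hypothetical and the default paths are the ones used on this page.

```shell
#!/bin/sh
# Added example, not PCR's tooling. Function names are hypothetical.
# Default directories follow the paths used on this page.

# 0 if the certificate's public key equals the private key's public half.
cert_matches_key() {  # $1 = certificate, $2 = private key
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# 0 if the SAN list covers the host, by exact name or one-level wildcard.
cert_covers_host() {  # $1 = certificate, $2 = DNS name
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        grep -Fqx -e "DNS:$2" -e "DNS:*.${2#*.}"
}

# 0 if group and other have no permission bits on the key file.
key_is_private() {  # $1 = private key
    [ "$(ls -lL "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 when every check passes, otherwise 1-4 naming the failed check.
check_bypass_cert() {  # $1 = customer id, $2 = cert dir, $3 = key dir
    crt="${2:-/etc/ssl/certs}/$1.crt"
    key="${3:-/etc/ssl/private}/$1.key"
    cert_matches_key "$crt" "$key" ||
        { echo "certificate does not match $key" >&2; return 1; }
    for host in "prod.$1.bypass" "test.$1.bypass"; do
        cert_covers_host "$crt" "$host" ||
            { echo "no SAN for $host" >&2; return 2; }
    done
    key_is_private "$key" ||
        { echo "$key is accessible to group/other" >&2; return 3; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 4; }
}

# Usage (as root, with the Customer ID as the argument): check_bypass_cert pcr
```

A non-zero return identifies the failed check: 1 key mismatch, 2 missing host name, 3 key permissions, 4 expired certificate.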
Apache Config
The Virtual Hosts for PROD & TEST must be updated for the new Certificate and ServerAlias.
Locate the .conf files. These are located here:
- /etc/apache2/sites-available (Ubuntu)
- /etc/httpd/conf.d (RHEL / CentOS)
pcr360_prod.conf
    <VirtualHost *:443>
        # The ServerName should be similar to the following:
        ServerName pcr360.{CUSTOMER ID}.pcr.com
        # Add the following. Make sure to update {CUSTOMER ID} with your Customer ID.
        ServerAlias prod.{CUSTOMER ID}.bypass
Locate the SSL Certificate directives within the same Virtual Host and update them to reflect the new Certificate files.
pcr360_prod.conf
    <VirtualHost *:443>
        # ...
        SSLCertificateFile /etc/ssl/certs/{CUSTOMER ID}.crt
        SSLCertificateKeyFile /etc/ssl/private/{CUSTOMER ID}.key
        # ...
Once done, it should look similar to this:
pcr360_prod.conf
    <VirtualHost *:443>
        # ...
        # SSL
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/pcr.crt
        SSLCertificateKeyFile /etc/ssl/private/pcr.key
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
        SSLHonorCipherOrder on
        # ...
Update the Virtual Host for TEST. This is usually in pcr360_test.conf.
pcr360_test.conf
    <VirtualHost *:443>
        # The ServerName should be similar to the following:
        ServerName pcr360-test.{CUSTOMER ID}.pcr.com
        # Add the following. Make sure to update {CUSTOMER ID} with your Customer ID.
        ServerAlias test.{CUSTOMER ID}.bypass
        # ...
        SSLCertificateFile /etc/ssl/certs/{CUSTOMER ID}.crt
        SSLCertificateKeyFile /etc/ssl/private/{CUSTOMER ID}.key
        # ...
Reload Apache:
    systemctl reload apache2   # Ubuntu
    systemctl reload httpd     # RHEL / CentOS