SSL: Steps to get security certificates and allow HTTPS.
Sites powered by RAASPI already have some data security built in; for example, the data exchanged with the payment processors uses HTTPS. HTTPS transmits encrypted data.
Nowadays most sites prefer to use HTTPS, so that all transmitted data, including password information, is encrypted in transit. To use HTTPS we need a security certificate.
SSL Certificate.
Both the browser and the server make use of the SSL certificate to encrypt/decrypt the data. If the site uses a subdomain like xxx.raaspi.com then we still need a separate SSL certificate. By default a subdomain of raaspi.com will use HTTP, but if needed, a separate certificate or a wildcard certificate (for example *.raaspi.com) can be used.
If the site uses its own domain, i.e. xxx.com, then a separate SSL certificate is needed. The RAASPI reseller will contact companies like DNSimple, Namecheap or ssl shop, or the domain name registration company, to get the appropriate SSL certificate.
The reseller will also create a new CSR using the following information.
Country Name (2 letter code) [XX]: COUNTRY --ex: CA
State or Province Name (full name) []: STATE INITIALS --ex:ontario
Locality Name (eg, city) [Default City]: CITY NAME --ex:Toronto
Organization Name (eg, company) [Default Company Ltd]: YOUR COMPANY NAME--ex:3r computer systems and services Inc or domain name as raaspi.com
Organizational Unit Name (eg, section) []: I SKIP THIS--ex:ecommerce
firstname/lastname or Common Name (eg, your name or your server's hostname) []: --ex:www.raaspi.com or *.raaspi.com (if wild card)
Email Address []: [email protected] --ex:[email protected] or [email protected]
Skip any other extra options requested by pressing the Return or Enter key.
A CSR (Certificate Signing Request) is needed to obtain the SSL certificate.
The following is done by the reseller or system integrator who is managing the hosting.
openssl req -new -key private.key -out www.xxx.com.csr
The openssl executable file is under the bin directory. An example would be: openssl req -new -key myprivate.key -out www.3rcomputer.com.csr
or, for wildcard domains: openssl req -new -key myprivate.key -out star.raaspi.com.csr
myprivate.key can be any other name, like mystuffp.key, encprivate.key, etc.
The private key (with pass code) is an encrypted text file starting with -----BEGIN RSA PRIVATE KEY----- and can be re-used for renewals.
The generated CSR is in text format and will be sent to the reseller, who can copy/paste the CSR into the appropriate online forms provided by the SSL vendor. Most of the SSL vendors are resellers of the actual certificate issuing companies like COMODO or Symantec.
The SSL vendor needs to verify that the requestor is authorized for the domain. The simple method is via email, but if the domain does not have email attached to it, then the requestor needs access to the domain zone editor to add a CNAME entry.
If the domain is hosted at Namecheap, another alternative is to use [email protected] as the email for SSL activation, which means the email will be sent to the DNS admin email, for example [email protected] or [email protected].
The SSL vendor will create the public part of the certificate in PEM format. The .pem certificate itself is in text format and needs to be forwarded to the designated email address.
The final step is for 3R Computer Systems to use the Red Hat OpenShift web configuration to define or modify the route for the site and use edge encryption.
Upload or copy/paste the PEM SSL certificate, and also upload or copy/paste the private key (without passcode; OpenShift does not support a passcode).
So there may be two versions of the private key: one encrypted with a passcode, to be used for the CSR, and an unencrypted one for when the platform provider does not support passcode-encrypted keys.
If the SSL checker (like https://www.sslshopper.com ) says intermediate files are missing, then copy/paste the certificate itself followed by the content of the intermediate files from the ca-bundle.
The SSL certificate will hold the public key.
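The checks below are an added example, not part of the original RAASPI procedure: they confirm that the decrypted key, the CSR and the certificate all carry the same public key, that only the stored key copy is passcode-protected, and they build the certificate-plus-intermediates file. The file names, the www.example.com subject, the KEY_PASS variable and the self-signed certificate standing in for the vendor-issued one are assumptions made for the example.

```shell
#!/bin/sh
# Added example: checks to run before pasting files into the OpenShift route.
# File names, subject values and KEY_PASS are constructed for the demo.

# Print the public key (PEM) held in an unencrypted key, a CSR or a certificate.
pub_pem() {  # usage: pub_pem key|csr|cert FILE
  case "$1" in
    key)  openssl pkey -in "$2" -passin pass: -pubout ;;  # never prompt
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    *)    return 2 ;;
  esac
}

# Digest of that public key; fails instead of hashing empty output.
pub_digest() {
  pem=$(pub_pem "$1" "$2" 2>/dev/null) && [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl sha256
}

# Succeeds only if key, CSR and certificate all carry the same public key.
check_set() {  # usage: check_set KEY CSR CERT
  k=$(pub_digest key "$1") && r=$(pub_digest csr "$2") &&
    c=$(pub_digest cert "$3") || return 1
  [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# True if the key file is passcode-protected (the copy kept for renewals).
is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Certificate first, then the ca-bundle intermediates; prints the cert count.
build_fullchain() {  # usage: build_fullchain CERT CA_BUNDLE OUT
  cat "$1" "$2" > "$3" && grep -c 'BEGIN CERTIFICATE' "$3"
}

# Build a throwaway set in DIR: encrypted key, CSR, decrypted key, and a
# self-signed certificate standing in for the one the SSL vendor returns.
make_demo_set() {  # usage: make_demo_set DIR  (export KEY_PASS first)
  umask 077        # key files readable by the owner only
  openssl genrsa -aes256 -passout env:KEY_PASS -out "$1/enc.key" 2048 2>/dev/null &&
  openssl req -new -key "$1/enc.key" -passin env:KEY_PASS \
    -subj "/C=CA/ST=Ontario/L=Toronto/O=Example Inc/CN=www.example.com" \
    -out "$1/www.example.com.csr" &&
  openssl rsa -in "$1/enc.key" -passin env:KEY_PASS -out "$1/plain.key" 2>/dev/null &&
  openssl x509 -req -in "$1/www.example.com.csr" -signkey "$1/plain.key" \
    -days 1 -out "$1/cert.pem" 2>/dev/null
}
```

With real files, run check_set on the decrypted key, the CSR and the vendor's .pem before uploading; a failure means the certificate was issued for a different key than the one being uploaded.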
Once done and verified, the reseller will be notified of the change.
There is a one-time extra service fee to the site owner for this.