SCS Computing Services and Solutions, Carnegie Mellon School of Computer Science, Carnegie Mellon University
Getwwwcert

The getwwwcert package is available on Ubuntu hosts running the SCS Facilities environment (it is also available on legacy Fedora hosts, though this page only describes the Ubuntu version). It provides a semi-automated mechanism for generating CSRs and installing web server certificates. Use of this package to handle Apache server certificates is completely optional --- you may not want to use it if you are already familiar with setting up Apache with SSL on Ubuntu.

Using getwwwcert

Installation

The getwwwcert package can be installed with the command:
  apt-get install getwwwcert
Installing the package will also install the apache2 and cmucs-apache2-ssl packages.

CSR generation

Once the package is installed, run /usr/sbin/getwwwcert to generate a CSR. You will be asked a series of questions about the Common Name and Organizational Unit of your web server, along with some questions about your contact information. See the documentation on SSL certificates if you are unsure about how to answer some of these questions. getwwwcert will then automatically mail your CSR to certificates@cs.cmu.edu, and your request will be verified by someone from SCS Facilities logging into your server. A signed certificate will then be mailed to you. Note: Because of the way Comodo generates certificates under the CMU site license, the OU you specify in getwwwcert will probably be ignored.

Installing a certificate with getwwwcert

To install your certificate, save the mail you were sent containing your certificate to a file on your web server, and then run:
  /usr/sbin/getwwwcert -I FileName

After the certificate has been installed, you'll need to enable the cmucs-ssl site, which contains the correct paths for certs installed by getwwwcert:
  a2ensite cmucs-ssl

Make sure that the Apache SSL module is enabled, and then restart your web server so that it uses your certificate.

Technical details

Directories

Getwwwcert uses several directories created by the cmucs-apache2-ssl package to store certificates and private keys. The main ones are:

/etc/apache2/ssl.key
This is a symlink to the directory /etc/not-backed-up/ssl.key, which contains the server's private key. The contents of /etc/not-backed-up are not backed up by the default SCS Facilities backup system. The server's private key is put there to help preserve its confidentiality.
/etc/apache2/ssl.csr
This directory is where getwwwcert stores a copy of the CSRs it generates.
/etc/apache2/ssl.crt
This directory contains the server certificate(s) and files containing intermediate certificate chains.

Certificate & key versioning

The cmucs-ssl site has the following Apache configuration values:

  SSLCertificateFile      /etc/apache2/ssl.crt/server.crt
  SSLCertificateKeyFile   /etc/apache2/ssl.key/server.key
  SSLCertificateChainFile /etc/apache2/ssl.crt/server-chain.crt

server.crt, server.key, and server-chain.crt are symlinks. getwwwcert ensures that these symlinks point to the correct files by creating symbolic links that are versioned according to the server's private key and the Common Name of the certificate. These links are created when it creates a new private key or installs a new certificate. When getwwwcert generates a CSR and sends it to certificates@cs.cmu.edu, it appends a comment to the CSR that specifies the private key version. The comment is of the form:

  #:KEYNAME:ServerName.cs.cmu.edu-N

where N is the private key version. That comment will be appended to the signed certificate that SCS Facilities sends you, and getwwwcert will use it to ensure that the symlinks are correctly created when it then installs the new cert.
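The following is an added example, not part of the getwwwcert package or of the cmucs-apache2-ssl package, that implements the versioning scheme described above in POSIX shell. It reads the #:KEYNAME: comment from the mailed certificate file, refuses to proceed if the matching versioned private key is not present in ssl.key, splits the server certificate from any intermediate certificates included in the mail, and repoints the three symlinks referenced by the cmucs-ssl site. The versioned file names it uses (CommonName-N.key, CommonName-N.crt and CommonName-N-chain.crt) are an assumption; the page does not document getwwwcert's own naming, and the sample mail used here is constructed.

```shell
#!/bin/sh
# Added example: versioned certificate install with server.* symlinks.
# Assumed layout (NOT documented by getwwwcert itself):
#   $SSLDIR/ssl.key/<CommonName>-<N>.key        private key version N
#   $SSLDIR/ssl.crt/<CommonName>-<N>.crt        signed server certificate
#   $SSLDIR/ssl.crt/<CommonName>-<N>-chain.crt  intermediate chain (if any)

# keyname_from_cert FILE
#   Prints the value of the first "#:KEYNAME:<CommonName>-<N>" comment
#   found in FILE (the mail containing the signed certificate), or nothing.
keyname_from_cert() {
    sed -n 's/^#:KEYNAME:\([^[:space:]]*\).*$/\1/p' "$1" | head -n 1
}

# key_version KEYNAME
#   Prints the private key version N from "<CommonName>-<N>".
key_version() {
    printf '%s\n' "$1" | sed 's/.*-\([0-9][0-9]*\)$/\1/'
}

# install_cert SSLDIR CERTFILE
#   SSLDIR is the Apache configuration root (e.g. /etc/apache2) holding
#   ssl.key and ssl.crt. Returns 0 on success, 1 if the KEYNAME comment is
#   missing or the private key it names does not exist; in the failure
#   cases nothing is written, so a working configuration is left untouched.
install_cert() {
    ssldir=$1
    certfile=$2
    keyname=$(keyname_from_cert "$certfile")
    if [ -z "$keyname" ]; then
        echo "install_cert: no #:KEYNAME: comment in $certfile" >&2
        return 1
    fi
    keyfile="$ssldir/ssl.key/$keyname.key"
    if [ ! -f "$keyfile" ]; then
        echo "install_cert: private key $keyfile not found" >&2
        return 1
    fi
    crt="$ssldir/ssl.crt/$keyname.crt"
    chain="$ssldir/ssl.crt/$keyname-chain.crt"
    # First PEM block is the server certificate; any further blocks are the
    # intermediate chain. Mail headers and the KEYNAME comment are dropped.
    awk -v crt="$crt" -v chain="$chain" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; inblock = 1 }
        inblock { if (n == 1) print > crt; else print > chain }
        /^-----END CERTIFICATE-----$/ { inblock = 0 }
    ' "$certfile"
    # Relative link targets: the symlink and its target share a directory.
    ln -sf "$keyname.crt" "$ssldir/ssl.crt/server.crt"
    ln -sf "$keyname.key" "$ssldir/ssl.key/server.key"
    if [ -s "$chain" ]; then
        ln -sf "$keyname-chain.crt" "$ssldir/ssl.crt/server-chain.crt"
    else
        rm -f "$chain"
    fi
    return 0
}

# Usage: install_cert.sh /etc/apache2 /path/to/saved-certificate-mail
if [ "$#" -eq 2 ]; then
    install_cert "$1" "$2"
fi
```

Before restarting Apache after an install like this, it is worth confirming that server.crt and server.key actually belong together; for an RSA key, comparing the output of `openssl x509 -noout -modulus -in server.crt` with `openssl rsa -noout -modulus -in server.key` does that.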

If you are using getwwwcert to install your certificates, you should not attempt to manually install new certificates or private keys unless you understand exactly how the symlinks should be created, since that could break your Apache SSL configuration and/or cause getwwwcert to fail the next time it attempts to install a certificate.