The getwwwcert package is available on Ubuntu hosts running the SCS Facilities environment (it is also available on legacy Fedora hosts, though this page only describes the Ubuntu version). It provides a semi-automated mechanism for generating CSRs and installing web server certificates. Use of this package to handle Apache server certificates is completely optional --- you may not want to use it if you are already familiar with setting up Apache with SSL on Ubuntu.
The getwwwcert package can be installed with the command:
apt-get install getwwwcert
Installing the package will also install the apache2 and cmucs-apache2-ssl packages.
Once the package is installed, run /usr/sbin/getwwwcert, to generate a CSR. You will be asked a series of questions about the Common Name and Organizational Unit of your web server, along with some questions about your contact information. See the documentation on SSL certificates if you are unsure about how to answer some of these questions. getwwwcert will then automatically mail your CSR to firstname.lastname@example.org, and your request will be verified by someone from SCS Facilities logging into your server. A signed certificate will then be mailed to you. Note: Because of the way Comodo generates certificates under the CMU site license, the OU you specify in getwwwcert will probably be ignored.
Installing a certificate with getwwwcert
To install your certificate, save the mail you were sent containing your certificate to a file on your web server, and then run:
/usr/sbin/getwwwcert -I FileName
After the certificate has been installed, you'll need to enable the cmucs-ssl site, which contains the correct paths for certs installed by getwwwcert:
Make sure that the Apache SSL module is enabled and then restart your web server, to have the server use your cert.
Getwwwcert uses several directories created by the cmucs-apache2-ssl package to store certificates and private keys. The main ones are:
- This is a symlink to the directory /etc/not-backed-up/ssl.key, which contains the server's private key. The contents of /etc/not-backed-up are not backed up by the default SCS Facilities backup system. The server's private key is put there to help preserve its confidentiality.
- This direcotry is where getwwwcert stores a copy of the CSRs it generates.
- This directory contains the server certificate(s) and files containing intermediate certificate chains.
Certificate & key versioning
The cmucs-ssl site has the following Apache configuration values:
SSLCertificateFile /etc/apache2/ssl.crt/server.crt SSLCertificateKeyFile /etc/apache2/ssl.key/server.key SSLCertificateChainFile /etc/apache2/ssl.crt/server-chain.crt
server.crt, server.key, and server-chain.crt are symlinks. getwwwcert ensures that these symlinks point to the correct files by creating symbolic links that are versioned according the server's private key and the Common Name of the certificate. These links are created when it creates a new private key or installs a new certificate. When getwwwcert generates a CSR and sends it to email@example.com, it appends a comment to the CSR that specifies the private key version. The comment is of the form:
#:KEYNAME:ServerName.cs.cmu.edu-Nwhere N is the private key version. That comment will be appended to the signed certificate that SCS Facilities sends you, and getwwwcert will use it to ensure that symlinks are correctly created when it then installs the new cert.
If you are using getwwwcert to install your certificates, you should not attempt to manually install new certificates or private keys unless you understand exactly how the symlinks should be created, since that could break your Apache SSL configuration and/or case getwwwcert to fail the next time it attempts to install a certificate.