Based on the GSRC page How and when do we renew the certificate?

This page is OLD and OBSOLETE. See Multi-domain SSL.


The Ptolemy code signing certificate expires on 4/9/12
The Chess certificate expires on 1/2/15
The E3S certificate expires on 11/6/15
The Embedded certificate expires on 10/27/13
The Gigascale certificate expires on 9/23/09
The Source.eecs certificate expires on 6/16/16
The Trust certificate expires on 3/24/07
We'll let it expire and use truststc
The Truststc certificate expires on 6/14/14
Read the Viewing Certificate Info FAQ for details.
To check the contents of a .cer or .crt file, use keytool -printcert -v -file server.crt

September, 2010: Certificates for domain names that end in berkeley.edu are FREE, see https://iris.eecs.berkeley.edu/forms/cert-request.html. Instructions are at: https://wikihub.berkeley.edu/display/calnet/CalNet+InCommon-Comodo+Certificate+Service.

Ken Tang at BWRC recommends http://rapidsslonline.com ($14-$18/year), which they use for http://bwrc.eecs.berkeley.edu, see http://micronet-at-uc-berkeley.840177.n3.nabble.com/Micronet-Advantages-or-Disadvantages-to-using-cheaper-SSL-certificates-td883986.html.

Renewing source.eecs

June, 2013

openssl req -newkey rsa:2048 -nodes -keyout private.key -out public.csr
Generating a 2048 bit RSA private key
.................+++
....................................+++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of California at Berkeley
Organizational Unit Name (eg, section) []:EECS Dept., Ptolemy Project
Common Name (eg, YOUR name) []:source.eecs.berkeley.edu
Email Address []:root@source.eecs.berkeley.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Our DUNS number

To get a certificate, we needed a Dun and Bradstreet number. The GSRC DUNS number is:
Gigascale Silicon Research Center, D-U-N-S Number: 08-952-1582 
558 Cory Hall, Berkeley, CA, 94720, Trade Style, Branch Location
More info:
 DUNS: 08-952-1582                  DATE ACCESSED      BUSINESS RECORD DATE
  REGENTS OF THE UNIVERSITY CAL      AUG 13 2001        JUN 12 2001
  UNIVERISTY OF CALIFORNIA - BER
  GIGASCALE SILICON RESEARCH CEN     SIC: 82 21         TYPE:
  558 CORY HALL                                           BRANCH
  BERKELEY CA 94720
       TEL: 510 643-9841

  CHIEF EXECUTIVE: PROFESSOR A RICHARD NEWTON, DRCT

  LINE OF BUSINESS:
    UNIVERISTY, ELECTRONIC DESIGN AUTOMATION RESEARCH
BTW - The DUNS number for the Ptolemy group is 037966921. Try searching for Edward's phone number 5106420455
DUNS: 03-796-6921                  DATE ACCESSED      BUSINESS RECORD DATE
  REGENTS OF THE UNIVERSITY CAL      FEB 14 2002        AUG 20 2001
  UC BERKELEY PTOLEMY PROJECT
  558 CORY HALL                      SIC: 73 89         TYPE:
  BERKELEY CA 94720                                       BRANCH
       TEL: 510 642-0455

  CHIEF EXECUTIVE: Prof Edward A Lee

The Chess DUNS number is 126727705.

REGENTS OF THE UNIVERSITY OF CALIFORNIA, THE
558 CORY HALL
BERKELEY ,  CA   947200001
(510) 642-0455
Type of Location: branch

The Embedded DUNS number is 168938145
I got the info below by using http://www.dnb.com/eUpdate

DUNS: 16-893-8145           DATE PRINTED
REGENTS OF THE UNIVERSITY OF     NOV 15 2004          RATING    BRANCH
CALIFORNIA, THE
  +PETERSON, DONALD O CENTER                          EMPLOYS   80-100
                                 SIC NO.
545 CORY HALL                    87 33
MOVED FROM: 545 COPRY HALL,
BERKELEY, CA
BERKELEY CA  94720
     TEL: 510 643-9841

BRANCH MANAGER:  CHRIS BROOKS, DIR

The TRUST DUNS number is 191822738

The UNIVERSITY OF CALIFORNIA 178 CORY HALL DUNS number is 136164147

When to renew

Our initial certificate was purchased on 9/16/99. We then purchased a 2 year certificate, which will expire on 9/18?/02; the receipt is below.

The way two year certificates work is that we should get a renewal certificate in August, that then needs to be installed. In August, 2004, we should renew again for two years. Christopher should receive the email.

Date: Thu, 29 Jul 2004 10:15:05 -0700 (PDT)
To: cxh@eecs.berkeley.edu
From: VeriSign Customer Support Department 

Subject: Your VeriSign SSL Certificate
Reply-To: support@verisign.com


Order number: 151527154
Price:        $ 598.00

Dear VeriSign Site Services Customer,

Congratulations! Your VeriSign Site Service order has been approved.
Your SSL certificate is included at the end of this message. The
attached SSL certificate is for:

Common name:          WWW.GIGASCALE.ORG
Organization:         GIGASCALE SILICON RESEARCH CENTER
Organizational unit:  WEBSITE ENGINEERING

Additionally, as part of your Site Service, you are entitled to
display the VeriSign Secure Site Seal - recognized across the
Internet and around the world as a symbol of authenticity, security,
and trust - to build consumer confidence in your Web site.

For installation instructions for your SSL certificate, go to:
http://www.verisign.com/support/install/index.html

For installation instructions for your Secure Site Seal, go to:
http://www.verisign.com/seal/secure/index.html



******************************
If you have any questions, please call our Customer Support Department.

Thank you,
VeriSign Customer Support Department
Hours of Operation: 5AM-6PM Pacific Time, Monday-Friday
E-mail: support@verisign.com
Web: http://www.verisign.com
Phone: 1-877-GET-VRSN 1-877-438-8776 or 1-650-426-3400
Fax: 1-650-961-8870


How to renew:

Vendor: Verisign
Phone Number: 1-650-429-3400 1, 2, 2
Order ID: 42526622
Expiration Date: 9/16/00
Cost: $249/year (can pay for two years in advance, but must renew annually)
Password or Challenge Phrase: *********

Our certificate was purchased through Verisign. The renewal process may or may not require generation of a new key. Usually, if there is a change in the people who serve as technical contacts (currently Christopher Brooks), a new key is mandatory. When it comes time to renew, Verisign tech support can assist with key generation.

Below are the steps I took to generate a new CSR

gigascale:root: %C2> cd /usr/local/apache/conf/gsrc.crt
gigascale:root: %C2> mkdir 2004
gigascale:root: %C2> cd 2004
gigascale:root: %C2> openssl req -new -nodes -keyout private.key -out public.csr
Using configuration from /usr/local/ssl/openssl.cnf
Generating a 1024 bit RSA private key
......................++++++
...........................++++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank

For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley                                           
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gigascale Silicon Research Center
Organizational Unit Name (eg, section) []:Website Engineering
Common Name (eg, YOUR name) []:www.gigascale.org
Email Address []:www@gigascale.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Gigascale
gigascale:root: %C2> chmod 400 *
gigascale:root: %C2> ls -l
total 2
-r--------   1 root          891 Sep  4 17:10 private.key
-r--------   1 root          838 Sep  4 17:10 public.csr
gigascale:root: %C2>

I then used public.csr in the Verisign form

For chess, I did

gigascale:root: %C2> openssl req -new -nodes -keyout private.key -out public.csr
Using configuration from /usr/local/openssl-0.9.6g/openssl.cnf
Generating a 1024 bit RSA private key
........++++++
.............++++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Regents of the University of California
Organizational Unit Name (eg, section) []:Chess Project
Common Name (eg, YOUR name) []:chess.eecs.berkeley.edu
Email Address []:www@chess.eecs.berkeley.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

As of 2010, we get .berkeley.edu certs from campus. However, the keys need to be 2048 bits, so the command to run for CHESS is:
andrews.EECS.Berkeley.EDU:root: %C2>
openssl req -newkey rsa:2048 -nodes -keyout private.key -out public.csr
Generating a 2048 bit RSA private key
......................+++
......+++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of California at Berkeley
Organizational Unit Name (eg, section) []:CHESS Center, EECS Dept.
Common Name (eg, YOUR name) []:chess.eecs.berkeley.edu
Email Address []:cxh@eecs.berkeley.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
andrews.EECS.Berkeley.EDU:root: %C2>

For embedded, I did:

openssl req -new -nodes -keyout private.key -out public.csr
Generating a 1024 bit RSA private key
..................++++++
..............++++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of California at Berkeley
Organizational Unit Name (eg, section) []:The Donald O Peterson Center for Electronic Systems Design
Common Name (eg, YOUR name) []:embedded.eecs.berkeley.edu
Email Address []:root@andrews.eecs.berkeley.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

andrews:root: %C2> chmod 400 *

and then mailed the cert to help@eecs.berkeley.edu. See https://wikihub.berkeley.edu/display/calnet/CalNet+InCommon-Comodo+Certificate+Service.

Note that when you get the email from support@cert-manager.com, select "as X509 Certificate only, Base64 encoded". If you select "as X509, Base64 encoded", then when you restart apache, you will get messages like:

[Thu Oct 28 09:51:38 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Oct 28 09:51:38 2010] [warn] RSA server certificate CommonName (CN) `Add Trust External CA Root' does NOT match server name!?
[Thu Oct 28 09:51:38 2010] [error] Unable to configure RSA server private key
[Thu Oct 28 09:51:38 2010] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
For details about this, see http://www.howtoforge.com/forums/showthread.php?p=120343, which says to run
openssl x509 -noout -text -modulus -in embedded.crt/2010/embedded.cer > /tmp/cer
openssl rsa -noout -text -modulus -in embedded.crt/2010/private.key > /tmp/key
and to compare the moduli, which should match.
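An added example (not from the original page or the howtoforge thread) of that comparison as a pre-install check: it inspects the first certificate in the file, since that is the one the server loads, and reports the CA-certificate, CommonName and key-mismatch cases seen in the Apache log above. The host name, file names and throwaway keys are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check a certificate/key pair before restarting Apache.
# Host names and file names below are constructed for the demonstration.

# Digest of the RSA modulus of a certificate (x509) or private key (rsa).
# Only a hash is printed, so no key material is written anywhere.
modulus_digest() {  # $1 = x509|rsa, $2 = file
    m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$m" ] || return 1
    printf '%s' "$m" | openssl sha256 | awk '{print $NF}'
}

# Prints "ok" and returns 0 when the FIRST certificate in $1 (the one the
# server loads) is a non-CA certificate for $3 and matches the key in $2.
# Otherwise prints the first problem found and returns 1.
check_pair() {  # $1 = cert file, $2 = key file, $3 = expected server name
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null) ||
        { echo "unreadable certificate"; return 1; }
    # A chain download puts a CA certificate first in the file.
    if openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "first certificate is a CA certificate"; return 1
    fi
    case "$subject" in
        *"CN=$3,"* | *"CN=$3") ;;
        *) echo "CommonName does not match $3"; return 1 ;;
    esac
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null ||
        { echo "certificate has expired"; return 1; }
    cert_md=$(modulus_digest x509 "$1") || { echo "no RSA modulus in certificate"; return 1; }
    key_md=$(modulus_digest rsa "$2") || { echo "unreadable private key"; return 1; }
    [ "$cert_md" = "$key_md" ] || { echo "key values mismatch"; return 1; }
    echo "ok"
}

# Constructed demo material: a throwaway key plus self-signed certificate.
make_cert() {  # $1 = output prefix, $2 = CN, $3 = TRUE|FALSE (CA flag)
    printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n[dn]\nCN=%s\n[ext]\nbasicConstraints=critical,CA:%s\n' \
        "$2" "$3" > "$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
make_cert "$d/site"  demo.example.test       FALSE
make_cert "$d/root"  "Constructed Demo Root" TRUE
make_cert "$d/other" demo.example.test       FALSE
cat "$d/root.crt" "$d/site.crt" > "$d/chain.crt"   # chain file, CA first

check_pair "$d/site.crt"  "$d/site.key"  demo.example.test           # matching pair
check_pair "$d/chain.crt" "$d/site.key"  demo.example.test || true   # wrong download format
check_pair "$d/site.crt"  "$d/other.key" demo.example.test || true   # key from another request
```

The check compares SHA-256 digests of the modulus, so unlike redirecting the key's -text output to a file under /tmp it leaves no private key components on disk.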

e3scenter.org

For https://e3scenter.org, we purchased a 5 year certificate from http://rapidsslonline.com ($14-$18/year)
andrews.EECS.Berkeley.EDU:root: %C2> openssl genrsa -out e3s.key 1024
Generating RSA private key, 1024 bit long modulus
..............++++++
.++++++
e is 65537 (0x10001)
andrews.EECS.Berkeley.EDU:root: %C2> openssl req -new -key e3s.key -out e3s.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of California, Berkeley
Organizational Unit Name (eg, section) []:Center for Energy Efficient Electronics Science
Common Name (eg, YOUR name) []:e3scenter.org
Email Address []:root@andrews.eecs.berkeley.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
andrews.EECS.Berkeley.EDU:root: %C2>

Note that we now use www.truststc.org, not trust.eecs.berkeley.edu.

For trust, I did

gigascale:root: %C2> mkdir trust.crt trust.key
gigascale:root: %C2> cd trust.crt
gigascale:root: %C2> mkdir 2004
gigascale:root: %C2> cd 2004
gigascale:root: %C2> openssl req -new -nodes -keyout private.key -out public.csr
Generating a 1024 bit RSA private key
.......................................++++++
......++++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Regents of The University of California
Organizational Unit Name (eg, section) []:Team for Research in Ubitquitous Secure Technologies (TRUST)
Common Name (eg, YOUR name) []:trust.eecs.berkeley.edu
Email Address []:www@trust.eecs.berkeley.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
For www.truststc.org, I did
andrews.EECS.Berkeley.EDU:root: %C2> cd /usr/local/apache/conf/truststc.crt
andrews.EECS.Berkeley.EDU:root: %C2> mkdir 2008
andrews.EECS.Berkeley.EDU:root: %C2> cd 2008
andrews.EECS.Berkeley.EDU:root: %C2> openssl req -new -nodes -keyout private.key -out public.csr
Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Regents of The University of California
Organizational Unit Name (eg, section) []:Team for Research in Ubitquitous Secure Technologies (TRUST)
Common Name (eg, YOUR name) []:www.truststc.org
Email Address []:webmgr@www.truststc.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
andrews.EECS.Berkeley.EDU:root: %C2> chmod 0400 *


For tao.truststc.org, I did
andrews.EECS.Berkeley.EDU:root: %C2> openssl req -new -nodes -keyout private.key -out public.csr
Generating a 1024 bit RSA private key
.....++++++
...................++++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Regents of The University of California
Organizational Unit Name (eg, section) []:Team for Research in Ubitquitous Secure Technologies (TRUST)
Common Name (eg, YOUR name) []:tao.truststc.org
Email Address []:www@truststc.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Note: Be sure to use "Regents of The University of California", do not use "Regents of the University of California, Berkeley"
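An added example (not part of the original page) that produces the same kind of request without the interactive prompts and then lints it before submission, checking the 2048-bit requirement and the exact Organization string from the note above. The host name demo.example.test and the directory layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: create a CSR without interactive prompts, then lint it
# before it is submitted. The host name demo.example.test is constructed.

# Generate key + CSR in directory $1 with subject $2 and an RSA key of $3 bits.
make_csr() {
    # Minimal config so the run does not depend on a system openssl.cnf.
    printf '[req]\ndistinguished_name=req\n' > "$1/req.cnf"
    ( umask 077   # private.key is owner-only from the moment it is created
      openssl req -new -newkey "rsa:$3" -nodes -config "$1/req.cnf" -subj "$2" \
          -keyout "$1/private.key" -out "$1/public.csr" 2>/dev/null )
}

# Prints "ok", or prints the first problem found and returns 1.
lint_csr() {  # $1 = CSR, $2 = expected CN, $3 = expected O, $4 = minimum key bits
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) ||
        { echo "unreadable CSR"; return 1; }
    subject=$(openssl req -in "$1" -noout -subject -nameopt RFC2253)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$4" ] || { echo "key is ${bits:-0} bits, need $4"; return 1; }
    case "$subject" in
        *"CN=$2,"* | *"CN=$2") ;;
        *) echo "CommonName is not $2"; return 1 ;;
    esac
    # Exact, case-sensitive match: a trailing ", Berkeley" or "the" fails.
    case "$subject" in
        *"O=$3,"* | *"O=$3") ;;
        *) echo "Organization is not exactly '$3'"; return 1 ;;
    esac
    echo "ok"
}

d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
mkdir "$d/good" "$d/bad"
org='Regents of The University of California'
make_csr "$d/good" "/C=US/ST=California/L=Berkeley/O=$org/CN=demo.example.test" 2048
make_csr "$d/bad" \
    "/C=US/ST=California/L=Berkeley/O=Regents of the University of California, Berkeley/CN=demo.example.test" 2048

lint_csr "$d/good/public.csr" demo.example.test "$org" 2048
lint_csr "$d/bad/public.csr"  demo.example.test "$org" 2048 || true
```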

Installing a renewed certificate

After a while, you will get a file named cert.cer back from Verisign.
  1. Each website has a directory named /usr/local/apache/conf/website.csr and /usr/local/apache/conf/website.key. Back up the current files by ensuring that there is a subdirectory in each directory with a copy of the .crt and .key files.
  2. Place the contents of the cert.cer file received from Verisign in the appropriate /usr/local/apache/conf/website.csr as server.crt
  3. Copy the private.key file created when we generated the certificate request into /usr/local/apache/conf/website.key as server.key
  4. As root, stop and restart the website
    /etc/init.d/gsrc stop
    # Wait a few seconds, use ps -auxgww to verify the site is down
    /etc/init.d/gsrc start
    
  5. Verify that you can log out and log in
  6. View Certificate Info

Initial Installation

To install the certificate, follow these steps
  1. If you are setting up a new server, then generate the certificate request by running make certificates in the Apache sources. See How Do I install Apache for details.

    If it is the second year of a two year license, then aw@eecs.berkeley.edu should get email in mid August with the new license. If you are only renewing, then you need not generate a new certificate request.

  2. See Verisign's webpage for more info: http://www.verisign.com/cus/srv/csr/index.html
  3. Get a Dun and Bradstreet number and authorization for the purchase, and then purchase a standard Verisign secure site license for one year ($349 in 9/99) ($498 for two years in 9/02, $598 for two years in 9/04).
  4. Eventually, you will get a certificate back from Verisign.
  5. In /usr/local/apache/conf/gsrc.crt, copy the previous server.crt
    cp -p server.crt server.crtMMDDYY
    
    
    where MMDDYY is the Month, Day, Year of the previous certificate. The idea is that we want to be able to revert back if there are problems.
  6. In /usr/local/apache/conf/gsrc.key, copy the previous server.key
    cp -p server.key server.keyMMDDYY
    
    Again, we preserve the old key in case something goes wrong.
  7. Copy the server.key that was generated:
    cp ../gsrc.crt/2004/private.key server.key
    
  8. Copy the certificate that Verisign emailed us into /usr/local/apache/conf/gsrc.crt
  9. Restart Apache as root with
    /etc/init.d/apache* stop
    /etc/init.d/apache* start