Based on the GSRC page How and when do we renew the certificate?
This page is OLD and OBSOLETE. See Multi-domain SSL.
Certificate expiration dates:
The Ptolemy code signing certificate expires on 4/9/12
The Chess certificate expires on 1/2/15
The E3S certificate expires on 11/6/15
The Embedded certificate expires on 10/27/13
The Gigascale certificate expires on 9/23/09
The Source.eecs certificate expires on 6/16/16
The Trust certificate expires on 3/24/07 (we'll let it expire and use truststc)
The Truststc certificate expires on 6/14/14
To view the contents of a .cer or .crt file, use keytool -printcert -v -file server.crt
September, 2010: Certificates for domain names that end in berkeley.edu are FREE, see https://iris.eecs.berkeley.edu/forms/cert-request.html. Instructions are at: https://wikihub.berkeley.edu/display/calnet/CalNet+InCommon-Comodo+Certificate+Service.
Ken Tang at BWRC recommends http://rapidsslonline.com ($14-$18/year), which they use for http://bwrc.eecs.berkeley.edu, see http://micronet-at-uc-berkeley.840177.n3.nabble.com/Micronet-Advantages-or-Disadvantages-to-using-cheaper-SSL-certificates-td883986.html.
openssl req -newkey rsa:2048 -nodes -keyout private.key -out public.csr
Generating a 2048 bit RSA private key
.................+++
....................................+++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of California at Berkeley
Organizational Unit Name (eg, section) []:EECS Dept., Ptolemy Project
Common Name (eg, YOUR name) []:source.eecs.berkeley.edu
Email Address []:root@source.eecs.berkeley.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Gigascale Silicon Research Center, D-U-N-S Number: 08-952-1582
558 Cory Hall, Berkeley, CA, 94720, Trade Style, Branch Location
More info:

DUNS: 08-952-1582
DATE ACCESSED: AUG 13 2001    BUSINESS RECORD DATE: JUN 12 2001
REGENTS OF THE UNIVERSITY CAL
UNIVERISTY OF CALIFORNIA - BER
GIGASCALE SILICON RESEARCH CEN
558 CORY HALL
BERKELEY CA 94720
TEL: 510 643-9841
SIC: 82 21
TYPE: BRANCH
CHIEF EXECUTIVE: PROFESSOR A RICHARD NEWTON, DRCT
LINE OF BUSINESS: UNIVERISTY, ELECTRONIC DESIGN AUTOMATION RESEARCH

BTW - The DUNS number for the Ptolemy group is 037966921. Try searching for Edward's phone number 5106420455.

DUNS: 03-796-6921
DATE ACCESSED: FEB 14 2002    BUSINESS RECORD DATE: AUG 20 2001
REGENTS OF THE UNIVERSITY CAL
UC BERKELEY PTOLEMY PROJECT
558 CORY HALL
BERKELEY CA 94720
TEL: 510 642-0455
SIC: 73 89
TYPE: BRANCH
CHIEF EXECUTIVE: Prof Edward A Lee

The Chess DUNS number is 126727705.

REGENTS OF THE UNIVERSITY OF CALIFORNIA, THE
558 CORY HALL
BERKELEY, CA 947200001
(510) 642-0455
Type of Location: branch

The Embedded DUNS number is 168938145.
I got the info below by using http://www.dnb.com/eUpdate

DUNS: 16-893-8145
DATE PRINTED: NOV 15 2004
RATING: BRANCH
REGENTS OF THE UNIVERSITY OF CALIFORNIA, THE
+PETERSON, DONALD O CENTER
545 CORY HALL
BERKELEY CA 94720
MOVED FROM: 545 COPRY HALL, BERKELEY, CA
TEL: 510 643-9841
EMPLOYS: 80-100
SIC NO.: 87 33
BRANCH MANAGER: CHRIS BROOKS, DIR

The TRUST DUNS number is 191822738.
The UNIVERSITY OF CALIFORNIA 178 CORY HALL DUNS number is 136164147.
The way two-year certificates work is that we get a renewal certificate in August, which then needs to be installed. In August 2004, we should renew again for two years. Christopher should receive the email.
Date: Thu, 29 Jul 2004 10:15:05 -0700 (PDT)
To: cxh@eecs.berkeley.edu
From: VeriSign Customer Support Department
Subject: Your VeriSign SSL Certificate
Reply-To: support@verisign.com

Order number: 151527154
Price: $ 598.00

Dear VeriSign Site Services Customer,

Congratulations! Your VeriSign Site Service order has been approved. Your SSL certificate is included at the end of this message.

The attached SSL certificate is for:
Common name: WWW.GIGASCALE.ORG
Organization: GIGASCALE SILICON RESEARCH CENTER
Organizational unit: WEBSITE ENGINEERING

Additionally, as part of your Site Service, you are entitled to display the VeriSign Secure Site Seal - recognized across the Internet and around the world as a symbol of authenticity, security, and trust - to build consumer confidence in your Web site.

For installation instructions for your SSL certificate, go to: http://www.verisign.com/support/install/index.html
For installation instructions for your Secure Site Seal, go to: http://www.verisign.com/seal/secure/index.html

******************************

If you have any questions, please call our Customer Support Department.

Thank you,
VeriSign Customer Support Department
Hours of Operation: 5AM-6PM Pacific Time, Monday-Friday
E-mail: support@verisign.com
Web: http://www.verisign.com
Phone: 1-877-GET-VRSN 1-877-438-8776 or 1-650-426-3400
Fax: 1-650-961-8870
Our certificate was purchased through Verisign. The renewal process may or may not require generation of a new key. Usually, if there is a change in the people who serve as technical contacts (currently Christopher Brooks), a new key is mandatory. When it comes time to renew, Verisign tech support can assist with key generation.
Below are the steps I took to generate a new CSR:

gigascale:root: %C2> cd /usr/local/apache/conf/gsrc.crt
gigascale:root: %C2> mkdir 2004
gigascale:root: %C2> cd 2004
gigascale:root: %C2> openssl req -new -nodes -keyout private.key -out public.csr
Using configuration from /usr/local/ssl/openssl.cnf
Generating a 1024 bit RSA private key
......................++++++
...........................++++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gigascale Silicon Research Center
Organizational Unit Name (eg, section) []:Website Engineering
Common Name (eg, YOUR name) []:www.gigascale.org
Email Address []:www@gigascale.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Gigascale
gigascale:root: %C2> chmod 400 *
gigascale:root: %C2> ls -l
total 2
-r--------   1 root          891 Sep  4 17:10 private.key
-r--------   1 root          838 Sep  4 17:10 public.csr
gigascale:root: %C2>

I then used public.csr in the Verisign form.
For chess, I did:

gigascale:root: %C2> openssl req -new -nodes -keyout private.key -out public.csr
Using configuration from /usr/local/openssl-0.9.6g/openssl.cnf
Generating a 1024 bit RSA private key
........++++++
.............++++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Regents of the University of California
Organizational Unit Name (eg, section) []:Chess Project
Common Name (eg, YOUR name) []:chess.eecs.berkeley.edu
Email Address []:www@chess.eecs.berkeley.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

As of 2010, we are now getting .berkeley.edu certs from campus. However, the keys need to be 2048 bits. So, the command to run for CHESS is:

andrews.EECS.Berkeley.EDU:root: %C2> openssl req -newkey rsa:2048 -nodes -keyout private.key -out public.csr
Generating a 2048 bit RSA private key
......................+++
......+++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of California at Berkeley
Organizational Unit Name (eg, section) []:CHESS Center, EECS Dept.
Common Name (eg, YOUR name) []:chess.eecs.berkeley.edu
Email Address []:cxh@eecs.berkeley.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
andrews.EECS.Berkeley.EDU:root: %C2>
For embedded, I did:
openssl req -new -nodes -keyout private.key -out public.csr
Generating a 1024 bit RSA private key
..................++++++
..............++++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of California at Berkeley
Organizational Unit Name (eg, section) []:The Donald O Peterson Center for Electronic Systems Design
Common Name (eg, YOUR name) []:embedded.eecs.berkeley.edu
Email Address []:root@andrews.eecs.berkeley.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
andrews:root: %C2> chmod 400 *

and then mailed the certificate request to help@eecs.berkeley.edu. See https://wikihub.berkeley.edu/display/calnet/CalNet+InCommon-Comodo+Certificate+Service.
Note that when you get the email from support@cert-manager.com, select "as X509 Certificate only, Base64 encoded". If you select "as X509, Base64 encoded", then when you restart apache, you will get messages like:

[Thu Oct 28 09:51:38 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Oct 28 09:51:38 2010] [warn] RSA server certificate CommonName (CN) `Add Trust External CA Root' does NOT match server name!?
[Thu Oct 28 09:51:38 2010] [error] Unable to configure RSA server private key
[Thu Oct 28 09:51:38 2010] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

The log shows what went wrong: the first certificate in that download is the AddTrust root (CA == TRUE, CN "Add Trust External CA Root"), so Apache tries to pair the CA certificate with your private key and the moduli do not match. For details about this, see http://www.howtoforge.com/forums/showthread.php?p=120343, which says to run

openssl x509 -noout -text -modulus -in embedded.crt/2010/embedded.cer > /tmp/cer
openssl rsa -noout -text -modulus -in embedded.crt/2010/private.key > /tmp/key

and to compare the moduli, which should match.
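The modulus comparison above and the two Apache warnings, folded into one check script. This is an added example, not code from the original page; the function names and the optional hostname argument are my own choices, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Verify that a server certificate belongs to a private key before handing
# both to Apache, and catch the "wrong download format" case in which a CA
# certificate ends up installed as the server certificate.
# Usage: check_cert_key server.crt server.key [expected-hostname]

# 0 when the RSA modulus in the certificate equals the modulus in the key,
# 1 on mismatch, 2 when either file cannot be read as PEM.
cert_key_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# 0 when the certificate carries BasicConstraints CA:TRUE, i.e. it is a CA
# certificate (what Apache logged as "CA == TRUE !?"), not a server cert.
cert_is_ca() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

# 0 when the subject CN of the certificate equals the expected hostname.
cert_cn_matches() {
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# Runs all three checks; exit status 0 only if every check passes.
check_cert_key() {
    rc=0
    if cert_key_match "$1" "$2"; then
        echo "OK: modulus of $1 matches $2"
    else
        echo "FAIL: $1 and $2 do not belong together (key values mismatch)"; rc=1
    fi
    if cert_is_ca "$1"; then
        echo "FAIL: $1 is a CA certificate (CA:TRUE); wrong download format?"; rc=1
    fi
    if [ -n "$3" ]; then
        if cert_cn_matches "$1" "$3"; then echo "OK: CN is $3"
        else echo "FAIL: CN of $1 is not $3"; rc=1; fi
    fi
    return $rc
}

# Act as a command only when run with arguments.
if [ $# -ge 2 ]; then
    check_cert_key "$@"
fi
```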
For https://e3scenter.org, we purchased a 5 year certificate from http://rapidsslonline.com ($14-$18/year):

andrews.EECS.Berkeley.EDU:root: %C2> openssl genrsa -out e3s.key 1024
Generating RSA private key, 1024 bit long modulus
..............++++++
.++++++
e is 65537 (0x10001)
andrews.EECS.Berkeley.EDU:root: %C2> openssl req -new -key e3s.key -out e3s.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of California, Berkeley
Organizational Unit Name (eg, section) []:Center for Energy Efficient Electronics Science
Common Name (eg, YOUR name) []:e3scenter.org
Email Address []:root@andrews.eecs.berkeley.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
andrews.EECS.Berkeley.EDU:root: %C2>
Note that we now use www.truststc.org, not trust.eecs.berkeley.edu. For trust, I did:

gigascale:root: %C2> mkdir trust.crt trust.key
gigascale:root: %C2> cd trust.crt
gigascale:root: %C2> mkdir 2004
gigascale:root: %C2> cd 2004
gigascale:root: %C2> openssl req -new -nodes -keyout private.key -out public.csr
Generating a 1024 bit RSA private key
.......................................++++++
......++++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Regents of The University of California
Organizational Unit Name (eg, section) []:Team for Research in Ubitquitous Secure Technologies (TRUST)
Common Name (eg, YOUR name) []:trust.eecs.berkeley.edu
Email Address []:www@trust.eecs.berkeley.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

For www.truststc.org, I did:

andrews.EECS.Berkeley.EDU:root: %C2> cd /usr/local/apache/conf/truststc.crt
andrews.EECS.Berkeley.EDU:root: %C2> mkdir 2008
andrews.EECS.Berkeley.EDU:root: %C2> cd 2008
andrews.EECS.Berkeley.EDU:root: %C2> openssl req -new -nodes -keyout private.key -out public.csr
Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Regents of The University of California
Organizational Unit Name (eg, section) []:Team for Research in Ubitquitous Secure Technologies (TRUST)
Common Name (eg, YOUR name) []:www.truststc.org
Email Address []:webmgr@www.truststc.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
andrews.EECS.Berkeley.EDU:root: %C2> chmod 0400 *

For tao.truststc.org, I did:

andrews.EECS.Berkeley.EDU:root: %C2> openssl req -new -nodes -keyout private.key -out public.csr
Generating a 1024 bit RSA private key
.....++++++
...................++++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Regents of The University of California
Organizational Unit Name (eg, section) []:Team for Research in Ubitquitous Secure Technologies (TRUST)
Common Name (eg, YOUR name) []:tao.truststc.org
Email Address []:www@truststc.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note: Be sure to use "Regents of The University of California", do not use "Regents of the University of California, Berkeley".
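The interactive CSR sessions above, as an added non-interactive script that is not part of the original page: it generates the 2048-bit key and CSR with the DN passed on the command line (organization string as in the note above), sets the key permissions, and checks the CSR before it is sent. The function names and the OU/e-mail arguments are my own choices; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Non-interactive CSR generation: 2048-bit RSA key (required for the campus
# certs since 2010), key readable by root only, DN given with -subj so the
# organization string is exactly what the CA expects.

# make_csr <outdir> <hostname> <org-unit> <email>
# Writes <outdir>/private.key and <outdir>/public.csr; returns 0 on success.
make_csr() {
    outdir=$1; host=$2; ou=$3; email=$4
    mkdir -p "$outdir" || return 1
    # umask 077 makes the key mode 0600 from the moment it is written,
    # instead of relying on a chmod afterwards.
    (
        umask 077
        openssl req -newkey rsa:2048 -nodes \
            -keyout "$outdir/private.key" -out "$outdir/public.csr" \
            -subj "/C=US/ST=California/L=Berkeley/O=Regents of The University of California/OU=$ou/CN=$host/emailAddress=$email" \
            >/dev/null 2>&1
    ) || return 1
    chmod 400 "$outdir/private.key" "$outdir/public.csr"
}

# Check the CSR before sending it: its self-signature must verify and the
# CN must be the host name we are ordering the certificate for.
csr_ok() {
    csr=$1; host=$2
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
    openssl req -noout -subject -nameopt RFC2253 -in "$csr" 2>/dev/null \
        | grep -Eq "CN=$host(,|$)"
}

# Key size recorded in the private key file (2048 expected).
key_bits() {
    openssl rsa -noout -text -in "$1" 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Example run (constructed arguments mirroring the 2010 CHESS request):
#   make_csr /usr/local/apache/conf/chess.crt/2010 chess.eecs.berkeley.edu \
#       "CHESS Center, EECS Dept." cxh@eecs.berkeley.edu
#   csr_ok /usr/local/apache/conf/chess.crt/2010/public.csr chess.eecs.berkeley.edu
```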
When cert.cer comes back from Verisign:

1. The live files are /usr/local/apache/conf/website.csr and /usr/local/apache/conf/website.key. Back up the current files by ensuring that there is a subdirectory in each directory with a copy of the .crt and .key files.
2. Install the cert.cer file received from Verisign in the appropriate /usr/local/apache/conf/website.csr as server.crt.
3. Install the private.key file created when we generated the certificate request into /usr/local/apache/conf/website.key as server.key.
4. Restart the server:
   /etc/init.d/gsrc stop   # Wait a few seconds, use ps -auxgww to verify the site is down
   /etc/init.d/gsrc start

make certificates in the Apache sources. See How Do I install Apache for details.

If it is the second year of a two year license, then aw@eecs.berkeley.edu should get email in mid August with the new license. If you are only renewing, then you need not generate a new certificate request.

1. Back up server.crt:
   cp -p server.crt server.crtMMDDYY
   where MMDDYY is the Month, Day, Year of the previous certificate. The idea is that we want to be able to revert back if there are problems.
2. Back up server.key:
   cp -p server.key server.keyMMDDYY
   Again, we preserve the old key in case something goes wrong.
3. Install the new key:
   cp ../gsrc.crt/2004/private.key server.key
   /usr/local/apache/conf/gsrc.crt
4. Restart Apache:
   /etc/init.d/apache* stop
   /etc/init.d/apache* start