Ubuntu | Request & Install Certificate from a Windows CA

Requesting a Certificate

A crucial part of hosting any website is getting the security basics right. Top of the list is applying a certificate: an internal certificate for an internal site, or an external certificate if the site is accessed over the internet.

Newer versions of Ubuntu have made it increasingly easy to request and apply certificates. The steps below are what I did to request and install an internal certificate on an Ubuntu 20.04 LTS system.

First of all, SSH to the Ubuntu server and make sure your user has sudo rights. We'll be using OpenSSL to create our CSR (Certificate Signing Request), which produces two files: a .csr file (the signing request that goes to the CA) and a .key file (the private key, which stays on the server).

Before we generate the signing request we need to add some options to the OpenSSL configuration at /etc/ssl/openssl.cnf. Open the configuration using nano with the following command:

sudo nano /etc/ssl/openssl.cnf
Look for the [ req ] section and remove the leading "#" from the following line.
# req_extensions = v3_req #
Look for [ v3_req ] and add the following lines.
subjectAltName = @alt_names
[alt_names]
DNS.1 = <ServerNameFQDN>
DNS.2 = <ServerName>
Replace <ServerNameFQDN> with the server's fully qualified name and <ServerName> with its short host name. Both names end up as Subject Alternative Names, which browsers require; the Common Name alone is no longer enough.

Save the changes.

Run the following command to generate the files:

openssl req -new -newkey rsa:2048 -keyout <ServerName>.key -out <ServerName>.csr -nodes -config /etc/ssl/openssl.cnf

You'll be prompted to complete a number of attributes. Most of them are common information such as country and email address. The important attribute is the common name: this needs to be the FQDN the site is accessed by. I'm using the server name for access, but you may be using a CNAME to make the site easier to reach, in which case the CNAME must also be in the alt_names list above.

After all the attributes have been completed you'll see the two new files in the directory you ran the command from. It's best to move them into a dedicated directory so you know where they are.
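The same request, as an added example rather than the post's own commands: a shell function that writes a per-request OpenSSL config (so /etc/ssl/openssl.cnf is left untouched), generates the key and CSR non-interactively, and prints the SANs the CA will be asked to sign. The host names, country and organisation are constructed placeholders.

```bash
#!/bin/bash
# Added example: non-interactive CSR generation with Subject Alternative Names.
# Uses a per-request config instead of editing the system-wide openssl.cnf.
set -e

# make_csr <ServerName> <ServerNameFQDN> <outdir>
# Writes <outdir>/<ServerName>.key (mode 600) and <outdir>/<ServerName>.csr
make_csr() {
  local name="$1" fqdn="$2" outdir="$3"
  mkdir -p "$outdir"
  # Same [ v3_req ] / [ alt_names ] layout the post adds to openssl.cnf,
  # but scoped to this one request. C and O are constructed values.
  cat > "$outdir/$name.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = GB
O = Example Org
CN = $fqdn
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $fqdn
DNS.2 = $name
EOF
  # umask 077 so the private key is never world-readable, not even briefly
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$outdir/$name.key" -out "$outdir/$name.csr" \
      -config "$outdir/$name.cnf" 2>/dev/null )
}

# csr_sans <file.csr>: print the SAN entries in the request, comma separated
csr_sans() {
  openssl req -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}
```

Check the printed SAN list before sending the CSR to the CA; a name missing here cannot be added by the CA later.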

The next step is to copy the contents of the CSR file onto a Windows machine. I've found that opening the file with cat and simply copying and pasting is the easiest way, as I'm running Windows as my base operating system. Make sure to save the file on Windows with a .csr extension. Only the CSR moves; the .key file never needs to leave the server.

sudo cat <ServerName>.csr

Once you have a copy of the CSR file on your Windows machine, you can either paste its contents into your external certificate vendor's portal to obtain an external certificate, or carry on below to gather the information needed for an internal certificate.

You'll need the name of the certificate template you're going to use, to make sure you get the right kind of certificate for your purpose (a web server template includes the Server Authentication usage). If you have access to the Certificate Authority, this can be read from the certificate template itself:

If you don't have access you may need to ask your administrator to retrieve the name for you.

Once you know the certificate template name, on your Windows machine open an administrative command prompt and enter the following:

certreq -submit -attrib "CertificateTemplate:NEW-WebServer"

You'll be asked to open your .csr file and to select the appropriate Certificate Authority, of which there will normally be only one. You'll also need to specify where the issued certificate should be saved. This file will be a .cer file.

The .cer file now needs to be copied back over to the Ubuntu system. I normally use SCP for these sorts of scenarios:

scp <ServerName>.cer username@to_host:/remote/directory/

Installing the Certificate

Now we have all the files in the same place the request is complete, although it is worth noting that Linux tools deal with PEM files a lot more easily than CER files, so it's worth converting the certificate before importing. This can be done with the following command (if certreq saved the .cer in binary DER form rather than Base64, add -inform DER):

openssl x509 -in <ServerName>.cer -outform PEM -out <ServerName>.pem

To get your certificate imported, copy the .pem and .key files to /etc/ssl/certs, where the other certificate files reside. The .key file is the private key, so restrict it to root (sudo chmod 600 /etc/ssl/certs/<ServerName>.key); anyone who can read it can impersonate the site.

As we are using Apache as our web server, it's important to note that Apache uses one configuration file per site. These configuration files are located in /etc/apache2/sites-enabled.

As we only have one site, open the only conf file available using the below command:

sudo nano /etc/apache2/sites-enabled/000-default.conf

Add the following if it does not already exist:

<VirtualHost [IP ADDRESS]:443>
    ServerAdmin webmaster@demo.com
    # Change this if your web root is different
    DocumentRoot /var/www/html
    ServerName <ServerName>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/<ServerName>.pem
    SSLCertificateKeyFile /etc/ssl/certs/<ServerName>.key
</VirtualHost>

SSLEngine only takes effect when Apache's SSL module is loaded (sudo a2enmod ssl if it isn't already). Then restart your Apache service using:

sudo systemctl restart apache2

or use the command below to see what the current status is (a mismatched key or unreadable file shows up here as a failed start):

sudo systemctl status apache2
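Before pointing Apache at the files, the checks below catch the usual failures: a .cer that is actually DER, a certificate that does not belong to the key on the server, a missing SAN, or a certificate about to expire. This is an added example, not the post's own procedure; file names follow the post's placeholders.

```bash
#!/bin/bash
# Added example: sanity checks on the issued certificate before restarting Apache.
set -e

# to_pem <in.cer> <out.pem>: "openssl x509" assumes PEM input, so a DER .cer
# fails the first attempt; fall back to -inform DER in that case.
to_pem() {
  openssl x509 -in "$1" -inform PEM -out "$2" 2>/dev/null \
    || openssl x509 -in "$1" -inform DER -out "$2"
}

# cert_matches_key <cert.pem> <key>: succeed only if the certificate's
# public key is the public half of the private key we generated the CSR with.
cert_matches_key() {
  local a b
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$a" = "$b" ]
}

# cert_sans <cert.pem>: print the DNS names the CA actually signed
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# cert_valid_for_days <cert.pem> <days>: succeed if the certificate is still
# valid <days> from now (handy as a cron check so renewal is not a surprise)
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Typical use on the server, after conversion and copying into /etc/ssl/certs:
#   cert_matches_key /etc/ssl/certs/web01.pem /etc/ssl/certs/web01.key \
#     && cert_sans /etc/ssl/certs/web01.pem && sudo apache2ctl configtest
```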
