It became apparent that getting mod_ssl working correctly without browser warnings when developing sites that take payments is a bit of a pain, mainly because there is no free way to have a root authority sign your Certificate Signing Request (CSR).
There is, however, a shortcut, given that you are using Apache, mod_ssl, openssl and Firefox.
We’re going to generate our own Certificate Authority (CA). This CA is only going to work for us, so if you’re generating a certificate for production, you’ll need to send your CSR to a proper CA such as VeriSign.
Step1, Make a temporary folder we can work in.
Step2, generate our private key
openssl genrsa -des3 -out server.key 1024
You will be asked for a passphrase in the creation of this key (just use 12345 or anything), but do not forget this passphrase! You’ll have to do this all over again if you forget it. You will need this passphrase later on in the process.
Step3, generate a CSR from our private key
openssl req -new -key server.key -out server.csr
You’ll be asked for the following information:
Country Name (2 letter code)[AU]: (enter your country code here)
State or Province Name (full name)[Some-State]: (Enter your state here)
Locality Name (eg, city): (enter your city here)
Organization Name (eg, company)[Internet Widgits Pty Ltd]: (enter something here)
Organizational Unit Name (eg, section): (enter something here)
Common Name (eg, YOUR name): (this is the important one)
Email Address : (your e-mail address)
Make sure you fill in `Common Name` with the domain you want this certificate for; this should match your Apache vhost `ServerName` setting.
Now, looking at the directory we’re working in, you should have the following:
drwxr-xr-x 5 rob staff 126 Nov 14 17:01 .
drwx------ 38 rob staff 1248 Nov 14 16:57 ..
-rw-r--r-- 1 rob staff 729 Nov 14 17:01 server.csr
-rw-r--r-- 1 rob staff 963 Nov 14 16:59 server.key
Step4, create the private key for our CA
openssl genrsa -des3 -out ca.key 1024
Again, you’ll be asked for a passphrase, which, again, you should not forget.
Step5, create CA certificate using the key we just made
You will be asked for information similar to what you were asked for when we made the web server certificate request earlier; this information should be about you. Enter something like the following:
Country Name (2 letter code)[AU]:GB
State or Province Name (full name)[Some-State]:Cheshire
Locality Name (eg, city):Stockport
Organization Name (eg, company)[Internet Widgits Pty Ltd]:My CA
Organizational Unit Name (eg, section):My CA for Dev
Common Name (eg, YOUR name):Rob Aldred
Email Address :email@example.com
Now you will have 4 files in your directory: server.key, server.csr, ca.key, ca.crt
Next is the important part, signing our certificate request.
The easiest way to do this is to use the sign.sh script contained in the mod_ssl source,
or you can get it here: sign.sh
copy the script to the working directory
Step6, make sign.sh executable and sign our CSR
chmod +x sign.sh
You should get something like the following:
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
The Subjects Distinguished Name is as follows
Certificate is to be certified until Nov 14 23:09:20 2010 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
Answer ‘y’ to the question asking to Sign the certificate [y/n]
Step7, remove password requirement from server key
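Steps 2 to 6 can also be run without prompts and the result checked before Apache is touched; the script below is an added example, not the post's own commands or the mod_ssl sign.sh. It assumes 2048-bit keys instead of 1024, key files written without a passphrase (so Step 7 has nothing to strip), signing with `openssl x509 -req`, and a subjectAltName entry, which current browsers check instead of the Common Name. The function names are made up for the example.

```shell
#!/bin/sh
# Added example (not the post's commands): Steps 2-6 without prompts.
# Assumptions: 2048-bit keys, key files left unencrypted, and
# "openssl x509 -req" used for signing in place of sign.sh.

make_dev_cert() (            # $1 = working dir, $2 = vhost ServerName
    umask 077                # key files readable by the owner only
    mkdir -p "$1" && cd "$1" || exit 1
    # Steps 2-3: server key and CSR (Common Name = ServerName)
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -key server.key -out server.csr -subj "/CN=$2" &&
    # Steps 4-5: CA key and self-signed CA certificate
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -subj "/O=My CA/OU=My CA for Dev/CN=My CA" &&
    # Step 6: sign the CSR, adding the subjectAltName browsers check
    printf 'subjectAltName=DNS:%s\n' "$2" > san.ext &&
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 -sha256 -extfile san.ext \
        -out server.crt >/dev/null 2>&1
)

check_dev_cert() (           # same arguments as make_dev_cert
    cd "$1" || exit 1
    # 1. server.crt must chain to our CA
    openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 ||
        { echo "FAIL: server.crt is not signed by ca.crt" >&2; exit 1; }
    # 2. certificate and private key must hold the same public key
    [ "$(openssl x509 -in server.crt -noout -pubkey)" = \
      "$(openssl pkey -in server.key -pubout)" ] ||
        { echo "FAIL: server.crt does not match server.key" >&2; exit 1; }
    # 3. the certificate must be valid for the name Apache will serve
    openssl x509 -in server.crt -noout -checkhost "$2" |
        grep -q 'does match certificate' ||
        { echo "FAIL: certificate is not valid for $2" >&2; exit 1; }
    echo "OK: chain, key pair and host name check out for $2"
)

# Usage: sh devca.sh /tmp/devca localhost
if [ "$#" -eq 2 ]; then
    make_dev_cert "$1" "$2" && check_dev_cert "$1" "$2"
fi
```

Only ca.crt is imported into the browser; ca.key can sign a certificate for any site that browser visits, so keep it off shared machines and delete it when the dev CA is no longer needed.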
Step10, Tell apache to listen on 443
By default there is a file in /etc/apache2/extras called httpd-ssl.conf
This needs to be edited and included in /etc/apache2/httpd.conf; it’s commented out initially.
Depending where you are defining your VirtualHost blocks
Comment out or remove the _default_ VirtualHost block in httpd-ssl.conf; otherwise it will cause errors when starting Apache, because we have no certificate configured for the example Apache provides.
Edit your httpd.conf to include the etc/httpd-ssl.conf file. Scroll to the bottom of the file; you’ll notice it’s commented out at around line #476:
# Secure (SSL/TLS) connections
# Include /private/etc/apache2/extra/httpd-ssl.conf
Just remove the # from the Include line and move on to the next step.
I use a separate vhosts folder in extra, containing individual conf files for each virtualhost; they are included in the extra/httpd-vhosts.conf file using the following:
Step10, restart apache
Step11, (a few steps in itself) Add our CA to Firefox so it thinks it’s a trusted authority
Go to Preferences (Cmd + ,)
Go to Advanced
Go to Encryption
Click ‘View Certificates’
Choose the ‘Authorities’ tab
Hit Shift + Cmd + g to open the go to folder window
Enter ‘/etc/apache2/certs’ (You might be asked to authenticate with your system password)
Select the ca.crt file we generated earlier and click ‘Open’
Firefox will ask you:
Do you want to trust “My CA” for the following purposes?
Just select Trust this CA to identify websites
Restart your browser
If you’ve followed everything correctly, when you go to https://localhost (or whatever CommonName you specified)
you will get an SSL-encrypted site and no warnings about the certificate not being trusted.
If Apache doesn’t come back up, then Apache’s config check program is your best friend.
I’ve had an iMac for a while now and have been thinking of getting a MacBook as well.
Just recently I’ve been given a Dell D430. I’ve heard a lot about OSx86 and tried to do it once before with a kalyway install but failed miserably. This Dell D430 has a good spec match to the MacBooks and seems to be supported a bit, so I thought I’d give it a whirl.
It took about 6 hours, 2 of them spent downloading the 4.3gb iPC DVD from Rapidshare (btw, jDownloader + Rapidshare premium ftw)
I burnt the ISO to a Blank 4.7 DVD, popped it into my Lenovo USB DVD Combo drive (No DVD/CD on the D430)
to my amazement the OSX installer booted up straight away.
Note: You’ll need a USB KB + Mouse for the first boot, the installer works with the D430’s kb + trackpad but after install it needs little more work.
Install done using iPC OSX 10.5.6 PPF5 Universal Final – Base
Use the following options when installing:
– Kernel: Voodoo 9.5.0
– Video: Intel GMA950
– Chipset: LegacyAppleIntelPIIXATA
– Audio: Sigmatel 9200 (Might not work, if not fix later with Apple HDA Patcher instructions below)
– Ethernet: Intel 82566MM/DC (Not tested, I use Wifi)
– Wireless: Intel PROSet/Wireless 3945
– USB: Patched USB + PCGenUSBEHCI
– Fixes & Patches: ACPI Fix
Time Machine Patch
USB Mount Fix
PS/2 Device Support (Both KB + Mouse)
– All Applications
Restart, and remember to use the “-f” flag when starting up for the first time.
KEYBOARD AND MOUSE Install
1. Download Package PS2 FixPS2Fix1054.
2. Right Click on the Package -> Open With -> Pacifist
3. After 15 Seconds, Click on Not Yet (Support Charles if you use this App)
4. Expand contents of “Choice0”
5. Expand contents of “appleps2controller.pkg”
6. Right Click “ApplePS2Controller.kext” and select the option “Install to default location”
To solve the kernel panics when mounting dmg’s
Install this seatbelt.kext from 10.5.5 over the one from 10.5.6, use osx86tools for install
Remember to fix permissions.