ipSCA offers free 2-year certificates for .edu institutions. But back in 2009 their root CA expired, and since then many browsers don't trust their certificates. While this isn't a huge issue for the well-informed IT crowd, it does pose a problem for the average user, especially with browsers like Firefox that present certificate trust errors like the world is coming to an end.
genkey in RHEL 6 seems to be broken, or at least it is in vSphere. Generating an SSL key takes forever, and then it fails at the end of the process with a nondescript error.
The fix, after futzing for a bit, was to run it with the "--test" option. When run that way, it doesn't try to use the kernel's random number generator, but instead uses random keyboard input to generate the randomness for the key.
Looking online for info with regards to this turned up nothing, so I thought I would post the solution here. Good luck!
UPDATE: So after receiving a signed cert back from ipSCA using a CSR generated with the above process, I found the CRT doesn't work. I don't know if this is because of the process, or whether ipSCA made a mistake in creating the CRT. I have instead generated the key and CSR manually using the openssl utility and submitted that CSR to ipSCA. We will see if they send me back a valid CRT. Will update again once I know.
This post assumes you are using a Macintosh running 10.5.x or greater. It will still work on Linux or other Unix OSes, but you'll need to do some digging to find the proper commands. This way is all GUI-driven.
- Have access to a computer running ≥10.5.x
- Have a self signed certificate your web server is using for SSL
- Have configured WordPress to require SSL for XML-RPC and login (using "define('FORCE_SSL_ADMIN', true);" in wp-config.php, i.e. admin over SSL).
Assuming all of this, the process is not too difficult.
The basic gist is that you need to create a Certificate Authority and then sign your SSL web cert with this CA. Once you've done that, you can take the CA certificate, email it to your iPhone, and install it there.
So first you need to create a CSR (Certificate Signing Request) for the SSL cert you're using on your web server. If you're using Mac OS X Server 10.4 or greater, you can do this in Server Admin very easily. If you're not, then you need to do some command-line magic.
Something like this here: http://sial.org/howto/openssl/csr/
Once you have that CSR, go into Keychain Access on your Mac, and under the "Keychain Access" menu, go to "Certificate Assistant" and choose "Create a Certificate Authority...". Walk through that wizard; most of the defaults are fine. You'll want to put in your name, email, etc.
Once that's done, go back into Certificate Assistant and choose "Create a Certificate for Someone Else as a Certificate Authority...". This signs your certificate using the CSR. It's like a self-signed certificate, only you actually have a CA cert to "trust". Walk through that, though you may have to change the defaults for what the certificate is for (it needs to be usable as an SSL server certificate).
Once you've done that, you'll need to use this new certificate as your SSL certificate. You do that by exporting the signed cert as a .pem and then replacing your public SSL cert on the web server with it (the private key stays the same). Restart your web server, and you should have a signed cert. Assuming you trusted your own CA, you also shouldn't get any warning about it being untrusted.
Now, once that's done, you can export the public CA cert as a .crt and email that to your iPhone. When you receive it, tap it, choose to install the profile, and you're done. The WordPress app should now work.
Please contact me if none of this makes sense, or if you need additional info. I was going to put up screenshots, but that just delayed me posting this, which I wanted to get done.
Have a great rest of the week, and weekend!