Creating an SSL certificate for AOLserver

$Id: ssl-aolserver.html,v 1.3 2002/11/22 10:18:35 mhw Exp $

Note: this document may now be out of date. I've extracted the introduction into a separate document and written a document on Using OpenSSL as a Certificate Authority but what remains has not been tested against an AOLserver instance recently.

How to do it

You need to enable SSL support in your AOLserver instance. You can do this through the setup server, but you may find this pulls settings from auxilliary parameter files into the main nsd.ini file. What you need to do is get the following lines added to nsd.ini:

[ns/server/yourservername/modules]
...
nsssl=nsssle.so

Note that I've used nsssle.so which is the export strength encryption version. The US domestic strength version isn't available at the moment.

Having made that change you need to restart AOLserver and go to /NS/Admin (all URLs are relative the the http://whatever/ you'll already know). Follow the link titled Secure Socket Layer Control and then the Generate a new key pair link. Here you are prompted for the name of a file into which the key pair will be written. Enter "newkey.pem" and choose a modulus size of 512 bits (the largest you can use with the export version of the SSL module). Then click Generate key pair.

You now need to generate a certificate request. This combines the public key from your key pair with other credentials which will go on the certificate. This request is what you would send to a certification authority if you were putting a live site up. Enter "newkey.pem" in the Key Info filename box (that's the key you just generated) and enter "newreq.pem" in the Certificate Info filename box (that's where the certificate request will be written). As for the certificate credentials, you need to provide values for every field except Locality. Here're some suggestions:

Common Name - server.example.co.uk
E-Mail Address - [email protected]
Phone Number - +44 123 456 7890
Organization - Example Limited
Organizational Unit - Development
State Or Province - Yorkshire
Country - UK

Now click the "Generate Certificate Request" button to do the work. On the next page you be told to mail the file to VeriSign - don't bother doing this.

You now need to copy the certificate request into your certification authority directory and sign it. You'll find the AOLserver-generated request in /pathtoAOLserver/newreq.pem. Use openssl to generate a certificate called newcert.pem, then copy the certificate into /pathtoAOLserver.

The final step is to tell AOLserver's nsssl module where your keys and certificates are. Shutdown the server and add these lines to nsd.ini:

[ns/server/yourservername/module/nsssl]
KeyFile=newkey.pem
CertFile=newcert.pem

Now start the server up again and you should find that it will handle SSL connection on port 443. Note that you need to have the server start up as root for it to bind a socket to this port.