This article will help to configure a PositiveSSL certificate with a stud installation (Scalable TLS Unwrapping Daemon). The default setup requires us to enter the password to your private key at start. We will include a set of optional steps to remove the passphrase from our private key, which reduces the security of the installation, but is required if we want to setup stud to start automatically at server boot.
Your PositiveSSL certificate bundle.
Once PositiveSSL approves our certificate request, they send a certificate bundle, usually a ZIP file containing three files — your certificate, a class 1 intermediate certificate and a root certificate. Unpack the archive and it should look something like the following:
The private keys we signed the request with.
A working stud installation.
Preparing a PEM bundle for stud
Stud requires a single PEM file that contains the following things, in the same order:
- Domain certificate
- Intermediate certificates (in our case, the PositiveSSL CA)
- Root CA
- Private key
The following command creates it:
$ cat alexnj_com.crt PositiveSSLCA2.crt \ AddTrustExternalCARoot.crt alexnj.com.key \ > bundle.pem
Load stud with the PEM bundle
stud /opt/stud/certs-assembly/bundle.pem -u nobody
Stud will ask for the PEM passphrase. Enter our private key password and if everything went well, stud will load up the certificate and start serving SSL requests.
Optionally, remove the passphrase from our key file
This is required only if we want to setup stud to start without a password entry, for example, automatic start at server boot. Run the following command. We will need to enter the key passphrase one last time.
openssl rsa -in alexnj.com.key -out alexnj.com.nopass.key
alexnj.com.nopass.key will now contain a version of your private key that is not encrypted with your passphrase. If we create a PEM bundle with this file instead of the file alexnj.com.key, stud wouldn’t prompt for a password at load. To create the new bundle, once again:
cat alexnj_com.crt PositiveSSLCA2.crt \ AddTrustExternalCARoot.crt alexnj.com.nopass.key \ > bundle.pem
That’s it. We have the PositiveSSL configured with stud and ready to respond to SSL requests. Fire up stud, hit the box with an https prefix and see it serving SSL pages signed with your brand new certificate.