Welcome to my Blog. Mostly, I shall be writing up my experiences of day-to-day administration of a few linux machines on my home network. To start with, let’s look at how I went about setting up this blog.
Domain Choice
I want this blog to be recognisable and easily found. This is basically going to be my brand, so how it’s referred to needs a bit of thought up front. So, first up, how will visitors find the blog? Well, probably through a search engine, but which of these are you more likely to trust the opinion of?
- http://user123456.myisp.net/cgi-bin/bloggingsoft/page1
- http://user123456.dynamic.ip.net/ (which then puts the real page in a frame)
- http://paulsaunders.uk.com/
- http://paulsaunders.org.uk/
Clearly, a concise URL is better, so going to the extra effort of buying a domain name does pay off. If I choose to change ISP or blogging software, I can move the domain and (in theory at least) keep these pages available long term.
As to the extension (in the case above, the choice between ‘.uk.com’ and ‘.co.uk’), I am of the opinion that this says almost as much about an entity as the main part of the domain does. To people in the know, “.uk.com” says “I am a UK commercial entity who either couldn’t get a ‘.co.uk’ (perhaps because someone else had it) or couldn’t afford it.” The TLD in this case is ‘.com’, and ‘uk.com’ is a reseller; you’re not buying from Verisign (who administer .com), but from a secondary company who had the good idea to buy ‘uk.com’ from them. In contrast, ‘.co.uk’ and ‘.org.uk’ are directly administered by Nominet (who also operate .uk), so you’ve effectively got a first-class ccTLD.
So, now that I’ve decided on a domain, where to buy it from? I’m going with Gandi. Comparing their offering against other registrars, they seem to offer everything I need a domain registrar to provide: the possibility for me to run my own DNS server, IPv6 support, DNSSEC. And, because Nominet set the price of domains, I don’t actually pay anything extra for this service.
During the purchase of the domain, I was given the option of changing the DNS (for example, to point at my server), but for now, I’m going to leave that as it is and I’ll move it over when I’m ready.
SSL Certificate
While purchasing the domain at Gandi, I spotted that they were doing a promotion of their SSL certificates; the first year for a single domain certificate is free.
To take advantage of this, I went to the Gandi SSL page and chose “1 year”. Although the price there was listed as £11.00, there is a note saying that the amount at checkout would be 0. And yes, at checkout I was given a -£11.00 promo code. All good.
So, the first thing they ask for is a CSR[1]. At the linux console, then, enter:
$ openssl req -nodes -keyout paulsaunders.www.ssl.key -out paulsaunders.www.ssl.csr -newkey rsa:2048 -sha256
This creates a 2048-bit RSA key and a CSR signed with SHA-256. Two files are created: paulsaunders.www.ssl.key is the private key, which stays on your server, and paulsaunders.www.ssl.csr is the signing request (containing the public key) which you give to Gandi. Fill in the form that openssl presents to you. The entry to pay attention to, though, is “Common Name”; this MUST be set to the domain you wish to secure. In my case, I put “paulsaunders.org.uk” here (Gandi will additionally add www. to the front, so that both are secured by the same certificate).
Now, to copy the CSR to Gandi, you can either do:
$ cat paulsaunders.www.ssl.csr
and then select the text in your terminal window or, if you’re running a local X-server and connecting to your linux server by SSH (as I do), try:
$ xclip -sel clip < paulsaunders.www.ssl.csr
which will read the file directly into the X clipboard. The advantage of this is that A) it’s not displayed on your terminal (not an issue here, but it might be useful for other texts) and B) it is much easier if the text is longer than a screenful.
So, paste the CSR into the text box on the Gandi website and notice that a nice bit of Javascript parses out the Common Name field for your verification.
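As an added example (not code from the original post), here is the same key and CSR generation done non-interactively, followed by the checks worth running before pasting the CSR into the form: that the Common Name is the bare domain, that the CSR really belongs to the private key you just made, and that the key is SHA-256 signed. It assumes openssl is on PATH; the domain and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a private key and CSR
# without the interactive prompts, then verifies the CSR before it is submitted.
# DOMAIN, KEY and CSR are placeholder names; substitute your own.
set -eu

DOMAIN="${1:-example.org.uk}"     # placeholder domain (constructed for this example)
KEY="${DOMAIN}.www.ssl.key"
CSR="${DOMAIN}.www.ssl.csr"

# 2048-bit RSA key plus a CSR whose Common Name is the bare domain.
# -subj replaces the interactive form; -nodes leaves the key unencrypted so the
# web server can read it at start-up, hence the umask: the key file is owner-only.
make_csr() {
    ( umask 077
      openssl req -nodes -newkey rsa:2048 -sha256 \
          -keyout "$KEY" -out "$CSR" \
          -subj "/C=GB/CN=${DOMAIN}" >/dev/null 2>&1 )
}

# The Common Name recorded in the CSR, i.e. what the registrar's form parses out.
# Handles both the "/C=GB/CN=x" and the "C = GB, CN = x" subject formats.
csr_cn() {
    openssl req -noout -subject -in "$CSR" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The CSR must carry the same public key as the private key file.
key_matches_csr() {
    k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$CSR" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# The CSR's self-signature must verify and must use SHA-256, not SHA-1.
csr_is_sha256() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 &&
    openssl req -in "$CSR" -noout -text | grep -q 'sha256WithRSAEncryption'
}

make_csr
echo "Common Name in CSR: $(csr_cn)"
if key_matches_csr && csr_is_sha256; then
    echo "CSR checks out; paste $CSR into the registrar's form"
else
    echo "CSR does not match $KEY or is not SHA-256 signed" >&2
    exit 1
fi
```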
Gandi will now perform some validation steps on the certificate. They’ll send you an e-Mail to check your contact details are valid; just click the link they send you. Next, they’ll validate that you own the domain. This can be done either by adding an entry into your DNS records, by replying to an email at admin@{yourdomain} or by placing a file in the root directory of the server. As I don’t have the mail or web server set up yet, I’m going with the DNS record validation. As my DNS is, for the moment, handled by Gandi, they add the record themselves, so it’s just a matter of waiting for the validation run to happen (every 60 minutes).
When the certificate eventually validates, go to your Gandi account, click on the certificate name and click “Get”. In the pop-up, there are two “Download” links, fetch them both (wget or curl are your friend) and stash them away for future use.
We’re done for day one.
[1] Certificate Signing Request. Basically, you create the certificate with which you’ll be securing the traffic yourself. You then pass this certificate to a Certificate Authority (CA) who check it out and return you a signed version. People can then check the chain of trust from your certificate to that trusted authority.