[[wiki:tech|Back to Tech Documentation]]

----

===== GeoTrust Certificates =====

We have a wildcard certificate for *.surfrock66.com. It is used on the actual PlusPlus Hosted www.surfrock66.com site, and in the house on any services that are accessible at *.surfrock66.com.

Each year, we must purchase it as an add-on to the business hosted package ($140/year), then submit a ticket to PlusPlus Hosting asking them to provide a copy of the certificate as a .crt and the key as a .key. They will attach the files to the ticket, then remove them after you download them.

We download the files to [[wiki:inventories:tech:systems:sr66-web-01|sr66-web-01]] at /home/surfrock66/Projects/SSL with the name "wildcard.surfrock66.com.YYYY.EXT", with YYYY as the current year and EXT as the file extension.

The .crt file needs to be copied to "/etc/ssl/certs/wildcard.surfrock66.com.crt" and the .key needs to be copied to "/etc/ssl/private/wildcard.surfrock66.com.key". This will apply to all Apache sites, and Apache needs to be restarted with "systemctl restart apache2".

Additionally, you will need the intermediate certificate (formerly RapidSSL, now DigiCert), which I place in /etc/ssl/certs/intermediate.surfrock66.crt.

All of these certs in /etc/ssl/certs/ need to be owned by "root:ssl-certs" and must have 644 permissions. All the files in /etc/ssl/private must be owned by "root:ssl-certs" and must have 640 permissions.

Servers that have the wildcard cert and need to be updated when it is renewed:

  * [[wiki:inventories:tech:systems:sr66-web-01|sr66-web-01]]
  * [[wiki:inventories:tech:systems:sr66-ast-01|sr66-ast-01]]

On [[wiki:inventories:tech:systems:sr66-ast-01|sr66-ast-01]] the files that reference the cert:

  * /etc/asterisk/http.conf
  * /etc/asterisk/pjsip.conf
  * /etc/turnserver.conf
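
One way to script the copy, ownership and restart steps above for sr66-web-01, as an added example and not a script that exists on these hosts. The function names are hypothetical, and it assumes the openssl CLI, GNU stat/install and apache2ctl are present. It goes beyond the steps on this page by checking that the key matches the certificate and that the chain verifies against the intermediate before Apache is restarted.

```shell
#!/usr/bin/env bash
# Added example: verify and install the renewed wildcard cert.
# Paths, owner and modes are the ones this page states; function names are hypothetical.

SRC_DIR=/home/surfrock66/Projects/SSL
CRT=/etc/ssl/certs/wildcard.surfrock66.com.crt
KEY=/etc/ssl/private/wildcard.surfrock66.com.key
CHAIN=/etc/ssl/certs/intermediate.surfrock66.crt

# True when the certificate's public key equals the one derived from the private key.
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    local from_crt from_key
    from_crt=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    from_key=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$from_crt" ] && [ "$from_crt" = "$from_key" ]
}

# True when PATH has exactly the expected "owner:group" and octal mode (GNU stat).
perm_ok() {  # usage: perm_ok PATH OWNER:GROUP MODE
    [ "$(stat -c '%U:%G %a' "$1" 2>/dev/null)" = "$2 $3" ]
}

# Install the files for YEAR; Apache is only restarted if every check passes.
deploy_wildcard() {  # usage (as root): deploy_wildcard YYYY
    local crt="$SRC_DIR/wildcard.surfrock66.com.$1.crt"
    local key="$SRC_DIR/wildcard.surfrock66.com.$1.key"
    key_matches_cert "$crt" "$key" || { echo "key does not match cert" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "cert already expired" >&2; return 1; }
    # Root CA comes from the system trust store; the intermediate is supplied explicitly.
    openssl verify -untrusted "$CHAIN" "$crt" \
        || { echo "chain does not verify" >&2; return 1; }
    install -o root -g ssl-certs -m 644 "$crt" "$CRT" || return 1
    install -o root -g ssl-certs -m 640 "$key" "$KEY" || return 1
    if ! { perm_ok "$CRT" root:ssl-certs 644 && perm_ok "$CHAIN" root:ssl-certs 644 \
           && perm_ok "$KEY" root:ssl-certs 640; }; then
        echo "ownership or mode is wrong" >&2; return 1
    fi
    apache2ctl configtest && systemctl restart apache2
}

# Runs only when invoked as: ./script deploy YYYY
if [ "${1:-}" = "deploy" ]; then deploy_wildcard "${2:?year required}"; fi
```
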