Adding SSL to my OSX server

I decided it was time to make a little statement and add “always on” encryption to this completely innocuous site.  The online equivalent of moving a lemonade stand inside a bank vault.  Now when you read about refurbishing my car, or fixing a seed drill, you’ll be doing it over an encrypted connection.

This is another scratchpad post for folks who run an OSX Server and want to use a multi-domain UC (unified communications) SSL certificate.  The rest of you can stop here — this is probably the most boring post of all time.

UPDATE – May 2016 – Cloudflare Origin Cert on an OSX Server:

This section describes using Cloudflare Origin Certificates, the following section is the original post where I was installing a Godaddy cert.

I’ve taken to using Cloudflare for all my sites.  If you haven’t come across them, I heartily recommend you take a look — they’re a pretty nifty gang.  Somewhere along there they added SSL to all the connections from end-users to their servers but that left the link from Cloudflare to my sites unencrypted.

They now support several ways to secure that connection – most of which are free.  Free is good, since commercial certs to cover the 20 or so websites I host start to add up.  I decided to try implementing their preferred approach where they issue me an “origin cert” (rather than using a self-signed cert which wouldn’t give end-users as much confidence).

Doing that on OSX Server is dead simple.  Here are the steps:

Create a new cert-request on OSX Server.

[Screenshot: CloudflareCert1]

We’ll create one for my buddy Foo (at bar.com).

[Screenshot: CloudflareCert2]

Which results in a cert request that looks like this:

[Screenshot: CloudflareCert3]

Go to Cloudflare (I’m assuming the site is already established there) and submit the cert request.  Note that I’ve elected to submit my own CSR.  Cloudflare has a pretty interesting process to do it on their own but I decided I needed to generate the CSR within OSX Server in order to have a socket for the cert when it is issued.

[Screenshot: CloudflareCert4]

Cloudflare generates the cert and provides it in a variety of formats.  I elected PEM format and the certificate appears in the window.  I copied/pasted/saved that text into a new text file (demo-cert.pem in this example) and saved it to the desktop of the server.

[Screenshot: CloudflareCert5]

Back to OSX Server now.  The CSR shows up as a pending cert in the Certificates window.  Double-clicking it results in this screen.   Drag the newly-saved demo-cert.pem file into the Certificate Files box and all is complete.

[Screenshot: CloudflareCert6]

Create a new SSL web site, use the newly-installed cert, point it at the same directory as the port-80 cleartext site, do a redirect to the port-443 site to complete the job.  Don’t forget to tick the “allow overrides using .htaccess files” box in Advanced Settings for the site so’s the permalinks work.

Original post – August 2014 – Godaddy Cert

I’m a happy Godaddy customer, so the examples in this post are Godaddy-oriented.  But the theory should apply to any Unified Communications (UC) cert vendor.

Single-domain cert

Here is Godaddy’s list of steps for installing a standard single-domain cert.   Click here to view the help page these came from.  The process for a multi-domain cert is almost the same, but let’s start with “vanilla.”

To Generate a CSR with Mac OS X 10.7-10.9

  1. On the Mac, launch Server.
  2. Click Certificates on the left.
  3. Click +.
  4. Click Next.
  5. Complete the on-screen fields, and then click Next.
  6. Either copy the CSR that displays, or click Save and save the file locally.

After you have successfully requested a certificate, you need to install the certificate files we provide on your server.

To Install an SSL Certificate with Mac OS X 10.9

  1. Download your certificate’s files — you can use the files we offer for Mac OS 10.6 (more info).
  2. On the Mac, launch Server.
  3. Click Certificates on the left.
  4. Double-click the common name of the certificate you requested.
  5. Click and drag the certificate and bundle files into the Certificate Files section.
  6. Click OK.

This installs the certificate on your server. To verify its installation, you should see your certificate’s common name listed in the Settings menu.

Multi-domain Unified Communications (UC) cert

There are two things that are different when using a UC cert.

Change #1) Use one CSR to request the cert

  • Create one certificate signing request (CSR) in the OSX Server app, no matter how many domains are going to be covered by the UC cert.  The CSR is just creating a socket into which the certificate is going to be installed by OSX Server and only one such socket is needed.
  • All of the domains added through Godaddy’s “manage Subject Alternative Names (SAN)” process will work once the cert is installed.
  • Take care in choosing the domain name when creating the CSR.  This will be the “common name” on the cert and is the only domain name that cannot change later.  This is the apex of the hierarchy of the cert and is the only one that will appear if site-visitors view the cert.
  • The picture below is an example of the Godaddy management interface looking at a (prior version of) the cert that secures this page.  That cert appears in OSX Server’s list of Trusted Certificates as “server.cloudmikey.com” — that name came from the CSR I generated in OSX Server.
  • The alternate domains that will also work with this version of the cert are “cloudmikey.com” and “server.haven2.com” but those names are entered at the Godaddy end, NOT through CSR’s from OSX Server.
  • To restate — just create one CSR and add the rest of the domains through the cert-vendor’s Subject Alternative Name process.  In my case, the domain in the CSR was for “server.cloudmikey.com”.

[Screenshot: GD-UCC]

Change #2) Add domains to the cert BEFORE downloading it to OSX Server

  • Don’t download the cert that’s created from the CSR just yet.  It will only have the Common Name and doesn’t yet include the other domains that the cert will cover.
  • In the case of the cert shown above, the SANs “cloudmikey.com” and “server.haven2.com” were added through Godaddy’s cert-management interface before I downloaded/installed the cert.

Follow the vendor-provided download/install steps. 

Now that the cert has the proper names added, it installs the same way a single-domain cert does (see above).

To recap Godaddy’s instructions: download the OSX 10.6 version of the files, unzip them, click on the pending cert request in Server, drag the two unzipped files into the CSR when it asks for them, click OK and wait a bit while the cert installs.

Verify that the cert covers the domain-names that are needed

Once the cert has been installed, review (double-click) the cert on OSX Server to make sure that all the needed domains are there.  The list of domains is in the middle of the cert, and each entry is titled “DNS Name”.  If they’re all there, jump ahead and start assigning the cert to web pages and services.
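The same “are all the DNS Names there?” check can be scripted with the openssl CLI, which is handy when you host 20-odd sites on one UC cert.  This is an added example, not part of the original post or the Server app; it assumes openssl is on the path, builds a throwaway sample cert carrying the post’s example names (server.cloudmikey.com, cloudmikey.com, server.haven2.com) so it runs offline, and includes a live_cert_covers helper that fetches what a visitor’s browser “lock” would show.

```shell
#!/bin/sh
# Added example (not from the original post): list the hostnames a PEM cert is
# valid for and check that every name a site needs is on it.
# Assumes the openssl command-line tool is installed.
set -u

# Print every DNS name the cert covers: the Common Name plus each
# subjectAltName DNS entry, one per line (duplicates possible).
cert_names() {
    pem="$1"
    # Subject in RFC2253 form looks like "subject=CN=server.cloudmikey.com,..."
    openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    # The SAN line in -text output reads "DNS:a.com, DNS:b.com, ..." and sits
    # on the line after the "Subject Alternative Name" header.
    openssl x509 -in "$pem" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 when every hostname given after the PEM path appears on the cert,
# otherwise report the missing ones on stderr and return 1.
cert_covers() {
    pem="$1"; shift
    names=$(cert_names "$pem")
    missing=""
    for host in "$@"; do
        # -x: whole-line match, -i: hostnames are case-insensitive
        if ! printf '%s\n' "$names" | grep -qxi "$host"; then
            missing="$missing $host"
        fi
    done
    if [ -n "$missing" ]; then
        echo "not covered by $pem:$missing" >&2
        return 1
    fi
    return 0
}

# Fetch the cert a live site presents (what the browser "lock" shows) and run
# the same check on it.  Needs network access, so the demo below skips it.
live_cert_covers() {
    host="$1"
    tmp=$(mktemp)
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -out "$tmp"
    cert_covers "$tmp" "$host"
}

# Constructed sample: a self-signed cert with the names from the post's
# example, so the check can run offline.  Key and cert are throwaway.
make_sample_cert() {
    dir=$(mktemp -d)
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = server.cloudmikey.com
[ext]
subjectAltName = DNS:server.cloudmikey.com, DNS:cloudmikey.com, DNS:server.haven2.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/san.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    echo "$dir/cert.pem"
}

# Demo run: names on the sample cert, one check that passes, one that fails.
SAMPLE=$(make_sample_cert)
cert_names "$SAMPLE" | sort -u
cert_covers "$SAMPLE" cloudmikey.com server.haven2.com && echo "all needed names present"
cert_covers "$SAMPLE" haven2.com || echo "fix the SANs at the vendor before assigning this cert"
```

Run it against a downloaded vendor cert with `cert_covers vendor-cert.pem site1 site2 ...` before dragging the files into the Server app.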

If the names listed on the installed cert don’t match what’s needed, add the missing domains before using it

  • Delete the cert from OSX server (it’s OK, it’ll be downloaded again in a jiffy)
  • Return to Godaddy and modify the Subject Alternative Names (SANs) to get the domains right
  • Create a new CSR on OSX Server – again, this is just a socket into which the cert will install.
  • Download/install/verify the cert

Note: The cert will install correctly as long as the domain in the new CSR matches one of the domains covered by the cert.  But it will always appear under the common name on the cert, which confused me.  I surprised myself by installing this cert under a “haven2.com” CSR — it installed just fine, but its name changed to “server.cloudmikey.com” on the list of Trusted Certificates in OSX Server.  Best to avoid confusion by creating the replacement CSR under the common name.

Once the cert is right, associate the cert with web pages and services.

  • Web pages and services will operate correctly as long as the domain of the web-page or service matches one of the domains on the cert.
  • It doesn’t matter that the common name of the cert (server.cloudmikey.com in this case) doesn’t match the domain of the web page (haven2.com).

That concludes my report.  This web page is running under a later version of that cert — you can see what it looks like by double-clicking the “lock” in the URL bar of your browser.

Renew the cert

A year has passed and it’s time to renew the cert.  Here’s a checklist:

  • Launch the Server app, open the cert that is coming up for renewal, click the “renew” button, generate a CSR.
  • Renew the cert at the cert-provider, using the newly-generated CSR (this is a copy/paste operation at Godaddy)
  • Download the certs from the vendor once you have been validated
  • Open up the “pending” cert again in the Server app and drag the newly-downloaded cert files from the vendor into the box that’s displayed.
  • There should now be two certs in the Server app list — the current one and the new one.  Update the cert configuration to point at the newly-renewed cert.
  • Test with the new cert and once all is working and verified, delete the expiring one

Grinnell Reunion 2012 — a life of happy accidents

I gave a talk at my Grinnell College reunion last weekend and decided to build this post to share a bunch of links to things that I talked about.  This ain’t a’gonna make any sense to the rest of you.  But the stuff is interesting.  🙂

This is a story of rivers of geeks.  I described the rivers that I swam in during my career, but these are by no means all of the species of geeks that ultimately built the Internet.  I was lucky to be a part of a gang of 10’s maybe 100’s of thousands of geeks that came together in the giant happy accident that resulted in this cool thing that we all use today.  But don’t be confused — it was a complete accident, at least for me and probably for all of us.  Here’s a diagram…


The opening “bookend” of the talk was to introduce the idea of “retrospective sense-making” which I first learned about from Karl Weick when I was getting my MBA at the Cornell business school

I talked a little bit about what it was like as an Asperger guy showing up at Grinnell in the fall of 1968 — when everything was changing.  We Asperger folks have a pretty rough time dealing with changes.  Several people spoke with me about this part of the talk later in the weekend.  The really-short version of my reply was “just give us more runway.”  Many of the geeks that built the Internet are Asperger folks.

Another giant gaggle of geeks is the “community radio” gang that I was part of.  That part of the talk opened with a discussion of Lorenzo Milam, one of the folks who inspired many of us community-radio organizers to go out and do ridiculous impossible things.

  • These days Lorenzo hangs out at Mho and Mho Works (and Ralph Magazine)
  • He put the word “sex” in the title of his handbook about starting a community radio station, Sex and Broadcasting, just to get your attention and this was the book that got a lot of us going

Which led into a discussion of my involvement with the community radio movement — Tom Thomas, Terry Clifford and Bill Thomas are all still very much involved in public and community radio these days.

Then there was a musical interlude (you cannot believe how much the music went off the rails — almost all the technology failed — oh well).

The next series of accidents revolved around the “learn my chops in brand-name consulting organizations” part of the saga.  Another of the rivers of geeks — many people of the Internet construction workers came from big firms like Arthur Andersen and Coopers and Lybrand, the two places I worked.  Probably the biggest things I learned there were Structured Programming and project management.  And this…

The next accidents ran this Forrest Gump type guy through a couple of now long-dead mainframe companies, another BIG source of internet-building geeks.  First ETA Systems, the hapless wannabe competitor to Cray.  Then Control Data, where I learned how to do mass layoffs in an imploding manufacturing company.  Ugh.

I was an early personal computer enthusiast as were almost all Internet geeks.  I live in the Midwest, so I missed out on the Homebrew Computer Club in Silicon Valley.  Dang.  But relatively cheap modems showed up about that time which led to the rise of the Bulletin Board System (BBS) movement which provided the gathering places for a lot of us Internet geeks. Boardwatch Magazine, published by Jack Rickard, was the glue that held us together — Jack inspired me much the same way that Lorenzo Milam did.  The arrival of FidoNet allowed email to flow beyond the local boundaries of a BBS and brought a lot of us geeks together for the first time.

Another giant pile of Internet geeks came from the ham radio movement.  My call is KZ0C and I’m completely lame — I hardly do anything ham radio related these days.  But a whole giant tradition of “makers” comes out of that gang.  We hams were darn early adopters of the packet networking protocols that underpin the Internet.  We turned that stuff into packet radio.

So there’s the list of pre-Internet geek communities that I was a part of in one way or another.  No wonder some of my friends call me a Forrest Gump of Internet technology.  So what happened next?  This is what happened next…


That’s a picture of the first four-node ARPANET network in the late 60’s.  The network grew slowly over the next couple decades and by the mid-80’s had been opened up to include institutions of higher education.  I worked at the University of Minnesota which, when I was there, was home to the Gopher protocol and the POP3 email protocol — another great gaggle of geeks.  I was a Dreaded Administrator, there to fix a financial system problem, but I loved those geeks ’cause they were the ones that turned me on to the Internet.

The next kind of geeks that still play a huge role in the Internet are the folks that work at Internet Service Providers (ISPs).  Ralph Jenson and I started an ISP in my basement and called it gofast.net.  That project grew into an amazing gang that eventually got rolled up as the ISP market consolidated in the late 90’s and thereafter.  Lots of the geeks I’ve described in this post were involved in starting those early pioneering ISPs — what a time…

The last geek that I mentioned in my talk is Hubert Alyea, the role-model for the Disney films about the Absent Minded Professor.  Professor Alyea was another great Asperger geek who was quite emphatic in telling me about lucky accidents, great discoveries and the prepared mind.  Click HERE to see movies of some of his lectures on Youtube — they’re astounding.

What are Mike and Marcie obsessing about now?

The rest of this post is a series of links to projects that I mentioned during the talk.

The final thing I need to throw into this post is three little graphs I made up to describe the half life of knowledge — in which I choose to view the glass as half full.  As the half-life shortens, it takes less and less time to become an expert!


Domain-names — Develop? Park? Sit tight?

Photographer: Gregory Szarkiewicz

I have a gaggle of terrific domain names (bar.com, pub.com, grill.com, etc.) that I’ve had Since The Beginning.  Over the years I’ve pondered what to do with them and always come back to “sit tight” as my strategy.  I saw a great article today that lays out the reasons why.  Here’s the link:

http://www.domainnamenews.com/domain-development/mass-development-flawed-model/8058#more-8058

Whit Diffie is the new VP of info-security and cryptography at ICANN! Kewl!

Very neat news today out of ICANN.  Whit Diffie is this monster figure in the crypto world — he’s one of the founding folks in that circle.  He worked at Sun for ages and now he’s joining ICANN.

Click HERE for the ICANN press-release.

Click HERE for a starter-page at Wikipedia.

Click HERE to watch him on an episode of Cranky Geeks (with John Dvorak) to get a feel for what’s he’s like in person.

I’m really glad to hear that he’s joining the ICANN gang.  It’ll give us some depth that we badly need in this area.

New volunteer job — 37-word long title

I’m thinking another fold-out business card may be required;

Volunteer
Vice Chair of Finance and Operations (of the)
Commercial and Business Users Constituency (which is part of the)
Generic Name Supporting Organization (which is in turn part of the)
Internet Corporation for Assigned Names and Numbers

Can you see why ICANN has a bafflegab problem?

I’m quite excited about this one — it’s got lots of tasty issues and it’s the ops and finance stuff that I love to do. 

I had another fold-out business card job back in the early ’90’s.  That fold-out business card read;

Temporary Interim Acting Assistant Associate
Vice President (supervising)
Administrative Information Systems
Business Operations
Quality Management
Operations Improvement (for the)
University of Minnesota

or…  Vice President of Stuff that is Busted.  This new gig is a lot less complicated than that one was.

Domain selling points

I just got back from the latest Traffic conference. ‘Seems time for another article in the “Domain names” category.

I’ve been pecking away on the problem of selling one (or a few) of my remaining domain names to an end user for the last year or so. Last year I decided to issue an RFP for domain brokerage that went precisely nowhere. I have various theories about that, ranging from me being a dope, to me being ahead of the market, but the upshot was that I decided to make a background hobby out of figuring out how to sell domains to end-users rather than domain investors. I’m not exactly cut of the right cloth to do that kind of thing, but it’s a great hobby.

To that end, I decided to collect all the good reasons that an end-customer might want to buy a domain for their business. I’m a pretty good listener and some of the bestest domainers are now out there with blogs, so I had some awful smart people to listen to while I was building the first-draft of my case.

As my little draft came together, it seemed like a good list to share with the folks at TRAFFIC and Rick Schwartz was kind enough to give me a slot as a member of the Madison Avenue panel. I sure wish I’d been healthy when I was standing in front of the gang, although enough people asked for the slides to make me think it went ok.

Here’s a link to the presentation in PowerPoint format and here’s the same thing in outline format;

Sales

  • Beat competitors to prospects
  • Obtain more qualified leads
  • Increase closing ratio

Marketing

  • Expand into a new market
  • Enhance position in current market
  • Consolidate a fragmented market
  • Reinforce brand (or “reverse brand”)
  • Capture mind-share

Finance

  • Improve revenue and profit
  • Reduce or avoid recurring costs
    • Customer acquisition
    • Branding
    • Advertising
  • Own an asset that will continue to appreciate

Operations

  • Provide a memorable, unchanging address
  • Reach a world-wide audience
  • Improve web traffic, search ranking and ad-placement
  • Leverage online advertising expenditures

Trends

  • Web audience – up
  • Online advertising – up
  • Importance of web identity – up
  • Domain valuations – up
  • One-word name availability – nil

Opportunities

  • Capture a category – broadly or narrowly
  • Stand shoulder to shoulder with much larger companies
  • Use social media to selectively enhance brand
  • “Own a word” in the mind of the prospect – and prime your site

As you can see, I’m trying to clump the “solutions to problems” by the type of person in the company. My notion is to write a little something about each of these and use the resulting paragraphs in a book that I would build for each domain. Then, figure out who the 200 best prospects are for the domain, mail them a copy of the book, follow up with phone calls and try to trigger a bidding war between 3-5 interested prospects. I don’t know where the spare time to do all this is going to come from, but that’s the plan.

Domain-brokerage RFP

I have a gaggle of premium domain names I got a really long time ago. I keep coming up with ideas for them that are either late/lame or too hard for me to do. I’ve decided that the time is right to sell one and, being a structured RFP type guy, I decided to build an RFP to select the broker.

Here’s a list of the domains — I only want to sell one of them, but I’m going to let the brokers choose which one they want to sell so they can sell it into their strongest market segment.

bar.com — social networking, beverage industry, legal services

pub.com — social networking, beverage industry, publishing

grill.com — social networking, consumer products, humor

cafes.com — social networking, food and dining

place.com — travel industry, entertainment, social networking, Internet-destination

shelter.com — social services, social networking, consumer products, industrial products

I’ve prepared a couple of documents. Here’s an introductory letter (in Word format) that describes the process and timing in detail. If you’re thinking about bidding, you fersure want to read that.

There’s also a detailed vendor response document that I will cheerfully email to anybody who’s interested. The reason I’m not posting the response document to the web is to keep track of who’s inquiring so’s to make sure that vendors gets invited to the various events along the way. But if you’re just interested in a copy for any reason, feel free to ping me (everybody: put “RFP response” in the subject to get through the spam filter)

Here’s a timeline (see? I am into structure);

1/8/2007 Issue and publicize RFP
1/22/2007 Vendor conference call (at noon, CST)
2/12/2007 Deadline for proposal submission
2/19/2007 Interviews with finalists completed
2/26/2007 Negotiations with finalists completed
3/5/2007 Announce selection

Update:

Well dang. Looks like I threw a party and nobody came. Lots to reflect on in that, but the bottom line is that no brokers proposed. This isn’t the first time this has happened to one of my goofy ideas. It usually means I’m a little ahead of the market. So I’ll go figure out some other approach to this problem… I’ve got some good friends in a related field who bring a lot of marketing and sales savvy to the table — maybe it’s time to roll my own.

Further Update:

Ah! Frank Michlick wrote a piece about this little RFP over at his great DomainEditorial site. Here’s a link to his article about the RFP. Thanks Frank!

Corp.com registry

The latest project to keep me away from this blog is bringing up the registry for CORP.COM domain names.

This is a project that Edmon Chung and I started back in 2002 when Edmon was the hotrod young entrepreneur in charge of Neteka. He did such a great job that they got acquired by Afilias not long after we started our project.

What with Edmon distracted by the acquisition, and me distracted with a series of really interesting InstantCxO engagements, the Corp.com Registry sorta went on the back burner for a few years. But the time seemed right to both of us last year and the project is galloping toward an April launch.

2nd level domains like CORP.COM have been steadily gaining favor over the last few years, which is another reason why it seems like the time might be right to kick things off. Afilias is game, Edmon is game, I’m game, we have our first registrar in NamesBeyond. So off we go.

Free corporation name searches

I’m working with Afilias to roll out a registry for corp.com domain names (“did you miss acme.com? you might be interested in acme.corp.com”). We’re shooting for early April to have things up and running.

Along those lines, I’m working on a little gizmo to help people look up name-possibilities for free. There are lots of darn good resources, but they’re really hard to find so I thought it would be useful to find as many as I can, and perhaps put some automation in front of them to make the searching easier.

This is a scratchpad for me as I locate the free-lookup sites.

Free trademark searches — US Patent and Trademark Office (USPTO) — (note; follow the “Search trademarks” link in the middle of the page)

Free national business yellow-pages search — Searchbug

Free state entity name search locations (not complete, I’m still hunting them down on the incredibly variable state pages — you’d think there’d be some kinda convention they’d follow…)

Alabama
Alaska
Arizona
Arkansas
California
Connecticut
Delaware
District of Columbia (DC)
Florida
Georgia
Hawaii
Idaho
Illinois
Indiana
Iowa
Kansas
Kentucky
Louisiana
Maine
Maryland
Massachusetts
Michigan
Minnesota
Mississippi
Missouri
Montana
Nebraska
Nevada
New Hampshire
New Jersey
New Mexico
New York
Wisconsin