First of all you need to register with StartSSL; you will need to provide your own home address to start the registration. StartSSL uses these details to confirm your identity and create your personal account. If you are requesting a certificate for a business you will still need to go through this registration process first to confirm your own identity to them. Once you have an account, be sure to back up your Client Certificate, as losing it will probably mean you cannot get back into your account.
Before you generate a certificate for your domain you must first verify that you are the domain owner (or at least have full access to the domain). Click on the Validations Wizard, select Domain Name Validation in the drop-down and click Continue. Enter your domain name on the next page, click Continue, and then select an email address at that domain which StartSSL can use to send you a verification code.
Once you have verified your domain you can request a Web Server SSL/TLS Certificate via the Certificates Wizard (selected from the 'Certificate Target' drop-down in the wizard). Be sure to set a strong but memorable password and click Continue.
This will generate a private key; be sure to take a copy of it and store it somewhere safe on your computer. Copy this file to the server and name it [sitename].key in a secure directory (we often use /etc/apache2/ssl/).
This key is encrypted with the password you set in the wizard and needs to be decrypted, otherwise Apache will ask for that password every time it restarts. To decrypt the key on your server, run the following command (it will prompt for the password):
openssl rsa -in [sitename].key -out [sitename].key
Next click Continue, select the domain this certificate is to be used with, and then add one sub-domain (e.g. www.yoursite.com). Carry on clicking Continue after this and you will have generated your server certificate!
Again, take a copy of this file and upload it to your server (call it [sitename].crt).
Before we can install the certificates on our server we need some of the Certificate Authority's own certificates. For Class 1 certificates we need to download ca.pem (the StartCom root) and sub.class1.server.ca.pem (the Class 1 intermediate).
All of StartSSL's certificates can be downloaded from 'StartCom CA Certificates' in the Toolbox of your control panel, but a quick and easy way to get them onto your web server is to execute these two commands while in the directory you are using to store your certificates:
wget https://www.startssl.com/certs/ca.pem
wget https://www.startssl.com/certs/sub.class1.server.ca.pem
Then restrict access to your certificate files so that only their owner can read them. If they are all in the current directory, execute:
chmod 400 *
or, for individual files:
chmod 400 /path/to/the/file
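Before moving on to the Apache configuration it is worth checking that the decrypted key really belongs to the certificate you uploaded, that the certificate chains to the StartSSL root through the intermediate you just downloaded, and that the file permissions took effect. The script below is an added example and not part of the original post; it assumes OpenSSL is installed, follows the post's file names ([sitename].key, [sitename].crt, ca.pem, sub.class1.server.ca.pem) with hypothetical paths, and decrypts the key into a new file so the encrypted copy from the wizard is kept as a backup. The test PKI it builds for the demo is constructed locally and is not the StartSSL chain.

```shell
#!/bin/sh
# Added example, not part of the original post: checks to run in the
# certificate directory before touching the Apache config. It assumes OpenSSL
# is installed; the file names follow the post (<site>.key, <site>.crt, ca.pem,
# sub.class1.server.ca.pem) but every path used here is a hypothetical example.
set -eu

# Decrypt the password-protected key from the StartSSL wizard into a NEW file,
# so the encrypted original survives as a backup instead of being overwritten.
# $1 = encrypted key, $2 = output key, $3 = the password set in the wizard
decrypt_key() {
    if [ -e "$2" ]; then
        echo "refusing to overwrite existing $2" >&2
        return 1
    fi
    openssl rsa -in "$1" -out "$2" -passin "pass:$3" 2>/dev/null
    chmod 400 "$2"
}

# Succeeds only if the RSA modulus in the key equals the one in the
# certificate, i.e. this private key really belongs to this certificate.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if the site certificate chains to the root (ca.pem) through
# the intermediate (sub.class1.server.ca.pem), which is what browsers check.
# $1 = root CA file, $2 = intermediate CA file, $3 = site certificate
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Succeeds only if the file is readable by its owner alone (mode 400 or 600).
perms_ok() {
    m=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$m" = "400" ] || [ "$m" = "600" ]
}

# Constructed test PKI (root -> intermediate -> server cert) in directory $1,
# so the checks can be exercised offline. This is NOT the StartSSL chain.
make_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root' \
        -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/ca.csr" -signkey "$d/ca.key" \
        -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Sub CA' \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/sub.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=example.com' \
        -keyout "$d/example.key" -out "$d/example.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/example.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -CAcreateserial -out "$d/example.crt" 2>/dev/null
    # Password-protect the server key, as the wizard delivers it (password: wizard).
    openssl rsa -aes256 -in "$d/example.key" -out "$d/example.enc.key" \
        -passout pass:wizard 2>/dev/null
}

# Run all checks against the files in directory $1, reporting each result.
run_checks() {
    d=$1
    decrypt_key "$d/example.enc.key" "$d/example.plain.key" wizard
    key_matches_cert "$d/example.plain.key" "$d/example.crt" && echo "key matches certificate"
    chain_verifies "$d/ca.pem" "$d/sub.pem" "$d/example.crt" && echo "chain verifies"
    perms_ok "$d/example.plain.key" && echo "key permissions ok"
}

# Stand-alone demo on the constructed PKI: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    run_checks "$tmp"
    rm -rf "$tmp"
fi
```

On a real server, source the file and call the three check functions with your own paths (for example `chain_verifies ca.pem sub.class1.server.ca.pem example.crt`); a failing `chain_verifies` almost always means the wrong intermediate was downloaded for the certificate class, and a failing `key_matches_cert` means the key and certificate came from different wizard runs.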
Now we have everything we need to configure your server to use your certificate.
The standard Apache2 package ships with mod_ssl, but it is not enabled. To enable SSL, copy ssl.conf and ssl.load from /etc/apache2/mods-available/ to /etc/apache2/mods-enabled/:
cp /etc/apache2/mods-available/ssl.* /etc/apache2/mods-enabled/
Now you only need to configure your httpd.conf file to secure your site. On Debian your httpd.conf is usually found at /etc/apache2/httpd.conf.
First we need Apache to handle virtual hosts on port 443, so we need to add the line:
NameVirtualHost *:443
Add this before or after any other NameVirtualHost entries in the file. Next, find the virtual host record for your site and add the following entry after it:
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/example.com/public_html/
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
    # Your site certificate and its (decrypted) private key
    SSLCertificateFile /etc/apache2/ssl/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.key
    # StartSSL Class 1 intermediate and root certificates downloaded above
    SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
    SSLCACertificateFile /etc/apache2/ssl/ca.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
Replace [www.]example[.com] with your own site name / domain, and be sure to change the paths of the SSL certificate files to the directory in which you stored them.
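The virtual host above reflects what was current when the post was written; today SSLv3, TLS 1.0 and 1.1, RC4 and the MEDIUM cipher group are all considered broken or retired. As an added example (not part of the original post), the script below writes a virtual host with the same file layout but tightened protocol and cipher settings, and includes a small check that flags the legacy settings if they are still present in a config file. The domain, document root and certificate directory are hypothetical placeholders passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the original post: writes an HTTPS virtual host
# for a domain, keeping the file layout of the block above but tightening the
# protocol and cipher settings. Domain, document root and certificate
# directory are hypothetical placeholders supplied as arguments.
set -eu

# $1 = domain, $2 = document root, $3 = certificate directory, $4 = output file
write_ssl_vhost() {
    cat > "$4" <<EOF
<VirtualHost *:443>
    ServerName $1
    ServerAlias www.$1
    DocumentRoot $2

    SSLEngine on
    # TLS 1.2 and newer only: SSLv3 and TLS 1.0/1.1 are broken or retired.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Strong, authenticated suites only, with the server choosing the order.
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on

    SSLCertificateFile      $3/$1.crt
    SSLCertificateKeyFile   $3/$1.key
    # StartSSL intermediate and root, as downloaded earlier in the post.
    SSLCertificateChainFile $3/sub.class1.server.ca.pem
    SSLCACertificateFile    $3/ca.pem
</VirtualHost>
EOF
}

# Prints any lines of an Apache config that still carry the legacy settings
# of the block above (a protocol list that only drops SSLv2, or RC4/MEDIUM/LOW
# cipher groups). Succeeds only if the file contains none of them.
weak_tls_lines() {
    ! grep -E 'SSLProtocol +all +-SSLv2 *$|SSLCipherSuite .*[: +](RC4|MEDIUM|LOW)' "$1"
}

# Stand-alone demo: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp)
    write_ssl_vhost example.com /home/example.com/public_html /etc/apache2/ssl "$out"
    cat "$out"
    weak_tls_lines "$out" && echo "no legacy protocol or cipher settings found"
    rm -f "$out"
fi
```

Run `weak_tls_lines /etc/apache2/httpd.conf` against your live configuration to find the old lines, and always run `apache2ctl configtest` after editing so a typo in the virtual host is caught before the restart rather than by a dead web server.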
All that is left now is to restart Apache and your website will support SSL. (Should anything go wrong and your server stops serving HTTP requests, open the httpd.conf file and comment out all lines starting with SSL using the # character.)
/etc/init.d/apache2 restart
If Apache restarts without generating an error your website should now be available via https!