Set up an SSL Apache server
This is a quick tutorial on how to set up an SSL server on Apache.
Why do you need an SSL (HTTPS) server?
It encrypts all the traffic between your web server and whoever visits your site.
This is important for passwords and other information you want to keep secret.
It can also help verify that your site is legitimate.
It proves that you really are who you say you are.
How much does it cost you?
Setting up an SSL server is free; getting a certificate can cost money.
You can create self-signed certificates. This still encrypts the communication, and is perfect for personal use and even inside an organization. If you are running a public or commercial website, then it is advised to get a certificate from a recognized certification authority (CA). They verify that you are who you say you are.
Visitors then see a nice green padlock in their browser.
There are about 36 certification authorities and many more resellers.
There is a small performance hit. The pages need to be encrypted on the server and decrypted on the client PC. This means that an https page takes a little longer to load than an http page.
But for most sites the benefits outweigh the drawbacks.
Install OpenSSL
Use the usual commands for your system:
sudo apt-get install openssl
yum install openssl
Creating a self-signed key
This is straightforward: type the commands, answer the questions, and you are done.
The certificate has an end date, so you need to renew it regularly.
openssl genrsa 2048 > yoursite.com.key
openssl req -new -x509 -nodes -sha1 -key yoursite.com.key > yoursite.com.crt
The second command writes the certificate to yoursite.com.crt; do not send its output to the .key file, or you overwrite the private key you just created.
The default validity is 365 days, but you can change it with the -days option, for example: -days 365
We put the key and the certificate in a safe place:
mv *.crt *.key /etc/conf.d/apache2
Now you can configure Apache.
Creating a key for a certificate
Do this part if you need an official SSL certificate.
This command generates a 2048-bit RSA private key, protected with a passphrase (-des3), and stores it in the file website.com.key.
openssl genrsa -des3 -out website.com.key 2048
Then generate the CSR (certificate signing request). This is what you submit when you sign up for an SSL certificate.
openssl req -new -key website.com.key -out website.com.csr
You need to enter the passphrase of the key.
This command will prompt for the following X.509 attributes of the certificate:
NOTE: Do not enter an email address, challenge password or optional company name when generating the CSR.
- Country Name: use the two-letter country code without punctuation, for example: US or CA.
- State or Province: spell out the state or province name completely; do not abbreviate it, for example: California
- Locality or City: the city or town name, for example: Berkeley. Do not abbreviate: Saint Louis, not St. Louis
- Company: if the company or department has an &, @, or any other symbol that needs the shift key in its name, the symbol must be spelled out or omitted in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
- Organizational Unit: the name of the department or organizational unit making the request. To skip the OU field, press Enter.
- Common Name: the host + domain name, for example "www.website.com". Note that "www.website.com" or "secure.website.com" is not the same as "website.com"; visitors using a name other than the Common Name might receive a warning.
A public/private key pair has now been created. The private key (website.com.key) stays on the server and is used for decryption. The public portion, in the form of a certificate signing request (website.com.csr), is used for certificate enrollment.
You can test your CSR at https://ssltools.digicert.com/checker/
Make sure you have a backup of your private key (website.com.key), and store it in a safe place.
You might want to start by removing the world-readable permission:
chmod og-r website.com.key
The files server.cert and intermediate.crt are sent to you by your SSL certificate provider.
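As an added example that is not part of the tutorial, here are the two procedures above (self-signed certificate, and key + CSR for a CA) done without interactive prompts, followed by the checks worth running before you trust the files: does the key really match the certificate or CSR, is the Common Name what you intended, and how long does the certificate stay valid. It assumes the openssl command line tool (1.1.1 or newer, for -addext); host names, paths and subject values are placeholders.

```shell
#!/bin/sh
# Added example, not from the tutorial: non-interactive versions of the two
# procedures above (self-signed certificate; key + CSR for a CA), plus checks
# worth running before trusting the files. Assumes the openssl CLI (1.1.1 or
# newer, for -addext) is installed; hostnames, paths and subject values are
# placeholders.

# gen_key OUT -> 2048-bit RSA key (no passphrase), written 0600 via umask
gen_key() { (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null); }

# self_signed KEY CRT HOST DAYS
# -sha256 instead of the tutorial's -sha1 (browsers reject SHA-1 signatures);
# -subj/-addext answer the questions up front; browsers match the SAN, not just CN.
self_signed() {
    openssl req -new -x509 -sha256 -days "$4" -key "$1" -out "$2" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" 2>/dev/null
}

# make_csr KEY CSR COUNTRY STATE CITY COMPANY COMMON_NAME
# Fields as the CA wants them; no email, no challenge password, OU left out.
make_csr() {
    openssl req -new -key "$1" -out "$2" \
        -subj "/C=$3/ST=$4/L=$5/O=$6/CN=$7" 2>/dev/null
}

# pub_fp FILE -> SHA-256 of the public key in a .key, .csr or .crt (by extension)
pub_fp() {
    case $1 in
        *.crt) openssl x509 -in "$1" -noout -pubkey ;;
        *.csr) openssl req  -in "$1" -noout -pubkey ;;
        *)     openssl pkey -in "$1" -pubout ;;
    esac 2>/dev/null | openssl dgst -sha256 | sed 's/.*= *//'
}

# key_matches KEY FILE -> 0 if the cert or CSR really carries KEY's public key
key_matches() {
    k=$(pub_fp "$1"); [ -n "$k" ] && [ "$k" = "$(pub_fp "$2")" ]
}

# cn_of FILE -> the Common Name of a certificate (.crt) or CSR
cn_of() {
    case $1 in
        *.crt) openssl x509 -in "$1" -noout -subject -nameopt RFC2253 ;;
        *)     openssl req  -in "$1" -noout -subject -nameopt RFC2253 ;;
    esac 2>/dev/null | sed 's/.*CN=\([^,]*\).*/\1/'
}

# cert_ok_for CRT DAYS -> 0 if CRT remains valid for at least DAYS more days
cert_ok_for() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; }
```

Source the file and call the functions, for example: gen_key yoursite.com.key; self_signed yoursite.com.key yoursite.com.crt yoursite.com 365; key_matches yoursite.com.key yoursite.com.crt. The cert_ok_for check is the one to put in a cron job so the renewal the tutorial mentions does not get forgotten.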
You can set it up as a virtual host on port 443:
NameVirtualHost *:443
<VirtualHost *:443>
    DocumentRoot "/local/www/ssl_html"
    SSLEngine on
    SSLOptions +StrictRequire
    <Directory />
        SSLRequireSSL
    </Directory>
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    SSLCertificateKeyFile /etc/apache2/ssl/website.com.key
    SSLCertificateFile /etc/apache2/ssl/server.cert
    SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
    SSLVerifyClient none
    SSLProxyEngine off
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
Some explanation:
- SSLEngine must be enabled so that the server uses SSL.
- DocumentRoot sets the root directory for this virtual host. This means that you can separate secure content entirely from regular content.
- SSLRequireSSL requires SSL to be used on this virtual host, i.e. a user can't reach this content with a plain HTTP request. This is why we separate the secure and regular root directories.
- SSLProtocol disables all protocols other than TLS v1.0 and SSL v3.0. This will be OK for most web browsers.
- SSLCipherSuite is set to use only HIGH and MEDIUM security cipher suites. SHA1 is considered more secure than MD5, so it is preferred.
- SSLCertificateKeyFile, SSLCertificateFile and SSLCertificateChainFile should be set to the locations where you put your key and certificate files. Both SSLCertificateFile and SSLCertificateChainFile are provided by your registrar.
- SSLVerifyClient should be set to none if you are not using client authentication.
Test the config before you restart the Apache server.
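As an added check that is not part of the tutorial, the script below audits the SSL directives of a virtual host and reports the settings in the block above that are weak by today's standards (SSLv3 is broken by POODLE, TLS 1.0/1.1 are deprecated by RFC 8996, MD5 and MEDIUM strength ciphers should not be offered). The embedded sample is the tutorial's own directives, copied in as constructed input; the suggested replacement line is an assumption for current Apache builds.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit the SSL directives of a virtual
# host for settings that are weak by today's standards. Facts relied on: SSLv3
# is broken (POODLE), TLS 1.0/1.1 are deprecated (RFC 8996), MD5 ciphers and
# "MEDIUM" strength ciphers should not be offered, aNULL must stay excluded.

# sample_config -> the tutorial's own SSL directives, embedded as test input
sample_config() {
    cat <<'EOF'
    SSLEngine on
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    SSLVerifyClient none
EOF
}

# audit_ssl_config FILE -> prints one FINDING per weak setting;
# exit status 0 when clean, 1 when anything was flagged
audit_ssl_config() {
    awk '
        function finding(msg) { n++; print "FINDING: " msg }
        $1 == "SSLProtocol" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\+?(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                    finding("SSLProtocol enables " $i "; use: SSLProtocol -all +TLSv1.2 +TLSv1.3")
                if ($i == "all" || $i == "+all")
                    finding("SSLProtocol \"all\" also enables SSLv3 and TLS 1.0/1.1")
            }
        }
        $1 == "SSLCipherSuite" {
            if ($2 ~ /(^|:)\+?MD5(:|$)/)    finding("SSLCipherSuite offers MD5 ciphers")
            if ($2 ~ /(^|:)\+?MEDIUM(:|$)/) finding("SSLCipherSuite offers MEDIUM ciphers")
            if ($2 !~ /!aNULL/)              finding("SSLCipherSuite does not exclude aNULL (unauthenticated) ciphers")
        }
        $1 == "SSLEngine" && $2 != "on" { finding("SSLEngine is not on") }
        END { exit (n > 0) }
    ' "$1"
}

# Stand-alone demo: audit the tutorial directives above (TLSv1.3 needs
# Apache 2.4.36+ with OpenSSL 1.1.1+; on older builds use -all +TLSv1.2).
cfg=$(mktemp) && sample_config > "$cfg"
audit_ssl_config "$cfg" || echo "weak settings found, fix them before restarting Apache"
rm -f "$cfg"
```

Run it against the real file (audit_ssl_config /etc/apache2/sites-enabled/yoursite.conf) as part of the pre-restart test; a non-zero exit status makes it usable as a gate in a deployment script.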
Send HTTP traffic to HTTPS
You can automatically send all your unsecured HTTP traffic to your new secure site, or just a part of it (the secure directory), by adapting the Apache config file.
All traffic:
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://secure.example.com/
</VirtualHost>
Only the secure directory:
<VirtualHost *:80>
    ServerName mysite.example.com
    DocumentRoot /usr/local/apache2/htdocs
    Redirect permanent /secure https://mysite.example.com/secure
</VirtualHost>