Simple way to configure SSL on our website

This tutorial works for CentOS only. For a tutorial specific to your OS, use the tags or the search function in the sidebar area.

 

Today the task is to configure an SSL version of our website domain, served from a separate "secure_html" folder.

First, you have to install an Apache module named 'mod_ssl'.

You also need:

A unique IP address - this is what the certificate providers use to validate the secure certificate. One IP per SSL domain.
An SSL certificate from an SSL certificate provider - of course this isn't necessary for the self-signed certificate which we create first.

Remember to replace the following placeholders with your own values:

domain.com - you enter your own domain
your.vps.ip - the IP assigned to the VPS
apacheuser - a user under which Apache runs
apacheusergroup - a usergroup under which Apache runs

 

Install mod_ssl

$ yum install mod_ssl
 

We will create a directory for the certificates:

$ mkdir /etc/httpd/ssl
 

And the secured counterpart of public_html, where we put our secure webpage:

$ mkdir /var/www/html/domains/domain.com/secure_html
 

Remember that we use a single-user Apache configuration:

$ chown apacheuser:apacheusergroup -R /var/www/html/domains/domain.com/secure_html/
$ chmod 0755 /var/www/html/domains/domain.com/secure_html
 

And the test index.html to see if it works at the end:

$ echo "SSL webpage" >> /var/www/html/domains/domain.com/secure_html/index.html
 

Self-signed certificate

Please keep in mind that self-signed certificates will always generate warnings in a visitor's browser because it's your certificate and it's signed by you, so it's untrusted as hell :-) To avoid this you have to buy a commercial SSL certificate.

 

Creating a self-signed certificate

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/domain.com.key -out /etc/httpd/ssl/domain.com.crt

Generating a 2048 bit RSA private key
..............................................................................
...............................
writing new private key to '/etc/httpd/ssl/domain.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:My state
Locality Name (eg, city) [Default City]:My City
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:Studio
Common Name (eg, your name or your server's hostname) []:domain.com
Email Address []:admin@domain.com
 

The /etc/httpd/conf.d/ssl.conf file already contains some pre-defined SSL directives, which are loaded via include. We will use /etc/httpd/conf/httpd.conf to maintain both our http and https webpages and leave the default ssl.conf intact.

Add the vhost directive below in the very same way as you previously did. Remember to make changes accordingly.

$ nano /etc/httpd/conf/httpd.conf

 

Restart Apache.

$ service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
 

Now type this into your browser's address bar:

https://yourdomain.com

You should see a browser security warning, that's OK.
You should see a "SSL webpage" text.

 

Creating a commercial SSL cert

Create a Certificate Signing Request

You must create a certificate signing request (CSR) for the site which you'd like to use with SSL. Be sure to change "domain.com" to reflect the fully qualified domain name (subdomain.domainname.com) of the site you'll be using SSL with. Leave the challenge password blank. We entered 365 for the days parameter to the command, as we would be paying for one year of SSL certificate verification from a commercial CA (certificate authority).

$ openssl req -new -days 365 -nodes -keyout domain.com.key -out domain.com.csr

You may now submit the file ending in .csr to a commercial SSL provider for signing. You will receive a signed file after the CA signs the request. Save this file as /etc/httpd/ssl/domain.com.crt.
You'll also need to get the root certificate for the CA that you paid to sign your certificate.

For example, if we downloaded a root cert for Verisign, we would save it to /etc/httpd/ssl/verisign.cer
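
A check worth running before each Apache restart, for both the self-signed pair and the certificate returned by the CA. This is an added example, not part of the original tutorial: the function name check_pair and its return codes are made up here, and it assumes an unencrypted key as created by the -nodes commands above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check a certificate
# and private key before pointing Apache at them and restarting.
# Usage: sh thisfile /etc/httpd/ssl/domain.com.crt /etc/httpd/ssl/domain.com.key
# Return codes (chosen for this example): 0 ok, 1 unreadable, 2 mismatch,
# 3 key accessible to group/others, 4 certificate expired.

check_pair() {
    crt=$1
    key=$2

    # Public key stored in the certificate, and public key derived from the
    # private key. Both are printed as the same PEM structure.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $crt" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $key" >&2; return 1; }

    # Apache refuses to start if the pair does not match, e.g. when the CA
    # signed a CSR that was generated from a different key.
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "certificate and key do not belong together" >&2
        return 2
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -lL "$key" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "key is accessible to group/others, run: chmod 600 $key" >&2
        return 3
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired" >&2
        return 4
    fi

    echo "OK: $(openssl x509 -in "$crt" -noout -subject -enddate | tr '\n' ' ')"
}

# Run the check when called with two arguments: <certificate> <key>
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```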

Configure Apache to use the Signed SSL Certificate

$ nano /etc/httpd/conf/httpd.conf

Restart Apache.

$ service httpd restart

And if you pay enough money you should get no warning, just a green lock in the address bar.

For all of you I recommend StartSSL for a start - they have free certificates which are always better than the self-signed ones.