by Patrick Kerrigan. Tags: Web Linux Cryptography Security
As Google have publicly stated that a site's usage of SSL will now start to play a part in the ranking of its pages in search results (and presumably other search engines will follow suit) I decided it was time to switch this site to SSL. With online privacy an even bigger concern than ever there's no reason not to use cryptography where possible. I'm posting the steps I took here as a guide for anyone else thinking of making the same move in the hope that someone might find it useful.
This guide assumes a few things: firstly, that you're using RHEL or a derivative of it; secondly, that you're using the Apache HTTP server. If not, the core process should be the same, but you may need to adjust a few things such as the location and syntax of configuration files. Finally, root access to your server is required. If you use shared hosting and/or do not control your own server, your host may provide an alternative method for you to set up SSL; consult their documentation for further details.
Obtaining an SSL certificate
Update: As of 2017 StartSSL are no longer issuing certificates, so any references in this post should be replaced with your Certificate Authority of choice.
The first step in the process is to obtain an SSL certificate for your domain. This usually involves paying some money to a certificate authority (commonly known as a CA) for them to sign your public key. As this is not a commercial site, however, I opted to get a free certificate from StartSSL (they do charge if you later want to revoke your certificate; some people object to that, so be aware of it if you decide to go that route!). For the rest of this guide, I'll assume your domain is example.com.
Start by generating yourself a key pair using openssl on the command line:
$ openssl genrsa -out example.com.key 2048
Next, generate a certificate signing request from your keys (known as a CSR):
$ openssl req -sha256 -new -key example.com.key -out example.com.csr
Note that a SHA-256 signature is explicitly requested with -sha256; SHA-1 is no longer considered secure and browsers are starting to reject certificates signed with it.
You'll be asked to input some information about yourself and your domain. The most important of these is the response you give for "Common Name (CN)". This should be your domain name without the www in front. Once this information has been filled out you will be left with a .key file (your key pair, which must be kept private and never uploaded anywhere) and a .csr file (your certificate signing request) in your current working directory.
Now you'll need to request a certificate from your certificate authority of choice. When prompted for a certificate signing request you'll need to upload the .csr file that you've just generated. Depending on the certificate authority the signing process may be instant, may take some time or may require additional verification steps. In all cases the CA should verify that you own the domain name either before or during the signing process. This is usually done by emailing a specific address at your domain with a verification key, or by asking you to set a DNS record to a specific value. Once signing is complete you will be able to download your certificate either as a file or by copying it from a text field. Save this file as example.com.crt in the same folder as your key pair and certificate signing request.
Most CAs sign using an "intermediate certificate", which they'll give you a link to download on their website. For maximum compatibility with browsers you should download this to the same folder as your certificate (this guide assumes it is saved as intermediate.pem); we'll install it later.
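The key and CSR steps above can be scripted and, more usefully, checked before the CSR is uploaded. The following is an added example, not code from the original post: it generates the key pair with owner-only permissions, produces the CSR non-interactively, and then inspects the CSR for the three things that commonly go wrong (the CN, the signature hash, and whether the CSR actually belongs to the key sitting next to it). It assumes only the openssl command-line tool; the function names, the output directory and the use of example.com as the domain are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the key pair and
# CSR non-interactively and check the CSR before uploading it to the CA.
# Assumes only the openssl command-line tool; directory ($1) and domain ($2)
# are parameters, and example.com is the post's placeholder domain.

# Make a 2048-bit RSA key readable by its owner only (the umask applies to
# the file openssl creates), then a SHA-256 CSR whose CN is the bare domain.
make_key_and_csr() {
    (umask 077 && openssl genrsa -out "$1/$2.key" 2048 2>/dev/null) || return 1
    openssl req -sha256 -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" 2>/dev/null
}

# Print the CN the CA will put on the certificate (should be the bare domain).
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Print the CSR's signature algorithm; "sha1WithRSAEncryption" here means
# the -sha256 flag was left off.
csr_signature_algorithm() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the key length in bits; CAs refuse anything under 2048.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Exit 0 only if the CSR was derived from this exact key: compare the public
# keys embedded in each instead of trusting matching file names.
key_matches_csr() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_key_and_csr "$work" example.com
csr="$work/example.com.csr"; key="$work/example.com.key"
echo "CN:         $(csr_common_name "$csr")"
echo "signature:  $(csr_signature_algorithm "$csr")"
echo "key bits:   $(key_bits "$key")"
if key_matches_csr "$key" "$csr"; then echo "key/CSR:    match"; else echo "key/CSR:    MISMATCH"; fi
rm -rf "$work"
```

The key/CSR comparison is the check worth keeping around: a stale .key from an earlier attempt in the same directory is the classic reason Apache later refuses to start with a certificate/key mismatch.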
Installing your new certificate
First, copy your certificate, intermediate certificate and key pair to the correct places on the filesystem (again, assuming RHEL):
$ sudo cp example.com.key /etc/pki/tls/private
$ sudo cp example.com.crt /etc/pki/tls/certs
$ sudo cp intermediate.pem /etc/pki/tls/certs
Next, you'll want to tell Apache where to find your certificates and keys. By default you can do this by modifying the SSL configuration file located at /etc/httpd/conf.d/ssl.conf and changing a few lines.
Uncomment SSLCertificateFile and change its value to the path of your certificate. It should read the following for this example:
SSLCertificateFile /etc/pki/tls/certs/example.com.crt
Uncomment SSLCertificateKeyFile and point it to your key:
SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
If you downloaded an intermediate certificate then uncomment SSLCertificateChainFile and put the path to it here:
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.pem
Finally, make sure to disable SSLv2 and SSLv3 by uncommenting the SSLProtocol directive and changing it to the following:
SSLProtocol All -SSLv2 -SSLv3
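The three file directives above are easy to get subtly wrong (forgetting the chain file is the usual one, and it only shows up as a warning in browsers that don't already cache the intermediate). The following added example, not code from the original post, builds a throw-away root/intermediate/server chain with openssl so the checks can run offline, then shows the two verifications worth running against the real files before restarting Apache: that the certificate chains to a root only when the intermediate is supplied (which is exactly the job SSLCertificateChainFile does), and that the private key is not world-readable. It assumes only the openssl command-line tool; the CA names, serial numbers and one-day lifetimes are constructed for the demo and are not from any real CA.

```shell
#!/bin/sh
# Added example, not part of the original post: build a throw-away
# root -> intermediate -> server chain with openssl and run the checks that
# catch the usual installation mistakes before Apache is restarted. Assumes
# only the openssl command-line tool; the CA names, serial numbers and
# one-day lifetimes are constructed for the demo, not from any real CA.

# Sign CSR $1 with CA certificate $2 and key $3, applying the X.509v3
# extensions in file $4, writing the certificate to $5 with serial $6.
issue() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$6" \
        -days 1 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

# Create root.pem, intermediate.pem/.key and $2.crt/.key under directory $1.
build_demo_pki() {
    dir="$1"; domain="$2"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$domain" > "$dir/server.ext"
    # Self-signed root: stands in for the CA's trust anchor shipped in browsers.
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -new -key "$dir/root.key" -subj "/CN=Demo Root CA" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # Intermediate signed by the root: the file a CA hands out as intermediate.pem.
    openssl genrsa -out "$dir/intermediate.key" 2048 2>/dev/null
    openssl req -new -key "$dir/intermediate.key" -subj "/CN=Demo Intermediate CA" \
        -out "$dir/intermediate.csr" 2>/dev/null
    issue "$dir/intermediate.csr" "$dir/root.pem" "$dir/root.key" "$dir/ca.ext" "$dir/intermediate.pem" 2
    # Server certificate signed by the intermediate, from a CSR like the post's.
    (umask 077 && openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null)
    openssl req -sha256 -new -key "$dir/$domain.key" -subj "/CN=$domain" -out "$dir/$domain.csr" 2>/dev/null
    issue "$dir/$domain.csr" "$dir/intermediate.pem" "$dir/intermediate.key" "$dir/server.ext" "$dir/$domain.crt" 3
}

# Exit 0 only if server cert $3 chains to root $1 via intermediate $2. The
# intermediate is passed as "untrusted", the same role SSLCertificateChainFile
# gives it: Apache sends it so clients can complete the chain themselves.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# The same check without the intermediate: what a client sees if Apache
# serves the server certificate alone.
leaf_alone_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the certificate's notAfter date, for the expiry reminder the post suggests.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 only if the private key is readable by its owner alone (mode 0600).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

work=$(mktemp -d)
build_demo_pki "$work" example.com
if chain_verifies "$work/root.pem" "$work/intermediate.pem" "$work/example.com.crt"; then
    echo "with intermediate:    chain verifies"
fi
if ! leaf_alone_verifies "$work/root.pem" "$work/example.com.crt"; then
    echo "without intermediate: chain fails (this is why SSLCertificateChainFile is needed)"
fi
echo "expires:              $(cert_not_after "$work/example.com.crt")"
key_is_private "$work/example.com.key" && echo "key permissions:      0600"
rm -rf "$work"
```

Against a real installation, run chain_verifies with your CA's published root as the first argument, /etc/pki/tls/certs/intermediate.pem as the second and /etc/pki/tls/certs/example.com.crt as the third; if it only passes with the intermediate, the SSLCertificateChainFile line is doing necessary work and must not be left commented out.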
Configuring virtual hosts
If you use virtual hosts, then you'll also need to set them up to use SSL. Open /etc/httpd/conf.d/vhosts.conf and add the following line to the top:
NameVirtualHost *:443
Next, find the VirtualHost block for your domain and duplicate it. You'll need to change the port of the new block from 80 to 443, then add the following lines inside it:
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/pki/tls/certs/example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.pem
Configuring the firewall
If you're running iptables to block unwanted traffic you'll need to open the HTTPS port (443/tcp). Use the following commands to add the necessary firewall rule and save it so it survives a reboot. Note that -A appends the rule to the end of the INPUT chain: if your chain already ends with a catch-all REJECT or DROP rule (as the stock RHEL ruleset does), the new rule will sit after it and never match, so in that case insert it ahead of the catch-all with -I INPUT instead.
$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
$ sudo service iptables save
Testing it all
Now that everything's set up, Apache needs to be restarted for the changes to take effect. Before doing so, check the configuration for errors with the following command:
$ httpd -t
If any errors are reported, go and fix those now. If everything's ok then issue the following command to restart Apache:
$ sudo service httpd restart
You should now be able to view your website over SSL by visiting https://example.com!
What next?
There are a few things you may want to do once SSL is up and running to make sure you're taking full advantage of it:
- Redirect non-https pages to https
- Add canonical link tags to your pages pointing to the https version
- Use Google's webmaster tools to inform them of the change of address
- Tune SSL to use stronger ciphers
- Set a reminder to alert you when your SSL certificate is going to expire!