A Simple Guide to Obtain and Install an SSL Certificate
Image source: Data key



More and more companies use SSL certificates (small data files that digitally bind a cryptographic key to an identity) to protect their customers' sensitive data, such as usernames, passwords and credit card numbers, while it is transmitted over the internet.

There is a large number of companies that provide SSL certificates (Certificate authorities; see here) and a wide variety of SSL certificates, so it is often difficult for the average user to choose the right one.

Basically there are three "levels" of SSL certificates:

  1. Domain Validation (DV) - this is the most common
  2. Organization Validation (OV) - it also offers company validation
  3. Extended Validation (EV) - it also offers company validation, and a green bar is displayed in the browser.

All "levels" offer the necessary encryption. Level 1 certificates are relatively cheap (5-50 dollars per year), while the others are much more expensive. Level 1 certificates are usually issued within 10-15 minutes, while level 2 and 3 certificates require more paperwork and take longer to issue (2-3 days). On the other hand, they offer greater prestige to the online presence of a company.

As a general rule, a dedicated IP is required for an SSL certificate to operate with a domain (site.com + www.site.com). There are also SSL certificates available for many domains or subdomains (more expensive, of course). It is possible, however, to set up multiple SSL certificates on a single IP with multiple Apache virtual hosts (see the end of the article), but there are some security issues with this method.

Personally, I usually use level 1 certificates. I often use SSLs, because it offers the full range of SSL certificates from various Certificate authorities, has cheap prices, allows detailed comparisons between SSL certificates, and has very good documentation and support.

In the following post I describe the process of obtaining and installing a Comodo PositiveSSL certificate on a Debian server with Apache 2.4.10 over port 443 for the domain "site.com". There are small differences in this procedure on other operating systems and web servers. You will usually find detailed documentation on the site where you purchased the SSL certificate.

1. Purchase SSL certificate

Just choose the SSL certificate and pay for it. At this point your SSL certificate is not yet associated with your domain; it is a "blank certificate".

2. Create CSR (Certificate Signing Request)

By creating the CSR (Certificate Signing Request) you actually associate your domain, company, etc. with the certificate you have just purchased.

As root, use openssl as follows:

openssl req -new -newkey rsa:2048 -nodes -keyout site.com.key -out site.com.csr

After completing this procedure, two files are created:

  • your private key (site.com.key) - ATTENTION: always keep it secret.

    It starts with

    -----BEGIN PRIVATE KEY-----

    and ends with

    -----END PRIVATE KEY-----

  • the CSR file (site.com.csr), which you have to submit to your Certificate authority in order to issue your SSL certificate.

    It starts with

    -----BEGIN CERTIFICATE REQUEST-----

    and ends with

    -----END CERTIFICATE REQUEST-----

3. Activate SSL certificate

Every Certificate authority has a special form on its website where you submit the CSR file you have just created.

In the case of SSLs, they ask you to upload a file to your web server to validate your domain and activate your certificate.

NOTE: Once the SSL certificate is issued and installed on your server, you can remove this file.

After 5-10 minutes you will receive an email with your new certificate. Congratulations! See the next step for installation.

4. Install SSL certificate

4.1 What we have here

The files you received look like this:

  1. site_com.crt - this is the main SSL certificate

plus three more files (intermediate and root certificates):

  1. COMODORSADomainValidationSecureServerCA.crt
  2. COMODORSAAddTrustCA.crt
  3. AddTrustExternalCARoot.crt

They all start with

-----BEGIN CERTIFICATE-----

and end with

-----END CERTIFICATE-----

4.2 Store Certificate files

Store the certificate files in /etc (or any other path). As root:

mkdir /etc/ssl-certs
mkdir /etc/ssl-certs/site.com

Create the file site.com.crt by concatenating the main certificate file with the intermediate and root certificates, in that order. Something like:

cat site_com.crt \
	COMODORSADomainValidationSecureServerCA.crt \
	COMODORSAAddTrustCA.crt \
	AddTrustExternalCARoot.crt > /etc/ssl-certs/site.com/site.com.crt

Move the file site.com.key:

mv /root/site.com.key /etc/ssl-certs/site.com/site.com.key

4.3 Enable SSL Apache module

Use:

a2enmod ssl

4.4 Modify Apache configuration

I assume that the www.site.com configuration file is /etc/apache2/sites-available/www.site.com.conf

cd /etc/apache2/sites-available/
nano www.site.com.conf

The first VirtualHost concerns port 443 and the second the classic port 80. It is recommended to redirect all requests on port 80 to 443, so modify the file as follows:

<VirtualHost YOUR_IP_HERE:443>
	ServerName  www.site.com
	ServerAdmin YOUR_EMAIL_HERE

	DocumentRoot /var/www/site.com

	<Directory /var/www/site.com>
		Options -Indexes +FollowSymLinks +MultiViews
		AllowOverride All
		Require all granted
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/site.com_error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/site.com_access.log combined

	SSLEngine on
	SSLCertificateFile /etc/ssl-certs/site.com/site.com.crt
	SSLCertificateKeyFile /etc/ssl-certs/site.com/site.com.key

</VirtualHost>

<VirtualHost YOUR_IP_HERE:80>
	ServerName  www.site.com
	Redirect permanent / https://www.site.com/
</VirtualHost>

You probably also need another configuration file to redirect site.com requests to www.site.com:

nano /etc/apache2/sites-available/site.com.conf

and use:

<VirtualHost YOUR_IP_HERE:443>
	ServerName site.com

	SSLEngine on
	SSLCertificateFile /etc/ssl-certs/site.com/site.com.crt
	SSLCertificateKeyFile /etc/ssl-certs/site.com/site.com.key

	Redirect / https://www.site.com/
</VirtualHost>

<VirtualHost YOUR_IP_HERE:80>
	ServerName site.com
	Redirect / https://www.site.com/
</VirtualHost>

Restart Apache:

systemctl restart apache2.service

4.5 Apache versions older than 2.4.8

You have to use the syntax:

	SSLEngine on
	SSLCertificateFile /etc/ssl-certs/site.com/site.com.crt
	SSLCertificateKeyFile /etc/ssl-certs/site.com/site.com.key
	SSLCertificateChainFile /etc/ssl-certs/site.com/site.com.ca-bundle

where site.com.ca-bundle contains the intermediate and root certificates. Of course, in this case site.com.crt contains only the main certificate file site_com.crt.

5. Validate SSL certificate

Check your certificate with one of the following (free) online tools:
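Before (or instead of) the online tools, the files built in step 4.2 can be sanity-checked locally. The script below is an added example, not part of the original post: it confirms that no private key was concatenated into site.com.crt, that the certificates are in the order Apache 2.4.8+ expects (leaf first, then each issuer in turn), and that site.com.key belongs to the leaf certificate. It assumes a POSIX shell and the openssl command line tool; the check_install helper, its default paths (taken from the article) and its messages are my own.

```shell
#!/bin/sh
# Local checks for the certificate bundle and key from step 4.2 (added example).
# Assumes the openssl CLI; defaults to the paths used in the article.

# Count the CERTIFICATE blocks in a PEM bundle (leaf + intermediates + root).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# True if a PRIVATE KEY block is present. site.com.crt is sent to every client
# and is often world-readable on disk, so it must never contain one.
pem_has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Print the Nth certificate (1-based) of a bundle.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ }
                   i == n { print }
                   /-----END CERTIFICATE-----/ { if (i == n) exit }' "$1"
}

# SSLCertificateFile is read as leaf first, then each issuer in turn:
# verify that certificate N was issued by certificate N+1.
chain_is_ordered() {
    total=$(pem_cert_count "$1")
    i=1
    while [ "$i" -lt "$total" ]; do
        issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer)
        subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# The public key in the leaf certificate must equal the one derived from the
# private key; otherwise Apache refuses to start with this pair.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks against the article's paths (or the two paths given).
check_install() {
    crt="${1:-/etc/ssl-certs/site.com/site.com.crt}"
    key="${2:-/etc/ssl-certs/site.com/site.com.key}"
    ! pem_has_private_key "$crt" || { echo "private key leaked into $crt"; return 1; }
    chain_is_ordered "$crt" || { echo "chain order wrong in $crt"; return 1; }
    key_matches_cert "$crt" "$key" || { echo "key does not match $crt"; return 1; }
    echo "ok: $(pem_cert_count "$crt") certificate(s), key matches"
}
```

Run it as root with `check_install` (no arguments) after step 4.2; a non-zero exit means the bundle or key needs fixing before restarting Apache.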

Is it possible to set up multiple SSL certificates on a single IP with multiple Apache virtual hosts?

YES IT IS. Since Apache v2.2.12 and OpenSSL v0.9.8j, the Transport Layer Security (TLS) extension called Server Name Indication (SNI) is supported. More about SNI here or here.

However, only recent browsers support SNI. Most current major desktop and mobile browsers do support it. See here.

You can use the virtual hosts configuration described above. No changes are needed.

Is it safe to use SNI in production?

Please note that it IS NOT recommended for e-commerce sites (or wherever security is critical). A dedicated IP is the most secure way to implement SSL.

Remarks

If you use Webmin, the browser complains about the Webmin certificate when in SSL mode. So, it is a good idea to use your SSL certificate with Webmin as well.

This happens because the default SSL certificate generated by Webmin is not issued by a recognized certificate authority. From a security point of view, this makes the certificate less secure, because an attacker could theoretically redirect traffic from your server to another machine without you knowing, which is normally impossible when using a proper SSL certificate. Network traffic is still encrypted though, so you are safe against attackers who are merely listening in on your network connection.

If you want to be really sure that the Webmin server you are connecting to is really your own, the only solution is to order a certificate from an authority like Verisign that is associated with your server's hostname and will be recognized by web browsers. This certificate should be placed in the file /etc/webmin/miniserv.pem and be in the same certificate+key format as the existing miniserv.pem file.

Back up /etc/webmin/miniserv.pem and then recreate it by concatenating the main certificate file and your private key:

cat site_com.crt site.com.key > /etc/webmin/miniserv.pem

Then restart Webmin:

systemctl restart webmin.service

Summary

Here is a summary:

  1. Purchase SSL certificate
  2. Create CSR (Certificate Signing Request)
  3. Activate SSL certificate (by submitting CSR to your Certificate authority)
  4. Install SSL certificate on your server
  5. Validate SSL certificate
