Apr 232014
 

This site is now available over https and here’s what i did to get the certificate.

Generating a Certificate Signing Request (CSR) using OpenSSL

Generate a pair of private key and public Certificate Signing Request (CSR) for a webserver, use the following command :

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr

This creates two files. The file myserver.key contains a private key; do not disclose this file to anyone. Carefully protect the private key.

In particular, be sure to backup the private key, as there is no means to recover it should it be lost. The private key is used as input in the command to generate a Certificate Signing Request (CSR).

You will now be asked to enter details to be entered into your CSR.

For some fields there will be a default value, If you enter ‘.’, the field will be left blank.


    Country Name (2 letter code) [AU]: GB
    State or Province Name (full name) [Some-State]: Yorks
    Locality Name (eg, city) []: York
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
    Organizational Unit Name (eg, section) []: IT
    Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
    Email Address []:

Please enter the following ‘extra’ attributes to be sent with your certificate request

    A challenge password []: 
    An optional company name []:

Use the name of the web-server as Common Name (CN). If the domain name (Common Name) is mydomain.com append the domain to the hostname (use the fully qualified domain name). i.e. for this site i used www.webstershome.co.uk

The fields email address, optional company name and challenge password can be left blank for a webserver certificate.

Your CSR will now have been created. Open the server.csr in a text editor and copy and paste the contents into the online enrollment form when requested.

Purchase SSL Certifcate

Now go buy your certificate from your favourite supplier, i used https://www.ssls.com/ to purchase my SSL certificate from Comodo.

Install SSL Certifcate

Now depending on where you got your certificate you will receive a zip file with yourDomainName.crt(your certificate) and 1 or more .crt Certificate Trust Chain which should be put into a .pem file

easiest way to do that is open a text editor (such as notepad++) and paste the entire body of each certificate into one text file.
You need to make sure you include the beginning and end tags on each certificate. The result should look like this:


-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: Intermediate1.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: Intermediate2.crt)
-----END CERTIFICATE-----

There is no need to include the trusted root crt as your browser already has it, and if you use a browser from the stone age that doesn’t it won’t trust it anyway.
Note: Save the combined file as “yourDomainName_ca_bundle.pem”. The .pem file is now ready to use.

Now we can setup apache to use it, as i use Virtualmin i go to the Manage SSL certificate page for my domain and go to the CA Certificate page and upload “yourDomainName_ca_bundle.pem” then go to the Update Certificate and Key page and upload your “yourDomainName.crt” and private key “myserver.key”

If you don’t use Virtualmin you need to manually add this to your virtual host section of /etc/httpd/conf/httpd.conf

SSLEngine on
SSLCertificateKeyFile /etc/ssl/myserver.key
SSLCertificateFile /etc/ssl/yourDomainName.crt
SSLCertificateChainFile /etc/ssl/yourDomainName_ca_bundle.pem

Testing

Now you should be running with your new certificate, go check your setup using https://www.ssllabs.com/ssltest/

Your looking to get at least an A- otherwise you need to fix stuff and make sure it says your Certifcate is Trusted and valid and there are no chain issues.

Now time to test your website for any errors, your looking to make sure you get the padlock symbol and no errors.
The most common error is linking to images. You need to make sure any images can be reached over https. As an example on this site i use relative links which means i don’t include the “http://www.webstershome.co.uk” part of the link i just have “/image/pic1.jpg” that way the image works over both http and https.
The next issue is likely to be your css and js files will need the same treatment.
If you use a CDN service you need to make sure they allow https connections as well.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)