How To Set Up HTTPS On Your Web Server

So you need to enable SSL on your web server. Your website visitors expect you to handle sensitive information that must travel to your web server securely.

In other words, you need a digital certificate. Let me first explain the background before I walk you through the steps of making your web server HTTPS-ready.

Why Do You Need A Certificate?

A certificate serves as a kind of identity proof for your web site. It gives visitors a reliable way to check that the site really belongs to you and, most importantly, it allows everyone to encrypt data travelling to and from your web server.

In a nutshell, a certificate is a public encryption key that has been approved by an independent, trusted third party. The third party performs some kind of scrutiny to make sure that the public key really belongs to you, specifically to your domain name, and it confirms this verification with a digital signature.

It's very important that you get a certificate from one of the few institutions whose keys are already built into the browsers most people use every day. Only those certificates are recognized as legitimate and will create the trust you need for your web site.

In order to get a certificate for your web server, you have to create an RSA key pair first. So you cannot simply order a certificate from a provider; the first step has to be done by yourself, because you will create two keys that fit tightly together, and only the public part must be sent to the trusted third party for certification. The secret part must be kept local and secure: you will have to store this private key on your own web server. I'll show you how shortly.

What Kind Of Certificate Do You Need?

Things can get a bit complicated, because there are different kinds of certificates available. Technically they're all the same, but if you have shopped around you will have noticed that certificates come at very different prices, depending on which third party certifies your public key and on the amount of scrutiny that is performed.

The lowest level of (perfectly working) certificates can be issued within 10 minutes of your applying for certification. These certificates validate the domain name and nothing else. After you send your certification request to a company via a web form, the company will ask you to reply within 10 minutes to an email message they send to a specific address such as admin@your-domain.com. If you return the code from that email to the company, they have verified that you can read the email and therefore that you own and control the domain. Based on this check they will sign your request and send the finished certificate back to you in an email. Quick and easy.

But there are more expensive certificates that require more extensive scrutiny, because these certificates verify the personal identity of the domain owner. Certain documents have to be sent to the third party on company letterhead. They are checked against publicly available data and sometimes confirmed with a phone call, so producing such a certificate takes days, not minutes. The benefit of this procedure is that the browser will display the additional personal information as trusted.

The most luxurious and almost unaffordable versions are "extended validation" certificates, which turn the address bar green, as you know from PayPal or banking sites. You won't need such a certificate for your web site, so domain-validated certs are a good choice.

Applying For A Certificate

Before you apply for a certificate you should gather some important information first. Please bear in mind that your new certificate covers only one domain name. If you apply for "your-domain.com" the certificate usually works for "www.your-domain.com" too, but not for any other sub-domain.

As I said, the first step is to create a key pair and a CSR, a certificate signing request, which you can send to the company of your choice for certification. You can create such a CSR file on a Linux computer with the following command, entered on a single line.

openssl req -new -nodes -keyout yourdomain.key -out yourdomain.csr -newkey rsa:2048

Make sure that you enter your own address details when prompted, as shown in the output of this command below. You can enter a dot (.) to leave a field empty.
Please double-check the domain name you enter as the CN (Common Name), as it must be the name your website visitors will use in their browsers: "https://your-domain.com".

Generating a 2048 bit RSA private key
............................................+++
......................................+++
writing new private key to 'yourdomain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IE
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Your Company Name
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:your-domain.com
Email Address []:support@your-domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

Now you have two different files: "yourdomain.key", which holds the private key, and "yourdomain.csr", which holds your certificate signing request, i.e. your public key together with the details you entered, signed with your private key. You can safely cut and paste the content of the file "yourdomain.csr" into the input box on the application form on your third party's website to apply for a certificate.
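Here is an added shell example (not part of the original article) that produces the same key and CSR without the interactive prompts and then performs the checks worth doing before you submit the CSR: that its self-signature verifies, that it really belongs to the private key you keep, and that the CN is your domain. The subject fields, output directory and function names are my own choices, not the article's.

```shell
#!/bin/sh
# Added example, not from the original article: create the key pair and CSR
# without the interactive prompts, then run the checks worth doing before you
# paste the CSR into the CA's order form. Subject fields are placeholders.
#   make_csr   <domain> <outdir>  writes <outdir>/<domain>.key and .csr
#   verify_csr <domain> <outdir>  returns 0 only if the CSR is sound

make_csr() {
    domain=$1; outdir=$2
    mkdir -p "$outdir"
    # -subj replaces the DN prompts; the CN must be exactly the hostname
    # visitors will type. 2048-bit RSA, unencrypted key (-nodes), as above.
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
        -subj "/C=IE/O=Your Company Name/CN=$domain" 2>/dev/null || return 1
    chmod 600 "$outdir/$domain.key"    # the private key never leaves this host
}

csr_cn() {
    # Common Name from the CSR subject (works for both the old "/CN=" and the
    # newer "CN = " output formats of openssl).
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

verify_csr() {
    domain=$1; outdir=$2
    key="$outdir/$domain.key"; csr="$outdir/$domain.csr"
    # 1. The CSR carries a self-signature made with the new key; it must verify.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature does not verify"; return 1; }
    # 2. The public key inside the CSR must belong to the private key we keep.
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    cmod=$(openssl req -in "$csr" -noout -modulus 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] \
        || { echo "private key and CSR do not match"; return 1; }
    # 3. The CN must be the domain you are about to order the certificate for.
    [ "$(csr_cn "$csr")" = "$domain" ] \
        || { echo "CN is '$(csr_cn "$csr")', expected '$domain'"; return 1; }
    echo "CSR for $domain is ready to submit"
}
```

The same modulus comparison works on the finished certificate later (openssl x509 -noout -modulus), which is how you confirm that the file the CA sent back belongs to your key before putting it into the web server.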

Before you apply, it's wise to check that you can read and reply to the email address you are asked to use in the application form. Then watch out for an email asking you to confirm your request and send the code back. Depending on what you are willing to pay, you will find a new certificate in your email a few minutes later. Save the new certificate into a file "yourdomain.crt" for later use by your web server.

Setting Up SSL On Your Web Server

As a last step we are going to make your key file "yourdomain.key" and the new certificate "yourdomain.crt" available to your web server. If you haven't done it already, it's time to install Apache's mod_ssl on your server. After installing the SSL module you'll find a file "ssl.conf" in the main configuration directory of your Apache web server:

"/etc/httpd/conf.d/ssl.conf"

You can see below where your information is inserted in this config file (only the relevant directives are shown).

LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

# The SSL site lives in its own virtual host on port 443; keeping SSLEngine
# inside it leaves the plain-http site on port 80 untouched.
<VirtualHost _default_:443>
    # Your domain name, exactly as entered for the CN in the CSR
    ServerName your-domain.com:443
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    # The certificate the third party sent you, and the private key you generated
    SSLCertificateFile /etc/httpd/conf/yourdomain.crt
    SSLCertificateKeyFile /etc/httpd/conf/yourdomain.key
</VirtualHost>

Now it's time to restart your web server process to see whether the SSL configuration is error-free; if so, nothing can stop you and your website visitors from using "https" from now on. Congratulations.
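As an added example (not part of the original article), the shell script below audits an ssl.conf for the two directives that decide how strong the setup really is, and writes both the article's own lines and a hardened replacement so the two can be compared; the function names, the audit rules and the hardened values are mine, not the page's.

```shell
#!/bin/sh
# Added example, not from the original article: a small audit of the two
# ssl.conf directives that decide how strong the TLS setup really is, with the
# article's own lines next to a hardened replacement (both written by this
# script as constructed samples). audit_ssl_conf <file> prints one line per
# finding and returns the number of findings (0 means nothing weak was found).

has_token() { case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac; }

audit_ssl_conf() {
    conf=$1; n=0
    proto=$(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]*//p' "$conf" | tail -n 1)
    ciphers=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p' "$conf" | tail -n 1)
    [ -n "$proto" ] || proto=all   # mod_ssl's default when the directive is absent
    # "all -SSLv2" still enables SSLv3 and TLS 1.0/1.1; each must be switched off
    # (either by "-<version>" or by not being added back after "-all").
    for old in SSLv3 TLSv1 TLSv1.1; do
        on=0
        { has_token " $proto " " all " || has_token " $proto " " +all " ||
          has_token " $proto " " $old " || has_token " $proto " " +$old "; } && on=1
        has_token " $proto " " -$old " && on=0
        [ "$on" -eq 0 ] || { echo "SSLProtocol leaves $old enabled: $proto"; n=$((n+1)); }
    done
    # Any non-negated cipher token that admits RC4, export/LOW/MEDIUM grades or
    # NULL ciphers weakens the whole list (the article's "+MEDIUM:+LOW" does).
    for tok in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case "$tok" in
            '!'*) ;;
            *RC4*|*LOW*|*MEDIUM*|*EXPORT*|*NULL*)
                echo "SSLCipherSuite admits weak ciphers via '$tok'"; n=$((n+1)) ;;
        esac
    done
    grep -Eq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+[Oo][Nn]' "$conf" \
        || { echo "SSLHonorCipherOrder on is missing: the client picks the cipher"; n=$((n+1)); }
    return $n
}

# write_sample weak|hardened <file>: the article's lines, or the replacement.
write_sample() {
    if [ "$1" = weak ]; then
        printf '%s\n' 'SSLProtocol all -SSLv2' \
            'SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW' > "$2"
    else
        printf '%s\n' 'SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1' \
            'SSLCipherSuite HIGH:!aNULL:!MD5:!RC4' 'SSLHonorCipherOrder on' > "$2"
    fi
}
```

Run apachectl configtest as well before the restart, so a typo in ssl.conf is caught without taking the site down.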