
Securing Your Web Traffic: Installing an SSL Certificate

If you run an e-commerce site, or will otherwise be serving web traffic that you do not want someone to intercept or tamper with, then you should install an SSL certificate so the site can be served over https.

The RimuHosting staff can purchase and install an SSL certificate on any server you host with us. Just open a support ticket of the SSL type.

If you would prefer to do it yourself, here is how the SSL certificate setup goes:

Things to know:

Time to get SSL running on your server. The command below downloads the prepcert.sh script and runs it straight away; follow the rest of the instructions the script prints. Note that the script is fetched over plain http and runs with the privileges of the user you are logged in as (normally root), so if you would rather review it first, run the wget on its own, read the script, and only then run the bash step.


wget -q -O ./prepcert.sh http://proj.ri.mu/prepcert.sh ; bash ./prepcert.sh

At the end, the script prints an Apache directive block that you add to your existing Apache config file. The output will look something like this:


You will need to add this to your SSL-enabled VirtualHost:
################### START HERE#########################
SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl.crt/mycooldomain.com.2048.crt-10102012-1410
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mycooldomain.com.2048.key-10102012-1410
################### END HERE #########################

To see the contents of the certificate, run the following, where $httpdconfdir and $domainname are the config directory and domain name the script used (as in the paths it printed):

openssl x509 -in $httpdconfdir/ssl.crt/$domainname.2048.crt -noout -text | head -n 12

After restarting Apache so that it loads the new VirtualHost, you should be able to browse to https://yourdomainname.com

When you browse to the https page, do you get a warning that the certificate issuer is not recognised? Then Apache is probably sending your certificate on its own, without the issuer's intermediate certificate, so the browser cannot build a chain up to a root it trusts. Your certificate issuer should provide this file (often called a bundle or chain file). Upload it to the /etc/httpd/conf/ssl.crt directory. Then add an option like:


SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ComodoSecurityServicesCA.crt

after

your SSLCertificateFile directive, and restart Apache. Some older guides use SSLCACertificateFile for this; that directive is meant for verifying client certificates, so prefer SSLCertificateChainFile. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated: instead append the intermediate certificate(s) to the file named by SSLCertificateFile, after your own certificate.

Some people prefer to pay for one certificate and have several domain names aliased to the one domain. This brings up browser warnings that the certificate doesn't match the domain. For visitors arriving over plain http there is an easy fix: an Apache rewrite rule that redirects all those domains to the 'default' domain.

In the Apache config where you have configured your port 80 VirtualHost add the following rules (the dot is escaped and the pattern anchored so that only the exact host name domain.com is left alone):


RewriteEngine On
RewriteCond %{HTTP_HOST}   !^$
RewriteCond %{HTTP_HOST}   !^domain\.com$ [NC]
RewriteRule ^/(.*)         http://domain.com/$1 [L,R=301]

This cannot help a visitor who types https://alias.com directly: the certificate is checked during the TLS handshake, before Apache sees the request, so that warning appears regardless of any redirect.

If you want the entire website forced onto SSL as well, send the aliased names straight to the https version of the 'default' domain rather than the http one:


RewriteEngine On
RewriteCond %{HTTP_HOST}   !^$
RewriteCond %{HTTP_HOST}   !^domain\.com$ [NC]
RewriteRule ^/(.*)         https://domain.com/$1 [L,R=301]

and, for requests that already arrive on the right host name over plain http, add after it:


RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The order matters: the %{HTTPS} off rule on its own redirects to https://<whatever host the visitor used>, which for an aliased name lands on the same certificate mismatch warning, so the rule that fixes the host name must come first. Together these ensure all requests end up on https://domain.com/, the name the SSL certificate covers.

Resolving 'Server Certificate Expired' and 'Certified By an Unknown Authority' Browser Warnings

Apache comes with a default SSL host in /etc/httpd/conf.d/ssl.conf, <VirtualHost _default_:443>, which has a self-signed certificate. Apache may be answering with that VirtualHost rather than the one you added, which is why the browser sees the wrong (expired or untrusted) certificate. Change that VirtualHost to <VirtualHost 127.0.0.1:443> so that it does not override the setting for the IP you entered, and restart Apache. The web server should now pick up the SSL VirtualHost you added; apachectl -S lists which VirtualHost answers on each address and port, so you can confirm this without a browser.

Removing a passphrase from an SSL private key

If the private key (not the certificate) is protected by a passphrase, Apache prompts for it at every start and cannot be restarted unattended. There is a good guide on how to remove the passphrase on the Apache wiki. Keep the unprotected key file readable by root only.

Convert an OpenSSL certificate and key to a PKCS#12 file for Tomcat

Something like the following...

openssl pkcs12 -export -in <crtfile> -out <pkcs12file> -name "<certificate domain name>" -inkey <keyfile>

openssl pkcs12 -export -in /etc/httpd/conf/ssl.crt/promotionalway.com.crt -out /root/sslcert/promotionalway.com.pkcs12 -name "promotionalway.com" -inkey /etc/httpd/conf/ssl.key/promotionalway.com.key

The -export step prompts for an export password; Tomcat's keystorePass (below) must be set to the same value. If the issuer sent an intermediate certificate, include it with -certfile so that Tomcat serves the full chain. The resulting file contains the private key, so keep it readable only by the user Tomcat runs as.

Then in /usr/local/tomcat/conf/server.xml add a Connector like the following, with keystorePass replaced by the export password you chose (the "developer" value below is only a placeholder):


    <Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
        enableLookups="true" disableUploadTimeout="true"
        acceptCount="100"  maxThreads="200" maxHttpHeaderSize="8192"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/usr/local/tomcat/promotionalway.com.pkcs12" keystorePass="developer"
        keystoreType="PKCS12"
        clientAuth="false" sslProtocol="TLS"/>
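The following script is added here as an example; it is not part of prepcert.sh or of RimuHosting's tooling. It ties the openssl checks from the sections above together: it prints the certificate's subject and validity, confirms the key belongs to the certificate, verifies the chain against the issuer file, checks expiry ahead of the browser warning, strips the passphrase from the key, and exports the PKCS#12 bundle while confirming that the export password opens it. Everything it operates on is constructed test data: a throw-away issuer CA and a server certificate it signs, using the domain name mycooldomain.com from the sample output above. The passphrase "secret" and export password "change-me" are assumed values.

```bash
#!/bin/sh
# Added example for this page (not part of prepcert.sh or RimuHosting's tooling).
# Builds a throw-away test CA and server certificate, then runs the openssl checks
# and conversions described above against them.
set -eu
umask 077                       # every file created below is private to this user

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN="mycooldomain.com"       # assumed name, matching the sample script output
KEYPASS="secret"                # assumed passphrase protecting the generated key
P12PASS="change-me"             # assumed PKCS#12 export password (Tomcat keystorePass)

# Constructed test data: a private "issuer" CA and a server key/CSR/cert it signs,
# standing in for the files a commercial issuer would send back.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Issuer CA" \
        -keyout "$WORK/issuer.key" -out "$WORK/issuer.crt" 2>/dev/null
    openssl genrsa -aes128 -passout "pass:$KEYPASS" -out "$WORK/$DOMAIN.key.enc" 2048 2>/dev/null
    openssl req -new -key "$WORK/$DOMAIN.key.enc" -passin "pass:$KEYPASS" \
        -subj "/CN=$DOMAIN" -out "$WORK/$DOMAIN.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$DOMAIN.csr" -CA "$WORK/issuer.crt" -CAkey "$WORK/issuer.key" \
        -CAcreateserial -days 1 -out "$WORK/$DOMAIN.crt" 2>/dev/null
}

# The lines of 'openssl x509 -text' worth reading first: who it is for, who issued
# it, and when it expires.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# The key and certificate must belong together. Comparing the public keys catches a
# key file that was regenerated after the CSR went to the issuer.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# The browser's "certified by an unknown authority" check done locally: does the
# server certificate ($1) chain up to the issuer file ($2) you would put in
# SSLCertificateChainFile? For a real intermediate, pass it with -untrusted and a
# system CA bundle as -CAfile instead.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The "Server Certificate Expired" warning checked ahead of time: succeeds only if
# the certificate is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Passphrase removal, so Apache can restart unattended; $1 is the protected key,
# $2 the unprotected copy (created mode 0600 thanks to the umask above).
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$KEYPASS" -out "$2" 2>/dev/null
}

# The Tomcat step: bundle key, certificate and issuer certificate into one PKCS#12.
export_pkcs12() {
    openssl pkcs12 -export -in "$WORK/$DOMAIN.crt" -inkey "$WORK/$DOMAIN.key" \
        -certfile "$WORK/issuer.crt" -name "$DOMAIN" -passout "pass:$P12PASS" \
        -out "$WORK/$DOMAIN.p12"
}

# Read the bundle back with password $1. This is what Tomcat's keystorePass must
# unlock, so a wrong value fails here rather than at Tomcat startup.
pkcs12_opens_with() {
    openssl pkcs12 -in "$WORK/$DOMAIN.p12" -passin "pass:$1" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

make_test_pki
strip_passphrase "$WORK/$DOMAIN.key.enc" "$WORK/$DOMAIN.key"
export_pkcs12
cert_summary "$WORK/$DOMAIN.crt"
key_matches_cert "$WORK/$DOMAIN.crt" "$WORK/$DOMAIN.key" && echo "key matches certificate"
verify_chain "$WORK/$DOMAIN.crt" "$WORK/issuer.crt" && echo "chain verifies against issuer"
cert_valid_for "$WORK/$DOMAIN.crt" 3600 && echo "not expiring within the hour"
pkcs12_opens_with "$P12PASS" && echo "PKCS#12 opens with the export password"
```

To use the checks on a real installation, point cert_summary, key_matches_cert and cert_valid_for at the files named in your SSLCertificateFile and SSLCertificateKeyFile directives, and verify_chain at the issuer bundle.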

Tuning SSL security

There are a few tools you can use to test SSL connections. The main one is openssl itself (openssl s_client); there are also scripts that produce a quick report to help highlight any concerns. For example the open-source sslyze works well and is actively developed.