
Securing Your Web Traffic: Installing an SSL Certificate

If you run an e-commerce site, or will otherwise be serving web traffic that you do not want someone to intercept, then you should install an SSL certificate.

The RimuHosting staff can purchase and install an SSL certificate on any server you host with us.  Just open a support ticket of the SSL type.

If you would prefer to do it yourself, here is how the SSL certificate setup goes:

  • You create a private key for your server.  Only you should ever see this key (a file). 
  • You create a certificate signing request (CSR) using this private key.  The CSR includes information about you or your organization and about the domain you want to protect with SSL. 
  • The certificate authority (CA) issues a certificate for you based on this CSR.  The certificate is only usable together with that private key, and your browser will only accept it (without warnings) if it was signed by a CA your browser trusts. 
  • Your browser then negotiates a secure (i.e. encrypted) connection to your server.  Anyone between your browser and the web server who intercepts this traffic will be unable to decrypt the content, as long as the browser refuses certificates it cannot verify: an attacker who can get the user to click through a certificate warning can substitute their own certificate and read everything.

Things to know:

  • SSL has traditionally required an IP address per domain, because the certificate is sent before the server knows which host name the browser asked for.  Current browsers and Apache versions support SNI (Server Name Indication), which lets several SSL domains share one IP; without SNI the only way to share an IP is to use non-standard port numbers.
  • A certificate is issued for a particular name, e.g. domain.com.  It will not work, without warnings, on other names, e.g. www.domain.com, unless the certificate also lists them (a wildcard or multi-domain certificate).  Make the Common Name the exact host name people will type.
  • SSL certificates are issued for a particular duration and have to be renewed before that runs out.
  • If a certificate expires the traffic is still encrypted, but the browser will warn its user, and most current browsers make that warning hard to click through.  Put the expiry date in your calendar.

Anyway, enough of that.  Time to get SSL running on your server:


prepcert() {
    httpdconfdir=/etc/httpd/conf
    if [ -e /etc/apache2 ]; then
        httpdconfdir=/etc/apache2
    fi
    # Ask for the domain unless $domainname is already set in the environment
    while [ -z "$domainname" ]; do
        echo "SSL Domain Name = ? "
        read domainname
    done

    # Create the private key, certificate signing request and certificate directories
    mkdir -p "$httpdconfdir/ssl.key/" "$httpdconfdir/ssl.csr/" "$httpdconfdir/ssl.crt/"

    # Create your private key file.  You need to make sure that no one else gets a copy of this.
    # 2048 bits is the minimum CAs accept; they refuse CSRs made from 1024-bit keys.
    if [ ! -e "$httpdconfdir/ssl.key/$domainname.key" ]; then
        openssl genrsa -out "$httpdconfdir/ssl.key/$domainname.key" 2048
        chmod 0600 "$httpdconfdir/ssl.key/$domainname.key"
    fi
    # add a -des3 option to the genrsa command if you want to protect the key with a
    # passphrase (Apache will then prompt for it every time it starts)

    if [ ! -e "$httpdconfdir/ssl.csr/$domainname.csr" ]; then
        # Create your certificate signing request.  This is what you'll send out to get your certificate.
        # The 'Common Name' must match your domain name exactly (e.g. www.domain.com).
        # Leave the challenge password blank (press Enter).
        openssl req -new -key "$httpdconfdir/ssl.key/$domainname.key" -out "$httpdconfdir/ssl.csr/$domainname.csr"
    fi

    # Create a self-signed certificate for now.  You will overwrite this
    # certificate with the one your SSL provider issues you.
    if [ ! -e "$httpdconfdir/ssl.crt/$domainname.crt" ]; then
        openssl x509 -req -days 3650 -in "$httpdconfdir/ssl.csr/$domainname.csr" -signkey "$httpdconfdir/ssl.key/$domainname.key" -out "$httpdconfdir/ssl.crt/$domainname.crt"
    fi

    # Double check your input:
    openssl req -noout -text -in "$httpdconfdir/ssl.csr/$domainname.csr"

    # Save the settings for when the certificate arrives
    echo "
export domainname=$domainname
export httpdconfdir=$httpdconfdir
" > /root/sslorderdetails
    # The CSR is what you paste into the CA's order form.  The private key is printed
    # only so you can back it up: never send it to the CA or anyone else.
    cat "$httpdconfdir/ssl.key/$domainname.key"
    cat "$httpdconfdir/ssl.csr/$domainname.csr"
    echo "Common Name = $domainname"

    echo "You will need to add this to your SSL-enabled VirtualHost:
SSLEngine On
SSLCertificateFile $httpdconfdir/ssl.crt/$domainname.crt
SSLCertificateKeyFile $httpdconfdir/ssl.key/$domainname.key"
}
prepcert

Order your SSL certificate.  There are many websites that will sell you one, e.g. http://rapidsslonline.com (currently about $15/certificate/year).  The web server type (for your order) is Apache + mod_ssl.

Follow the ordering process.  Eventually you will receive your certificate via email, often together with the CA's intermediate certificate (keep that too; you may need it, see the section on unknown-authority warnings below).  You then just need to copy the certificate file to the right location on your server:


source /root/sslorderdetails
cat << EOJ > $httpdconfdir/ssl.crt/$domainname.crt

After the above you'll need to paste in your SSL cert (from -----BEGIN CERTIFICATE----- down to -----END CERTIFICATE----- inclusive) then hit enter then type EOJ then hit enter again.

Then open up your Apache httpd.conf file with a text editor like vi.  The file is usually /etc/httpd/conf/httpd.conf (on Debian and Ubuntu the configuration lives under /etc/apache2/ instead).  Then make sure that there is a VirtualHost for both regular traffic (port 80) and SSL traffic (port 443), and that Apache is listening on 443 (a Listen 443 directive; the mod_ssl package normally adds one).  And add in the SSL options to the SSL VirtualHost directive.

To see the contents of the certificate, run: openssl x509 -in $httpdconfdir/ssl.crt/$domainname.crt -text | head -n 12


<VirtualHost *:80>
DocumentRoot "/var/www/vhosts/yourdomainname"
ServerName yourdomainname
ServerAlias *.yourdomainname
</VirtualHost>

<VirtualHost youripaddress:443>
DocumentRoot "/var/www/vhosts/yourdomainname"
ServerName yourdomainname
#ServerAlias here is not going to work without giving warnings to the user
SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl.crt/yourdomainname.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/yourdomainname.key
</VirtualHost>

The following code snippet should create the above entries: export httpdconfdir; export domainname; wget -qO - http://downloads.rimuhosting.com/addsslvhost | bash.  Note that this fetches a script over plain HTTP and runs it as root; on a server you care about, download it first, read it, and then run it.

Run apachectl configtest first, so a typo in the VirtualHost does not leave the server down, then restart Apache: /etc/init.d/httpd restart (on Debian and Ubuntu: /etc/init.d/apache2 restart).

You should now be able to browse to https://yourdomainname.com

When you go to browse the https page, do you get a warning about the certificate issuer not being recognised?  Then you probably need to tell Apache about the intermediate certificate that sits between your certificate and the issuer's root.  The CA should provide you this file.  Upload it to the /etc/httpd/conf/ssl.crt directory.  Then add a line like: SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ComodoSecurityServicesCA.crt after your SSLCertificateFile directive.  (Older guides use SSLCACertificateFile for this; that directive is really for verifying client certificates, and while older mod_ssl builds happened to send its contents as the chain, SSLCertificateChainFile is the directive meant for it.  On Apache 2.4.8 and later SSLCertificateChainFile is deprecated: append the intermediate certificate(s) to the end of the file named by SSLCertificateFile instead.)
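Before trusting the browser's verdict, check the files on disk.  The shell functions below are an added example (not part of the RimuHosting page or its addsslvhost script): they verify that the certificate was issued for the key Apache will load, that its name covers the host, that it is not about to expire, and that it chains to a trusted root via the intermediate you configured.  The demo generates a throwaway self-signed certificate for the made-up host example.test in a temporary directory; all paths and names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the RimuHosting page: pre-flight checks for the files an
# SSL VirtualHost will load.  The host name example.test and all paths are assumptions.
set -eu

# 0 if the public key inside the certificate is the one derived from the private key.
# When they differ Apache refuses to start with "key values mismatch".
cert_matches_key() {
    crt=$1; key=$2
    a=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

# 0 if $crt chains to a root in $ca (optionally via the issuer's intermediate $chain,
# the file SSLCertificateChainFile points at) and its SAN (or CN) covers $host.
# A failure here is what the browser reports as "unknown authority" or a name mismatch.
cert_valid_for_host() {
    crt=$1; host=$2; ca=$3; chain=${4:-}
    if [ -n "$chain" ]; then
        openssl verify -CAfile "$ca" -untrusted "$chain" -verify_hostname "$host" "$crt"
    else
        openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt"
    fi >/dev/null 2>&1
}

# 0 if the certificate is still valid $days from now, 1 if it will have expired by then.
cert_valid_for_days() {
    crt=$1; days=$2
    openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null
}

# Against a running server: does Apache send the chain, and does the name match?
# Not run in the demo because it needs the network.  Success is "Verify return code: 0 (ok)".
live_check() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -verify_hostname "$host" \
        </dev/null 2>/dev/null | grep 'Verify return code'
}

# Constructed input for the demo: a throwaway self-signed certificate whose SAN also
# covers www.$host, plus an unrelated key to show what a mismatch looks like.
make_demo_cert() {
    dir=$1; host=$2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host, DNS:www.$host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/req.cnf" \
        -extensions ext -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    chmod 0600 "$dir/$host.key"
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}

demo() {
    d=$(mktemp -d); h=example.test
    make_demo_cert "$d" "$h"
    cert_matches_key "$d/$h.crt" "$d/$h.key"    && echo "$h.key matches $h.crt"
    cert_matches_key "$d/$h.crt" "$d/other.key" || echo "other.key: key values mismatch"
    # A self-signed certificate verifies against itself as the trust anchor.
    cert_valid_for_host "$d/$h.crt" "www.$h" "$d/$h.crt"  && echo "www.$h is covered"
    cert_valid_for_host "$d/$h.crt" "mail.$h" "$d/$h.crt" || echo "mail.$h: name mismatch"
    cert_valid_for_days "$d/$h.crt" 7  && echo "still valid in 7 days"
    cert_valid_for_days "$d/$h.crt" 60 || echo "expires within 60 days: renew it"
    rm -rf "$d"
}
demo
```

For a real certificate, run cert_matches_key and cert_valid_for_host against the files under ssl.crt/ and ssl.key/, passing your distribution's CA bundle (for example /etc/ssl/certs/ca-certificates.crt on Debian, an assumption about your system) as the CA file and the issuer's intermediate as the chain; live_check then confirms that the server actually sends that chain, which is the case the unknown-authority warning above is about.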

Some people prefer to pay for one certificate and have several domain names aliased to the one domain.  This brings up browser warnings that the certificate doesn't match the domain.  The easy fix is an Apache rewrite rule that redirects all the alias domains to the 'default' domain, the one named in the certificate.

In the Apache config where you have configured your port 80 VirtualHost add the following rules (mod_rewrite must be loaded):


RewriteEngine On
RewriteCond %{HTTP_HOST}   !^$
RewriteCond %{HTTP_HOST}   !^domain\.com$ [NC]
RewriteRule ^/(.*)         http://domain.com/$1 [L,R=301]

If you want the entire website to be forced onto SSL as well, redirect to the certificate's domain over https instead.  (Redirecting to https://%{HTTP_HOST} would send the alias domains to an https host the certificate does not cover, which is exactly the warning you are trying to avoid.)


RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/(.*)         https://domain.com/$1 [L,R=301]

Put this in the port 80 VirtualHost only; the 443 VirtualHost serves just the domain the certificate names, so every domain ends up on the one with the SSL certificate.

Resolving 'Server Certificate Expired' and 'Certified By an Unknown Authority' Browser Warnings

Apache (on Red Hat style systems) comes with a default SSL host in /etc/httpd/conf.d/ssl.conf of <VirtualHost _default_:443>.  Apache may be using that VirtualHost, which has a self-signed certificate, rather than the VirtualHost you added.  Change that VirtualHost to <VirtualHost 127.0.0.1:443> so that it does not override the setting for the IP you entered, and restart Apache.  The web server should now pick up the SSL VirtualHost you added.  If you are unsure which VirtualHost is winning, apachectl -S lists the ones Apache has parsed and which one answers for each address and port.

Convert an OpenSSL certificate to a Tomcat PKCS12 keystore

Something like the following...

openssl pkcs12 -export -in <crtfile> -out <pkcs12file> -name "<certificate domain name>" -inkey <keyfile>

openssl pkcs12 -export -in /etc/httpd/conf/ssl.crt/promotionalway.com.crt -out /root/sslcert/promotionalway.com.pkcs12 -name "promotionalway.com" -inkey /etc/httpd/conf/ssl.key/promotionalway.com.key

You will be prompted for an export password; that is the keystorePass used below.  If the CA gave you an intermediate certificate, add -certfile <chainfile> so Tomcat serves the full chain.  Copy the resulting file to where Tomcat can read it (the connector below expects /usr/local/tomcat/promotionalway.com.pkcs12) and keep it mode 0600, since it contains the private key.

Then in /usr/local/tomcat/conf/server.xml do something like the following (keystorePass is stored in clear text there, so make server.xml readable by the Tomcat user only)...


    <Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
        enableLookups="true" disableUploadTimeout="true"
        acceptCount="100"  maxThreads="200" maxHttpHeaderSize="8192"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/usr/local/tomcat/promotionalway.com.pkcs12" keystorePass="developer"
        keystoreType="PKCS12"
        clientAuth="false" sslProtocol="TLS"/>
