Home > Support > HOWTO List > Web > SSL

Web howtos

Securing Your Web Traffic: Installing an SSL Certificate

If you run a e-commerce site, or will otherwise be serving web traffic that you do not want someone to intercept, then you should install an SSL certificate for the affected domain.

RimuHosting staff can purchase and install an SSL certificate on any server you host with us.  Just complete an SSL support ticket type.

$20 per SSL certificate install ticket (for SSL CSR creation and install).

LetsEncrypt's auto-renewing certificates no extra cost.
Regular certificates +$20 per domain per year.
Wildcard certificates and EV certificates are +$150 per year.
Prices are USD. GST will be added for NZ-based customers.

If you would prefer to do it yourself, here is a quick outline of how the SSL certificate setup goes:

Things to know:

To get SSL running on your server we have created a helper script that simplifies the key and csr creation process. Run the script as root or with root privilege or using sudo, and follow the the instructions.

wget -q -O ./prepcert.sh http://proj.ri.mu/prepcert.sh ; bash ./prepcert.sh

At the end of the script it will suggest web server directives that can be added on your existing apache config file. The output will be something like this

You may need to add these lines to your SSL-enabled VirtualHost:
--------------------- APACHE START HERE --------------------------------
  SSLEngine On
  SSLCertificateFile /etc/pki/rhcerts/example.com/example.com.2048.crt
  SSLCertificateKeyFile /etc/pki/rhcerts/example.com/example.com.2048.key
  SSLCACertificateFile /etc/pki/rhcerts//RapidSSL_CA_bundle.pem
---------------------- APACHE END HERE ---------------------------------
ref https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

To check the contents of a csr run (for example):

openssl req  -text -noout -in /etc/pki/rhcerts/example.com/example.com.2048.csr-1469066519 -text

To check the contents of a certificate, run (for example):

openssl x509 -text -noout -in /etc/pki/rhcerts/example.com/example.com.2048.crt

Setup the SSL vhost for your domain if you havent already, and configure the certificates lines to match your newly issued files.

You should now be able to browse to https://domainname.com

Verifying a key and certificate match

Sometimes its us useful to make sure a new certificate matches what you expect. This might come about if a certificate was ordered using a different (eg older) key by mistake. Or if the certificate was generated on a different server and you want to make sure all the parts are consistent. The below commands should help...

Check the hash of the public key, CSR, or private key to make sure they match...

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5

Check a Certificate Signing Request (CSR) for expected values

openssl req -text -noout -verify -in CSR.csr

Check a private key for configuration details

openssl rsa -in privateKey.key -check

Check a certificate reports everything that is expected (and nothing extra)

openssl x509 -in certificate.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in keyStore.p12

Issues you might see

When you go to browse the https page, you get a warning about the certificate issuer not being recognised. You may need to tell Apache about your SSL certificate issuer's certificate. They should provide you this file. Upload it to the web server if it is not there already, and add a line to the virtualhost configuration like...

SSLCACertificateFile /etc/pki/rhcerts//RapidSSL_CA_bundle.pem

Some people prefer to pay for 1 certificate and they have several domain names aliased to that one domain. Visitors to one of the aliased domains will see a warning in their browsers that the certificate doesnt match the domain. This is expected.

Some certificates can be issued to cover multiple domains. This costs more than multiple regular certificates. But can be useful in reducing the web server configurations required, and overhead from managing the extra certificates.

You may want visitors to be directed to a primary domain or a specific URL. In the apache config where you have configured your port 80 Virtualhost add the following rules

RewriteEngine On
RewriteCond %{HTTP_HOST}   !^$
RewriteCond %{HTTP_HOST}  !^domain.com [NC]
RewriteRule ^/(.*)  http://domain.com/$1 [L,R=301]

If you want entire domains to be pointed to ssl one you can do something like this instead

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This will ensure all domains redirect to the one with the SSL certificate.

Control panel issued certificates

Some hosting control panels will automatically provision SSL certificates for domains. If you are planning on doing a lot of website hosting and feel this might be useful feature we recomend installing VirtualminGPL when you order your server, as a stable and free option.

Specifically for Virtualmin, we have written the following guide

Resolving 'Server Certificate Expired' and 'Certified By an Unknown Authority' Browser Warnings.

Apache comes with a default SSL vhost configuration, for example on Centos that may be configured in in /etc/httpd/conf.d/ssl.conf. Apache may be using that VirtualHost, which has a self-signed certificate, rather than the VirtualHost you added. Change that to look like <VirtualHost> so that it does not override the setting for the IP you entered and restart Apache. The web server should now start picking up the SSL VirtualHost you added.

Removing a passphrase from an SSL certificate

There is a good guide on how to do that on the Apache wiki

Convert OpenSSL certificate to tomcat pks12 file

Something like the following...

openssl pkcs12 -export -in <crtfile> -out <pks21file> -name "<certificate domain name>" -inkey <keyfile>
openssl pkcs12 -export -in /etc/httpd/conf/ssl.crt/promotionalway.com.crt -out /root/sslcert/promotionalway.com.pkcs12 -name "promotionalway.com" -inkey /etc

Then in /usr/local/tomcat/conf/server.xml do something like the following...

    <Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
        enableLookups="true" disableUploadTimeout="true"
        acceptCount="100"  maxThreads="200" maxHttpHeaderSize="8192"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/usr/local/tomcat/promotionalway.com.pkcs12" keystorePass="developer"
        clientAuth="false" sslProtocol="TLS"/>

Tuning SSL security

There are a few tools out there you can use to test SSL connections. The main one is openssl itself, there are also scripts that can provide a quick report to help highlight any concerns. For example the open source sslyze seems to work quite well and is being actively developed. These online resources are also very useful...

Configurations: https://ssl-config.mozilla.org/
Testing: https://www.ssllabs.com/ssltest/