
Securing Your Web Traffic: Installing an SSL Certificate

If you run an e-commerce site, or will otherwise be serving web traffic that you do not want someone to intercept, then you should install an SSL certificate for the affected domain.

RimuHosting staff can purchase and install an SSL certificate on any server you host with us. Just open a support ticket of the SSL type.

$20 per SSL certificate install ticket (for SSL CSR creation and install).

LetsEncrypt's auto-renewing certificates: no extra cost.
Regular certificates: +$20 per domain per year.
Wildcard certificates and EV certificates: +$150 per year.
Prices are USD. GST will be added for NZ-based customers.

If you would prefer to do it yourself, here is a quick outline of how the SSL certificate setup goes:

Things to know:

To get SSL running on your server we have created a helper script that simplifies the key and CSR creation process. Run the script as root (or with root privileges via sudo) and follow the instructions. The command below fetches the script over plain HTTP, so read through the downloaded file before running it.

wget -q -O ./prepcert.sh http://proj.ri.mu/prepcert.sh ; bash ./prepcert.sh

At the end, the script suggests web server directives that can be added to your existing Apache configuration file. The output will look something like this:

You may need to add these lines to your SSL-enabled VirtualHost:
--------------------- APACHE START HERE --------------------------------
  SSLEngine On
  SSLCertificateFile /etc/pki/rhcerts/example.com/example.com.2048.crt
  SSLCertificateKeyFile /etc/pki/rhcerts/example.com/example.com.2048.key
  SSLCACertificateFile /etc/pki/rhcerts//RapidSSL_CA_bundle.pem
---------------------- APACHE END HERE ---------------------------------
ref https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

To check the contents of a CSR, run (for example):

openssl req -text -noout -in /etc/pki/rhcerts/example.com/example.com.2048.csr-1469066519

To check the contents of a certificate, run (for example):

openssl x509 -text -noout -in /etc/pki/rhcerts/example.com/example.com.2048.crt

Set up the SSL VirtualHost for your domain if you haven't already, and point the certificate directives at your newly issued files.

You should now be able to browse to https://domainname.com

Issues you might see...

  • When you browse to the https page, you get a warning about the certificate issuer not being recognised. You may need to tell Apache about your SSL certificate issuer's certificate. They should provide you this file. Upload it to the web server if it is not there already, and add a line to the VirtualHost configuration like:

    SSLCACertificateFile /etc/pki/rhcerts//RapidSSL_CA_bundle.pem
  • Requests that arrive under a hostname other than the one in your certificate (domain.com in this example) can be redirected to that hostname with rules like these in the VirtualHost:

    RewriteEngine On
    RewriteCond %{HTTP_HOST}   !^$
    RewriteCond %{HTTP_HOST}   !^domain.com [NC]
    RewriteRule ^/(.*)         http://domain.com/$1 [L,R=301]

    If you want all plain-HTTP requests for the domain redirected to the SSL site, you can do something like this instead:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    This ensures every HTTP request is redirected to the HTTPS site that serves the SSL certificate.

Resolving 'Server Certificate Expired' and 'Certified By an Unknown Authority' Browser Warnings

  • Apache ships with a default SSL VirtualHost; on CentOS, for example, it is configured in /etc/httpd/conf.d/ssl.conf. Apache may be serving that VirtualHost, which uses a self-signed certificate, rather than the VirtualHost you added. Change it to <VirtualHost 127.0.0.1:443> so that it no longer overrides the setting for the IP you entered, then restart Apache. The web server should now pick up the SSL VirtualHost you added.
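
The quickest way to confirm this is the problem is to ask Apache which VirtualHost it treats as the default for port 443. The script below is an added example (not part of this page or of Apache) that parses the vhost dump printed by `apachectl -S` (or `httpd -S`); the sample dump embedded in it is constructed to resemble a CentOS server where the stock ssl.conf host still wins, and the ssl.conf path and line number in it are made up.

```shell
#!/bin/sh
# Added example: work out which VirtualHost Apache treats as the default for a port,
# from the dump printed by `apachectl -S` (`httpd -S` on CentOS). If port 443's
# default server comes from the stock ssl.conf, its self-signed certificate is what
# browsers see, whatever your own VirtualHost says.
set -eu

# Constructed sample of `apachectl -S` output (not captured from a real server),
# modelled on a CentOS box where the stock ssl.conf VirtualHost is loaded before
# the administrator's own example.com vhost.
SAMPLE_VHOST_DUMP='VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/conf.d/example.com-ssl.conf:1)
*:80                   is a NameVirtualHost
         default server example.com (/etc/httpd/conf.d/example.com.conf:1)
         port 80 namevhost example.com (/etc/httpd/conf.d/example.com.conf:1)
ServerRoot: "/etc/httpd"'

# Read an `apachectl -S` dump on stdin and print "<server name> <file:line>" for the
# default VirtualHost on port $1. Handles the NameVirtualHost form above and the
# single-vhost form ("*:443   host.example (/path/to/conf:12)").
default_server_for_port() {  # $1 = port, e.g. 443
    awk -v port="$1" '
        substr($0, 1, 1) != " " {             # unindented line: start of an addr:port section
            insec = ($1 ~ (":" port "$"))
            if (insec && $2 != "is") {        # single vhost: name and file are on this line
                gsub(/[()]/, "", $3); print $2, $3; exit
            }
            next
        }
        insec && $1 == "default" && $2 == "server" {
            gsub(/[()]/, "", $4); print $3, $4; exit
        }'
}

# "yes" when port 443 is answered by a VirtualHost defined in the distribution's
# stock ssl.conf rather than in one of your own configuration files.
default_ssl_is_stock_vhost() {  # reads the dump on stdin
    case "$(default_server_for_port 443)" in
        *" "*/ssl.conf:*) echo yes ;;
        *)                echo no ;;
    esac
}

# Live use: `apachectl -S 2>&1 | default_server_for_port 443`
# (some builds print the dump on stderr, hence the 2>&1).
printf '%s\n' "$SAMPLE_VHOST_DUMP" | default_server_for_port 443
printf '%s\n' "$SAMPLE_VHOST_DUMP" | default_ssl_is_stock_vhost
```

If the first line names the ssl.conf host, apply the 127.0.0.1:443 change described above, restart Apache and run the check again; the default server for port 443 should now be your own VirtualHost.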

Removing a passphrase from an SSL private key

There is a good guide on how to do that on the Apache wiki.

Converting an OpenSSL certificate to a Tomcat PKCS12 file

Something like the following...

openssl pkcs12 -export -in <crtfile> -out <pkcs12file> -name "<certificate domain name>" -inkey <keyfile>

For example:

openssl pkcs12 -export -in /etc/httpd/conf/ssl.crt/promotionalway.com.crt -out /root/sslcert/promotionalway.com.pkcs12 -name "promotionalway.com" -inkey /etc/httpd/conf/ssl.key/promotionalway.com.key

Then in /usr/local/tomcat/conf/server.xml do something like the following...

    <Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
        enableLookups="true" disableUploadTimeout="true"
        acceptCount="100"  maxThreads="200" maxHttpHeaderSize="8192"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/usr/local/tomcat/promotionalway.com.pkcs12" keystorePass="developer"
        keystoreType="PKCS12"
        clientAuth="false" sslProtocol="TLS"/>
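
The three openssl tasks on this page (checking that the CSR, key and issued certificate belong together before editing the VirtualHost, removing the key passphrase, and packing key and certificate into a PKCS12 file for Tomcat) can be checked end to end with the script below. It is an added example, not RimuHosting's prepcert.sh or the Apache wiki's guide. It generates its own throwaway material so it runs offline: the file names, the CN example.com, the self-signed certificate standing in for the CA-issued one, and both passphrases are constructed for the example.

```shell
#!/bin/sh
# Added example (not RimuHosting's prepcert.sh or the Apache wiki's text). It builds
# throwaway test material, checks that key, CSR and certificate belong together,
# strips the key passphrase, and packs key+certificate into a PKCS#12 file for Tomcat.
# File names, the subject CN and both passphrases are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY_PASS=example-passphrase     # constructed; protects the generated private key
STORE_PASS=example-store-pass   # constructed; becomes Tomcat's keystorePass

# Stand-ins for the files prepcert.sh writes and for the CA-issued certificate.
# The certificate is self-signed here only so the example runs offline.
make_test_material() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc \
        -pass "pass:$KEY_PASS" -out "$WORK/example.com.key" 2>/dev/null
    openssl req -new -key "$WORK/example.com.key" -passin "pass:$KEY_PASS" \
        -subj "/CN=example.com" -out "$WORK/example.com.csr"
    openssl x509 -req -in "$WORK/example.com.csr" -signkey "$WORK/example.com.key" \
        -passin "pass:$KEY_PASS" -days 30 -out "$WORK/example.com.crt" 2>/dev/null
}

# SHA-256 of the public key carried by a key, CSR or certificate. Apache refuses to
# start when the key and certificate disagree, so all three must print the same value.
pubkey_fingerprint() {  # $1 = key|req|x509, $2 = file, $3 = key passphrase (optional)
    case "$1" in
        key)  if [ -n "${3:-}" ]; then openssl pkey -in "$2" -passin "pass:$3" -pubout
              else openssl pkey -in "$2" -pubout; fi ;;
        req)  openssl req -in "$2" -pubkey -noout ;;
        x509) openssl x509 -in "$2" -pubkey -noout ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# "match" when key, CSR and certificate share one public key, otherwise "mismatch".
check_material() {
    k=$(pubkey_fingerprint key  "$WORK/example.com.key" "$KEY_PASS")
    r=$(pubkey_fingerprint req  "$WORK/example.com.csr")
    c=$(pubkey_fingerprint x509 "$WORK/example.com.crt")
    if [ "$k" = "$r" ] && [ "$r" = "$c" ]; then echo match; else echo mismatch; fi
}

# Exit 0 if the certificate is still valid $2 days from now; catches the
# 'Server Certificate Expired' warning before visitors do.
valid_for_days() {  # $1 = certificate, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Write an unencrypted copy of the key so Apache can start without a prompt.
# Created with mode 0600; `openssl rsa -in ... -out ...` does the same for RSA keys.
strip_passphrase() {  # $1 = encrypted key, $2 = passphrase, $3 = output key
    ( umask 077; openssl pkey -in "$1" -passin "pass:$2" -out "$3" )
}

# "yes" if the PEM still carries an encryption header, "no" once it is plaintext.
key_is_encrypted() {
    if grep -q ENCRYPTED "$1"; then echo yes; else echo no; fi
}

# Bundle key and certificate into PKCS#12 for Tomcat's keystoreFile / keystorePass.
export_pkcs12() {  # $1 = certificate, $2 = unencrypted key, $3 = output .p12
    ( umask 077; openssl pkcs12 -export -in "$1" -inkey "$2" -name example.com \
        -passout "pass:$STORE_PASS" -out "$3" )
}

# Subject of the certificate inside a PKCS#12 file, to confirm the export worked.
pkcs12_subject() {  # $1 = .p12 file
    openssl pkcs12 -in "$1" -passin "pass:$STORE_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

if command -v openssl >/dev/null 2>&1; then
    make_test_material
    echo "key/csr/crt: $(check_material)"
    strip_passphrase "$WORK/example.com.key" "$KEY_PASS" "$WORK/example.com.nopass.key"
    echo "nopass key encrypted: $(key_is_encrypted "$WORK/example.com.nopass.key")"
    export_pkcs12 "$WORK/example.com.crt" "$WORK/example.com.nopass.key" "$WORK/example.com.p12"
    echo "pkcs12 holds: $(pkcs12_subject "$WORK/example.com.p12")"
fi
```

On a real server, point the functions at the files prepcert.sh wrote under /etc/pki/rhcerts/ and at the certificate your CA returned; a "mismatch" means the certificate was issued for a different CSR than the key you are installing. Whichever unencrypted key or PKCS12 file you keep should stay readable by root only.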

Tuning SSL security

There are a few tools you can use to test SSL connections. The main one is openssl itself; there are also scripts that produce a quick report to help highlight any concerns. For example, the open source sslyze seems to work quite well and is being actively developed. These online resources are also very useful...

https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://www.ssllabs.com/ssltest/