SSL tutorial

This page holds notes on setting up SSL on a webserver. I am running Apache 2.0.54 as of this writing, so if you are running a different server or a different version, you need to make allowances.

Some resources are:

SSL is an encrypted protocol for the web (and whatever else). Once your server is set up, people can access secure pages via URL's beginning with https://
and they will get at your server on port 443 rather than port 80, so you may need to make firewall arrangements to allow this.

The central issue in setting up a secure website is obtaining and installing a certificate, so I will focus on this. A certificate does two things: it validates that you are who you say you are and it encrypts information coming from, and more importantly, going to your website. It is usually the latter that your clients are most concerned about and some care is required to make sure, for example, that html forms actually submit results to a https: protected URL (just getting the form via https: doesn't really protect anything important, except in rare circumstances, but it probably does make your clients feel good).

To get a certificate you must send a CSR (certificate signing request) to an issuing agency, provide whatever verification they require, and pay them money. In return you get a certificate that is valid for some period of time which you then must install in your webserver.

On my system, the relevant Apache files are tucked away in /etc/httpd/conf.d/ssl.conf and the most relevant lines seem to be:

SSLCertificateFile /etc/httpd/conf/potroast.crt
SSLCertificateKeyFile /etc/httpd/conf/potroast.key

Here potroast.crt is the certificate (which will ultimately get mailed to you from the certificate issuing agency), and potroast.key is the server private key. Apart from a lot of swearing and dorking you will have to do with ssl.conf and perhaps (or perhaps not) a bit in httpd.conf (along with countless restarts of the apache server) the issue now revolves around producing these two files.

There are 3 places that I like to consider as sources of cheap and entirely serviceable SSL certificates (really just two, but keep reading):

Originally I did the FreeSSL thing and it was great (for 30 days), and now on going back to actually buy a certificate, I encounter the SSL247 outfit that is to all outward appearances selling the same thing and even offering a 30 day trial as well. RapidSSL is a subsidiary of Geotrust and issues single root certificates. The other major player is Verisign (of which Thawte is a subsidiary).

My setup of Apache is running MODSSL as near as I can tell. To generate the server key, do one of the following:

openssl genrsa -des3 -out potroast.key 1024
openssl genrsa -out potroast.key 1024

The first is better in the sense that you are required to enter a passphrase to protect the key. You also must remember this passphrase and enter it whenever you restart your webserver (or reboot your machine), so the choice is yours, security or convenience. Whatever the case, save and treasure this key file, because if you loose it you will have to generate a new one and obtain a new certificate. Also, this is a private key, so view it as a treasured secret.

Now the thing to do is use the key to generate a CSR, you will need (and be prompted for) the passphrase if you used one as you should.

openssl req -new -key potroast.key -out potroast.csr

After you answer a few questions, this spits out potroast.csr which is your certificate signing request. Now you go through whatever gyrations your chosen certificate vendor indicates. Typically this involves pasting the certificate into a form and answering a phone call. You may also have to get authorized people to OK the certificate being issued, or maybe even have people mailing papers of incorporation, who knows. At the end of this process (all aimed at validating that you are who you say you are), you get an email containing your certificate. It seems to work to save the whole email as potroast.crt, but it is nicer to use an editor to hack out all the mail headers and everything but the certificate itself. Copy it into /etc/httpd/conf along with the key, protect them both so only root can read them, restart apache and you are on the air!


Have any comments? Questions? Drop me a line!

Adventures in Computing / [email protected]