No doubt that if you've used any social networking site or purchased anything online you've used a secure HTTPS connection. It's ubiquitous and it's the standard. So what is it and how do you use it?
HTTPS (e.g. https://www.amazon.com) is an amalgamation of HTTP (Hypertext Transfer Protocol) and SSL (Secure Sockets Layer) that combine to create encrypted communication and secure identification of web servers on a network. HTTPS connections are often used for payment transactions on e-commerce sites and sensitive transactions in various enterprise and social networking information systems.
Most modern web servers such as Apache, IIS, nginx (pronounced engine x), lighttpd (pronounced lighty), and others are capable of running HTTPS using an SSL certificate. Purchasing an SSL certificate is as easy as purchasing a domain name (in fact your registrar probably offers this service); however, the cost and complexity of creating and configuring a web server will vary. Not all SSL certificates are the same and there are a plethora of configurations that a web server may have to use the SSL in various ways.
In most cases, first-time LAMP administrators and web developers will be setting up an e-commerce site that uses a shopping cart & checkout system that needs to connect to a payment gateway in order to process credit card transactions. Although setting up HTTPS is not rocket science, there are so many configuration variables that the task can be mired by snags that require hours of troubleshooting. Thankfully, if you RTFM (read the fucking manual) you'll soon find out that most SSL LAMP and Windows-based packages offer a number of troubleshooting and diagnostic tools once the subset of SSL applications have been installed and enabled. To be brief, this is what this post is all about: it's one step up a level in terms of difficulty after creating a basic self-signed (untrusted) certificate and enabling the web server to use it.
You can visualize the HTTPS handshake like this:
Web Browser Client ---> Web Server: The web browser asks "I would like to make a secure HTTPS connection to you. Are you who you say you are?"
Web Server ---> Web Browser Client: The web server says "Yes, here is my SSL certificate. Please use this certificate authority (CA) and check with them to confirm."
Certificate Authority (CA) Server ---> Web Browser: The CA says "I can verify that the web server is who it says it is, and you may proceed with a trusted and secure HTTPS connection."
If all is set right and everything checks out, the web browser and web server may proceed with a trusted and secure connection.
Admins running Windows and IIS servers, you can go home now because the rest of this post is concerned with Linux systems, but please read on for a cursory understanding of the whole process. LAMP (Linux, Apache, MySQL, PHP/Perl) admins, your systems will vary ever so slightly. In this example a Debian 5 system running Apache 2 and PHP5 is used; in most cases I've performed the same work on Ubuntu as well as RHEL5, Fedora, & CentOS Linux distros.
In order to proceed, here's what you'll need to have and know:
1) Administrator-level access to your registrar and/or SSL retailer.
2) An email address that you have access to that appears in your domain name's WHOIS information as the administrative contact. (There are at least 2 critical email confirmations that need to be responded to in a timely manner in this process.)
3) SSH root-level access to your server, or root privileges with the ability to execute "sudo" or "sudo -i".
4) Familiarity using these common Unix programs in a terminal: apt-get (or yum), nano (or vi or vim), ln, cp, chmod, & service (or she-banging from /etc/init.d/) and finally openssl (we'll learn more about that real soon).
In the next steps we'll be creating the following files: SSL Private Key file, SSL Certificate Request file, SSL Certificate, Intermediate Certificate Authority file, and finally an Apache2 virtual host configuration file.
It's assumed that you also have at least one Apache virtual (or default) host running in a standard config on port 80 at this point.
OK, so open a secure shell to your server and begin work in your home or root directory by creating a working directory and then entering (cd) into it using the following two commands:
lampserver:~# mkdir www-myserver-org-ssl-keys
lampserver:~# cd www-myserver-org-ssl-keys
If your LAMP stack doesn't have mod_ssl and openssl installed, please install them from your repos now using apt-get or yum. All dependencies should also resolve at the end of each transaction. On Debian the SSL module ships inside the apache2 package itself (you enable it with a2enmod later on); on RHEL-style systems it is the separate mod_ssl package (yum install openssl mod_ssl).
lampserver:~/www-myserver-org-ssl-keys# apt-get install openssl
lampserver:~/www-myserver-org-ssl-keys# apt-get install apache2
Next generate a 2048-bit RSA private key and certificate signing request file using openssl. Check with the SSL retailer's encryption specs; you may be able to use 1024-bit encryption or, moving in the other direction, perhaps you'll need something stronger. The first command is the private key creation, which the server will then use in the following command to create a second file that is the certificate signing request (CSR). In any event, both commands allow you to specify ANY file name and extension after the "-out" flag. For sanity's sake name it something memorable. So "www.myserver.org.key" can be "www.yourdomainname.org.key" and so on.
lampserver:~/www-myserver-org-ssl-keys# openssl genrsa -out www.myserver.org.key 2048
lampserver:~/www-myserver-org-ssl-keys# openssl req -new -key www.myserver.org.key -out www.myserver.org.csr
This second command will prompt you for the following X.509 attributes of the certificate:
Country Name: Use the two-letter code without punctuation for the country, for example: US or CA.
State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: California.
Locality or City: The Locality field is the city or town name, for example: Berkeley. Do not abbreviate. For example: Saint Louis, not St. Louis.
Company: If the company or department has an &, @, or any other symbol using the shift key in its name, the symbol must be spelled out or omitted in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
Organizational Unit: This field is optional, but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organizational unit making the request. To skip the OU field, press Enter on the keyboard.
Common Name: The Common Name is the fully qualified domain name. Enter "www.myserver.org", or "myserver.org" if the bare domain also points to this server.
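The same two steps can be done without the prompts, which makes them repeatable and lets you inspect the CSR before pasting it anywhere. The script below is an added example and not part of the original post; it goes a little beyond the text by answering the X.509 questions with -subj and then reading the CN, the key size and the request's self-signature back out of the files. It assumes openssl is on the PATH, and the hostname, organisation and location values in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the private key and
# CSR non-interactively and inspects the CSR. Assumes: openssl on PATH.
# The hostname, organisation and location values are placeholders.
set -e

# make_key_and_csr DIR FQDN ORG
# Writes DIR/FQDN.key (mode 0600) and DIR/FQDN.csr. The -subj string supplies
# the same X.509 fields the interactive "openssl req" run prompts for:
# C, ST, L, O and CN (OU is optional and simply left out here).
make_key_and_csr() {
    dir=$1; fqdn=$2; org=$3
    mkdir -p "$dir"
    # umask 077 so the key file is never readable by other users, even briefly
    (umask 077 && openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null)
    openssl req -new -batch -key "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
        -subj "/C=US/ST=California/L=Berkeley/O=$org/CN=$fqdn"
}

# csr_common_name CSR -> prints the CN from the request's subject
csr_common_name() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^/,]*\).*/\1/p'
}

# csr_is_valid CSR -> 0 if the request's self-signature verifies, i.e. the
# file was not mangled while copying (a truncated paste is a common snag)
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# key_bits KEY -> prints the RSA modulus size, to check against the CA's minimum
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n '1s/.*(\([0-9]*\) bit.*/\1/p'
}

# Usage: sh make-csr.sh ~/www-myserver-org-ssl-keys www.myserver.org "My Org"
if [ "$#" -eq 3 ]; then
    make_key_and_csr "$1" "$2" "$3"
    echo "CN:   $(csr_common_name "$1/$2.csr")"
    echo "bits: $(key_bits "$1/$2.key")"
    csr_is_valid "$1/$2.csr" && echo "CSR signature OK"
    cat "$1/$2.csr"   # this is the text to paste into the retailer's form
fi
```

Running it with the three arguments prints the CN and key size so you can compare them against what the retailer expects, then dumps the CSR text for copying.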
Once the process finishes the certificate signing request file (CSR) has been created, so head over to your SSL retailer and begin purchasing your SSL cert. After the purchase process begins a confirmation email will arrive in your registrar admin account simply asking you to confirm the purchase of the SSL itself. Follow up on the email immediately, confirm the purchase and proceed to the next step and the series of questions your registrar will ask about the SSL certificate, until the setup reaches the point where it asks for your CSR file. As mentioned earlier, it's critical that you have access to the email account listed in the domain's WHOIS information because after you give them the CSR text that's the email address where the actual SSL certificate will be sent as plain text, as well as the Intermediate Certificate Authority text or a link to where it can be downloaded.
OK? Got it? Use the command below to open the Certificate Signing Request (CSR) file, then copy its text and paste it into the appropriate text field at the SSL retailer's web site.
lampserver:~/www-myserver-org-ssl-keys# nano www.myserver.org.csr (copy the text from the terminal)
Shortly after submitting the CSR the actual SSL certificate and certificate authority file and instructions will arrive via email.
Copy the certificate text, create your certificate file on your server and paste in the long text string:
lampserver:~/www-myserver-org-ssl-keys# nano www.myserver.org.crt
Now create the intermediate certificate file and paste in the "INTERMEDIATE CA:" section from the email:
lampserver:~/www-myserver-org-ssl-keys# nano rapidssl-INTERMEDIATE.crt
Now set the proper permissions to the certs.
lampserver:~/www-myserver-org-ssl-keys# chmod 600 *
Copy the entire "www-myserver-org-ssl-keys" directory to the appropriate (and secure!) place on your web server (in some Linux distros it's /etc/pki/certs/...)
lampserver:~/www-myserver-org-ssl-keys# cp -R /root/www-myserver-org-ssl-keys /etc/apache2/
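Before copying the files into place it pays to confirm that they actually belong together: that the certificate was issued for this private key, that the chain from certificate through intermediate to a trusted root verifies, and that the certificate covers the hostname and isn't about to expire. Those are exactly the things a browser checks, so catching them here saves a round of troubleshooting after the restart. The script below is an added example and not from the original post; it assumes openssl is on the PATH. Since a real certificate can't be embedded here, make_demo_pki builds a throwaway root, intermediate and server certificate (a constructed sample) purely so the checks can be exercised offline; with your own files you point the check functions at the .crt, the intermediate .crt and the .key from the steps above (the system trust store supplies the root in that case).

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks to run on the
# certificate, private key and intermediate before copying them into the
# Apache config directory. Assumes openssl on PATH. The demo PKI built by
# make_demo_pki is constructed here purely so the checks can be exercised
# offline; in real use point the functions at the files from your CA.
set -e

# cert_matches_key CERT KEY -> 0 if the certificate was issued for this key
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_chains_ok LEAF INTERMEDIATE ROOT FQDN -> 0 if LEAF chains through
# INTERMEDIATE to ROOT and is valid for FQDN. This mirrors what a browser
# does with the intermediate the server sends and the root in its store.
cert_chains_ok() {
    openssl verify -CAfile "$3" -untrusted "$2" -verify_hostname "$4" "$1" 2>&1 \
        | grep -q ': OK$'
}

# cert_valid_for_days CERT DAYS -> 0 unless CERT expires within DAYS days
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# make_demo_pki DIR FQDN: throwaway root -> intermediate -> server cert,
# each valid for 30 days. Constructed for the demo; not a real CA.
make_demo_pki() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    for n in root int server; do
        (umask 077 && openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null)
    done
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$fqdn" > "$dir/leaf.ext"
    # self-signed root
    openssl req -new -batch -key "$dir/root.key" -subj "/CN=Demo Root CA" -out "$dir/root.csr"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    # intermediate signed by the root
    openssl req -new -batch -key "$dir/int.key" -subj "/CN=Demo Intermediate CA" -out "$dir/int.csr"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    # server certificate signed by the intermediate (what the retailer sends you)
    openssl req -new -batch -key "$dir/server.key" -subj "/CN=$fqdn" -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>/dev/null
}

# Usage: sh check-certs.sh www.myserver.org.crt www.myserver.org.key \
#            rapidssl-INTERMEDIATE.crt /path/to/root.crt www.myserver.org
if [ "$#" -eq 5 ]; then
    cert_matches_key "$1" "$2"           && echo "certificate matches key"
    cert_chains_ok "$1" "$3" "$4" "$5"   && echo "chain verifies for $5"
    cert_valid_for_days "$1" 30          && echo "not expiring within 30 days"
fi
```

The negative cases matter as much as the positive one: the same functions must refuse a key that doesn't belong to the certificate, a chain with the intermediate missing, and a hostname the certificate doesn't cover, which is what the verification below exercises against the demo PKI.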
Now create the Apache virtual SSL host to run on port 443. In some cases Apache 2 might be set up to use a single monolithic "httpd.conf" file, if so paste in the new virtual host at the very end of the file.
lampserver:~/www-myserver-org-ssl-keys# nano /etc/apache2/sites-available/myserver-ssl.org
The virtual host should look like this :
<VirtualHost 173.255.217.135:443>
    ServerName myserver.org
    ServerAlias www.myserver.org
    ServerAlias m.myserver.org
    DocumentRoot /var/www/myserver-org
    ErrorLog /var/log/myserver-ssl-error.httpd.log
    TransferLog /var/log/myserver-access.httpd.log

    ### start cert ###
    SSLEngine on
    SSLProtocol all

    SSLCertificateFile /etc/apache2/www-myserver-org-ssl-keys/www.myserver.org.crt
    SSLCertificateKeyFile /etc/apache2/www-myserver-org-ssl-keys/www.myserver.org.key
    # Apache 2.2 sends the intermediate to browsers via SSLCertificateChainFile;
    # SSLCACertificateFile is only consulted when verifying client certificates.
    SSLCertificateChainFile /etc/apache2/www-myserver-org-ssl-keys/rapidssl-INTERMEDIATE.crt

    SSLVerifyClient none
    SSLOptions +StdEnvVars
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    ### end cert ###

    <Directory /var/www/myserver-org>
        AllowOverride All
    </Directory>
</VirtualHost>
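Apache will happily start with a vhost whose key is world-readable, that never sends the intermediate, or that still negotiates SSLv2, so a quick look over the file before the restart is worth having. The script below is an added example, not part of the original post or of Apache; it assumes Apache 2.2 directive semantics and a POSIX shell with grep, awk and ls. It writes two constructed sample vhosts, a weak one modelled on the block above (SSLProtocol all, intermediate under SSLCACertificateFile, key left at mode 644) and a corrected one (SSLProtocol all -SSLv2 -SSLv3, SSLCertificateChainFile, key at mode 600), so the lint can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original post: a small lint for an Apache 2.2
# SSL virtual host that flags the three mistakes the setup above is most
# prone to. Assumes only POSIX sh, grep, awk and ls. The two sample vhosts
# written by write_sample_vhost are constructed here for demonstration.
set -e

# lint_ssl_vhost FILE: prints one "FINDING:" line per problem found
lint_ssl_vhost() {
    f=$1
    if ! grep -qiE '^[[:space:]]*SSLEngine[[:space:]]+on' "$f"; then
        echo "FINDING: SSLEngine is not switched on"
    fi
    # 1. SSLProtocol "all" (or an explicit SSLv2/SSLv3) without -SSLv2 -SSLv3
    proto=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$f" | head -n 1 \
            | tr 'A-Z' 'a-z' | tr -s '[:space:]' ' ')
    if [ -z "$proto" ]; then
        echo "FINDING: no SSLProtocol line; mod_ssl's default may include SSLv2/SSLv3"
    else
        case " $proto " in
            *" all "*|*" sslv2 "*|*" sslv3 "*|*" +sslv2 "*|*" +sslv3 "*)
                case "$proto" in
                    *-sslv2*-sslv3*|*-sslv3*-sslv2*) ;;   # both excluded: fine
                    *) echo "FINDING: SSLProtocol enables SSLv2/SSLv3: $proto" ;;
                esac ;;
        esac
    fi
    # 2. Intermediate given only via SSLCACertificateFile. In Apache 2.2 that
    #    directive lists CAs for *client* certificate checks; the intermediate
    #    browsers need is sent with SSLCertificateChainFile.
    if grep -qiE '^[[:space:]]*SSLCACertificateFile[[:space:]]' "$f" \
       && ! grep -qiE '^[[:space:]]*SSLCertificateChainFile[[:space:]]' "$f" \
       && ! grep -qiE '^[[:space:]]*SSLVerifyClient[[:space:]]+(require|optional)' "$f"; then
        echo "FINDING: intermediate sits in SSLCACertificateFile; browsers will not receive it, use SSLCertificateChainFile"
    fi
    # 3. Private key readable by anyone other than its owner
    key=$(awk 'tolower($1)=="sslcertificatekeyfile"{print $2; exit}' "$f")
    if [ -n "$key" ] && [ -e "$key" ]; then
        mode=$(ls -l "$key" | cut -c1-10)
        if [ "$mode" != "-rw-------" ]; then
            echo "FINDING: $key has mode $mode, expected -rw------- (chmod 600)"
        fi
    fi
}

# count_findings FILE -> number of FINDING lines
count_findings() {
    lint_ssl_vhost "$1" | grep -c '^FINDING:' || true
}

# write_sample_vhost DIR weak|hardened -> prints the path of a constructed
# vhost file modelled on the one above (sample only, not a real site)
write_sample_vhost() {
    dir=$1; kind=$2
    mkdir -p "$dir"
    : > "$dir/server.key"; : > "$dir/server.crt"; : > "$dir/intermediate.crt"
    if [ "$kind" = weak ]; then
        chmod 644 "$dir/server.key"
        proto="SSLProtocol all"
        chain="SSLCACertificateFile $dir/intermediate.crt"
    else
        chmod 600 "$dir/server.key"
        proto="SSLProtocol all -SSLv2 -SSLv3"
        chain="SSLCertificateChainFile $dir/intermediate.crt"
    fi
    cat > "$dir/vhost-$kind.conf" <<EOF
<VirtualHost *:443>
    ServerName www.myserver.org
    SSLEngine on
    $proto
    SSLCertificateFile $dir/server.crt
    SSLCertificateKeyFile $dir/server.key
    $chain
    SSLVerifyClient none
</VirtualHost>
EOF
    echo "$dir/vhost-$kind.conf"
}

# Usage: sh lint-vhost.sh /etc/apache2/sites-available/myserver-ssl.org
if [ "$#" -eq 1 ]; then
    lint_ssl_vhost "$1"
fi
```

Run against the weak sample it reports all three findings; against the corrected sample it reports none. Pointing it at your real sites-available file works the same way, and the key-permission check only fires when the path in SSLCertificateKeyFile actually exists on the box.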
Create a symlink in the sites-enabled folder so that Apache loads the new virtual host.
lampserver:/etc/apache2/www-myserver-org-ssl-keys# ln -s /etc/apache2/sites-available/myserver-ssl.org /etc/apache2/sites-enabled/myserver-ssl.org
Make sure Apache is listening on port 443 when mod_ssl is enabled.
lampserver:/etc/apache2/www-myserver-org-ssl-keys# nano /etc/apache2/ports.conf
Add the following to /etc/apache2/ports.conf:
<IfModule mod_ssl.c>
    # SSL name based virtual hosts are not yet supported, therefore no
    # NameVirtualHost statement here
    Listen 443
</IfModule>
Make sure mod_ssl is enabled using Debian's a2enmod tool:
lampserver:/etc/apache2/www-myserver-org-ssl-keys# a2enmod ssl
....Module ssl already enabled
Restart the apache2 web server.
lampserver:/etc/apache2/www-myserver-org-ssl-keys# service apache2 restart
Your server is now running HTTPS! Visit https://www.myserver.org to make sure the SSL cert is working.
At this point you may want to visit some third-party web sites that will scan your entire HTTPS setup and verify all is working well. Here, let me google that for you -- Check out:
https://www.ssllabs.com
http://www.sslshopper.com
In the next post I'll briefly explain the use of the "openssl" command line tool and how it can be used to troubleshoot SSL errors. Until then, happy SSL'ing.