Creating a webserver isn't hard; the problem comes when you have to use SSL certificates. The process to create them isn't always clear, so here is a little guide to help you set this up on your network.

First: Install dependencies

Yes, you need them. Let's do a very basic setup (plain HTML with SSL); we can add additional features later. Make sure you run this as root.

The Ubuntu way: apt-get install apache2 openssl

The CentOS way: yum -y install httpd mod_ssl openssl

Additionally, on Ubuntu you need to run a2enmod ssl after installing apache2; this enables the SSL module correctly.

Second: Create the SSL Certificate

Run the following commands:

This will create the private key that we need in order to generate the certificate request. Take note of the pass phrase used here; you'll need it later.

This will generate the certificate request, but you need to answer some questions. Use this as an example (consider # as comments):

Common Name is the tricky part. In practice, if you set the common name to a FQDN like mysite.mywebserver.com, the certificate will only work correctly for that FQDN. If you apply the certificate to another site like anothersite.mywebserver.com, it still works, but the browser will report that the certificate is being used on a different host, and that is certainly bad if we want to keep a good level of credibility. If you have just one site to publish, go ahead and create the certificate just for it. If you have multiple sites, consider creating individual certificates, or use a wildcard certificate by setting a * plus your domain as the common name, i.e. *.mywebserver.com; in that case all sites under the .mywebserver.com domain will be accepted by the certificate without problems.

Optional: Remove Pass Phrase from private key

This is completely optional. If you keep the pass phrase, every time you start Apache it will ask for it. If someone "accidentally" reboots the server, Apache will wait until someone submits the pass phrase before it continues loading; in the meantime your site is totally down, and your customers may start yelling at you.

If you want to prevent this, run the following commands:

Third: Self signing or Signed by a CA

The main thing to understand here is the difference between a self-signed certificate and a certificate signed by a Certificate Authority (CA). The functionality is the same in both cases: the communication will be encrypted. But a CA gives you more than just a signed certificate; let me explain this with pictures.

Did you notice that when you browse an HTTPS site, your browser places a padlock-like icon near the URL?

[Image: facebookSSL]
Using Chrome as our browser, if you navigate to Facebook via HTTPS you will notice that the padlock icon is green. This color means that the Authority is actually certifying that the identity of the site is valid (this means that VeriSign is saying that facebook.com is facebook.com and not a fake). This is a real advantage for sites that provide e-commerce or financial services, or that handle sensitive user data. This kind of CA certificate is quite expensive, but if your goal is e-commerce and you need people to trust you, then this is a must-have; check the VeriSign (owned by Symantec) site here if you want to check prices.

 

Now, a good browser will alert you when something is strange on an HTTPS site. Chrome does a really good job, but it may scare people.

When there is an SSL Problem

Just notice the padlock with a "Red X" and a full red alert on screen. Any common user will be too scared to proceed, and that could be a real problem if you started your own small business and people cannot trust you after seeing this. To put it simply, no normal user will give you money if you don't provide trusted identity information. This is where a self-signed certificate cannot help, so you may want to rely on self-signed certificates only on your test environments or on your company intranet.

If you want to continue with a CA certificate, then select a good CA (like VeriSign) and provide them your certificate request file and the private key file; they will give further instructions when your certificate is signed.

If you want to self-sign, then run the following command:

This will create a certificate file valid for 1 year (you can adjust the time with the -days option). Now place your .crt and .key files somewhere out of normal users' reach, like /etc/httpd/certs or /etc/apache2/certs.
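The whole sequence from the second and third steps (key, request, optional pass phrase removal, self-signing) as one script, with a check that the certificate really belongs to the key. This is an added example, not the commands from the original post; the file names, the subject fields and the example pass phrase are assumptions.

```shell
#!/bin/sh
# Added example: generate a private key, a certificate request and a
# self-signed certificate with openssl, then prove that they belong together.
# File names, subject fields and the pass phrase are assumptions.
set -eu

# Step 1: private key protected by a pass phrase (Apache asks for it on start).
gen_key() {            # gen_key <outdir> <passphrase>
    openssl genrsa -aes256 -passout "pass:$2" -out "$1/server.key.enc" 2048 2>/dev/null
    chmod 600 "$1/server.key.enc"   # keep the key away from normal users
}

# Step 2: certificate request; -subj answers the questions non-interactively.
# Common Name is the FQDN, or "*.mywebserver.com" for a wildcard (a wildcard
# covers one label only: a.mywebserver.com, not a.b.mywebserver.com).
gen_csr() {            # gen_csr <outdir> <passphrase> <common-name>
    openssl req -new -key "$1/server.key.enc" -passin "pass:$2" \
        -subj "/C=CR/ST=San Jose/L=San Jose/O=Example Org/OU=IT/CN=$3" \
        -out "$1/server.csr"
    openssl req -noout -verify -in "$1/server.csr" >/dev/null 2>&1
}

# Optional: strip the pass phrase so the daemon can restart unattended.
strip_passphrase() {   # strip_passphrase <outdir> <passphrase>
    openssl rsa -in "$1/server.key.enc" -passin "pass:$2" -out "$1/server.key" 2>/dev/null
    chmod 600 "$1/server.key"
}

# Self-sign the request. When using a CA, only the .csr is sent to it; the
# private key never leaves the server.
self_sign() {          # self_sign <outdir> <days>
    openssl x509 -req -days "$2" -in "$1/server.csr" -signkey "$1/server.key" \
        -out "$1/server.crt" 2>/dev/null
}

# Check that the certificate's public key matches the private key (modulus compare).
cert_matches_key() {   # cert_matches_key <cert> <key>
    c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    [ "$c" = "$k" ]
}

make_selfsigned_cert() {  # make_selfsigned_cert <outdir> <common-name> <passphrase> <days>
    gen_key "$1" "$3"
    gen_csr "$1" "$3" "$2"
    strip_passphrase "$1" "$3"
    self_sign "$1" "$4"
    cert_matches_key "$1/server.crt" "$1/server.key"
}

# Usage (not run here): make_selfsigned_cert /etc/apache2/certs mysite.mywebserver.com changeit 365
```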

Fourth: Apache HTTPD service

Now we need to make sure that our HTTP server listens on port 443 (HTTPS).

On CentOS

  1. Edit /etc/httpd/conf.d/ssl.conf and adjust the following lines:
  2. Restart the service by running service httpd restart (if you didn't remove the pass phrase, the daemon will ask for it at this point).

On Ubuntu

Apache2 on Ubuntu is quite different; it relies on virtual hosts by default. Let me show you how I did my config.

  1. Create a folder for our HTTPS site by running mkdir /var/www/securedsite
  2. Now edit /etc/apache2/sites-available/default-ssl (you can rename it if you want) and make the following adjustments:
  3. Now run the following commands:
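A minimal HTTPS virtual host in the style of Ubuntu's sites-available/default-ssl, written and checked by a small script, followed by the enable-and-restart commands. This is an added example, not the author's own config; the server name, DocumentRoot and certificate paths are assumptions.

```shell
#!/bin/sh
# Added example: write an HTTPS virtual host like Ubuntu's default-ssl and
# validate it before restarting Apache. Server name, DocumentRoot and
# certificate paths are assumptions.
set -eu

# write_ssl_vhost <conf-file> <server-name> <docroot> <crt> <key>
write_ssl_vhost() {
    cat > "$1" <<EOF
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName $2
    ServerAdmin webmaster@localhost
    DocumentRoot $3

    # Turn on TLS for this host and point it at the files from the previous steps.
    SSLEngine on
    SSLCertificateFile    $4
    SSLCertificateKeyFile $5

    ErrorLog \${APACHE_LOG_DIR}/ssl-error.log
    CustomLog \${APACHE_LOG_DIR}/ssl-access.log combined
</VirtualHost>
</IfModule>
EOF
}

# Checks a practitioner runs before touching the service: cert and key files
# are readable and the config carries the directives that enable TLS.
check_ssl_vhost() {    # check_ssl_vhost <conf-file> <crt> <key>
    [ -r "$2" ] && [ -r "$3" ] || return 1
    grep -q '^ *SSLEngine on' "$1" || return 1
    grep -q "SSLCertificateFile *$2" "$1" || return 1
    grep -q "SSLCertificateKeyFile *$3" "$1" || return 1
}

# Enable the module and the site, test the config, then restart
# (Ubuntu commands; not executed here).
enable_ssl_site() {    # enable_ssl_site <site-name>
    a2enmod ssl
    a2ensite "$1"
    apache2ctl configtest      # refuse to restart on a broken config
    service apache2 restart
}

# Usage (not run here):
#   mkdir -p /var/www/securedsite /etc/apache2/certs
#   write_ssl_vhost /etc/apache2/sites-available/default-ssl mysite.mywebserver.com \
#       /var/www/securedsite /etc/apache2/certs/server.crt /etc/apache2/certs/server.key
#   check_ssl_vhost /etc/apache2/sites-available/default-ssl \
#       /etc/apache2/certs/server.crt /etc/apache2/certs/server.key && enable_ssl_site default-ssl
```

On CentOS the same three SSL directives live in /etc/httpd/conf.d/ssl.conf, which already contains Listen 443.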

That's it! Your webserver should now support HTTPS; go ahead and use your browser to access your fresh SSL site.

Carlos Alberto Umanzor Arguedas

Web Developer at carlosumanzor.com
Web Developer, QA Engineer and Gamer Enthusiast, Developer of Linkcrawler and Father of a future computer ninja.