Install SSL certificate on Linux server

An SSL certificate is used to make a website secure. Secure Sockets Layer (SSL) uses an algorithm to encrypt data exchanged between the browser and the server.

It makes the data in each request unreadable and unbreakable for interceptors or hackers. Third-party services are used to encrypt the data.

Why is it important to install SSL

It is a prerequisite to have SSL installed on your server if you deal in eCommerce, that is, if you allow users to pay or transfer money online. eCommerce or payment transfer websites and actions are more prone to hacking or data stealing attempts.

For example, a hacker may try to intercept a request on a website to steal credit card information entered into a form. They can also steal other important information submitted by users, which may include identification numbers, online banking details, personal details, credit card details and much more.

How to get an SSL

There are various online hosting companies and businesses which sell SSL certificates. My favorite one is Namecheap.

How to install SSL certificate

Here is a step-by-step guide to installing SSL on a self-managed Linux website. The example here applies specifically to a website running on the Apache web server on CentOS 7, on a Bitnami install on an Amazon EC2 instance. However, this example may be helpful when installing on any Linux-hosted build with the Apache web server.

Step 1

Generate a CSR: Using OpenSSL

The very first step in installing an SSL on a server is to create a CSR, or Certificate Signing Request.

To create a CSR, the OpenSSL software can be used. It is usually installed by default if you are using a pre-configured server instance on a Linux build. You can check whether it is installed by running the command:

openssl version

If it is installed it should show something like:

OpenSSL 1.0.1g 7 Apr 2014

If it is not installed, you can install OpenSSL on Linux if you have command-line access to the server. Most of the time you could also use it on your local machine to generate the CSR. Installation depends upon your Linux build. For example:

sudo yum install libtool perl-core zlib-devel -y

https://blacksaildivision.com/how-to-install-openssl-on-centos

To install OpenSSL on Windows, go to https://sourceforge.net/projects/openssl/ to download and install it.

Step 2

Generate Certificate Signing Request (CSR)

Generate Private Key

In order to generate a CSR you first need an RSA private key to encrypt your CSR. To create the private key, type:

openssl genrsa 2048 > mysite-private-key.pem

genrsa – the genrsa command generates an RSA private key.
2048 – the size of the private key to generate, in bits, which is the default size anyway.

Generate CSR

openssl req -new -key mysite-private-key.pem -out csr.pem

Using the mysite-private-key.pem private key, this generates a CSR named csr.pem. It will ask you for some information, of which the FQDN is the most important. It should be your full domain, i.e. www.yoursite.com. This CSR will be used to generate an SSL certificate at the vendor where you purchased your SSL (Namecheap in my case).

A generated CSR looks like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIC6zCCAdMCAQAwgY0xFsuye455lVTMRAwDgYDVQQIDAdGbG9yaWRhMRAw
……………………………………………………
gNfVP4gI9IJ4kA2Soqm7p8E8Xgf8R7mAs/5vNooDHw==
-----END CERTIFICATE REQUEST-----
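
The key and CSR commands from Step 2 as a non-interactive script, with checks to run on the result before pasting the CSR into the vendor's form. This is an added example, not part of the original post; the function names are hypothetical and the FQDN and output directory are supplied by the caller.

```sh
#!/bin/sh
# Added example, not from the original post. The function names are
# illustrative; the FQDN and output directory are supplied by the caller.

# Create the private key and CSR from Step 2 without interactive prompts.
make_csr() {
    fqdn=$1 dir=$2
    # umask 077: the key file is created readable by its owner only.
    ( umask 077 && openssl genrsa -out "$dir/mysite-private-key.pem" 2048 ) \
        >/dev/null 2>&1 || return 1
    # -subj supplies the FQDN that the interactive prompt calls Common Name.
    openssl req -new -key "$dir/mysite-private-key.pem" \
        -subj "/CN=$fqdn" -out "$dir/csr.pem"
}

# Print the Common Name (the FQDN) stored in a CSR.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# Succeed only if the CSR's signature verifies against the public key it carries.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeed only if the key file grants no access to group or others.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```

Only csr.pem is sent to the vendor; the private key stays on the machine that generated it.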

Step 3

Purchase SSL and Activate it

If you haven’t purchased an SSL certificate yet, buy one at namecheap.com or from your preferred hosting service provider. Once your purchase is done, you are ready to sign the SSL so that it is ready to be used on your website.

Now go to your Namecheap account and enter the CSR in the given field. Once you save it, it will ask you to validate your domain by one of several methods, including HTTP, email or DNS editing. Pick one of them and validate your domain. Refer to your hosting service provider's guide on “How to activate SSL” or similar terms.

Step 4

Once your SSL is generated and downloaded, upload all files to a secured folder on your server. Generally an SSL includes a crt file, a ca-bundle file and sometimes a p7b file.

In my case I upload them to /home/bitnami/ssl/mysite.com/ so I have these three files there. Note that I have also uploaded the RSA private key to the same folder in which I placed the other files.

/home/bitnami/ssl/mysite.com/mysite_com.crt
/home/bitnami/ssl/mysite.com/mysite-private-key.pem
/home/bitnami/ssl/mysite.com/mysite_com.ca-bundle

The location is not important, but the reference to the location is, which you are going to set up in the next step.

Step 5

Now look for your Apache vhosts config file, httpd-vhosts.conf. Mine was in /opt/bitnami/apache2/conf/extra. Edit this file to include or replace the references to the SSL files uploaded in the previous step, like this:

<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    ServerName mysite.com:443
    SSLEngine on
    SSLCertificateFile "/home/bitnami/ssl/mysite.com/mysite_com.crt"
    SSLCertificateKeyFile "/home/bitnami/ssl/mysite.com/mysite-private-key.pem"
    SSLCertificateChainFile "/home/bitnami/ssl/mysite.com/mysite_com.ca-bundle"
</VirtualHost>

Save this file.

Step 6

Restart the Apache server using the following command or its equivalent (CentOS in this example):

sudo service httpd restart
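
Checks worth running on the files from Step 4 before the restart, since a certificate that does not belong to the private key will stop Apache from starting with SSL enabled. This is an added example, not part of the original post; the function names are hypothetical and the file paths and host name are supplied by the caller.

```sh
#!/bin/sh
# Added example, not from the original post. The function names are
# illustrative; certificate, key and host name are supplied by the caller.

# Succeed only if the certificate was issued for this private key: the
# public key in the certificate must equal the one derived from the key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate is valid for the given host name.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Succeed only if the certificate is still valid N seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Run all checks; print the first problem found and return non-zero.
preflight() {
    cert=$1 key=$2 host=$3
    cert_matches_key "$cert" "$key" ||
        { echo "key does not match certificate"; return 1; }
    cert_covers_host "$cert" "$host" ||
        { echo "certificate not valid for $host"; return 1; }
    cert_valid_for "$cert" 0 ||
        { echo "certificate has expired"; return 1; }
    echo "ok"
}
```

With the paths from Step 4 this would be called as preflight /home/bitnami/ssl/mysite.com/mysite_com.crt /home/bitnami/ssl/mysite.com/mysite-private-key.pem mysite.com. Running apachectl configtest afterwards catches syntax errors in httpd-vhosts.conf before the restart.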
