A Simple Guide to Encryption

SSL for the Web
The acronym SSL stands for Secure Socket Layer. SSL was recently renamed TLS (Transport Layer Security), but because most people are still unfamiliar with the name TLS and because the configuration files still use the name SSL, we will use the name SSL in this tutorial. SSL is a cryptographic networking protocol that allows for secure communications between a client (usually a personal computer) and a server (usually a web server on which a website is located). This tutorial will teach you how to set up your website to communicate securely with your visitors.

NOTE: In order to complete this tutorial, you'll need an existing website with a unique domain name and root access to your web server.


SSL under Apache
  1. Make sure OpenSSL and mod_ssl are installed. OpenSSL [1] is a toolkit that runs from the command line and provides transport layer security encryption on a web server. OpenSSL is usually located in the /usr/local/ssl/install/ directory. If it is missing, you will need to install OpenSSL on your server before continuing.

    Mod_ssl is an Apache module that allows Apache to interface with OpenSSL in order to encrypt your website's pages. You can verify that mod_ssl is installed by opening your httpd.conf file, usually located in the /etc/httpd/conf/ directory. Make sure the following line is uncommented by removing any pound sign (#) in front of it.

    LoadModule ssl_module modules/libmodssl.so

  2. Create a private key. We will use this key later to generate a certificate signing request, which is required to purchase an SSL certificate from a certificate authority. We will generate the key with OpenSSL on your web server from the command line with the following command. Replace "domainname.com" with your actual domain name, and enter a password of your choosing when the program asks you for one.

    openssl genrsa -des3 -out domainname.com.key 1024

    NOTE: If OpenSSL is not in your path, you may need to enter the full path to the binary in order to complete this step. By default, it is located in /usr/local/ssl/install/openssl/bin/openssl. The key will be created in the directory from which you issue the command.

    WARNING: Be sure to write down or remember your password. This password cannot be retrieved.

  3. Generate a certificate signing request. A certificate signing request is required to purchase an SSL certificate from a certificate authority. You can create a certificate signing request by issuing the following command.

    openssl req -new -key domainname.com.key -out domainname.com.csr

  4. Choose a certificate authority and purchase a certificate. The two best-known certificate authorities are VeriSign [2] and GeoTrust [3], but many other companies also sell certificates. Be careful to purchase your certificate from a reputable and trusted authority; we recommend VeriSign or GeoTrust. The authority you choose will have a page that asks you either to copy and paste or to upload your certificate signing request (which contains your public key) to their site. You will probably receive your new certificate within a couple of minutes of completing the purchase process. Usually certificates are delivered via email.

  5. Install your certificate. Your new certificate will be a paragraph of text that will look similar to this example.

    -----BEGIN CERTIFICATE-----
    (base64-encoded certificate body omitted)
    -----END CERTIFICATE-----


    If your certificate arrives as a text file attached to an email, save the text file on your computer. If it arrives in the body of the email or is displayed on a web page, you will need to create a new file and paste the certificate into it. Name this file "domainname.com.crt", replacing "domainname.com" with your actual domain name. Be very careful to select only the text of the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Do not use a word processor such as Microsoft Word or Works to create this file; use only Notepad or another basic text editor. Make sure there are no extra characters, including spaces and line breaks, in the file.

    Upload the certificate file to your server. Your private key file, "domainname.com.key" (again with your actual domain name), should already be on your server from step 2. Move the key file into the /etc/httpd/conf/ssl.key/ directory and the .crt file into the /etc/httpd/conf/ssl.crt/ directory.

  6. Configure Apache. Now all we need to do is tell Apache that we want to use SSL and where to find the certificate and private key. We do this by editing the Apache configuration file /etc/httpd/conf/httpd.conf. Find the <IfDefine HAVE_SSL> section of the configuration file. If this section does not exist in your configuration file, add it at the bottom. Add a <VirtualHost> entry for your domain name there by copying and pasting the following code into the file. Change the domain name, email address, IP address, and document root to the correct values for your website and web server.

    WARNING: Always make a backup of your configuration file before editing it, as there is real potential to do serious damage to your web server configuration.

    <VirtualHost 12.34.56.78:443>
    DocumentRoot /home/sites/domainname.com/html
    ServerName www.domainname.com
    ServerAlias domainname.com
    ServerAdmin admin@domainname.com
    ErrorLog /home/sites/domainname.com/logs/error_log
    TransferLog /home/sites/domainname.com/logs/access_log
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/domainname.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domainname.com.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    </VirtualHost>


    If you had to create a new <IfDefine HAVE_SSL> section, make sure to add an </IfDefine> tag after the VirtualHost entry listed above.

  7. Restart Apache. Use the command /etc/init.d/httpd restart to restart Apache. This causes Apache to reload its configuration files. To begin using SSL on your website, simply change the links on your site from "http" to "https". Any portions of your site that are accessed over https are automatically encrypted. Your visitors' browsers tell them that your website is secure: in Firefox, the background of the address bar turns yellow and a lock icon appears.


    Figure 1: A yellow background shows the website is encrypted.
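The key, CSR and certificate steps above run end to end, as an added example that is not part of the original tutorial, with two checks worth doing before editing httpd.conf: that the private key, the CSR and the certificate all carry the same public key, and that a pasted .crt file contains nothing but PEM lines. It assumes openssl is on the PATH, uses a constructed passphrase, self-signs the CSR in place of the CA-issued certificate, and uses 2048-bit keys because certificate authorities no longer accept 1024-bit RSA keys.

```shell
#!/bin/sh
# Added example, not from the tutorial: steps 2, 3 and 5 run end to end
# with checks that are worth doing before touching httpd.conf.
# Assumptions: openssl is on PATH, the passphrase below is constructed,
# and a self-signed certificate stands in for the one the CA would send.
set -eu

PASS=pass:example-passphrase   # constructed; a real key gets a real passphrase

# Step 2: encrypted private key. 2048 bits instead of the tutorial's 1024,
# since certificate authorities no longer accept 1024-bit RSA keys.
make_key() {
    openssl genrsa -des3 -passout "$PASS" -out "$1.key" 2048 2>/dev/null
}

# Step 3: certificate signing request; -subj answers the prompts up front.
make_csr() {
    openssl req -new -key "$1.key" -passin "$PASS" \
        -subj "/C=US/ST=State/L=City/O=Example/CN=www.$1" -out "$1.csr"
}

# CA stand-in: self-sign the CSR. The file a CA sends back has the same PEM form.
self_sign() {
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -passin "$PASS" \
        -days 30 -out "$1.crt" 2>/dev/null
}

# Check: key, CSR and certificate must carry the same RSA modulus, otherwise
# the SSLCertificateFile/SSLCertificateKeyFile pair will not load.
keys_match() {
    k=$(openssl rsa -in "$1.key" -passin "$PASS" -noout -modulus 2>/dev/null)
    r=$(openssl req -in "$1.csr" -noout -modulus)
    c=$(openssl x509 -in "$1.crt" -noout -modulus)
    [ "$k" = "$r" ] && [ "$k" = "$c" ] && echo match || echo MISMATCH
}

# Check for step 5's "no extra characters" rule: every line of the .crt must
# be the BEGIN marker, the END marker, or base64 text with nothing else.
pem_is_clean() {
    grep -qvE '^(-----(BEGIN|END) CERTIFICATE-----|[A-Za-z0-9+/=]+)$' "$1" \
        && echo dirty || echo clean
}

# Run the whole sequence for one domain name in the current directory.
run_demo() {
    make_key "$1" && make_csr "$1" && self_sign "$1"
    keys_match "$1"
    pem_is_clean "$1.crt"
}
```

Run it in a scratch directory (for example `run_demo domainname.com`); the key files it writes follow the tutorial's naming so they can be moved into ssl.key/ and ssl.crt/ as in step 5.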


1. OpenSSL is located at openssl.org.
2. VeriSign's SSL store is located at verisign.com/ssl.
3. GeoTrust's SSL store is located here.
