The acronym SSL stands for Secure Sockets Layer. SSL was recently renamed TLS (Transport Layer Security), but because most people are still unfamiliar with the name TLS and because the configuration files still use the name SSL, we will use the name SSL in this tutorial. SSL is a cryptographic networking protocol that allows for secure communications between a client (usually a personal computer) and a server (usually the web server on which a website is located). This tutorial will teach you how to set up your website to communicate securely with your visitors.
NOTE: In order to complete this tutorial, you'll need an existing website with a unique domain name and root access to your web server.
- Make sure OpenSSL and mod_ssl are installed. OpenSSL is a toolkit that runs on the command line and provides transport layer security encryption on a web server. OpenSSL is usually located in the /usr/local/ssl/install/ directory. If it is missing, you will need to install OpenSSL on your server before continuing.
mod_ssl is an Apache module that allows Apache to interface with OpenSSL in order to encrypt your website's pages. You can verify that mod_ssl is installed by opening your httpd.conf file, usually located in the /etc/httpd/conf/ directory. Make sure the following line is uncommented by removing any pound sign (#) in front of it.
LoadModule ssl_module modules/libmodssl.so
- Create a private key. We will use this key later to generate a certificate signing request, which is required to purchase an SSL certificate from a certificate authority. We will generate the key with OpenSSL on your web server from the command line with the following command. Replace "domainname.com" with your actual domain name, and enter a password when the program asks you to create one.
openssl genrsa -des3 -out domainname.com.key 1024
NOTE: If OpenSSL is not in your path, you may need to enter the full path to the binary in order to complete this step. By default, it is located in /usr/local/ssl/install/openssl/bin/openssl. The key will be created in the directory from which you issue the command.
WARNING: Be sure to write down or remember your password. This password cannot be retrieved.
- Generate a certificate signing request. A certificate signing request is required to purchase an SSL certificate from a certificate authority. You can create a certificate signing request by issuing the following command.
openssl req -new -key domainname.com.key -out domainname.com.csr
- Choose a certificate authority and purchase a certificate. The two most famous certificate authorities are VeriSign and GeoTrust, but you can also find many other companies selling certificates. You must be careful to purchase your certificate from a reputable and trusted authority. We recommend purchasing your certificate from VeriSign or GeoTrust. The authority that you choose will have a page that asks you to either copy and paste or upload your certificate signing request (which contains your public key) to their site. You will probably receive your new certificate within a couple of minutes of completing the purchase process. Usually certificates are delivered via email.
- Install your certificate. Your new certificate will be a paragraph of text that will look similar to this example.
If your certificate arrives as a text file attached to an email, save the text file on your computer. If it arrives in the body of the email or if it is displayed on a web page, you will need to create a new file and paste the certificate into it. The name of this file should be "domainname.com.crt", where you replace "domainname.com" with your actual domain name. Be very careful to select only the text of the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Do not use a word processor such as Microsoft Word or Works to create this file. Use only Notepad or another basic text editor. Make sure there are no extra characters, including spaces and line breaks, in the file.
Upload the certificate file to your server. Your private key file, named "domainname.com.key" (where you replace "domainname.com" with your actual domain name), should already be located on your server. Move the key file into the /etc/httpd/conf/ssl.key/ directory and the .crt file into the /etc/httpd/conf/ssl.crt/ directory.
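Before Apache is pointed at these files it is worth confirming that the key, the CSR made from it and the certificate the authority returned really belong together, and that the key file is readable by its owner only. The script below is an added example and not part of the tutorial: it compares the RSA modulus carried by each file, and, so that it runs offline, builds a throwaway key, CSR and self-signed certificate (standing in for the CA-issued one) in a scratch directory; the function names and file names are assumptions, and the same checks apply to the files you moved into /etc/httpd/conf/ssl.key/ and /etc/httpd/conf/ssl.crt/.

```shell
#!/bin/sh
# Added example (not from the tutorial): confirm that a private key, the CSR
# made from it and the certificate issued for that CSR all carry the same RSA
# modulus, and that the key file is owner-readable only. Function and file
# names are assumptions made for this example.
set -eu

# Print the SHA-256 of the RSA modulus found in a key, CSR or certificate.
# $1 = openssl subcommand for the file type (rsa, req or x509), $2 = file.
modulus_hash() {
  openssl "$1" -noout -modulus -in "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when key ($1), CSR ($2) and certificate ($3) share one modulus;
# a mismatch here is why Apache refuses to start with a wrong key/cert pair.
check_match() {
  key_h=$(modulus_hash rsa "$1")
  csr_h=$(modulus_hash req "$2")
  crt_h=$(modulus_hash x509 "$3")
  [ "$key_h" = "$csr_h" ] && [ "$key_h" = "$crt_h" ]
}

# Succeed when the private key ($1) has mode 600 or 400 (owner-only access).
check_key_perms() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Constructed demo material in a scratch directory: an unencrypted key, a CSR
# for domainname.com, a self-signed cert in place of the CA-issued one, and an
# unrelated key for the negative case. Prints the directory path.
make_demo() {
  d=$(mktemp -d)
  openssl genrsa -out "$d/domainname.com.key" 2048 2>/dev/null
  chmod 600 "$d/domainname.com.key"
  openssl req -new -key "$d/domainname.com.key" -subj "/CN=domainname.com" \
    -out "$d/domainname.com.csr" 2>/dev/null
  openssl x509 -req -in "$d/domainname.com.csr" -signkey "$d/domainname.com.key" \
    -days 30 -out "$d/domainname.com.crt" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
  echo "$d"
}

# Stand-alone run ("sh check.sh demo"): verify the constructed set, then show
# that an unrelated key is rejected.
if [ "${1:-}" = "demo" ]; then
  D=$(make_demo)
  check_match "$D/domainname.com.key" "$D/domainname.com.csr" "$D/domainname.com.crt" \
    && echo "key, CSR and certificate match"
  check_match "$D/other.key" "$D/domainname.com.csr" "$D/domainname.com.crt" \
    || echo "other.key does not belong to this certificate"
  check_key_perms "$D/domainname.com.key" && echo "key permissions OK"
fi
```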
- Configure Apache. Now all we need to do is tell Apache that we want to use SSL and where to find the certificate and private key. We can do this by editing the Apache configuration file /etc/httpd/conf/httpd.conf. Find the <IfDefine HAVE_SSL> section of the configuration file. If this section does not exist in your configuration file, add it to the bottom. Add a <VirtualHost> entry for your domain name there. Copy and paste the following code into the file. Change the domain name, email address, IP address, and document root to what they should be for your website and web server.
WARNING: Always make a backup of your configuration file before editing it, as there is real potential to do serious damage to your web server configuration.
TransferLog /home/sites/domainname.com/logs/access_log
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
If you had to create a new <IfDefine HAVE_SSL> section, make sure to add an </IfDefine> tag after the VirtualHost entry listed above.
- Restart Apache. Use the command /etc/init.d/httpd -restart to restart Apache. This causes Apache to reload its configuration files. To begin using SSL on your website, simply change the links on your site from "http" to "https". Any portions of your site that are accessed via https are automatically encrypted. Your visitors' browsers tell them that your website is secure. In Firefox, the background of the address bar turns yellow and a lock icon appears.
Figure 1: A yellow background shows the website is encrypted.