SSL certificate deployment on Linux
What is SSL?
SSL (Secure Sockets Layer) is a technology that encrypts the connection between your web server and your visitors' web browsers. To enable SSL on your website, you need to obtain an SSL certificate that identifies you and install it on the server.
Once the certificate is installed, the website can be accessed securely by changing the URL from http:// to https://.
HTTPS (Hypertext Transfer Protocol Secure) is a communications protocol used on the Internet that has a layer of security added. It is a combination of the standard HTTP protocol and a security protocol called SSL/TLS.
Types of SSL certificate:
Basic / Positive certificate: If you want an encrypted connection between your web server and your visitors' web browsers, i.e. you need to redirect traffic to your website over https, you can buy a basic SSL certificate such as the Comodo PositiveSSL certificate. These certificates can be issued immediately, as they only validate your domain name via WHOIS records, and have the lowest price.
Wildcard certificate: If, in addition to the above, you also want to secure all your subdomains, such as xyz.yourdomain.com and abc.yourdomain.com (any subdomain, i.e. *.yourdomain.com), you should buy a Wildcard certificate such as the Comodo PositiveSSL Wildcard certificate.
Below is the command to generate the CSR:
Note: Generate the CSR on the local machine, not on the server.
Wildcard certificate:
~ $ openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout star.yourdomain.com.key -out star.yourdomain.com.csr
If you are requesting a wildcard certificate, put an asterisk (*) on the left side of the Common Name when creating the CSR (e.g., *.yourdomain.com).
Positive certificate:
~ $ openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout yourdomain.com.key -out yourdomain.com.csr
For example, generating a CSR for a Positive certificate:
[root@localhost yourdomain]# openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout yourdomain.com.key -out yourdomain.com.csr
Generating a 2048 bit RSA private key
.........................................................................++
.............................................+++
writing new private key to 'yourdomain.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:enter your company name
Organizational Unit Name (eg, section) []:Example: Web Administration, Web Security, Marketing, IT
Common Name (eg, fully-qualified domain name (FQDN)) []:www.yourdomain.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: No need to enter any password
An optional company name []: No need to enter any optional company
[root@localhost yourdomain]#

Note: For a Wildcard certificate you have to add a star (*) before the domain name:
Common Name (eg, fully-qualified domain name (FQDN)) []:*.yourdomain.com
After this you will have two files, the CSR and the key file:
yourdomain.com.csr
yourdomain.com.key
The certificate authority will use the information contained in the CSR (Organization name, domain name (Common Name), public key, etc.) to create your certificate.
The E2E Networks' sales team ([email protected]) can assist you in ordering the certificate. Please share the CSR and key file, along with the range of SSL certificates you require for your domain.
After buying the SSL certificate, download it and unzip the archive; you will get the files below:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
yourdomain.com.crt
Then build the bundle in the order given below:
cat COMODORSADomainValidationSecureServerCA.crt > bundle.crt
cat COMODORSAAddTrustCA.crt >> bundle.crt
cat AddTrustExternalCARoot.crt >> bundle.crt
Then rsync the files below from the local machine to the server to deploy the SSL certificate:
yourdomain.com.crt : your primary certificate file for your domain name.
yourdomain.com.key : the key file produced when the CSR was generated.
bundle.crt : the CA bundle built above.
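The CSR generation and the bundle steps above can be checked before anything is copied to the server. The script below is an added example, not code from the page or from E2E Networks: it runs the page's CSR command non-interactively (the DN values and the placeholder domain yourdomain.com are assumptions), then, because no real CA is involved, constructs a throwaway two-tier test CA (root and intermediate) to stand in for the Comodo CA files the page lists, signs the CSR with it, builds the bundle in the page's order (intermediate first, root last) and runs the three checks a deployer wants: the certificate chains to the root through the bundle, the private key belongs to the certificate, and the certificate is not about to expire. All files are written to a temporary directory.

```shell
#!/bin/sh
# Added example, not the page's or E2E Networks' code. Requires the openssl CLI.
# DOMAIN is a placeholder; the test CA built here is constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"
DOMAIN="yourdomain.com"

# Key + CSR in one step with the page's options; -subj supplies the DN the page
# types interactively (assumed values). Pass "*.$DOMAIN" as CN for a wildcard CSR.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/C=IN/ST=Maharashtra/L=Mumbai/O=Example Co/CN=$2" 2>/dev/null
}

# CN of a CSR, to confirm the wildcard/FQDN was entered correctly before sending it.
csr_cn() {
    openssl req -in "$WORK/$1.csr" -noout -subject | sed 's/.*CN *= *//'
}

# Constructed test CA (stand-in for the root and intermediate CA files the page
# lists). Extensions come from an extfile so the result does not depend on the
# local openssl.cnf.
make_test_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    gen_csr root "Test Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    gen_csr int "Test Intermediate CA"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
}

# Issue the leaf from the CSR, as the CA would; the SAN carries the names browsers check.
sign_leaf() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.%s,DNS:%s\n' "$DOMAIN" "$DOMAIN" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/$DOMAIN.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/$DOMAIN.crt" 2>/dev/null
}

# Bundle in the page's order: intermediate(s) first, root last.
build_bundle() {
    cat "$WORK/int.crt" > "$WORK/bundle.crt"
    cat "$WORK/root.crt" >> "$WORK/bundle.crt"
}

# Check 1: the leaf chains to the trusted root through the bundle.
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/bundle.crt" "$WORK/$DOMAIN.crt" >/dev/null 2>&1
}

# Check 2: the key file really belongs to the certificate (compare public keys).
key_matches_cert() {
    c=$(openssl x509 -in "$WORK/$DOMAIN.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$WORK/$DOMAIN.key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 3: the certificate is valid for at least another week (604800 s).
not_expiring_within_week() {
    openssl x509 -in "$WORK/$DOMAIN.crt" -noout -checkend 604800 >/dev/null
}

run_demo() {
    gen_csr "$DOMAIN" "*.$DOMAIN"   # wildcard CSR, as in the page's first command
    make_test_ca
    sign_leaf
    build_bundle
    verify_chain && key_matches_cert && not_expiring_within_week
}

run_demo && echo "CSR CN=$(csr_cn "$DOMAIN"); chain, key and expiry checks passed in $WORK"
```

With a real certificate the same three checks apply unchanged: point `-CAfile` at the root and `-untrusted` at the bundle you built, and compare the public key of yourdomain.com.crt with that of yourdomain.com.key; a mismatch here is the usual reason Apache refuses to start after a certificate renewal.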
Installation of the SSL certificate:
Why does port 443 need to be open?
TCP port 443 is the standard TCP port used by websites that use SSL. When you go to a website whose URL begins with https, you are connecting to port 443. You should not use a different port number, because then your users will need to enter the port number in the URL when accessing the site.
Please refer to the link below to open the port: https://www.e2enetworks.com/help/how-to-open-port-in-centos/
Deploying the SSL certificate:
For httpd:
Please add the lines below to the httpd conf:
root@e2e:~# vim /etc/httpd/conf/httpd.conf
For apache2:
Please add the lines below to the configuration file of the particular site:
root@e2e:~# vim /etc/apache2/sites-available/<site>.conf
<VirtualHost IP:443>
    DocumentRoot /var/www/website
    ServerName www.domain.com
    SSLProxyEngine On
    SSLEngine On
    # Disables the SSL protocol versions; on current servers also drop TLSv1 and TLSv1.1.
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    # Replace /path/to/ with the directory the three files were rsynced to.
    SSLCertificateFile /path/to/yourdomain.com.crt
    SSLCertificateKeyFile /path/to/yourdomain.com.key
    # Intermediate bundle built above. SSLCertificateChainFile is the dedicated
    # directive for it (deprecated since Apache 2.4.8, where the intermediates
    # can instead be appended to the SSLCertificateFile).
    SSLCACertificateFile /path/to/bundle.crt
</VirtualHost>
Then restart the httpd/apache2 service:
root@e2e:~# /etc/init.d/httpd restart
root@e2e:~# /etc/init.d/apache2 restart
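Before restarting, it is worth checking that the vhost file actually carries the hardening the block above has (SSLv2/SSLv3 excluded, server-side cipher order, the weak cipher families excluded, and an intermediate bundle configured), since a typo in one directive silently weakens the whole site. The audit script below is an added example, not part of the page and not an Apache tool: the directive names are Apache's real ones, but the baseline it enforces is an assumption taken from the page's own configuration block, and the two vhost files it checks (one weakened, one matching the page) are constructed inline for the demo.

```shell
#!/bin/sh
# Added example, not the page's or Apache's code. Audits an Apache SSL vhost file
# against the baseline used in the page's configuration block (assumed baseline).

# Value of the first occurrence of directive $1 in file $2. Apache directive
# names are case-insensitive, so match with grep -i; awk drops the name.
directive() {
    grep -i "^[[:space:]]*$1[[:space:]]" "$2" | head -n 1 |
        awk '{ $1 = ""; sub(/^[ \t]+/, ""); print }'
}

# Prints one "FINDING:" line per problem; exit status 0 only when nothing was flagged.
audit_ssl_vhost() {
    conf="$1"; n=0
    flag() { echo "FINDING: $1"; n=$((n + 1)); }

    engine=$(directive SSLEngine "$conf")
    case "$engine" in [Oo][Nn]) ;; *) flag "SSLEngine is not 'on'" ;; esac

    # SSLv2/SSLv3 must be explicitly excluded: 'All' alone still enables SSLv3 on
    # older builds, which is what the page's '-SSLv2 -SSLv3' guards against.
    proto=$(directive SSLProtocol "$conf")
    [ -n "$proto" ] || flag "SSLProtocol not set"
    for tok in $proto; do
        case "$tok" in
            -*) ;;
            [Ss][Ss][Ll][Vv][23]) flag "SSLProtocol enables $tok" ;;
            [Aa][Ll][Ll]) case " $proto " in
                              *" -"[Ss][Ss][Ll][Vv]3" "*) ;;
                              *) flag "SSLProtocol 'All' without -SSLv3" ;;
                          esac ;;
        esac
    done

    order=$(directive SSLHonorCipherOrder "$conf")
    case "$order" in [Oo][Nn]) ;; *) flag "SSLHonorCipherOrder is not 'on'" ;; esac

    # The cipher string must exclude the same families the page's string excludes.
    suite=$(directive SSLCipherSuite "$conf")
    for bad in aNULL eNULL RC4 MD5 3DES; do
        case ":$suite:" in *":!$bad:"*) ;; *) flag "SSLCipherSuite does not exclude $bad" ;; esac
    done

    for d in SSLCertificateFile SSLCertificateKeyFile; do
        [ -n "$(directive "$d" "$conf")" ] || flag "$d not set"
    done
    # Intermediates: the page passes the bundle via SSLCACertificateFile;
    # SSLCertificateChainFile is the other accepted place.
    if [ -z "$(directive SSLCertificateChainFile "$conf")" ] &&
       [ -z "$(directive SSLCACertificateFile "$conf")" ]; then
        flag "no intermediate bundle (SSLCertificateChainFile/SSLCACertificateFile)"
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample vhosts for the demo (paths are placeholders, not checked on disk).
WORK=$(mktemp -d)
WEAK="$WORK/weak.conf"; GOOD="$WORK/good.conf"
cat > "$WEAK" <<'EOF'
<VirtualHost *:443>
    ServerName www.yourdomain.com
    SSLEngine on
    SSLProtocol All
    SSLCipherSuite HIGH:MEDIUM:RC4
    SSLCertificateFile /etc/ssl/certs/yourdomain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/yourdomain.com.key
</VirtualHost>
EOF
cat > "$GOOD" <<'EOF'
<VirtualHost *:443>
    ServerName www.yourdomain.com
    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    SSLCertificateFile /etc/ssl/certs/yourdomain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/yourdomain.com.key
    SSLCACertificateFile /etc/ssl/certs/bundle.crt
</VirtualHost>
EOF

echo "== weak.conf =="; audit_ssl_vhost "$WEAK" || echo "-> fix these before restarting"
echo "== good.conf =="; audit_ssl_vhost "$GOOD" && echo "-> no findings"
```

Run it against the real file (`audit_ssl_vhost /etc/apache2/sites-available/<site>.conf`), then `apachectl configtest` (or `apache2ctl configtest` on Debian/Ubuntu) to catch syntax errors, and only then restart. After the restart, `openssl s_client -connect www.yourdomain.com:443 -servername www.yourdomain.com` shows the chain the server actually sends, which confirms the bundle was picked up.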