Configure SSL on Apache

The Apache web server can serve pages over HTTPS using mod_ssl. To configure SSL/TLS on Apache, follow the steps below.

If your Apache instance was installed on a Red Hat based Linux from the standard repository, the Apache base directory will most likely be /etc/httpd/. If not, you will need to find your ssl.conf file, usually in the conf.d directory under the Apache base.

Your ssl.conf file is where SSL/TLS is configured for Apache.

Once you have found ssl.conf, edit the file and add the following virtual host.

<VirtualHost <yourvirtualip>:443>
ServerAdmin [email protected]
ServerName ssl.simplespider.com
DocumentRoot /var/www/html/simplespider.com
ErrorLog logs/ssl_error_log
LogLevel warn
SSLEngine on
# SSLv2/SSLv3 are broken (POODLE) and TLS 1.0/1.1 are deprecated. Starting from
# "all" and subtracting versions keeps TLS 1.3 enabled on builds that have it.
# On an Apache 2.2 build that rejects the TLSv1.1 token use: all -SSLv2 -SSLv3
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# No RC4, MD5, 3DES, export or anonymous/NULL ciphers, and the server's
# preference order wins over the client's.
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXP
SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/certs/simplespider.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/simplespider.com.key
# Intermediate CA certificate(s) that chain your certificate to the vendor's
# root. Do not use SSLCACertificateFile for this: that directive lists the CAs
# trusted for client certificate authentication, not your own chain. On
# Apache 2.4.8 or later you may instead append the chain to the file named in
# SSLCertificateFile.
SSLCertificateChainFile /etc/pki/tls/certs/<your_cert_chain>.crt
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Check the syntax with apachectl configtest, then restart your Apache instance
service httpd restart

Configure Nginx with SSL

If you are currently using nginx as a web server or reverse proxy, you may need to configure SSL/TLS on it.

The following steps let you configure your nginx server for SSL/TLS.

First create your private key and certificate signing request using the instructions later on this page, and have your certificate authority issue the certificate.

Once you have the certificate, locate your nginx configuration (nginx.conf or a file under the conf.d directory).

Add a server block that listens on 443 like the following.

server {
    listen       443 ssl;
    server_name  example1.simplespider.com example2.simplespider.com;
    # nginx has no separate chain directive: this file must contain the server
    # certificate first, followed by the CA's intermediate certificate(s).
    # Relative paths are resolved against the nginx prefix; absolute paths are safer.
    ssl_certificate     wildcard.simplespider.com.chain.crt;
    ssl_certificate_key wildcard.simplespider.com.key;
    # SSLv3 is broken (POODLE) and TLS 1.0/1.1 are deprecated.
    # TLSv1.3 needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5:!RC4:!3DES;
    ssl_prefer_server_ciphers on;
}

Check the configuration with nginx -t, then restart your nginx instance
  service nginx restart
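Both the Apache and the nginx fragments above used to ship with SSLv3 and, on Apache, RC4 enabled, and the same mistakes are easy to reintroduce when copying old configs. The script below is an added example written for this page, not code from the original post or from either project: a small linter that reads an Apache (SSLProtocol/SSLCipherSuite) or nginx (ssl_protocols/ssl_ciphers) fragment and flags legacy protocol versions and weak cipher tokens. The three sample files it checks are constructed here for illustration, not real server files.

```shell
#!/bin/sh
# lint_tls_config FILE: print one finding per line for legacy protocols or
# weak cipher tokens in an Apache or nginx TLS fragment.  Exit status 1 when
# anything was found, 0 when the file is clean.  (Added example, not from
# the original post.)
lint_tls_config() {
    file=$1
    findings=0
    # Protocol tokens from Apache "SSLProtocol" or nginx "ssl_protocols".
    # Apache tokens are case-insensitive, so everything is upper-cased first.
    protos=$(grep -iE '^[[:space:]]*(SSLProtocol|ssl_protocols)[[:space:]]' "$file" |
        sed -E 's/^[[:space:]]*[A-Za-z_]+[[:space:]]+//; s/;.*$//' |
        tr '[:lower:]' '[:upper:]')
    for tok in $protos; do
        case "$tok" in
            SSLV2|SSLV3|TLSV1|TLSV1.1|+SSLV2|+SSLV3|+TLSV1|+TLSV1.1)
                echo "$file: legacy protocol enabled: $tok"; findings=1 ;;
            ALL|+ALL)
                # Apache "all" means every version the library supports, so
                # SSLv3 stays on unless it is subtracted on the same line.
                case " $protos " in
                    *" -SSLV3 "*) ;;
                    *) echo "$file: 'all' without -SSLv3"; findings=1 ;;
                esac ;;
        esac
    done
    # Cipher tokens from Apache "SSLCipherSuite" or nginx "ssl_ciphers".  A
    # token is weak when it names RC4, MD5, DES/3DES, export or NULL ciphers
    # and is not prefixed with "!" or "-" (which remove it from the list).
    ciphers=$(grep -iE '^[[:space:]]*(SSLCipherSuite|ssl_ciphers)[[:space:]]' "$file" |
        sed -E 's/^[[:space:]]*[A-Za-z_]+[[:space:]]+//; s/;.*$//' |
        tr ':' '\n' | tr '[:lower:]' '[:upper:]')
    for tok in $ciphers; do
        case "$tok" in
            '!'*|-*) ;;
            *RC4*|*MD5*|*DES*|*EXP*|*NULL*)
                echo "$file: weak cipher token enabled: $tok"; findings=1 ;;
        esac
    done
    return $findings
}

# Constructed sample fragments (not real server files) in a scratch directory.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/apache-weak.conf" <<'EOF'
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
EOF
cat > "$SAMPLES/apache-fixed.conf" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXP
SSLHonorCipherOrder on
EOF
cat > "$SAMPLES/nginx-weak.conf" <<'EOF'
server {
    listen       443 ssl;
    ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
}
EOF

for f in "$SAMPLES"/*.conf; do
    if lint_tls_config "$f"; then echo "$f: clean"; fi
done
```

Run it against your real files with lint_tls_config /etc/httpd/conf.d/ssl.conf or lint_tls_config /etc/nginx/nginx.conf. It only reads the directive lines, so it will not catch a weak setting inherited from an include or a default; for a deployed server, confirm with an external TLS scanner as well.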

SSL Vendors

A certificate can be generated and self-signed locally on most servers. It uses the same cryptography as one issued by a public certificate authority; what it lacks is a trust path to a root the visitor's browser already trusts. The browser therefore shows a warning that the customer has to click through, and a man-in-the-middle presenting a different self-signed certificate would look no different to that customer. For a public web site, purchase a certificate from a recognized vendor.

Purchasing from a well recognized vendor helps your customers trust you and causes the fewest issues.

Well recognized vendors include:

verisign.com
thawte.com
comodo.com
entrust.com
godaddy.com

Not every certificate authority's root is present in every browser and operating system trust store, so using one of the listed vendors gives you the best chance that the customer's browser already trusts the issuing CA. (Several of these brands have since changed hands: the VeriSign and Thawte certificate businesses passed to Symantec and then to DigiCert, and Comodo CA now trades as Sectigo.)

Installing the full certificate chain on the server (your certificate followed by the vendor's intermediate certificates) lets the browser build a path from your certificate to a root it already has, without the customer installing anything. Only if the chain is incomplete, or the root itself is unknown to the browser, would users have to install a certificate authority by hand, and many are unwilling or unable to do that.
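To see why the server has to send the chain, the script below builds a throwaway root, intermediate and server certificate with openssl and then verifies the server certificate against the root alone and against the root plus the intermediate. It is an added example written for this page, not code from the original post; the CA names, host name and temporary paths are invented, and it assumes an openssl command line (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway
# root -> intermediate -> server chain.  A client that trusts only the root
# can validate the server certificate only when the intermediate is supplied
# alongside it, which is what the web server's chain file is for.
WORK=$(mktemp -d)

# req_cnf CN: minimal non-interactive config for "openssl req".
req_cnf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1"
}

# Root CA: self-signed and marked CA:TRUE (what a browser trust store holds).
{ req_cnf "Example Root CA"
  printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\n'
  printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n'
} > "$WORK/root.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/root.cnf" \
    -extensions v3_ca -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# issue BASE CN ISSUER: key + CSR for CN, signed by ISSUER with BASE.ext applied.
issue() {
    req_cnf "$2" > "$WORK/$1.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$3.crt" \
        -CAkey "$WORK/$3.key" -CAcreateserial -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}
# Intermediate CA issued by the root, then the server certificate issued by
# the intermediate (the server name is made up for the example).
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
issue int "Example Intermediate CA" root
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:ssl.simplespider.com\n' > "$WORK/server.ext"
issue server "ssl.simplespider.com" int

# verify_leaf ROOT [CHAIN]: 0 when server.crt chains to ROOT.  CHAIN, if given,
# plays the role of the intermediate(s) a web server sends in the handshake.
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$WORK/server.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
    fi
}

# build_fullchain: the bundle Apache (SSLCertificateChainFile, or appended to
# SSLCertificateFile on 2.4.8+) and nginx (ssl_certificate) expect: the server
# certificate first, then the intermediate(s), never the root.  Prints the
# number of certificates written.
build_fullchain() {
    cat "$WORK/server.crt" "$WORK/int.crt" > "$WORK/fullchain.pem"
    grep -c 'BEGIN CERTIFICATE' "$WORK/fullchain.pem"
}

if verify_leaf "$WORK/root.crt"; then
    echo "leaf alone: verified (unexpected)"
else
    echo "leaf alone: fails, unable to get issuer certificate (intermediate missing)"
fi
verify_leaf "$WORK/root.crt" "$WORK/int.crt" && echo "leaf + intermediate: verified"
echo "certificates in fullchain.pem: $(build_fullchain)"
```

The same check works against a live server: openssl s_client -connect host:443 -servername host prints the chain it received, and "unable to get local issuer certificate" there means the intermediate was left out of the chain file.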

SSL Certificate Types


Different vendors provide different types of certificates with different levels of validation and warranty. Most vendors offer very similar features; the basic differences are listed below.

1. EV Certificate – An Extended Validation certificate, sometimes called a green bar certificate, involves additional business level checks to verify the company. Browsers used to display the organisation name in a green address bar for EV sites, giving the end user extra confidence that the company had been thoroughly validated; the major browsers dropped that distinct indicator in 2019 (Chrome 77, Firefox 70), so EV now mainly buys the stricter vetting. EV certificates often carry a higher level of warranty against fraud.

2. Standard Certificate – A standard certificate is often marketed as providing "128 to 256 bit encryption", but the symmetric key strength is negotiated between browser and server in the TLS handshake and does not depend on the certificate. What the certificate fixes is the public key (2048-bit RSA is the usual minimum) and the signature algorithm. The certificate authority verifies control of the domain (domain validation) or also the organisation (organisation validation), but not to the same depth as for an EV certificate.

3. Wildcard Certificate – A wildcard certificate (*.simplespider.com) allows a server, or several servers, to secure any number of hosts one label below the domain. The wildcard matches exactly one label, the portion up to the next period: example.simplespider.com and test.simplespider.com are both covered, but us.example.simplespider.com is not, because two labels precede simplespider.com. The bare simplespider.com is not matched by the wildcard either; certificate authorities usually add it as an extra Subject Alternative Name.

4. Multi Domain Certificates – A multi-domain (SAN or UCC) certificate covers several unrelated domains with a single certificate. Each name is listed in the certificate's Subject Alternative Name extension. Modern browsers check only that extension and ignore the Common Name, so every name, including the one used as the Common Name, must appear there.
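The one-label rule for wildcards above is the part people get wrong most often, so here is the matching logic a browser applies (RFC 6125 section 6.4.3) written out as a shell function. It is an added example for this page, not code from the original post, and the host names it is tried against are the ones used in the text.

```shell
#!/bin/sh
# Added example, not from the original post: how a certificate name is
# matched against a host name.  A wildcard covers exactly one label, so
# "*.simplespider.com" matches example.simplespider.com but neither
# us.example.simplespider.com nor the bare simplespider.com.
# cert_name_matches NAME HOST: exit 0 on match, 1 otherwise.
cert_name_matches() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # DNS names are case-insensitive
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$name" in
        '*.'*)
            suffix=${name#\*.}                # everything after the leading "*."
            # Reject "*.com"-style names: the suffix must itself contain a dot.
            case "$suffix" in *.*) ;; *) return 1 ;; esac
            left=${host%%.*}                  # the host's first label
            rest=${host#*.}                   # the host minus its first label
            # Match only when the host has exactly one label more than the
            # suffix and that label is not empty ($left = $host means no dot).
            [ "$rest" = "$suffix" ] && [ -n "$left" ] && [ "$left" != "$host" ]
            ;;
        *)  # Partial wildcards such as "ex*.simplespider.com" are not
            # accepted here, matching what current browsers do.
            [ "$name" = "$host" ] ;;
    esac
}

# cert_covers HOST NAME...: 0 if any of the certificate's names (the Common
# Name plus every Subject Alternative Name) matches HOST.
cert_covers() {
    host=$1; shift
    for n in "$@"; do
        cert_name_matches "$n" "$host" && return 0
    done
    return 1
}

# Walk through the examples from the text with a typical wildcard
# certificate whose SANs are "*.simplespider.com" and the bare domain.
for h in example.simplespider.com test.simplespider.com \
         us.example.simplespider.com simplespider.com other.com; do
    if cert_covers "$h" '*.simplespider.com' simplespider.com; then
        echo "$h: covered"
    else
        echo "$h: NOT covered"
    fi
done
```

If you need us.example.simplespider.com as well, you need a second wildcard (*.example.simplespider.com) or an explicit SAN for it; no single wildcard covers two levels.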

Generating SSL Certificate Request


Generate a 2048-bit RSA private key and the signing request in one step. -nodes leaves the private key unencrypted so the web server can start without a passphrase; keep the .key file readable only by root (mode 0600) and never send it to the certificate authority. Only the .csr file is submitted.

openssl req -new -newkey rsa:2048 -nodes -keyout ssl.simplespider.com.key -out ssl.simplespider.com.csr

Generating a 2048 bit RSA private key
.........................................+++
..............+++
writing new private key to 'ssl.simplespider.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Florida
Locality Name (eg, city) [Newbury]: Ormond Beach
Organization Name (eg, company) [My Company Ltd]: Simple Spider
Organizational Unit Name (eg, section) []:RD
Common Name (eg, your name or your server's hostname) []:ssl.simplespider.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Generating Wild Card SSL Certificate Request “CSR”


A wildcard CSR lets you secure multiple subdomains with one SSL certificate. This can reduce cost and the time it takes to bring up new subdomains in your organization. For instance you can install one certificate and use one IP address for both example.simplespider.com and test.simplespider.com. Several certificate authorities sell wildcard certificates at different price ranges. At the time of writing, Thawte sold wildcard certificates for about $500.00 per year plus a fee based on the number of servers, while Comodo sold them for a little less and allowed an unlimited number of servers.

To generate a wildcard CSR follow the same steps as for a regular certificate, but enter *.simplespider.com (the wildcard plus the registered domain, not a specific host name) as the Common Name.

openssl req -new -newkey rsa:2048 -nodes -keyout simplespider.com.key -out simplespider.com.csr

Generating a 2048 bit RSA private key
.....................................................+++
..............................................................................................................+++
writing new private key to 'simplespider.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Florida
Locality Name (eg, city) [Newbury]: Ormond Beach
Organization Name (eg, company) [My Company Ltd]: Simple Spider
Organizational Unit Name (eg, section) []: R-D
Common Name (eg, your name or your server's hostname) []:*.simplespider.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
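The interactive prompts above put the host name only in the Common Name, which modern browsers ignore: they require the name in a Subject Alternative Name extension, and some CAs reject CSRs without one. The script below is an added example for this page, not code from the original post. It generates both the standard and the wildcard CSR non-interactively from a small config file that carries the same Distinguished Name fields as the prompts, adds the SAN extension (the bare domain alongside the wildcard, as CAs usually issue it), keeps the unencrypted key at mode 0600, and reads the requested names back out of the CSR so you can check them before submitting. The output directory is a temporary one; point it at /etc/pki/tls for real use. It assumes an openssl command line is installed.

```shell
#!/bin/sh
# Added example, not from the original post: CSR generation with a Subject
# Alternative Name extension, plus a check of what the CSR actually asks for.

# make_csr OUTBASE CN NAME...: writes OUTBASE.key (mode 0600) and OUTBASE.csr
# requesting every NAME as a DNS Subject Alternative Name.  The DN fields
# mirror the interactive answers given above.
make_csr() {
    base=$1; cn=$2; shift 2
    sans=""
    for n in "$@"; do sans="${sans:+$sans,}DNS:$n"; done
    cat > "$base.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[dn]
C  = US
ST = Florida
L  = Ormond Beach
O  = Simple Spider
OU = RD
CN = $cn
[ext]
subjectAltName = $sans
EOF
    # The key is written without a passphrase (-nodes) so the web server can
    # start unattended; the umask keeps it from ever being world-readable.
    (umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$base.key" -out "$base.csr" -config "$base.cnf" 2>/dev/null)
}

# csr_sans FILE: print the DNS names requested in the CSR, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# csr_cn FILE: print the Common Name from the CSR subject.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

CSR_DIR=$(mktemp -d)        # use /etc/pki/tls/private and certs/ in practice
# Standard certificate for one host.
make_csr "$CSR_DIR/ssl.simplespider.com" ssl.simplespider.com ssl.simplespider.com
# Wildcard certificate; the bare domain is added as a second SAN because a
# wildcard on its own does not match it.
make_csr "$CSR_DIR/wildcard.simplespider.com" '*.simplespider.com' \
    '*.simplespider.com' simplespider.com

for c in "$CSR_DIR"/*.csr; do
    echo "$c: CN=$(csr_cn "$c") SANs: $(csr_sans "$c" | tr '\n' ' ')"
done
ls -l "$CSR_DIR"/*.key
```

Submit only the .csr file to the CA; the .key stays on the server and is what SSLCertificateKeyFile and ssl_certificate_key point at.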