Notes (2) – Setup SSL Certificate for your site

By Nethru Limited (www.nethru.com)

SSL

If you would like to set up an SSL certificate for your website, here are some steps that may help. Before you start the setup process, you have to buy and obtain an SSL certificate first.

Common certificate authorities such as VeriSign, Comodo Group, GoDaddy, GlobalSign, etc. charge for a cert; StartSSL has both free and paid plans.
(For details, please visit their official websites.)

Setup Steps:

  1. Generate Private Key and Certificate Signing Request (CSR)

    # server.key - your private key
    # server.csr - the CSR to be submitted to your certificate provider
    $ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

  2. Enter the information required for your cert.
  3. Submit the CSR file to your certificate provider.
  4. If you meet the requirements of your certificate provider, you should receive the signed cert for your domain, the intermediate certificate file and the root certificate file.
  5. Copy all the files to your server.
  6. Decrypt the private key you generated in step 1.

    # -nodes in step 1 already wrote server.key unencrypted; this writes it out again as private.key
    $ openssl rsa -in server.key -out private.key

  7. Protect your keys so that other users on the server cannot view the contents

    $ chmod 600 /path/to/your/certs

For Apache Users:

  1. Find the block for your site inside the Apache configuration files. The files are under directories like /etc/httpd/vhosts.d/ or /etc/httpd/sites/, or in a file called ssl.conf.
  2. Configure the block for the SSL-enabled site

    <VirtualHost 192.168.0.1:443>
    DocumentRoot /var/www/html
    ServerName www.yourdomain.com
    SSLEngine on
    # Signed cert for your domain received from your certificate provider
    SSLCertificateFile /path/to/your_domain_name.crt
    # The private key you decrypted in setup step 6
    SSLCertificateKeyFile /path/to/private.key
    # The intermediate certificate file you received from your certificate provider
    SSLCertificateChainFile /path/to/Intermediate_Cert.crt
    </VirtualHost>

  3. Restart your Apache server and try the result.

    $ apachectl stop
    $ apachectl start
    

For Nginx Users:

  1. Create a unified certificate.

    $ cat your_domain_name.crt Intermediate_Cert.crt RootCA.pem > ssl-unified.crt

  2. Configure the server block of your site.

    server {
      listen       443 ssl;
      server_name  www.yourdomain.com;

      # The unified cert generated in previous step.
      ssl_certificate      /path/to/ssl-unified.crt;
      # The private key you decrypted in setup step 6
      ssl_certificate_key  /path/to/private.key;

      ssl_session_cache   shared:SSL:10m;
      ssl_session_timeout 10m;

      ...
    }
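
Before restarting Apache or Nginx, it helps to confirm that the certificate (or the first certificate in ssl-unified.crt) really belongs to private.key and that the key file is closed to other users. The shell functions below are an added example, not part of the original article; the function names are hypothetical and the file names are the placeholders used in the steps above.

```shell
#!/bin/sh
# Added example: checks to run before restarting the web server.
# Function names are hypothetical; file names follow the article's placeholders.

# Succeeds only if the FIRST certificate in $1 carries the public key of the
# private key in $2. For ssl-unified.crt this also catches a wrong cat order,
# because the domain certificate must come before the intermediate and root.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if group and others have no permission bits on the key file
# (the state chmod 600 leaves it in).
key_is_private() {
    [ "$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Runs both checks, reports each failure on stderr, returns non-zero on any.
preflight() {
    rc=0
    cert_matches_key "$1" "$2" ||
        { echo "FAIL: first certificate in $1 does not match $2" >&2; rc=1; }
    key_is_private "$2" ||
        { echo "FAIL: $2 is accessible to group or others" >&2; rc=1; }
    return "$rc"
}

# Usage: sh preflight.sh /path/to/ssl-unified.crt /path/to/private.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2" && echo "OK: $1 and $2 are ready to deploy"
fi
```

For Apache, pass your_domain_name.crt as the first argument instead of the unified file.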
    

There are many different web servers; if you are using one that is not covered in this article, please search Google for how to configure it for SSL.
