Wednesday 8 May 2013

Secure your website with SSL - guidelines and experience


1.
First generate the private key
$ openssl genrsa -des3 -out server.key 2048
It will ask for a pass phrase. Apache will prompt for this pass phrase every time the web server starts (including reboots), so keep it somewhere safe. If you need unattended restarts, either strip the pass phrase from the key later (openssl rsa can do that) and rely on file permissions, or configure SSLPassPhraseDialog. 2048 bits is the minimum key size you should use.

2.
Now generate the CSR (Certificate Signing Request) file
$ openssl req -new -key server.key -out server.csr

This asks for information such as location, company name and Common Name. It is better to leave the "challenge password" empty. Be careful when entering the Common Name: it has to be the host name your users type.

If you serve your users at www.example.com, the Common Name should be "www.example.com". Once a certificate is issued for www.example.com it is not valid for example.com. If you want to secure the site both with and without www, there is an option you have to choose at the time of buying the certificate. If you want to secure all subdomains there is a different option again (a wildcard certificate for *.example.com; note that a wildcard does not cover the bare example.com either). Cost varies with the number of names you want to cover: at the time of writing VeriSign charges about USD 400 for one domain, USD 600 for with and without www, and around USD 1500 for unlimited subdomains. Modern browsers match the host name against the Subject Alternative Name extension rather than the Common Name, so check that every name you need appears there in the issued certificate.

3. Now use this CSR to obtain the certificate (a .crt file) from any CA (certificate authority) such as VeriSign (the costliest) or GoDaddy (the cheapest, maybe USD 10).

4. Once you buy the SSL certificate, the CA's product management will guide you on how to get the certificates. It is very simple.

5. In the case of VeriSign they take 2 to 4 days on average for the entire process, since they validate "CSR Verification", "Proof of Organization" and "Proof of Domain Registration".
They will ask for company registration certificates as part of the process. If you buy from GoDaddy there is no organization vetting; beyond checking that you control the domain, they issue the certificate from the CSR within minutes.

6. When downloading the certificates make sure you also download the intermediate certificate. The intermediate links your certificate to the CA's root: the browser trusts the root, the root signed the intermediate, and the intermediate signed your certificate. If you do not serve the intermediate, users whose browser has not already cached it will get an "untrusted" or "unknown issuer" error.

7. Deploy the certificates: copy these 3 files to the following places (Apache is restarted in step 8), and make sure the private key is readable only by root

$ cp server.key /etc/ssl/private/
$ chmod 600 /etc/ssl/private/server.key
$ cp example.com.crt /etc/ssl/certs/
$ cp intermediate.crt /etc/ssl/certs/


8. Now change the Apache configuration
Enable the SSL module. On Debian and Ubuntu run a2enmod ssl; on RedHat/CentOS install the mod_ssl package, which loads the module from its own ssl.conf.
Go to the virtual host configuration (the one listening on port 443) and write these lines

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3

SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateChainFile /etc/ssl/certs/intermediate.crt

Do not enable SSLv3: it is broken and every current browser speaks TLS, so disabling it costs nothing; if your Apache and OpenSSL support it, restrict the server to TLSv1.2 or later. Since Apache 2.4.8 SSLCertificateChainFile is deprecated; on those versions append the intermediate certificate to the file named in SSLCertificateFile instead.

$ /etc/init.d/apache2 restart (It will ask for the pass phrase that you created at step 1)
- and it's done :)
9. To check that everything was done properly there are several websites; one is http://www.sslshopper.com/ssl-checker.html. Such checkers verify from the outside that the chain is complete, that the certificate matches the host name, and that no weak protocol is enabled.
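The whole procedure above, run end to end, as an added example that is not part of the original post. It builds a throwaway local root CA plus intermediate CA to stand in for VeriSign or GoDaddy (in real life you send server.csr to the CA and receive the .crt and intermediate files back), and then runs the checks worth doing before copying anything into /etc/ssl: the CSR carries the right Common Name, the returned certificate really belongs to your key, the chain only verifies when the intermediate is present, and a certificate for www.example.com is not valid for example.com. The host name www.example.com, the demo pass phrase and the mktemp scratch directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the key -> CSR -> certificate ->
# chain workflow above, run against a throwaway local CA that stands in for
# the commercial CA, plus the checks worth running before deploying.
# Assumptions: host name www.example.com, a demo pass phrase, scratch dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-www.example.com}"
PASS="${PASS:-changeit}"          # demo pass phrase; never hard-code a real one

# Steps 1-2: pass-phrase protected key and CSR. -subj replaces the interactive
# prompts and deliberately sets no challenge password. AES-256 is used instead
# of the post's -des3; both just encrypt the key file under the pass phrase.
gen_key_and_csr() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -passin "pass:$PASS" \
        -subj "/C=US/O=Example Inc/CN=$CN" -out "$WORK/server.csr" 2>/dev/null
}

# Check the CSR before sending it to the CA: print its Common Name.
csr_cn() {
    openssl req -in "$WORK/server.csr" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Steps 3-5 stand-in: a local root CA with one intermediate CA under it,
# mirroring the root -> intermediate -> server chain a real CA hands you.
make_local_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/root.ext"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -subj "/CN=Demo Root CA" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/root.ext" -days 30 -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/intermediate.key" \
        -subj "/CN=Demo Intermediate CA" -out "$WORK/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/int.ext" \
        -days 30 -out "$WORK/intermediate.crt" 2>/dev/null
}

# The intermediate signs the server CSR. The host name goes into the
# subjectAltName extension, which is what browsers actually match against.
issue_server_cert() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$CN" > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" \
        -CAkey "$WORK/intermediate.key" -CAcreateserial -extfile "$WORK/server.ext" \
        -days 30 -out "$WORK/server.crt" 2>/dev/null
}

# Pre-deployment check 1: the certificate really belongs to this key
# (same RSA modulus in both).
key_matches_cert() {
    k=$(openssl rsa -in "$WORK/server.key" -passin "pass:$PASS" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$WORK/server.crt" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# Pre-deployment check 2: the chain verifies against the root only when the
# intermediate is supplied (step 6). $1 is "with" or "without".
verify_chain() {
    if [ "$1" = with ]; then
        openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" \
            "$WORK/server.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
    fi
}

# Pre-deployment check 3: the certificate is valid for the host name users
# type. A certificate for www.example.com is not valid for example.com.
cert_valid_for_host() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" \
        -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Step 7 helper: a pass-phrase-free copy for unattended restarts, written
# under a restrictive umask so only its owner can read it.
strip_passphrase() {
    umask 077
    openssl rsa -in "$WORK/server.key" -passin "pass:$PASS" \
        -out "$WORK/server.nopass.key" 2>/dev/null
}

run_demo() {
    gen_key_and_csr;  echo "CSR CN: $(csr_cn)"
    make_local_ca;    issue_server_cert
    key_matches_cert            && echo "key matches certificate"
    verify_chain with           && echo "chain OK with intermediate"
    verify_chain without        || echo "chain FAILS without intermediate"
    cert_valid_for_host "$CN"   && echo "valid for $CN"
    cert_valid_for_host example.com || echo "not valid for example.com"
    strip_passphrase;           echo "files left in $WORK"
}
if [ "${1:-}" = "--run" ]; then run_demo; fi
```

Run it as `sh ssl-check.sh --run`. With a real CA, drop make_local_ca and issue_server_cert, put the .crt and intermediate the CA returned into the scratch directory under the same names, and point -CAfile at the CA's root (or your system trust store) instead of root.crt; the three checks then tell you exactly what the online checker in step 9 would tell you, before the site goes live.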