SSL Overview and how to Install SSL Certificates on Nginx/Apache
An overview of SSL (Secure Socket Layer) from the perspective of site security and Linux
SSL (Secure Socket Layer) is a protocol used by web servers to make a secure connection between the user and the web application/website.
As you may already know, this is how the web works: your browser sends requests and information to the server, and the server processes them and sends back other information. This information travels over the Internet in packets; over plain http these packets can easily be eavesdropped on and read by anyone. This is where https, or SSL, comes into the picture: with https the information in the packets is encrypted based on the SSL certificate and is very difficult to decode.
When should you use SSL?
- If you are accepting online payments.
- Authentication: if you have sensitive information stored in your portal and customers or employees log in to it. Typically, any login to your web application.
- Building the trust of your customers.
- If your site is a popular one, using SSL can help lower web application threats.
What is SSL?
SSL stands for Secure Socket Layer and is a protocol that enables services communicating over the Internet to carry out transactions securely. SSL has since been replaced by TLS (Transport Layer Security), which is newer and more secure. SSL behaves like a digital passport: it verifies the credentials of both you/your users and the web server. When both identities are verified, SSL grants a secured connection through HTTPS. This process is performed using certificates.
Below is the information carried by an SSL certificate:
- The web application or website owner's name
- The certificate's serial number, used for identification
- The certificate's expiration date
- The certificate's public key, used to encrypt information
- The certificate's private key, used to decrypt information (usually held on the web server)
Different Types of SSL
In general there are three different types of SSL certificates you could use. You can also get a free certificate as a limited-time trial offer with fewer features.
A. Dedicated SSL: This is the most secure and evidently the most expensive solution. An HTTPS connection is verified only for your root domain, targeted via a designated IP address.
B. Shared SSL: Web hosts which offer shared hosting will sometimes have multiple domain names pointing to the same IP address. In this case it is much easier for the host to manage one single SSL certificate on each server spanning an array of different websites.
C. Wildcard SSL: These can be similar to a dedicated or shared SSL certificate depending on server configuration. Wildcard SSL certificates cover multiple subdomains of your website. This is a viable solution if you split different functions of your website across subdomains, e.g. login.yourdomain.com, pay.yourdomain.com, etc.
Initial information to create SSL certificates in Linux
Major points to cover when generating and configuring an SSL certificate for your web application or website in Linux:
- An up-to-date version of OpenSSL installed on your server
- Choose a strong key size, e.g. rsa:2048 rather than rsa:1024
- Choose a signature algorithm, e.g. SHA256 (preferred) or SHA1
- Proper certificate information, with the following fields:
  - Common Name
  - Organizational Unit
  - Organization Name
  - Proper communication address with postal code
Process to create SSL certificates in Linux
- Create a CSR on your server
- Submit the CSR to a CA
- Configure the SSL certificate in your web application
- Validate your web application
1. Create a CSR on your server
Use the command below to create a CSR (Certificate Signing Request) together with a new private key file.
# openssl req -new -newkey rsa:2048 -nodes -keyout ktree.com.key -out ktree.com.csr
Generating a 2048 bit RSA private key
...................................................+++..........+++
writing new private key to 'ktree.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Telengana
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KTree Computers Solutions
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:ktree.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:KTree Computers Solutions Pvt. Ltd.
2. Submit the CSR to a CA
Register with a reputed/popular CA of your choice.
SSL certificate providers are called CAs (Certificate Authorities); the most popular global CAs in the market are listed below:
- https://www.comodo.com/
- https://www.digicert.com/ssl-certificate.htm
- https://in.godaddy.com/web-security/ssl-certificate
- https://www.symantec.com/ssl-certificates/?
- https://www.thawte.com/ssl/
- https://ssl.trustwave.com/
Choose a proper subscription/tariff based on your SSL certificate requirements and submit the generated CSR. Based on the address provided during CSR generation, the CA carries out a background address verification. If your address verification succeeds, you will receive from the CA a signed certificate file at your registered communication email address, with the same file name but with the file extension CER. Before continuing, ensure that there is only one CER file. In some cases, you may receive the CA's chain certificates as individual files. Any blank lines in the CER file must be removed.
3. Configure the SSL certificate in your web application
The most widely adopted web server software types are listed below:
- Apache2
- NGINX
- Java Apache-Tomcat
- Oracle WebLogic
- IBM HTTP Server and WebSphere
- Microsoft IIS
Configure your web server's virtual host to listen for SSL requests on port 443 (the standard SSL port). Add the paths of your CRT and KEY files as well as the CA's chain certificate file.
The Apache virtual host configuration is shown below; before configuring it, enable the SSL module for Apache.
Command: a2enmod ssl
Open the virtual host file (under sites-enabled) and add the configuration below:
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ktree.com.crt
    # keep the private key readable by root only (chmod 600)
    SSLCertificateKeyFile /etc/ssl/certs/ktree.com.key
    # intermediate certificates received from the CA (path is a placeholder)
    SSLCertificateChainFile /etc/ssl/certs/ktree.com.chain.crt
</VirtualHost>
Restart the apache2 service
#service apache2 restart
The NGINX virtual host configuration is shown below:
Open the virtual host file (under sites-enabled) and add the configuration below:
server {
    # "listen 443 ssl;" replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    root /usr/share/nginx/html;
    index index.html index.htm;
    server_name your_domain.com;
    # NGINX expects the server certificate followed by the CA chain in this one file
    ssl_certificate /etc/ssl/certs/ktree.com.crt;
    ssl_certificate_key /etc/ssl/certs/ktree.com.key;
    ssl_session_timeout 5m;
    # SSLv2/SSLv3 and TLS 1.0/1.1 are broken or deprecated; offer only TLS 1.2+
    # (TLSv1.3 needs NGINX 1.13.0+ built against OpenSSL 1.1.1+)
    ssl_protocols TLSv1.2 TLSv1.3;
    # no anonymous (aNULL), export, LOW or RC4 suites
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
Check that NGINX is configured properly with the SSL certificates
#nginx -t
Restart the nginx service
#service nginx restart
4. Verify your web application/web site with SSL or HTTPS
Browse your site URL over https, as shown in the URL below:
5. Validating and improving the SSL configuration of your web application/web site
You can also check your SSL certificate for errors or warnings using a few third-party online tools, which will suggest how to improve and strengthen your SSL configuration.
The following websites can scan your SSL/HTTPS configuration and suggest improvements to bring it up to standard:
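As an added example (not part of the original article), the script below performs a basic version of what those online scanners check for steps 4 and 5: it connects to the site with SNI and chain verification, then flags a negotiated protocol below TLS 1.2, a certificate that is expired or expires within 30 days, and a certificate whose DNS names (SAN, or CN as a fallback) do not cover the hostname. SAMPLE_CERT is a constructed dictionary in the shape ssl's getpeercert() returns, using the article's ktree.com name, so the checks can be exercised offline.

```python
import socket
import ssl
from datetime import datetime, timezone
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "ktree.com"),),),
    "subjectAltName": (("DNS", "ktree.com"), ("DNS", "*.ktree.com")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

def hostname_in_cert(hostname, cert):
    """True if hostname matches a DNS SAN (or the CN when no SAN is present)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificates without SAN: fall back to the CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in names:
        if name.startswith("*."):
            # a wildcard covers one label only: login.ktree.com, not a.b.ktree.com
            if hostname.count(".") == name.count(".") and hostname.endswith(name[1:]):
                return True
        elif name.lower() == hostname.lower():
            return True
    return False

def check_cert(hostname, cert, protocol, now=None):
    """Return a list of findings; an empty list means the site passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"negotiated {protocol}; enable only TLSv1.2 and TLSv1.3")
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < 30:
        findings.append(f"certificate expires in {days_left} days; renew it")
    if not hostname_in_cert(hostname, cert):
        findings.append(f"certificate does not cover {hostname}")
    return findings

def scan(hostname, port=443):
    """Connect like a browser would (SNI, chain verification, TLS 1.2+) and check."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return check_cert(hostname, tls.getpeercert(), tls.version())
    except OSError as exc:  # untrusted chain, name mismatch or no TLS 1.2+ fail here
        return [f"handshake failed: {exc}"]
```

Run scan("your_domain.com") against a live host; because the default context refuses anything below TLS 1.2 and untrusted chains, a handshake failure is itself a finding to act on.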