An SSL (Secure Sockets Layer) certificate is a must for any e-commerce or data-driven application. Nowadays, to integrate with social platforms such as Google or Facebook, an SSL/HTTPS URL is required before they will hand over geolocation or any map-related data. Some time ago I covered the installation of an SSL certificate, but I left out a few configuration settings that are needed to get an A+ rating for the website. An A+ rating means the site meets the accepted standard and works smoothly on every platform.
COMODO sells a PositiveSSL certificate for $8.67. Buying the certificate alone does not give you an A+ rating: a few Apache and OpenSSL configuration settings must be right as well. Follow this tutorial to get an A+ rating easily.
Step 1
Open your server terminal and generate the private key file (2048-bit RSA).
root:/home# openssl genrsa -out domain.key 2048
Generating RSA private key, 2048 bit long modulus
....++++++
............++++++
e is 65537 (0x10001)
Step 2
Generate the certificate request file (saved here as domain.crt) with domain.key. This is the signing request you submit to the certificate provider; the signed certificate comes back from COMODO in the next section.
root:/home# openssl req -new -key domain.key -out domain.crt
Enter pass phrase for domain.key: Key Password
Country Name (2 letter code) [AU]:IN // Country Code
State or Province Name (full name) [Some-State]:Tamilnadu // State
Locality Name (eg, city) []:Chennai // City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:9lessons
Organizational Unit Name (eg, section) []:software
Common Name (eg, YOUR name) []:www.domain.com //
Email Address []:[email protected] // Domain Verification
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:SSL Password // No special characters
An optional company name []:egglabs
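Before uploading the request from Step 2, it is worth checking that the key really is 2048-bit, that the request was signed with that key, and that the Common Name is the hostname you expect the CA to issue for. The script below is an added example, not part of the original tutorial: it creates a throwaway key and request in a temporary directory with the same two openssl commands as Steps 1 and 2 (the subject is passed with -subj so it runs non-interactively), then runs those checks as shell functions. Point KEY and CSR at your real domain.key and domain.crt to check those instead.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check a private key and
# certificate request before submitting the request to the CA.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/domain.key"
CSR="$WORK/domain.csr"

# Same commands as Steps 1 and 2; the subject values below are constructed for the demo.
openssl genrsa -out "$KEY" 2048 2>/dev/null
openssl req -new -key "$KEY" -out "$CSR" \
    -subj "/C=IN/ST=Tamilnadu/L=Chennai/O=9lessons/OU=software/CN=www.domain.com" 2>/dev/null

# Returns 0 when the RSA modulus of the key has at least $2 bits.
# The first line of 'openssl rsa -text' reads "...Private-Key: (2048 bit...)" on 1.0.2, 1.1.1 and 3.x.
key_bits_ok() {
    bits=$(openssl rsa -noout -text -in "$1" 2>/dev/null | head -1 \
           | sed -n 's/.*(\([0-9]*\) bit.*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# Returns 0 when the request was built from this key (identical RSA modulus).
key_matches_csr() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl dgst -sha256)
    c=$(openssl req -noout -modulus -in "$2" | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Returns 0 when the request's Common Name is the expected hostname.
# Works with both subject formats ("/CN=host" on 1.0.2, "CN = host" on newer releases).
csr_cn_is() {
    openssl req -noout -subject -in "$1" | grep -q "CN *= *$2"
}

# Returns 0 when the file is a certificate *request*, whatever its extension:
# Step 2 writes a request even though the tutorial names the file domain.crt.
is_csr() {
    head -1 "$1" | grep -q 'BEGIN CERTIFICATE REQUEST'
}

if key_bits_ok "$KEY" 2048 && key_matches_csr "$KEY" "$CSR" \
   && csr_cn_is "$CSR" www.domain.com && is_csr "$CSR"; then
    echo "request checks passed: $CSR"
else
    echo "request checks FAILED" >&2
    exit 1
fi
```

A request that fails key_matches_csr would be issued for a key you do not hold, so the resulting certificate would be useless on your server; a wrong Common Name gets you a certificate for the wrong hostname. Both are far cheaper to catch here than after the CA has issued the certificate.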
COMODO Positive SSL
I got the PositiveSSL from SSL2BUY.com. Once your SSL certificate order is successful, download domain.crt from your server and submit it to the SSL provider. The provider (e.g. COMODO) will then send a domain verification mail to the address you specified in the CRT file ([email protected]).
COMODO Certificate Files
COMODO will send you the following certificate files.
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)
Create A COMODO Bundle File
In the terminal, concatenate the following files to create the bundle; keep exactly this order (your domain's issuing CA first, the root CA last).
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ca-bundle.crt
If you are a Windows user, open the files in Notepad and paste their contents, in the same order, into a single file.
Openssl
Use OpenSSL 1.0.2; lower versions have known vulnerabilities. I am using the latest XAMPP server.
Step 3
Copy the certificate, key and bundle files into the XAMPP SSL directories.
root:/home# cp www_example_com.crt /opt/lampp/etc/ssl.crt/www_example_com.crt
root:/home# cp domain.key /opt/lampp/etc/ssl.key/domain.key
root:/home# cp ca-bundle.crt /opt/lampp/etc/ssl.crt/ca-bundle.crt
Step 4
Enable the SSL module in the Apache configuration file (vi /opt/lampp/etc/httpd.conf) by making sure this line is present and not commented out:
LoadModule ssl_module modules/mod_ssl.so
Step 5
Modify the SSL configuration file (vi /opt/lampp/etc/extra/httpd-ssl.conf) so the virtual host points at the files copied in Step 3:
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/opt/lampp/htdocs"
ServerName www.domain.com
ServerAdmin [email protected]
ErrorLog /opt/lampp/logs/error_log
TransferLog /opt/lampp/logs/access_log
# Server Certificate:
SSLCertificateFile /opt/lampp/etc/ssl.crt/www_example_com.crt
# Server Private Key:
SSLCertificateKeyFile /opt/lampp/etc/ssl.key/domain.key
# Certificate Authority (CA):
SSLCertificateChainFile /opt/lampp/etc/ssl.crt/ca-bundle.crt
</VirtualHost>
In the same file, add the following lines after the Listen 443 line. Make sure you do not end up with duplicates of directives that already exist in the file. These settings protect against POODLE, the OpenSSL padding oracle vulnerability, BEAST, Heartbleed and similar attacks. The Header directives need mod_headers to be loaded in httpd.conf.
Listen 443
SSLInsecureRenegotiation off
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:RSA+AESGCM:!aNULL:!MD5:!DSS:!LOW:!MEDIUM
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
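A single mistyped line in this block silently costs the rating: for instance, a cipher string where an exclusion is glued to the previous rule ("RSA+AESGCM!aNULL" with no ':' before the '!') is the kind of slip that is hard to spot by eye. The script below is an added example and not part of the tutorial: it audits a config text for the directives above (SSLv3 disabled, anonymous ciphers excluded, cipher order honoured, compression and insecure renegotiation off, OCSP stapling on, HSTS header present) and flags the missing-separator typo. The three inputs are constructed for the demo: a stock-looking weak config, the hardened block from this step, and the hardened block with the separator typo. To audit the real file, call audit_ssl_conf "$(cat /opt/lampp/etc/extra/httpd-ssl.conf)".

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit httpd-ssl.conf text for the
# hardening directives of Step 5. Findings go to stderr, the finding count to stdout.

# Print the value of the first occurrence of directive $1 in $conf (empty if absent).
value_of() {
    printf '%s\n' "$conf" \
      | sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p" \
      | head -1
}

flag() { echo "  - $1" >&2; n=$((n + 1)); }

audit_ssl_conf() {
    conf="$1"
    n=0

    # SSLv3 must be disabled (POODLE). Accepts an explicit "-SSLv3" or a TLS-only list;
    # anything else (e.g. "all") is flagged for review.
    proto=$(value_of SSLProtocol)
    case " $proto " in
        *" -SSLv3 "*|" TLSv1"*|" +TLSv1"*) ;;
        "  ") flag "SSLProtocol not set" ;;
        *)    flag "SSLProtocol does not disable SSLv3: '$proto'" ;;
    esac

    ciphers=$(value_of SSLCipherSuite)
    if [ -z "$ciphers" ]; then
        flag "SSLCipherSuite not set"
    else
        case "$ciphers" in
            *'!aNULL'*) ;;
            *) flag "SSLCipherSuite does not exclude anonymous ciphers (!aNULL)" ;;
        esac
        # A '!' directly after an alphanumeric means a missing ':' separator.
        if printf '%s' "$ciphers" | grep -Eq '[A-Za-z0-9]![A-Za-z]'; then
            flag "SSLCipherSuite: exclusion not separated by ':' (e.g. AESGCM!aNULL)"
        fi
    fi

    case "$(value_of SSLHonorCipherOrder)" in [Oo][Nn]) ;; *) flag "SSLHonorCipherOrder is not On" ;; esac
    case "$(value_of SSLCompression)" in [Oo][Ff][Ff]) ;; *) flag "SSLCompression is not off" ;; esac
    case "$(value_of SSLInsecureRenegotiation)" in [Oo][Ff][Ff]) ;; *) flag "SSLInsecureRenegotiation is not off" ;; esac
    case "$(value_of SSLUseStapling)" in [Oo][Nn]) ;; *) flag "SSLUseStapling is not on" ;; esac
    printf '%s\n' "$conf" \
      | grep -Eq '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' \
      || flag "Strict-Transport-Security header not set"

    echo "$n"
}

# Constructed inputs for the demo.
WEAK=$(cat <<'EOF'
Listen 443
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLCompression on
EOF
)
HARDENED=$(cat <<'EOF'
Listen 443
SSLInsecureRenegotiation off
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:RSA+AESGCM:!aNULL:!MD5:!DSS:!LOW:!MEDIUM
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets Off
EOF
)
# Same block with the ':' before !aNULL dropped.
TYPO=$(printf '%s\n' "$HARDENED" | sed 's/RSA+AESGCM:!aNULL/RSA+AESGCM!aNULL/')

for name in WEAK HARDENED TYPO; do
    eval "text=\$$name"
    echo "$name config:" >&2
    echo "  findings: $(audit_ssl_conf "$text")" >&2
done
```

The audit is deliberately conservative: it reads the first occurrence of each directive, so if the file still contains the stock SSLProtocol or SSLCipherSuite line above your additions, the count tells you that the duplicate is what the server will actually use.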
Step 6
Allow traffic to your server on the SSL port, 443.
Thank you buddy for showing the exact procedure to use an SSL certificate. I bought an SSL on Black Friday; now I will give it a try for my blog.
Great !!
This is valuable information. Thanks for sharing this.