
Get and Install a Cheap SSL Cert

What is an SSL Cert?

SSL stands for Secure Sockets Layer, a cryptographic method that was developed in the mid-90s to add a layer of encryption to web communications. You’ve probably seen that most web addresses take the form of http://website.com or https://website.com. The former is the usual, non-encrypted version and the latter is the encrypted version supported by SSL.

It works by using a public/private keypair. When a user requests information from a website the client computer and server negotiate the encryption and responses are decrypted on the client for display in your browser. All of this is transparent to the user. In practice the encryption and decryption are quick enough to be unnoticeable.

Why is it so important?

a) SSL is essential if one wants to ensure that no-one is able to read your traffic. For example, imagine you are on an online store without SSL protection. It would be possible for a third party to listen in to your communications and view any transmitted data in the clear, e.g. your credit card details. Fortunately almost all ecommerce websites implemented SSL years ago. It is, however, important to note that many non-ecommerce websites do not support SSL and some of these can expose your data, e.g. username, email address and anything else you enter onto a web form.

b) In an attempt to improve the state of web security many browsers are now warning users that they are at risk when they visit a non-SSL website. Best to implement SSL in case your readership ends up being scared off. If a cert is present, you can click on an icon in your browser to view the details of the cert, including site, company and validity.

How do I obtain an SSL Cert?

There are a variety of methods, some free, some paid and the most suitable method depends on your skill level and web hosting. If you are on a typical shared hosting plan, e.g. Go Daddy, Blacknight, etc, you can ask your provider. They will charge a small fee for implementation.

If, like me, you host your own websites on a dedicated server or VPS you can either purchase a cert from an accredited source or get a free cert from a service like LetsHost or Cloudflare. There are, of course, some limitations to the latter, so I generally purchase my certificates. They are not expensive.

In my case I usually purchase a Greenbar or PositiveSSL from SSLs.com. PositiveSSL certs are issued by Comodo, one of the largest providers. This is a very basic cert, but it does offer all you need for a basic website or blog.

Getting an SSL for a Linux Install

This website is hosted on a Linux server that I maintain so I can’t just ask my hosting provider to do the work for me. So I’ve ordered a PositiveSSL on SSLs.com. Remember that the cert contains some identification information about your website? We will need to encode this into a CSR file for Comodo to process. First step? Log into the server, generate a key and CSR. I will use openssl to do this.

Here I’m creating a new 4096-bit RSA key and outputting a CSR file signed with SHA-256. I generally use 4096, many are quite content with 2048. The system will generate the key and ask a series of questions about the site details:

Fill in the details and the CSR will be generated. Load it up and you will see the encoded certificate request. This is required for the next step.

# less cmsbloke.csr
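
One way to run the key and CSR step described above and check the result before sending it to the CA. This is an added example, not the author's original command: the subject values, the scratch directory and the helper names make_csr, spki_digest and check_csr are assumptions, and -nodes assumes the key is left unencrypted.

```shell
#!/usr/bin/env bash
# Added example: create the key and CSR, then sanity-check them before
# pasting the CSR into the CA's order form. Subject values are constructed.

make_csr() {   # $1=dir  $2=base name  $3=subject DN  $4=RSA bits (default 4096)
    ( umask 077   # private key readable by its owner only
      # -nodes (assumption): key is left unencrypted so Apache can start unattended
      openssl req -new -newkey "rsa:${4:-4096}" -sha256 -nodes \
          -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" 2>/dev/null )
}

spki_digest() {   # hash a PEM public key read from stdin
    openssl sha256 | awk '{print $NF}'
}

check_csr() {   # $1=key file  $2=CSR file; returns 0 only if every check passes
    local text key_pub csr_pub
    # 1. The CSR's self-signature verifies (message text differs across versions).
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. The CSR carries the public half of this private key.
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | spki_digest)
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null | spki_digest)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] || return 2
    # 3. Key size and signature hash are what was intended.
    text=$(openssl req -in "$2" -noout -text 2>/dev/null)
    echo "$text" | grep -q 'Public-Key: (4096 bit)' || return 3
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 4
}

# Demo in a scratch directory; on the server the files would live beside
# the vhost's SSL files instead.
workdir=$(mktemp -d)
make_csr "$workdir" cmsbloke "/C=IE/O=Example Org/CN=example.test"
check_csr "$workdir/cmsbloke.key" "$workdir/cmsbloke.csr" && echo "CSR OK"
```

Only the .csr file goes to the CA; the .key file stays on the server and is the one the vhost later points at.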

Time to head over to our control panel on SSLs.com and paste the CSR contents when asked. You will be given a number of options to verify that you are the website owner. Select “Upload a file”. You will be issued with a file to upload to a specific location on your website. Upload it and your SSL certificate will be issued once the authority verifies that the file is accessible.

Right, after a few minutes' wait my SSL certificate has been delivered by Comodo. The zip file contains the usual components:

cmsbloke.com.crt
cmsbloke.com.ca-bundle

Both need to be installed. I’m using Apache so I will open the relevant vhost, make a clone for port 443 and enter the following details into the new vhost.

SSLEngine on
SSLCertificateFile /etc/apache2/.ssl/cmsbloke.com.crt
SSLCertificateChainFile /etc/apache2/.ssl/cmsbloke.com.ca-bundle
SSLCertificateKeyFile /etc/apache2/.ssl/cmsbloke.key

The relevant files are the two mentioned above and the key that the CSR was generated from. Restart Apache to activate.

Remember to update your CMS settings with the new address. For WordPress go into Settings | General and update the WordPress and site URLs.

To ensure that all of your clients are reaching you via SSL, add a rule to your .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This will enforce an HTTPS connection.

 

 
