Holy SSL Batman…

Just for fun and, well, as a learning experience, I have SSL’d my site. Why? Why not.

Every good Infrastructure Engineer/Manager should know how and now I do. It was much simpler than I thought.

If you need a good, simple SSL certificate that will cost you nothing, I recommend www.startssl.com. They offer a simple Class 1 SSL certificate that is great for blogs and non-eCommerce platforms. It is not as strong an assurance as Class 2 or 3, but you have to understand what the classes mean.

Basically, a Class 1 certificate doesn’t require any extensive proof of who you or your organization are. The other classes verify more information about who is getting the certificate and what they’re doing with it. Since my site is just my useless thoughts, Class 1 is just fine.

Hit them up if you need a simple SSL cert. Class 1 certificates are free, so if you’re experimenting that’s definitely the way to go.

More on what I did after the jump.

Essentially I signed up on their site. READ THE DIRECTIONS.

I got my ssl.key and ssl.crt files plus a few others and configured Apache to use them. An example Apache virtual host block looks like the one below. Notice the redirect virtual host first: it redirects non-SSL requests to the SSL site without a lot of fuss with the .htaccess file.

# Plain-HTTP host: only job is to send everyone to the HTTPS site
<VirtualHost *:80>
ServerName www.yourserver.com
HostNameLookups on
ServerAlias www.yourserver.com
Redirect permanent / https://www.yourserver.com/
</VirtualHost>

# HTTPS host: serves the site and carries the SSL settings
<VirtualHost *:443>
ServerName www.yourserver.com
HostNameLookups on
ServerAlias www.yourserver.com
UseCanonicalName off
DocumentRoot /var/www/www.yourserver.com

<Directory />
Options FollowSymLinks
AllowOverride all
Order allow,deny
allow from all
</Directory>

SSLEngine on
SSLProtocol +SSLv3 +TLSv1
SSLCertificateFile /var/www/ssl.crt
SSLCertificateKeyFile /var/www/www.yourserver.com.key.nopass
SSLCertificateChainFile /var/www/sub.class1.server.ca.pem
# Log protocol and cipher per request; the inner quotes around %r must be escaped
CustomLog /var/log/apache2/www.yourserver.com-ssl-request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Keep in mind that you want your certificate files in an area that web users cannot reach. You can also decrypt the .key file (strip its passphrase) so that Apache won’t ask for the decryption password each time the daemon restarts. This may not be secure, but in my case I really don’t care.
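As an added example (not the author’s configuration), here is the same pair of virtual hosts with the settings a practitioner would tighten before relying on a passphrase-less key: SSLv3 disabled in favour of TLS 1.2+, the Directory block scoped to the DocumentRoot instead of /, the key stored outside the web tree with restrictive file permissions, and an HSTS header. The /etc/ssl paths, the Apache 2.4 access syntax and mod_headers being enabled are assumptions.

```apache
# Added example: hardened counterpart to the vhost pair above (not the author's config).
# Assumed paths: certificates under /etc/ssl/certs, private key under /etc/ssl/private.
<VirtualHost *:80>
    ServerName www.yourserver.com
    # Plain HTTP exists only to bounce clients to HTTPS
    Redirect permanent / https://www.yourserver.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.yourserver.com
    DocumentRoot /var/www/www.yourserver.com

    # Grant access to the document root only, not the whole filesystem,
    # and do not let .htaccess files override server settings
    <Directory /var/www/www.yourserver.com>
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    SSLEngine on
    # Allow only TLS 1.2 and newer; SSLv3 and early TLS are disabled
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # Prefer the server's cipher order and offer only forward-secret AEAD suites
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5

    # The key lives outside /var/www so it can never be served, and is owned
    # by root with mode 0600 (chmod 600 /etc/ssl/private/www.yourserver.com.key).
    # That permission is what compensates for stripping the passphrase.
    SSLCertificateFile      /etc/ssl/certs/www.yourserver.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.yourserver.com.key
    SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem

    # Tell browsers to stay on HTTPS for a year (requires mod_headers;
    # enable only after confirming the HTTPS site works)
    Header always set Strict-Transport-Security "max-age=31536000"

    CustomLog /var/log/apache2/www.yourserver.com-ssl-request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

Run `apachectl configtest` after editing, and check the log file to confirm every connection shows TLSv1.2 or newer.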
