Setting Up an SSL Website

Note: This process has been completely automated by the installer, so the rest of this page is now redundant.

CentOS

First install the Apache SSL module with

yum -y install mod_ssl

You need to install a proper commercial certificate, which you can buy from many certificate authorities out there such as StartSSL, GoDaddy, Thawte, Verisign and many others. Whichever one you choose, you must first generate the Certificate Signing Request ("CSR") like this:

openssl req -newkey rsa:2048 -keyout zendto-ssl.pass.key -out zendto-ssl.csr

Give a simple short passphrase at the 2 passphrase prompts; you will remove it again in a minute. Then answer the questions as follows, substituting your country, organisation and so on as relevant. The important ones to note are:
  • Common Name: this must be the public name by which the web server is known. This is the name people will enter in their web browsers.
  • Email Address: this is often the email address to which the SSL certificate authority you use will send reminders about renewals.
  • 'extra' attributes: these can be safely left blank.

Country Name (2 letter code) [US]:US
State or Province Name (full name) [Oregon]:Oregon
Locality Name (eg, city) [Portland]:Portland
Organization Name (eg, company) [My Company Ltd]:University of Portland
Organizational Unit Name (eg, section) []:Computer Science
Common Name (eg, your name or your server's hostname) []:www.zendto.portland.edu
Email Address []:helpdesk@portland.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

If you leave the passphrase on your key file zendto-ssl.pass.key, then your web server will not be able to start automatically when your server boots, which is a Very Bad Thing(tm). So remove the passphrase again right now like this:

openssl rsa -in zendto-ssl.pass.key -out zendto-ssl.key

At the prompt, enter the same passphrase as you did right at the start of these instructions.

Submit the zendto-ssl.csr file as your Certificate Signing Request (or "CSR") to your certificate authority. Once they have approved your application, they will send you a certificate file which you should call zendto-ssl.crt. To be sure you have the right file (some Certificate Authorities send you a zip file containing all sorts of things), take a look at the certificate file. It is text-based and is just about human-readable. It should start something like this:

-----BEGIN CERTIFICATE-----
MIIEPjCCA6egAwIBAgICGRgwDQYJKoZIhvcNAQEFBQAwgcsxCzAJBgNVBAYTAi0t

Now copy the files in place and set their permissions:

cp zendto-ssl.key /etc/pki/tls/private
cp zendto-ssl.crt /etc/pki/tls/certs
chmod go-rwx /etc/pki/tls/certs/zendto-ssl.crt
chmod go-rwx /etc/pki/tls/private/zendto-ssl.key

Now you need to create the virtual host in your Apache configuration to use the files you have put in place. Fortunately, most of the work has already been done for you by CentOS. Edit the file /etc/httpd/conf.d/ssl.conf.

  1. Uncomment the "DocumentRoot" setting and set it to "/opt/zendto/www". Note that the double quotes are part of the setting.
  2. Uncomment the "ServerName" setting and set it to the name of the web server just as you put in the CSR above. In my example above, you would set it to "www.zendto.portland.edu:443".
  3. Find the "SSLCertificateFile" setting and set it to "/etc/pki/tls/certs/zendto-ssl.crt".
  4. Find the "SSLCertificateKeyFile" setting and set it to "/etc/pki/tls/private/zendto-ssl.key".

There is one last thing to do. You don't want your website to be available over http any more, only https. So you need to change the settings of your default http site so that it redirects the visitor to the https site. Edit /etc/httpd/conf/httpd.conf. At the end of the file add these 4 lines:

# Force http redirect to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Now just restart Apache, and if you have done everything correctly, it should start up okay:

service httpd restart

Now visit the new site using a web browser, and you should immediately find yourself at the ZendTo main menu with "https" in the address bar of your web browser.

Ubuntu

Before you start, become the root user like this:

sudo su -

You need to install a proper commercial certificate, which you can buy from many certificate authorities out there such as StartSSL, GoDaddy, Thawte, Verisign and many others. Whichever one you choose, you must first generate the Certificate Signing Request ("CSR") like this:

openssl req -newkey rsa:2048 -keyout zendto-ssl.pass.key -out zendto-ssl.csr

Give a simple short passphrase at the 2 passphrase prompts; you will remove it again in a minute. Then answer the questions as follows, substituting your country, organisation and so on as relevant. The important ones to note are:
  • Common Name: this must be the public name by which the web server is known. This is the name people will enter in their web browsers.
  • Email Address: this is often the email address to which the SSL certificate authority you use will send reminders about renewals.
  • 'extra' attributes: these can be safely left blank.

Country Name (2 letter code) [US]:US
State or Province Name (full name) [Oregon]:Oregon
Locality Name (eg, city) [Portland]:Portland
Organization Name (eg, company) [My Company Ltd]:University of Portland
Organizational Unit Name (eg, section) []:Computer Science
Common Name (eg, your name or your server's hostname) []:www.zendto.portland.edu
Email Address []:helpdesk@portland.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

If you leave the passphrase on your key file zendto-ssl.pass.key, then your web server will not be able to start automatically when your server boots, which is a Very Bad Thing(tm). So remove the passphrase again right now like this:

openssl rsa -in zendto-ssl.pass.key -out zendto-ssl.key

At the prompt, enter the same passphrase as you did right at the start of these instructions.

Submit the zendto-ssl.csr file as your Certificate Signing Request (or "CSR") to your certificate authority. Once they have approved your application, they will send you a certificate file which you should call zendto-ssl.crt. To be sure you have the right file (some Certificate Authorities send you a zip file containing all sorts of things), take a look at the certificate file. It is text-based and is just about human-readable. It should start something like this:

-----BEGIN CERTIFICATE-----
MIIEPjCCA6egAwIBAgICGRgwDQYJKoZIhvcNAQEFBQAwgcsxCzAJBgNVBAYTAi0t

Now copy the files in place and set their permissions:

cp zendto-ssl.key /etc/ssl/private
cp zendto-ssl.crt /etc/ssl/certs
chmod g=r,o-rwx /etc/ssl/private/zendto-ssl.key
chgrp ssl-cert /etc/ssl/private/zendto-ssl.key
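
Before going any further, it is worth verifying the key and certificate you have just put in place. The script below is an added example, not part of the ZendTo documentation or installer, and serves the key and certificate steps in both the CentOS and Ubuntu sections: it confirms that the passphrase really was removed, that zendto-ssl.crt is a certificate (not the CSR or a CA bundle) and was issued for zendto-ssl.key, that its Common Name is the ServerName you are about to configure, that it is not about to expire, and that the key is not world-readable. It assumes only the openssl command-line tool; the function name check_tls_pair and its argument order are this example's own.

```shell
#!/bin/sh
# Added example, not from the ZendTo docs: pre-flight checks on a key/certificate
# pair before Apache is pointed at it. Name and argument order are assumptions:
#   check_tls_pair KEYFILE CERTFILE EXPECTED_CN   (returns 0 only if all pass)
check_tls_pair() {
    key="$1"; crt="$2"; cn="$3"; rc=0
    # 1. The key must load with an EMPTY passphrase, or httpd cannot start at boot.
    if openssl rsa -in "$key" -noout -passin pass: >/dev/null 2>&1; then
        echo "ok:   key has no passphrase"
    else
        echo "FAIL: $key still has a passphrase (or is not an RSA key)"; rc=1
    fi
    # 2. The file must be a PEM certificate, not the CSR or a CA bundle.
    if ! openssl x509 -in "$crt" -noout >/dev/null 2>&1; then
        echo "FAIL: $crt is not a PEM certificate"; return 1
    fi
    # 3. Key and certificate must carry the same public key (compare SPKI hashes).
    kpub=$(openssl rsa -in "$key" -passin pass: -pubout 2>/dev/null | openssl sha256)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    if [ "$kpub" = "$cpub" ]; then
        echo "ok:   certificate matches private key"
    else
        echo "FAIL: certificate was not issued for this private key"; rc=1
    fi
    # 4. Subject CN must be exactly the name browsers will use (the ServerName).
    got=$(openssl x509 -in "$crt" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    if [ "$got" = "$cn" ]; then
        echo "ok:   CN is $cn"
    else
        echo "FAIL: CN is '$got', expected '$cn'"; rc=1
    fi
    # 5. Not expired and not expiring within 30 days (2592000 s).
    if openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null; then
        echo "ok:   certificate valid for at least 30 days"
    else
        echo "FAIL: certificate expired or expires within 30 days"; rc=1
    fi
    # 6. Private key must not be readable by "other" (group access is left alone,
    #    since Ubuntu's ssl-cert group needs it).
    case "$(ls -l "$key" | cut -c8-10)" in
        ---) echo "ok:   key is not world-readable" ;;
        *)   echo "FAIL: $key is readable by other users"; rc=1 ;;
    esac
    return $rc
}
# Run directly with three arguments; otherwise source the file and call the function.
if [ "$#" -eq 3 ]; then check_tls_pair "$@"; exit $?; fi
```

Run it as check_tls_pair /etc/ssl/private/zendto-ssl.key /etc/ssl/certs/zendto-ssl.crt www.zendto.portland.edu (or with the /etc/pki/tls paths on CentOS). Browsers match the name against the subjectAltName extension rather than the CN, so also inspect the SAN list in the output of openssl x509 -in zendto-ssl.crt -noout -text on the real certificate.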

From now on I am going to assume that you are using the Ubuntu VM distribution of ZendTo, as I have already done most of the work for you.

You don't want your website to be available over http any more, only https. So you need to change the settings of your default http site so that it redirects the visitor to the https site. Edit /etc/apache2/sites-enabled/000-zendto. Look for a line containing "DocumentRoot". Immediately after that line, add another 4 lines that say this:

# Force http redirect to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Then enable the "rewrite" module like this:

a2enmod rewrite

Now just restart Apache, and if you have done everything correctly, it should start up okay:

apachectl restart

Now visit the new site using a web browser, and you should immediately find yourself at the ZendTo main menu with "https" in the address bar of your web browser.