Adding an SSL certificate

SSL certificates are so cheap, there really isn't much excuse to not set one up, even on a small site like this. If you don't buy the security arguments, then Google giving a slight SEO boost should be enough of a reason on its own.

Generate a CSR

	
		openssl genrsa -out chrishewett.com.key 2048
		# Generating RSA private key, 2048 bit long modulus
		# .............+++
		# ...................................................+++
		# e is 65537 (0x10001)
		openssl req -new -key chrishewett.com.key -out chrishewett.com.csr
		# You are about to be asked to enter information that will be incorporated 
		# into your certificate request. 
		# What you are about to enter is what is called a Distinguished Name or a DN. 
		# There are quite a few fields but you can leave some blank 
		# For some fields there will be a default value, 
		# If you enter '.', the field will be left blank. 
		# ----- 
		# Country Name (2 letter code) [XX]:GB 
		# State or Province Name (full name) []:United Kingdom 
		# Locality Name (eg, city) [Default City]: 
		# Organization Name (eg, company) [Default Company Ltd]: 
		# Organizational Unit Name (eg, section) []:
		# Common Name (eg, your name or your server's hostname) []:chrishewett.com 
		# Email Address []:
		#  
		# Please enter the following 'extra' attributes 
		# to be sent with your certificate request 
		# A challenge password []:
		# An optional company name []:
		# 
		cat chrishewett.com.csr 
		# -----BEGIN CERTIFICATE REQUEST----- 
		# csr key...
		# -----END CERTIFICATE REQUEST----- 
	

Purchase / Renew

Purchase or renew the SSL certificate with a certificate provider (I personally used NameCheap, but it does not really matter; most places are just resellers of the big certificate authorities).

Activation

After purchase, the provider will ask for the CSR generated above to activate the certificate. Enter it, complete whatever validation steps are required to confirm the domain, and you should be sent the .crt and .ca-bundle files for the domain.

Install

	
		yum install mod_ssl
		# Disable SSLv3 to stop POODLE bug
		nano /etc/httpd/conf.d/ssl.conf
		# SSLProtocol all -SSLv2 -SSLv3
		# Find the location of the ssl directory on the OS
		openssl version -a | grep OPENSSLDIR
		# OPENSSLDIR: "/etc/pki/tls"
		# Upload the ca-bundle/crt/key files over SFTP as root to the correct directories
		nano /etc/httpd/conf/httpd.conf
	
	
		<VirtualHost *:443>
			ServerName chrishewett.com
			ServerAlias www.chrishewett.com
			DocumentRoot /home/sites/chrishewett_com/app/public
			DirectoryIndex index.php
			<Directory /home/sites/chrishewett_com/app/public>
				AddType application/x-httpd-php .php
				Options +ExecCGI +Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
				AllowOverride All
				Require all granted
			</Directory>
			SSLEngine on
			SSLCertificateKeyFile /etc/pki/tls/private/chrishewett_com.key
			SSLCertificateFile /etc/pki/tls/certs/chrishewett_com.crt
			SSLCertificateChainFile /etc/pki/tls/certs/chrishewett_com.ca-bundle
		</VirtualHost>
	
	
		systemctl reload httpd.service
		# Add the site to your hosts file with the correct IP and browse to chrishewett.com; you should see '1'
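
Before reloading Apache it is worth confirming that the .crt returned by the provider belongs to the key generated in the first step, and that the key file is not readable by other users. The script below is an added example, not part of the original post; the function names, the site.* and other.key file names and example.test are assumptions, and the self-signed certificate it builds is a constructed stand-in for a CA-issued one.

```shell
#!/bin/sh
# Added example (not from the original post): pre-install checks on TLS files.

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
pub_hash() {  # usage: pub_hash key|csr|crt FILE
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if all three files carry one key pair and the key is owner-only.
check_tls_material() {  # usage: check_tls_material KEY CSR CRT
    k=$(pub_hash key "$1") || { echo "unreadable key: $1"; return 1; }
    r=$(pub_hash csr "$2") || { echo "unreadable CSR: $2"; return 1; }
    c=$(pub_hash crt "$3") || { echo "unreadable certificate: $3"; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not generated from this key"; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match this key"; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "key is accessible to group/other, run: chmod 600 $1"; return 1; }
    echo "ok: key, CSR and certificate match; key is owner-only"
}

# Constructed sample files: a self-signed certificate stands in for the .crt
# a CA would return, and other.key is an unrelated key for the mismatch case.
make_sample() {  # usage: make_sample DIR
    ( umask 077
      openssl genrsa -out "$1/site.key" 2048 &&
      openssl genrsa -out "$1/other.key" 2048 &&
      openssl req -new -key "$1/site.key" -subj "/CN=example.test" -out "$1/site.csr" &&
      openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 -out "$1/site.crt"
    ) >/dev/null 2>&1
}

demo_dir=$(mktemp -d) && make_sample "$demo_dir" && {
    check_tls_material "$demo_dir/site.key" "$demo_dir/site.csr" "$demo_dir/site.crt"
    # The unrelated key must be rejected; report it rather than abort the demo.
    check_tls_material "$demo_dir/other.key" "$demo_dir/site.csr" "$demo_dir/site.crt" ||
        echo "(mismatch detected as expected)"
    rm -rf "$demo_dir"
}
```

For the files on this page the call would be `check_tls_material chrishewett.com.key chrishewett.com.csr chrishewett_com.crt`, run before the key and certificate are copied under /etc/pki/tls.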
	