SSL certificates are so cheap, there really isn't much excuse to not set one up, even on a small site like this. If you don't buy the security arguments, then Google giving a slight SEO boost should be enough of a reason on its own.
Generate a CSR
```bash
openssl genrsa -out chrishewett.com.key 2048
# Generating RSA private key, 2048 bit long modulus
# .............+++
# ...................................................+++
# e is 65537 (0x10001)

openssl req -new -key chrishewett.com.key -out chrishewett.com.csr
# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [XX]:GB
# State or Province Name (full name) :United Kingdom
# Locality Name (eg, city) [Default City]:
# Organization Name (eg, company) [Default Company Ltd]:
# Organizational Unit Name (eg, section) :
# Common Name (eg, your name or your server's hostname) :chrishewett.com
# Email Address :
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password :
# An optional company name :
#

cat chrishewett.com.csr
# -----BEGIN CERTIFICATE REQUEST-----
# csr key...
# -----END CERTIFICATE REQUEST-----
```
Purchase / Renew
Purchase or renew the SSL with a certificate provider (I personally used NameCheap but it does not really matter, most places are just resellers of the big certificate authorities).
After purchase it will ask you for the CSR generated above to activate the certificate. Enter this and perform any validation hoops you have to go through to confirm the domain and you should be sent the .crt and .ca-bundle files for the domain.
```bash
yum install mod_ssl

# Disable SSLv3 to stop POODLE bug
nano /etc/httpd/conf.d/ssl.conf
# SSLProtocol all -SSLv2 -SSLv3

# Find the location of the ssl directory on the OS
openssl version -a | grep OPENSSLDIR
# OPENSSLDIR: "/etc/pki/tls"

# Upload the ca-bundle/crt/key files to the correct directories using root's SFTP
nano /etc/httpd/conf/httpd.conf
```
```apache
<VirtualHost *:443>
    ServerName chrishewett.com
    ServerAlias www.chrishewett.com
    DocumentRoot /home/sites/chrishewett_com/app/public
    DirectoryIndex index.php

    <Directory /home/sites/chrishewett_com/app/public>
        AddType application/x-httpd-php .php
        Options +ExecCGI +Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>

    SSLEngine on
    SSLCertificateKeyFile /etc/pki/tls/private/chrishewett_com.key
    SSLCertificateFile /etc/pki/tls/certs/chrishewett_com.crt
    SSLCertificateChainFile /etc/pki/tls/certs/chrishewett_com.ca-bundle
</VirtualHost>
```
```bash
systemctl reload httpd.service
# Add the site to your hosts file with the correct IP and browse to chrishewett.com, you should see '1'
```
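Before reloading Apache it is worth confirming that the uploaded key, the CSR and the issued certificate all carry the same public key, and that the private key is not readable by group or other. The script below is an added example, not part of the original post: the function names are assumptions of this example, and it builds throwaway files for the constructed name example.test, with a self-signed certificate standing in for the CA-issued .crt.

```shell
#!/usr/bin/env bash
# Added example: check that key, CSR and certificate belong together.
# example.test and all file names are constructed placeholders.

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
pubkey_hash() {   # usage: pubkey_hash key|csr|cert FILE
    case "$1" in
        key)  _pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  _pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) _pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$_pub" ] || return 1   # unreadable or malformed input
    # Hash the DER form so PEM line wrapping cannot affect the comparison.
    printf '%s\n' "$_pub" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if KEY, CSR and CERT all carry the same public key.
bundle_matches() {   # usage: bundle_matches KEY CSR CERT
    k=$(pubkey_hash key "$1") && c=$(pubkey_hash csr "$2") &&
        x=$(pubkey_hash cert "$3") || return 1
    [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# Succeed only if the private key grants nothing to group or other.
key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Build throwaway test files; a self-signed cert stands in for the CA's .crt.
make_demo_files() {
    t=$(mktemp -d) || return 1
    openssl genrsa -out "$t/site.key" 2048 >/dev/null 2>&1
    openssl genrsa -out "$t/other.key" 2048 >/dev/null 2>&1
    chmod 600 "$t/site.key"; chmod 644 "$t/other.key"
    openssl req -new -key "$t/site.key" -subj "/C=GB/CN=example.test" \
        -out "$t/site.csr" >/dev/null 2>&1
    openssl x509 -req -in "$t/site.csr" -signkey "$t/site.key" -days 1 \
        -out "$t/site.crt" >/dev/null 2>&1
    echo "$t"
}

d=$(make_demo_files)
bundle_matches "$d/site.key" "$d/site.csr" "$d/site.crt" && echo "site.key: matches CSR and certificate"
bundle_matches "$d/other.key" "$d/site.csr" "$d/site.crt" || echo "other.key: does not match"
key_mode_ok "$d/site.key" && echo "site.key: permissions ok"
key_mode_ok "$d/other.key" || echo "other.key: readable by group/other"
rm -rf "$d"
```

To check real files, call `bundle_matches` and `key_mode_ok` with the paths of the key, CSR and certificate you uploaded.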