
Version 5 (modified by Daniel Kahn Gillmor, 7 years ago)


How do I enable my site to be accessed securely (via https)?

Please see ticket #407, which includes a proposal for changing this process. Until that ticket is closed, please take the following steps to add an SSL certificate and key to your web site.

If you want to learn more about SSL certificates, please see our related FAQ.

  1. Submit a new ticket requesting a dedicated IP address.
  2. Once you receive the IP address, log in to the Members Control Panel, select your DNS service, and edit the records of type "A," changing the IP address of these records to match the IP address you were assigned.
  3. Generate a private key. Ideally, you should take this step on a secure personal computer and then copy the key to our server; however, you can secure shell into our servers and run the following commands from a terminal. If you are a Windows user, you can download OpenSSL for Windows; Linux and Mac OS X users will most likely have it installed already. You can create a private key by typing:
    openssl genrsa -out yourdomain.org.key 2048
    
  4. You should change the permission on the key so that it is not world readable:
    chmod 440 yourdomain.org.key
    
  5. Next, generate a certificate signing request:
    openssl req -new -key yourdomain.org.key -out yourdomain.org.csr
    
  6. You will be prompted to answer several questions. Most of them are self-explanatory. The most critical question, however, is not very intuitive: the common name. When you are asked to enter the common name, be sure to enter your domain name exactly as you want people to access it. If you want people to access your site using https://www.example.org, then enter www.example.org as the common name. If you want people to access your site using https://example.org, then enter example.org as the common name. The certificate signing request is now in the file this command created (whatever file name you chose for yourdomain.org.csr).
  7. Next, submit your certificate signing request to a certificate authority. They will charge you a fee and return a certificate file. At this point, you will have three files: a key, a certificate signing request, and a certificate file.
  8. Keep a backup of all of these files in a safe place (safe meaning they will not be overwritten and will not be easily accessed by others).
  9. Create a directory on our server called ssl in your include directory. Make sure this directory is only readable by you:
    chmod 750 ssl
    
  10. Copy both your key and your certificate file into this directory.
  11. Go to the Members Control Panel and select the Web Config service.
  12. Click to add a new item. Select status enabled, choose the user that owns your existing web directory, for port choose "https", and for IP address, enter the IP address assigned to you in the first step.
  13. Before submitting, add the following lines to the settings (be sure to edit these lines to match your directories!):
    # SSL Stuff
    SSLEngine On
    SSLCertificateFile /home/members/your-member-name/sites/your-domain-name/include/ssl/yourdomain.crt
    SSLCertificateKeyFile /home/members/your-member-name/sites/your-domain-name/include/ssl/yourdomain.key
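The key and request steps (3 to 6) can also be run without the interactive prompts and then checked before anything is sent to the certificate authority or added to the web configuration. The script below is an added example, not part of the original FAQ; the function names, the `www.example.org` domain and the temporary directory are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: steps 3-6 run non-interactively, plus the checks worth doing
# before submitting the request and before installing the returned certificate.

# make_key_and_csr DOMAIN DIR: writes DIR/DOMAIN.key and DIR/DOMAIN.csr
make_key_and_csr() {
    local domain="$1" dir="$2"
    (
        umask 077   # the key is never world readable, not even briefly
        openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    ) || return 1
    chmod 440 "$dir/$domain.key"
    # -subj answers the prompts of step 6; the common name is the host name
    # exactly as visitors will type it.
    openssl req -new -key "$dir/$domain.key" -subj "/CN=$domain" \
        -out "$dir/$domain.csr"
}

# csr_common_name CSR: prints the common name stored in the request
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# same_public_key KEY KIND FILE: succeeds if FILE carries the public half of KEY.
# KIND is "req" for a signing request or "x509" for a certificate.
same_public_key() {
    local from_key from_file
    from_key=$(openssl pkey -in "$1" -pubout) || return 2
    from_file=$(openssl "$2" -in "$3" -noout -pubkey) || return 2
    [ "$from_key" = "$from_file" ]
}

# Demo in a throwaway directory (constructed input, not a real site).
demo_dir=$(mktemp -d)
make_key_and_csr www.example.org "$demo_dir"
echo "Common name in request: $(csr_common_name "$demo_dir/www.example.org.csr")"
same_public_key "$demo_dir/www.example.org.key" req "$demo_dir/www.example.org.csr" &&
    echo "Request was generated from this key"
ls -l "$demo_dir/www.example.org.key"
```

When the certificate authority returns the certificate, `same_public_key yourdomain.org.key x509 yourdomain.crt` confirms it belongs to the key you are about to reference in `SSLCertificateKeyFile`.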