How to install an SSL certificate

From ISPWiki


This article will walk you through the steps you need to perform to install an SSL-certificate on your server.

You will need the private (secret) key and the certificate. On its own, the domain certificate is not trusted by browsers: it must be linked to a root certificate of a Certification Authority through one or several intermediate certificates (the certificate chain).

A secret key is generated during the order process and is automatically saved in the Client area. The Certification Authority sends the certificate and the certificate chain to the Administrative email. Additional data are saved in the Client area -- SSL-certificates -- Information.


How to install an SSL-certificate with ISPmanager

If you use ISPmanager to manage your server, you can install an SSL-certificate directly from the web-interface of the control panel.

Complete the following two steps:

1. Navigate to the SSL-certificates module, add a new certificate, and enter its key, the required parameters and the chain.


Clicking "Add" will start the Wizard:

Step 1. Select a certificate. Select «existing».

Step 2. Create a certificate. Enter the certificate data, key, and chain.

2. Navigate to "WWW-domains" to install the SSL certificate for the domain. Select the domain and click "Edit". If you don't have a domain yet, create it in the control panel first. On the form that opens, select the «Secure connection (SSL)» check box, and in the «SSL-certificate» field select the newly created certificate.


Clicking OK on the creation/edit form installs the SSL certificate for the selected domain name.

How to install an SSL certificate manually

Installing the SSL certificate via the command line (CLI) means specifying the certificate, its key and the chain in the configuration file of the web server. The directives vary depending on the web server you run. To find out which web server handles HTTPS (and therefore the SSL certificate), execute the following command as root (so that ss can show the owning process):

ss -napt | grep 443

The output shows which web server process is listening on port 443, i.e. accepts HTTPS connections to the domain.

Nginx

In order to install an SSL certificate for a domain served by Nginx, you will need to edit the configuration file of the domain name. Sometimes the domains are configured directly in the main Nginx configuration file (/etc/nginx/nginx.conf). Very often every domain has its own configuration file, for example /etc/nginx/vhosts/username/domain.com

Open the file to see the domain's configuration:

server {
	server_name domain.com www.domain.com;
	…
}

If SSL is not yet enabled for the domain, edit the listen directive so that it listens on port 443 and add ssl on (on nginx 1.15.0 and later the ssl directive is deprecated in favour of the ssl parameter of listen, i.e. listen IP-address:443 ssl;):

listen IP-address:443;
ssl on;

The ssl_certificate_key and ssl_certificate directives define the paths to the key file and the certificate file. The certificate chain is placed in the certificate file itself.

We'll now build the chain for a Comodo Positive SSL certificate. The Certification Authority sends the files domain.crt, PositiveSSLCA2 and AddTrustExternalCARoot. The certificate chain consists of the contents of the PositiveSSLCA2 + AddTrustExternalCARoot files. Therefore, domain.crt should contain the domain's certificate + PositiveSSLCA2 + AddTrustExternalCARoot certificates, in that order (the domain certificate first).
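The following script is an added example, not part of the ISPWiki article: it assembles the single certificate file that nginx reads via ssl_certificate in the order just described (domain certificate, then PositiveSSLCA2, then AddTrustExternalCARoot) and sanity-checks the result before it goes live. The file names follow the Comodo example above; the write_sample_files helper creates constructed placeholder PEM blocks for a dry run and is assumed here for illustration only, they are not real certificates.

```shell
#!/bin/sh
# Added example (not from the ISPWiki page): build and check the nginx
# certificate file: domain certificate + intermediate + root, in that order.

# build_chain LEAF INTERMEDIATE ROOT OUTPUT
# "awk 1" prints every line followed by a newline, so a source file that
# lacks a trailing newline cannot fuse its END marker with the next file's
# BEGIN marker (plain "cat" would, and nginx then refuses to load the file).
build_chain() {
    leaf=$1; inter=$2; root=$3; out=$4
    for f in "$leaf" "$inter" "$root"; do
        [ -r "$f" ] || { echo "build_chain: cannot read $f" >&2; return 1; }
    done
    awk 1 "$leaf" "$inter" "$root" > "$out"
}

# count_certs FILE: number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# nth_cert FILE N: print only the N-th PEM certificate block of FILE (1-based)
nth_cert() {
    awk -v want="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n == want' "$1"
}

# chain_ok OUTPUT LEAF COUNT: true when OUTPUT holds exactly COUNT
# certificates and the first one is the domain certificate (browsers expect
# the leaf first, followed by the intermediates).
chain_ok() {
    [ "$(count_certs "$1")" -eq "$3" ] || return 1
    [ "$(nth_cert "$1" 1)" = "$(nth_cert "$2" 1)" ] || return 1
}

# write_sample_files DIR: constructed stand-ins for domain.crt,
# PositiveSSLCA2.crt and AddTrustExternalCARoot.crt (placeholder bodies, not
# real certificates). The intermediate is deliberately written without a
# trailing newline to exercise the fusing case build_chain guards against.
write_sample_files() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/domain.crt"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/PositiveSSLCA2.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'ROOT-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/AddTrustExternalCARoot.crt"
}

# demo: dry run on the constructed files. With real certificates, call
# build_chain with the CA's files and the path named by ssl_certificate
# (e.g. /var/www/httpd-cert/test/domain.com.crt from the article) instead.
demo() {
    dir=$(mktemp -d)
    write_sample_files "$dir"
    build_chain "$dir/domain.crt" "$dir/PositiveSSLCA2.crt" \
        "$dir/AddTrustExternalCARoot.crt" "$dir/domain.com.crt" || return 1
    chain_ok "$dir/domain.com.crt" "$dir/domain.crt" 3 || return 1
    rm -rf "$dir"
}
```

With the real files, two further checks are worth running before restarting nginx: openssl verify -untrusted PositiveSSLCA2 -CAfile AddTrustExternalCARoot domain.crt confirms that the intermediate really links the domain certificate to the root, and comparing openssl x509 -noout -modulus -in domain.com.crt | openssl md5 with openssl rsa -noout -modulus -in domain.com.key | openssl md5 confirms that the key saved in the Client area belongs to this certificate. For Apache the intermediates go into the separate file named by SSLCACertificateFile rather than being appended to the domain certificate.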

For better security, restrict the ciphers and protocols with the ssl_ciphers and ssl_protocols directives. Note that TLS 1.0 and TLS 1.1 have since been deprecated (RFC 8996); on current nginx builds prefer ssl_protocols TLSv1.2 TLSv1.3;.

The following is an example of the configuration file of a domain running on Nginx:

server {
	server_name domain.com www.domain.com;
	ssl on;
	ssl_certificate "/var/www/httpd-cert/test/domain.com.crt";
	ssl_certificate_key "/var/www/httpd-cert/test/domain.com.key";
	ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
	ssl_prefer_server_ciphers on;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	listen IP-address:443;
	add_header Strict-Transport-Security "max-age=31536000;";
	charset off;
	index index.php;
	disable_symlinks if_not_owner from=$root_path;
	set $root_path /var/www/test/data/www/isptst.example.com;
	root $root_path;
	
	location / {
		location ~ [^/]\.ph(p\d*|tml)$ {
			try_files /does_not_exists @php;
		}
	}
	location @php {
		…
	}
} 

Before restarting the web server, execute nginx -t. This command checks the configuration files and reports syntax errors, if any.

Restart Nginx:

systemctl restart nginx

Apache

In order to install an SSL certificate for a domain served by Apache, you will need to edit the configuration file of the domain name. Sometimes the domains are configured directly in the main Apache configuration file: /etc/apache2/apache2.conf (Debian) or /etc/httpd/conf/httpd.conf (CentOS). Very often every domain has its own configuration file, for example /etc/httpd/conf/vhosts/username/domain.com

Open the domain's configuration file and add the following directives to the <VirtualHost IP-address:443> section of the domain:

<VirtualHost IP-address:443>
	SSLEngine on
	SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
	SSLCertificateFile /etc/ssl/ssl.crt/domain.crt
	SSLCACertificateFile /etc/ssl/ssl.crt/domain.ca-bundle
	SSLHonorCipherOrder on
	SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
	…
</VirtualHost>

Please note: unlike Nginx, Apache keeps the certificate chain in a separate file, which is referenced by the SSLCACertificateFile directive, while SSLCertificateFile holds only the domain certificate. Apache 2.4.8 and later also accept the intermediate certificates appended to the SSLCertificateFile file, leaf first, in the same way as Nginx. As with Nginx, TLS 1.0 and 1.1 are deprecated, so on current builds prefer SSLProtocol -all +TLSv1.2 +TLSv1.3.

Before restarting the web server, execute apachectl -t. This command checks the configuration files and reports syntax errors, if any.

Restart Apache:

apachectl graceful