Secure HTTP (SSL/TLS) is a must if you have a website with authentication or any sensitive data. For our University Digital library I needed to set up HTTPS last week. Here I will be explaining step by step methods to implement HTTPS.
Hypertext Transfer Protocol Secure (HTTPS) is a protocol for transferring encrypted data over the Web. SSL is a protocol for cryptographically securing transactions between a web browser and a web server.
First, let me explain the basic difference between HTTP and HTTPS.
- HTTPS connects on port 443, while HTTP is on port 80
- HTTPS encrypts the data sent and received with SSL (Secure Sockets Layer), while HTTP sends it all as plain text
Most of us know that we should look for the https in the URL and the lock icon in the browser when making a transaction online. So if your site is not using HTTPS, you will lose customers. Even so, it is common to find web sites that collect money, including credit card data, over a plain HTTP connection. This should be avoided.
With this tutorial you can learn how to set up secure HTTP on the Apache web server in Ubuntu 10.04 or higher.
- apache2 (Web Server)
- And patience 🙂, because it will take some time to learn.
Step 1: Creating a Certificate
The first, and one of the most important, steps is to create the certificates. The certificates can be created with or without a passphrase.
For testing purposes, or for small LANs, you can create a self-signed certificate with openssl. This can be done by issuing this command:
openssl genrsa -des3 -out server-sec.key 4096
…and a certificate signing request (CSR):
openssl req -new -key server-sec.key -out server.csr
Generate the server certificate by signing it with the server key:
openssl x509 -req -days 365 -in server.csr -signkey server-sec.key -out server.crt
You must keep server-sec.key in a secure location with r/w permission only for root. After that, let's generate a password-less copy of the key for Apache to use.
openssl rsa -in server-sec.key -out server.key
Now you have four different files:
- server.key (passwordless key for Apache)
- server.csr (certificate signing request)
- server.crt (self-signed server certificate)
- server-sec.key (server key)
Step 2: Setup SSL configuration in Apache
In this step, you must enable the SSL website in Apache by creating a symbolic link to ‘default-ssl’:
ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl
Then you can edit the /etc/apache2/sites-available/default-ssl file using a text editor like Vim or nano.
Add SSLEngine on to the same file, comment out the default SSLCertificateFile path, and include your own file path.
Step 3: Final step, Moving certificates and activating SSL
After saving the config file, as root create a directory ssl inside /etc/apache2. Then copy the certificate and server key to this directory.
mkdir /etc/apache2/ssl
cp server.key /etc/apache2/ssl
cp server.crt /etc/apache2/ssl
After that, enable SSL module by typing
Finally, restart apache2 by typing (as root, sudo) :
And you are done 🙂
If everything works fine you will see a page like this
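A check worth running before the restart in Step 3, or when the page does not load: the script below is an added example, not part of the original tutorial. It reads the vhost file edited in Step 2, confirms SSLEngine is on, that the configured certificate and key exist, that the key carries no group or other permission bits, and that the key belongs to the certificate. The script name check-ssl.sh and the function names are assumptions made for illustration; it relies on GNU stat and the openssl command used in Step 1.

```shell
#!/bin/sh
# Added example: checks to run after Steps 1-3 and before restarting Apache.
# Function names are illustrative; they are not Apache or OpenSSL tools.

# Print the value of the last uncommented occurrence of directive $2 in file $1.
# Apache directive names are case-insensitive, so compare in lower case.
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Succeed only if certificate $1 and private key $2 carry the same public key.
# "-passin pass:" makes an encrypted key (server-sec.key) fail instead of prompting.
cert_matches_key() {
    pub_crt=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    pub_key=$(openssl pkey -in "$2" -pubout -passin pass:) || return 1
    [ -n "$pub_crt" ] && [ "$pub_crt" = "$pub_key" ]
}

# Check the vhost file edited in Step 2. Prints each problem found and
# returns 1 if there is any. Sets $crt and $key to the configured paths.
check_vhost() {
    conf=$1
    rc=0
    crt=$(directive "$conf" SSLCertificateFile)
    key=$(directive "$conf" SSLCertificateKeyFile)
    engine=$(directive "$conf" SSLEngine | tr 'A-Z' 'a-z')
    [ "$engine" = "on" ] || { echo "SSLEngine is not on"; rc=1; }
    [ -r "$crt" ] || { echo "certificate not readable: $crt"; rc=1; }
    if [ -r "$key" ]; then
        # stat -c is GNU coreutils syntax, as shipped on Ubuntu.
        case "$(stat -c %a "$key")" in
            *00) ;;  # no group or other permission bits
            *) echo "private key accessible beyond its owner: $key"; rc=1 ;;
        esac
    else
        echo "private key not readable: $key"; rc=1
    fi
    return $rc
}

# Usage (as root): sh check-ssl.sh /etc/apache2/sites-available/default-ssl
if [ $# -gt 0 ]; then
    check_vhost "$1" && cert_matches_key "$crt" "$key" && echo "OK to restart"
fi
```

A key copied with cp usually ends up with mode 644, which this check reports; chmod 600 /etc/apache2/ssl/server.key clears it.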