
HowTo: Render SSL on your Hosted Websites


~~   Foreword   ~~

With all the websites that still do not use SSL, and the clear benefits that SSL provides, the only reason I can see that people are still not using it is that it’s not straightforward for the time-challenged and the uninitiated.   So let’s do this.

Secure Sockets Layer is currently the most common method of encrypting access to websites.   It’s used by all manner of e-commerce, banking, security and other websites, and is highly advisable for all sites as it provides protection for your visitors and you.   SSL is a streaming cipher (as opposed to a block-cipher, i.e. for disks) which offers perfect forward secrecy as it uses a long-term public/private keypair, to exchange short-term symmetric keys for streaming.

This HowTo assumes that you have one or more websites residing with a hosting firm, and that you control them with cPanel.   It also assumes that you’d like to have your SSL certificates, eh, without cost.

As you look in cPanel in the Security section, you will probably not find the SSL/TLS Manager.   Open a ticket with your hoster and ask that they turn it on;   generally it’s no big deal even though they make a few cents when you buy their partners’ certificates.   It’s either that, or they’ll be fussing with you endlessly getting this done, and they know which is easier.

There are two methods for getting your domain encryption keys into your hosted sites:

  • cPanel|Security|SSL/TLS Manager|Certificate Signing Requests (CSR) – This generates your private key locally and automatically installs it.   You’ll then enter the CSR data into the Certificate Signing Authority and they will generate a certificate (public key) for you, which you will enter at your hoster.
  • Roll your own.

I use the latter method as I have complete control, and can locally save all keys.

Web SSL certificates can cost anywhere from $17/year to $192/biennially, but there are a very few certificate authorities who provide free certs.   My choice is StartSSL because they are fast, and their process is straightforward if you understand what’s going on.   But don’t slip up or they’ll want to charge you at the drop of a hat.

~~   Create an Account With StartSSL, With Auto-Login Cert   ~~

For this process, if you have the NoScript addon in your browser, unfortunately you must Enable Scripts Globally;   and if you have the RequestPolicy addon you must Temporarily Allow All Requests.   At StartSSL start with the ExpressLane button, and fill in a name, address, etc.   For the email, I suggest you first create an email address for your domain in your hoster’s cPanel, postmaster@{yourdomain}.com (or webmaster), as this will be needed later.   Then back in StartSSL fill that in for your email address.   Complete the verification.   Then it may require approval by StartSSL staff, which usually comes within an hour.   With that approval you’ll get a verification code, so enter that at the link given.

Next you’ll generate a browser certificate for login to StartSSL which they will install in your browser for automatic authentication and login.   High-grade is the default.   It’s a very good idea to back up this login cert, in case you change browsers or something happens;   in Firefox/Iceweasel/TorBrowser:   hamburger|Preferences|Advanced|Certificates|View|YourCerts.   Select the cert and Backup.   When I don’t need the login cert to renew my domain certs, I always remove it from my browser as it could leak information about me;   I can always Import it when I need it.   But if you lose your signon cert, you’ve lost your StartSSL account.   At StartSSL, Finish.

~~   Generate the Domain Private Key   ~~

Now it’s time to validate that you control your domain.   Hit the Validations Wizard tab and Type: Domain Validation.   Enter your domain name, and now it wants you to prove you own that domain by creating an email account, so first go to your domain’s cPanel and create postmaster@{domainname}.com (or webmaster).   Back at StartSSL, Continue and it will finger that email to be sure it exists, and send a validation code there.   Validate, and Finish.

~~   Generate the Domain Public Certificate/Key   ~~

Finally, we make our domain keys.   Hit the Certificates Wizard tab and choose Certificate Target: Web Server.   We will first make the domain’s private key; the wizard asks for a password because the key itself is stored encrypted with it.   Set your keysize to 4096 (High) and Continue.   It will cogitate for a bit and eventually regurgitate a key.   Copy and paste this into a text file named something like startssl_{domainname}.key.   This is the encrypted private key for your domain.   Continue and select your domain, at which point it will want a subdomain, so enter www.

It now has enough information to generate your domain certificate (public key), so turn it aloose.   It will regurgitate your cert, so copy that and paste it into a file named something like startssl_{domainname}.crt.   This is your domain’s public key which will be handed out to any browser that visits your domain, and validated against StartSSL’s signature and the domain private key.

~~   Setting Up Your Domain for SSL   ~~

One more thing:   We have to decrypt that private key in order to use it.   Hit the Tool Box tab and Decrypt key.   Copy and paste your key, and enter its password.   Continue and it presents your decrypted private key for your domain.   Copy and paste this into a file named something like startssl_{domainname}_decrypt.key and save it in a safe place with the other keys.   Set permissions on these to 700.

Back in your domain cPanel, Security|SSL/TLS Manager|Install and Manage SSL.   Select your domain, and copy/paste your public cert from startssl_{domainname}.crt.   Copy and paste your decrypted private key from startssl_{domainname}_decrypt.key, and Install.   Now try that site with SSL by pointing your browser at https://{domainname}.com and you should get the normal Lock as you see with encrypted sites.
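The key generation, decryption and install steps above can all be done on your own machine instead of in a web form. The following is an added shell example, not code from the post or from StartSSL: it makes the encrypted 4096-bit key and its decrypted copy with openssl, produces a CSR for the certificate authority, and checks that a certificate really matches the private key before either is pasted into cPanel. The domain example.com, the passphrase and the self-signed stand-in certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: the "roll your own" route with openssl on your own machine, so
# the private key is never pasted into a web page.  Domain, passphrase and file
# names are assumptions following the post's startssl_{domainname}.* naming.
set -e

# Encrypted 4096-bit RSA private key (as the post recommends) plus the
# decrypted copy that cPanel's Install and Manage SSL page needs.
make_keys() {
  domain="$1"; passfile="$2"; bits="${3:-4096}"
  openssl genrsa -aes256 -passout "file:$passfile" \
    -out "startssl_${domain}.key" "$bits" 2>/dev/null
  openssl rsa -in "startssl_${domain}.key" -passin "file:$passfile" \
    -out "startssl_${domain}_decrypt.key" 2>/dev/null
  # Key files are data, not programs: owner read/write only is enough.
  chmod 600 "startssl_${domain}.key" "startssl_${domain}_decrypt.key"
}

# Certificate Signing Request to hand to the certificate authority (CSR route).
make_csr() {
  domain="$1"
  openssl req -new -key "startssl_${domain}_decrypt.key" \
    -subj "/CN=${domain}" -out "startssl_${domain}.csr" 2>/dev/null
}

# The check to run before pasting anything into cPanel: does the certificate
# really carry the public half of this private key?  Returns 0 on a match.
cert_matches_key() {
  crt="$1"; key="$2"
  c=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Constructed stand-in for the CA-issued startssl_{domainname}.crt so the
# check can be exercised offline: a self-signed cert from the same key.
selfsign_stub() {
  domain="$1"
  openssl req -x509 -new -key "startssl_${domain}_decrypt.key" -days 1 \
    -subj "/CN=${domain}" -out "startssl_${domain}.crt" 2>/dev/null
}

# Walk-through in a scratch directory with a constructed passphrase.
workdir=$(mktemp -d); cd "$workdir"
printf 'correct horse battery staple\n' > pass.txt
make_keys example.com pass.txt
make_csr example.com
selfsign_stub example.com
cert_matches_key startssl_example.com.crt startssl_example.com_decrypt.key && echo "certificate and private key match"
```

The mismatch case is the one that matters: a certificate issued for a key you have since regenerated will install but never serve, and this check catches it before the support ticket.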

~~   Forcing to SSL Only   ~~

Last step is to set your domains such that users get SSL all the time, even if they’ve asked for the non-SSL site name.   Create a text file called .htaccess:   (Careful of the word-wrap)

# Enable https (StartSSL.com)
RewriteEngine On
# Only act on requests that did not arrive over SSL
RewriteCond %{HTTPS} off
# Send the same host and path to the https version on the SSL port (443);
# R=301 makes it a permanent redirect, L stops processing further rules
RewriteRule (.*) https://%{HTTP_HOST}:443%{REQUEST_URI} [L,R=301]

This is an instruction file to the web server:   it first enables the Rewrite module, which rewrites incoming URL requests.   Then it checks for the condition that the request did not ask for SSL, rewrites the URL from http to https, and points it to the SSL port.   This rewrite occurs even if the user requests a subdirectory or a specific web page in your domain.

This .htaccess file goes in the home directory of your domain.   If you have AddOn domains under the primary (multiple domains sharing an IP address), they will be automatically routed to SSL as well, but each one must have its own certificate.   You only need the .htaccess file in the home of the primary domain.

If you have one or more addon domains which do not have an SSL certificate but your primary domain does, modify the .htaccess file as follows:

# Enable https (StartSSL.com), except for the addon domain with no certificate
RewriteEngine On
# Only act on requests that did not arrive over SSL ...
RewriteCond %{HTTPS} off
# ... and only when the host is not the addon domain that has no certificate
# (consecutive RewriteConds are ANDed; both must hold before the rule fires)
RewriteCond %{HTTP_HOST} !^(www\.)?non-ssl-domainname\.com$ [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

You can get certs for multiple domains by making multiple accounts at StartSSL.
