...
From the results, we chose a free simple SSL certificate from the CA StartCom, in an SSL certificate package called StartSSL Free.
Note that there is a newer service (checked July 2018), a non-profit called Let's Encrypt, that provides free SSL certificates. To understand what you get, you may look at their Hello World site.
SSL Setup (using openssl)
A server private key must be generated before the Certificate Signing Request (CSR) can be created. openssl will be used to generate this CSR.
...
To verify your signed server certificate in Windows, make sure the certificate file has a .crt file extension. Then just double-click the file and you should at minimum confirm,
Warning: Q: I did not register the certificates, someone just sent me a bunch of files and I do not know what is what. A: Read the article Certificate File Formats, which explains the file types and also how to verify and validate certificate files.
...
/etc/ssl/private/ # Only viewable by root; the standard location for the private keys
However, we see some issues with this. First putting For now we will use this structure.
Warning: This needs some consideration of structure and permissions. However, here are the issues with using the default Ubuntu locations.
...
...
So the BonsaiFramework will use the following directories,
Warning: This needs some consideration of structure and permissions.
...
...
...
...
Store Public Key
Store the public key in the public folder,
...
If you opt to use your own private folder, make sure to set the same permissions as /etc/ssl/private/. Again, I will stress that this is very important!
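As an added example (not from the original page or the BonsaiFramework), this POSIX shell script applies the permissions of /etc/ssl/private/ to a custom private-key directory and then checks that neither the directory nor any key inside it is accessible to other users. It assumes GNU stat as shipped on Ubuntu, that private keys are named *.key, and falls back to Ubuntu's 0710 root:ssl-cert default for that directory when the reference directory is absent.

```shell
#!/bin/sh
# Added example: mirror the permissions of /etc/ssl/private/ onto a custom
# private-key directory and verify that nothing in it is readable by others.
# Assumes GNU stat (as on Ubuntu) and that private keys are named *.key.

REFERENCE_DIR=/etc/ssl/private

# Octal mode of a path, e.g. 710 or 640.
mode_of() {
    stat -c '%a' "$1"
}

# harden_private_dir DIR: create DIR if needed, copy the reference
# directory's mode (and, when running as root, its owner:group), and
# restrict every *.key inside to owner read/write plus group read (0640).
# Falls back to Ubuntu's defaults for /etc/ssl/private/ (0710 root:ssl-cert)
# when the reference directory does not exist on this host.
harden_private_dir() {
    dir=$1
    [ -d "$dir" ] || mkdir -p "$dir"
    if [ -d "$REFERENCE_DIR" ]; then
        ref_mode=$(mode_of "$REFERENCE_DIR")
        ref_owner=$(stat -c '%U:%G' "$REFERENCE_DIR")
    else
        ref_mode=710
        ref_owner=root:ssl-cert
    fi
    chmod "$ref_mode" "$dir"
    # chown needs root (and an existing group); the mode is applied regardless.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$ref_owner" "$dir" 2>/dev/null || echo "warning: could not chown $dir to $ref_owner" >&2
    fi
    for key in "$dir"/*.key; do
        if [ -f "$key" ]; then chmod 640 "$key"; fi
    done
}

# check_private_dir DIR: succeed (exit 0) only if the "others" permission
# digit is zero on DIR and on every *.key inside it; fail (exit 1) otherwise.
check_private_dir() {
    dir=$1
    case $(mode_of "$dir") in *[1-7]) return 1 ;; esac
    for key in "$dir"/*.key; do
        [ -f "$key" ] || continue
        case $(mode_of "$key") in *[1-7]) return 1 ;; esac
    done
    return 0
}

# Usage (hypothetical path): harden_private_dir /srv/ssl/private && check_private_dir /srv/ssl/private
```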
...
Info: On the topic of having SSL support for both https://www.earth.com and http://earth.com, when inspecting the certificate, navigate to,
Under the Certificate Subject Alt Name you will see both DNS entries,
Checking for Mixed Content
If you load images inline with absolute http:// URLs instead of relative paths, the page will contain mixed content, which makes it insecure. Tools to check this,
- https://www.jitbit.com/sslcheck/
- https://developers.google.com/web/tools/lighthouse/audits/mixed-content
- https://www.whynopadlock.com/check.php
And here's an example page of common mixed content errors.
Clean Up
Some CSRs may be reused to renew the signed SSL certificate. However, most CAs will by process ask for a new CSR even if the original could be reused.
Check with your CA to see how the CSR renewal process works. If the requirement is for a new CSR, to avoid confusion it is best to delete the CSR once everything is proven to be working,
...
[Thu Jan 26 19:13:25 2012] [warn] RSA server certificate CommonName (CN) `domain name`www.domain.com' does NOT match server name!?
Check that you have not enabled the virtual host SSL configuration instead of just the virtual host configuration: with the virtual host SSL configuration enabled, Apache is matching www.domain.com-ssl against the certificate common name www.domain.com.
...
References
https://help.ubuntu.com/10.04/serverguide/C/httpd.html#https-configuration - trying this one first.
...