When designing a website that will handle sensitive information like users’ private or financial data or sensitive company documents, security has got to be the top priority. Our customers should always feel safe – and actually, be safe – when visiting our site. We’re going to walk through the process of purchasing and then applying SSL certificates on a Linux-based web server.
Why do you need SSL certificates?
Imagine that you are sitting in front of your computer in India and considering placing an order through an e-commerce website hosted in the US. If you decide to complete your transaction, messages containing your personal and credit card information will likely travel across networks in many countries. Without SSL certificates, neither you nor the e-commerce server will have any control over the routes they’ll follow: if your connection is not encrypted, anyone at any point along the route will be able to freely read the contents in plain text.
Once customers figure this out (and that won’t take long), they won’t be back.
Using the Hypertext Transfer Protocol Secure (HTTPS) for a browser session guarantees that the website you are accessing has been authenticated by a third party Certification Authority (CA). According to the Internet-Draft of the SSL Protocol, SSL is meant “to provide privacy and reliability between two communicating applications.”
An “authority” for SSL certificates is an entity which issues digital SSL certificates to organizations or people after validating them. Certification authorities have to keep detailed records of what they have issued and the information used to issue it and are audited regularly to make sure that they are following defined procedures. Well-known commercial authorities include GeoTrust and GlobalSign. A new free, automated, and reliable Certification Authority called Let’s Encrypt is just now in the process of getting started. They will definitely be worth a look once they’re fully up and running.
How SSL Works
SSL works through a series of quick messages sent back and forth between your browser and the web server.
- A browser attempts to connect to a web site secured with SSL.
- The browser requests that the web server identify itself.
- The server sends the browser a copy of its SSL Certificate.
- The browser checks whether it trusts the SSL Certificate. If so, it sends a message to the server.
- The server sends back a digitally signed acknowledgment to start an SSL encrypted session.
- Encrypted data is shared between the browser.
Purchase and install an SSL certificate
To purchase and properly apply an SSL certificate, you will need to generate a Certificate Signing Request (CSR) for the web server you plan to secure. The CSR contains your certificate-application information.
First, install Open-SSL on your server. This is done through your Linux package manager. For a Distro using RPM, you can install it with yum:
yum install openssl openssl-devel
Now create a RSA key for your Apache server. We are going to place our key in a new directory in our user’s home folder
mkdir ~/domain.com.ssl/ cd ~/domain.com.ssl/
Type the following command to generate a private key and CSR.
openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048 openssl req -new -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr
When creating a CSR you must enter the information to be displayed in the certificate. The following characters are not accepted: <>~ ! @ # $ % ^ * / \ ( ) ?.,&
Country Name (2 letter code) [AU]: US State or Province Name (full name) [Some-State]: California Locality Name (eg, city) : Oakland Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd Organizational Unit Name (eg, section) : IT Common Name (eg, YOUR name) : mydomain.com Email Address :email@example.com Leave the challenge password blank (press enter)
Now, from the web site of the SSL certificates vendor you choose, select a certificate type. You can choose from:
- Single domain SSL certificates: for a single site only.
- Multiple domain SSL certificates: a single certificate that can be used to protect multiple websites (these obviously cost more than single site certificates).
- Wildcard SSL certificates: to include subdomains.
Finally, apply the certificates on your web server by editing your Apache virtual host configuration (and restarting Apache).
<VirtualHost 192.168.0.1:443> DocumentRoot /var/www/html2 ServerName www.yourdomain.com SSLEngine on SSLCertificateFile /path/to/your_domain_name.crt SSLCertificateKeyFile /path/to/your_private.key SSLCertificateChainFile /path/to/DigiCertCA.crt </VirtualHost>
To learn more about training material on all-things security, visit Cloud Academy Security Library or for more an in-depth training on SSL/TLS best practices, take a look at Best Practices for Deploying SSL/TLS hands-on Lab.
6 Ways to Prevent a Data Breach
The cloud is a new territory for the digital world. But with all of its benefits, there also comes risks and dangers. If your business depends on the cloud to store data, you’re probably facing a number of problems about how to best secure your data. According to studies, as many as 95 ...
Blog Digest: 5 Reasons to Get AWS Certified, OWASP Top 10, Getting Started with VPCs, Top 10 Soft Skills, and More
Thank you for being a valued member of our community! We recently sent out a short survey to understand what type of content you would like us to add to Cloud Academy, and we want to thank everyone who gave us their input. If you would like to complete the survey, it's not too late. It ...
OWASP Top 10 Vulnerabilities
Over the last few years, more than 10,000 Open Web Application Security Project (OWASP) vulnerabilities have been reported into the Common Vulnerabilities and Exposures (CVE®) database each year. This is a list of common identifiers for publicly known cybersecurity vulnerabilities. Curr...
Blog Digest: AWS Breaking News, Azure DevOps, AWS Study Guide, 8 Ways to Prevent a Ransomware Attack, and More
New articles by topicAWS Azure Data Science Google Cloud Cloud Adoption Platform Updates & New Content Security Women in TechAWSBreaking News: All AWS Certification Exams Now Available Online As an Advanced AWS Technology Partner, C...
8 Ways to Protect Your Data From a Ransomware Attack
Ransomware attacks have continued to grow both in scope and audacity over the past several years.This type of malware has become one of the biggest cybersecurity threats for enterprises, and experts predict the situation is only going to get worse. The WannaCry ransomware incident o...
Cloud Academy’s Blog Digest: How Do AWS Certifications Increase Your Employability, How to Become a Microsoft Certified Azure Data Engineer, and more
With everything going on right now, it's likely that the only thing you've been reading lately is related to the coronavirus pandemic. It's important to stay informed during these times, but it's also good to jump into something that can take your mind off of the current situation for j...
Azure Security: Best Practices You Need to Know
When it comes to Azure Security best practices, where do you begin? In a lot of ways, Azure is very similar to any other data center. But with that said, Azure can also be very different. Securing Azure can pose many unique challenges. The security of resources hosted in Azure is of the...
Cloud Computing Solutions: 7 Trends for the Future
The world of cloud computing is in a state of flux. Not long ago, the cloud was considered an emerging technology, known only to IT specialists. Today it is a part of everyday life – 96% of businesses use the cloud in one form or another, and this number only looks set to grow. Whether ...
AWS Security Groups: Instance Level Security
Instance security requires that you fully understand AWS security groups, along with patching responsibility, key pairs, and various tenancy options. As a precursor to this post, you should have a thorough understanding of the AWS Shared Responsibility Model before moving onto discussi...
7 Key Cybersecurity Threats to Cloud Computing
When businesses consider cloud computing, one of the major advantages often cited is the fact that it can make your business more secure. In fact, in recent years many businesses have chosen to migrate to the cloud specifically for its security benefits. So, it might surprise you to lea...
DevSecOps: How to Secure DevOps Environments
Security has been a friction point when discussing DevOps. This stems from the assumption that DevOps teams move too fast to handle security concerns. This makes sense if Information Security (InfoSec) is separate from the DevOps value stream, or if development velocity exceeds the band...
Top 10 Things Cybersecurity Professionals Need to Know
There has been an increase in data breaches over the recent years. With almost 143 million Americans who have had their data compromised in data breaches. These breaches include all sorts of sensitive data, including financial information, election controversies, social security, just t...