SSL Certificates: How to Secure Your Website

When designing a website that will handle sensitive information like users’ private or financial data or sensitive company documents, security has got to be the top priority. Our customers should always feel safe – and actually, be safe – when visiting our site. We’re going to walk through the process of purchasing and then applying SSL certificates on a Linux-based web server.

Why do you need SSL certificates?

Imagine that you are sitting in front of your computer in India and considering placing an order through an e-commerce website hosted in the US. If you decide to complete your transaction, messages containing your personal and credit card information will likely travel across networks in many countries. Without SSL certificates, neither you nor the e-commerce server will have any control over the routes they’ll follow: if your connection is not encrypted, anyone at any point along the route will be able to freely read the contents in plain text.

Once customers figure this out (and that won’t take long), they won’t be back.

To address concerns about data moving around the web, Netscape (also known for their once-dominant web browser and their still-dominant Javascript) developed the Secure Sockets Layer protocol.

SSL Certificates SSL / TLS History Screen

Using the Hypertext Transfer Protocol Secure (HTTPS) for a browser session guarantees that the website you are accessing has been authenticated by a third party Certification Authority (CA). According to the Internet-Draft of the SSL Protocol, SSL is meant “to provide privacy and reliability between two communicating applications.”

An “authority” for SSL certificates is an entity which issues digital SSL certificates to organizations or people after validating them. Certification authorities have to keep detailed records of what they have issued and the information used to issue it and are audited regularly to make sure that they are following defined procedures. Well-known commercial authorities include GeoTrust and GlobalSign. A new free, automated, and reliable Certification Authority called Let’s Encrypt is just now in the process of getting started. They will definitely be worth a look once they’re fully up and running.

How SSL Works

SSL works through a series of quick messages sent back and forth between your browser and the web server.

  1. A browser attempts to connect to a web site secured with SSL.
  2. The browser requests that the web server identify itself.
  3. The server sends the browser a copy of its SSL Certificate.
  4. The browser checks whether it trusts the SSL Certificate. If so, it sends a message to the server.
  5. The server sends back a digitally signed acknowledgment to start an SSL encrypted session.
  6. Encrypted data is shared between the browser.

Purchase and install an SSL certificate

To purchase and properly apply an SSL certificate, you will need to generate a Certificate Signing Request (CSR) for the web server you plan to secure. The CSR contains your certificate-application information.

First, install Open-SSL on your server. This is done through your Linux package manager. For a Distro using RPM, you can install it with yum:

yum install openssl openssl-devel

Now create a RSA key for your Apache server. We are going to place our key in a new directory in our user’s home folder

mkdir ~/domain.com.ssl/
cd ~/domain.com.ssl/

Type the following command to generate a private key and CSR.

openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048
openssl req -new -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr

When creating a CSR you must enter the information to be displayed in the certificate. The following characters are not accepted: <>~ ! @ # $ % ^ * / \ ( ) ?.,&

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) []: Oakland
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: mydomain.com
Email Address []:nitheeshp@outlook.com
Leave the challenge password blank (press enter)

Now, from the web site of the SSL certificates vendor you choose, select a certificate type. You can choose from:

  • Single domain SSL certificates: for a single site only.
  • Multiple domain SSL certificates: a single certificate that can be used to protect multiple websites (these obviously cost more than single site certificates).
  • Wildcard SSL certificates: to include subdomains.

Finally, apply the certificates on your web server by editing your Apache virtual host configuration (and restarting Apache).

<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

To learn more about training material on all-things security, visit Cloud Academy Security Library or for more an in-depth training on SSL/TLS best practices, take a look at Best Practices for Deploying SSL/TLS hands-on Lab.

Avatar

Written by

Nitheesh Poojary

My professional IT career began nine years back when I was just out of my college. I worked with a great team as an infrastructure management engineer, managing hundreds of enterprise application servers. I found my passion when I got the opportunity to work with Cloud technologies: I'm addicted to AWS Cloud Services, DevOps engineering, and all the cloud tools and technologies that make engineers' lives easier. Currently, I am working as a Solution Architect in SixNines IT. We are an experienced team of engineers that have helped hundreds of customers move to the cloud responsibly. I have achieved 5 AWS certifications, happily helping fellow engineers across the globe through my blogs and answering questions in various forums.

Related Posts

Avatar
Adam Hawkins
— August 9, 2019

DevSecOps: How to Secure DevOps Environments

Security has been a friction point when discussing DevOps. This stems from the assumption that DevOps teams move too fast to handle security concerns. This makes sense if Information Security (InfoSec) is separate from the DevOps value stream, or if development velocity exceeds the band...

Read more
  • AWS
  • cloud security
  • DevOps
  • DevSecOps
  • Security
Avatar
Paola Di Pietro
— July 19, 2019

Top 10 Things Cybersecurity Professionals Need to Know

There has been an increase in data breaches over the recent years. With almost 143 million Americans who have had their data compromised in data breaches. These breaches include all sorts of sensitive data, including financial information, election controversies, social security, just t...

Read more
  • Azure
  • cyber security
  • Security
Avatar
Stuart Scott
— July 18, 2019

AWS Fundamentals: Understanding Compute, Storage, Database, Networking & Security

If you are just starting out on your journey toward mastering AWS cloud computing, then your first stop should be to understand the AWS fundamentals. This will enable you to get a solid foundation to then expand your knowledge across the entire AWS service catalog.   It can be both d...

Read more
  • AWS
  • Compute
  • Database
  • fundamentals
  • networking
  • Security
  • Storage
Avatar
Adam Hawkins
— April 16, 2019

The Convergence of DevOps

IT has changed over the past 10 years with the adoption of cloud computing, continuous delivery, and significantly better telemetry tools. These technologies have spawned an entirely new container ecosystem, demonstrated the importance of strong security practices, and have been a catal...

Read more
  • DevOps
  • Security
Avatar
Adam Hawkins
— March 21, 2019

How DevOps Increases System Security

The perception of DevOps and its role in the IT industry has changed over the last five years due to research, adoption, and experimentation. Accelerate: The Science of Lean Software and DevOps by Gene Kim, Jez Humble, and Nicole Forsgren makes data-backed predictions about how DevOps p...

Read more
  • DevOps
  • Security
Avatar
Stuart Scott
— November 29, 2018

New Security & Compliance Service: AWS Security Hub

This morning’s Andy Jassy keynote was followed by the announcement of over 20 new services across a spectrum of AWS categories, including those in Security and Compliance, Database, Machine Learning, and Storage.   One service that jumped out to me was the AWS Security Hub, currently...

Read more
  • AWS
  • re:Invent 2018
  • Security
Alex Brower
Alex Brower
— October 17, 2018

Interview: Q&A with John Visneski

Security is a top priority for organizations of all types, with research firm IDC projecting 10% spending growth to $91 billion dollars in 2018. For leadership, security is important considering the cost, regulation, and reputation at stake when breaches occur. According to a joint ...

Read more
  • Security
John Visneski
John Visneski
— October 2, 2018

Building Security Teams in a Competitive Talent Market: These Are The Droids You’re Looking for

John Visneski is the Head of Security and DPO at The Pokemon Company International. If you missed the webinar we organized in collaboration with John Visneski you can still watch it on demand, simply click here.  The reasoning behind the popularity of this perspective is clear, if no...

Read more
  • Security
Albert Qian
Albert Qian
— September 25, 2018

Microsoft Ignites Cloud Industry With Nadella Keynote

On Monday, Microsoft kicked off its Ignite conference, an annual gathering of developers and IT professionals. Over the next week, attendees will learn about upcoming Microsoft innovations in IoT, artificial intelligence, machine learning, and cloud (all while getting some good networki...

Read more
  • Events
  • IoT
  • Machine Learning
  • Security
Avatar
Cloud Academy Team
— August 29, 2018

4 Reasons You Need to Include Business Stakeholders in Cloud Training

Digital transformation is changing how organizations in every industry approach their business strategy, serving as the foundation of their technology initiatives. Chief among this includes cloud adoption, which is not just a path to IT savings, but also increasingly where companies are...

Read more
  • Cloud Adoption
  • Security
Aaron McKeown
Aaron McKeown
— August 1, 2018

Build a Security Culture Within Your Organization

At this year’s AWS Summit Sydney, I was invited to speak about security culture and share a few practical examples of how organizations can build a positive security culture through increased visibility and enablement at all levels. But, what is a positive security culture? At Xero, we...

Read more
  • Security
Albert Qian
Albert Qian
— June 19, 2018

Preparing for the Microsoft Azure 70-535 Exam

(Update) The Azure 70-535 exam was retired on December 31, 2018, and it was replaced by the AZ-300 and AZ-301 exams. To prepare for these exams, we recommend the Cloud Academy's AZ-300 Exam Preparation: Technologies for Microsoft Azure Architects and the AZ-301 Exam Preparation: Designi...

Read more
  • Azure
  • Compute
  • Database
  • Security