Now you know how SSL works and how you can get one. It's time to secure our website connection.
The first thing we need to do is ensure the private key, the certificate, and the CA's intermediate certificates are located on the machine where the website is hosted but not in the website root directory. We must keep the private key secure.
Here is how the private key (located at /var/certificates/example.com.key) file should look like:
-----BEGIN PRIVATE KEY----- MIIEvgIBADANx715AmXSr8RTIQfIgAAECggEANYzLwNPLOlRfwE81BEoeBgkqklW ... UshV/35RY677Xe739BYnl+hZO5DBGNPeU/grdKdTqyZD/b2DtS5bK -----END PRIVATE KEY-----
This is how the certificate file (located at /var/certificates/example.com.crt) should look like:
-----BEGIN CERTIFICATE----- MIIFQjCCBCa9qjIx2VwiQeoLBzE0pahyM4Z9MJLNE5tOuQOIFZhbGlkYXRlZg7EB ... HLmJnggdhbqMjQjZWipQ -----END CERTIFICATE-----
And finally this is how the intermediates file (located at /var/certificates/example.com.chain) should look like:
-----BEGIN CERTIFICATE----- MIIFdDCCBFygAwIB01PRE8gUlNBIENlcngKCAgEAkehUktIKVrGsDKCAgEAkehUk ... pQ8pTIqXOi6YEbvFScL -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIGCDCCA/CgAw1jSz9AdDTScBkxwtiBhcNMjkwMjExMjM1OTU5WjASIwDQYJKoZ ... hZ7Q7drNJ3gjIVq4rXmsX -----END CERTIFICATE-----
As you can see, we've concatenated the intermediate certificates provided by our Certificate Authority.
The next step is to edit the Apache configuration file (httpd.conf). Find or create <VirtualHost> that is configured to accept secure connections on port 443 and add the highlighted lines:
<VirtualHost *:443> ServerName example.com DocumentRoot "/var/www" SSLEngine on SSLCertificateFile /var/certificates/example.com.crt SSLCertificateKeyFile /var/certificates/example.com.key SSLCertificateChainFile /var/certificates/example.com.chain SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS" </VirtualHost>
Then test the configuration file using the following command
and if the file is valid run the following command to apply the new configuration
That's it. Now visitors can access your website securely.