SSL - Certificates
What is SSL.
The Secure Sockets Layer (SSL) protocol was created by Netscape to ensure secure
transactions between web servers and browsers. SSL is also known as TLS (Transport
Layer Security), the standardised successor to SSL. The protocol uses a third party, a
Certificate Authority (CA), to identify one or both ends of the transaction.
Who are the providers of SSL.
Though there are a large number of entities selling secure certificates, there are
primarily 6 major SSL certificate providers. They are:
* Verisign
* Thawte
* InstantSSL
* Entrust
* Baltimore
* Geotrust
How SSL works.
To initiate an SSL session, a web browser first contacts a web server on
port 443, also known as the HTTPS port. Once a socket connection has been established
between the two machines, the following occurs.
1. The browser requests a secure page (usually https://).
2. The web server sends its public key with its certificate.
3. The browser checks that the certificate was issued by a trusted party
(usually a trusted root CA), that the certificate is still valid and that the
certificate is related to the site contacted.
4. The browser then uses the public key to encrypt a random symmetric
encryption key and sends it to the server with the encrypted URL required as
well as other encrypted HTTP data.
5. The web server decrypts the symmetric encryption key using its private key
and uses the symmetric key to decrypt the URL and HTTP data.
6. The web server sends back the requested HTML document and HTTP data encrypted
with the symmetric key.
7. The browser decrypts the HTTP data and HTML document using the symmetric key
and displays the information.
Before going further into SSL, I would like to shed some light on cryptographic techniques.
Cryptographic Algorithms
Suppose I want to send a message to my bank requesting the transfer of some money. I would
like the information to be private, as it contains my account number and the amount to
transfer. One solution is to use a cryptographic algorithm: a technique that would
transform my message into an encrypted form, unreadable except by the bank. Once in this
form, the message may be decrypted only by means of a secret key. There are two types of
cryptographic algorithm:
1) Conventional cryptography.
Also known as symmetric cryptography, it requires the sender and receiver to share a key:
a secret piece of information that may be used to encrypt or decrypt a message.
If this key is kept secret, then nobody other than the sender or receiver may read the
message.
2) Public key cryptography.
Also known as asymmetric cryptography, it uses two keys, either of which may be used to
encrypt a message.
If one key is used to encrypt a message then the other must be used to decrypt it.
This makes it possible to receive secure messages by simply publishing one key (the
public key) and keeping the other secret (the private key).
Creating a Certificate Signing Request.
On a Red Hat style system, the Makefile that the mod_ssl package ships in the Apache
configuration directory can generate the request:
# cd /etc/httpd/conf
# make certreq
How to implement SSL in Windows Server.
1. Open the IIS Manager from the Programs | Administrative Tools menu.
2. In the left pane of the console, expand the node for your Web server name,
and then expand the Web Sites folder.
3. Right-click the Web site for which you want to use SSL, and then select
Properties from the context menu. This opens the Properties sheet for the site.
4. Under Secure Communications, click the Server Certificate button. This invokes the
Web Server Certificate Wizard.
5. Click the Next button on the first page of the Wizard.
6. On the Server Certificate page, you’ll see the following choices: Create a new
certificate, Assign an existing certificate, Import a certificate from a Key Manager
backup file, Import a certificate from a .pfx file, or Copy or move a certificate from
a remote server to this site. Make the appropriate selection and follow the steps.
7. To import a certificate, you’ll need to know:
* The path where the certificate is stored
* The password on the .pfx file.
8. To create a new certificate, you’ll need to send the request to a certificate
authority on your network, or prepare the request and send it manually to a CA that’s
not on your network. You must enter the URL for the Web site and, if you intend to make
the site available over the Internet, the name must match the external fully qualified
domain name for the site. If the site will only be available to intranet users, you can
use the NetBIOS name.
9. If you’re creating a new certificate, you’ll need to enter your geographic location
(country, state/province and city/locality) on the Geographical Information page.
10. The certificate request will be saved as a text file if you chose to create the
request manually and send it later. Enter a name for the text file.
11. Review the request information on the Request File Summary page and click
Next to generate the file. You can e-mail the file to a certification authority.
What is a CA bundle.
The intermediate CA certificates are contained within the ca-bundle file. The server
must present them along with its own certificate, because a browser that trusts only
the root CA needs the intermediates to build a chain from the server certificate to
that root.
What is a CSR.
The Certificate Signing Request (CSR) contains information about your organization and
the domain you wish to secure, together with your public key; the CA signs it to issue
your certificate.
How to install SSL on a plain Linux server.
First, log in to your server as root via SSH.
Generating the RSA private key and the CSR (Certificate Signing Request)
# cd /etc/httpd/conf/ssl.key
# openssl genrsa -out www.yourdomain.com.key 1024
(Public CAs and browsers no longer accept 1024-bit RSA keys; 2048 bits or more is
required today.)
Generate the CSR using the RSA private key you have just generated. The key lives in
the ssl.key directory, so it must be referenced by its path from ssl.csr:
# cd /etc/httpd/conf/ssl.csr
# openssl req -new -key ../ssl.key/www.yourdomain.com.key -out www.yourdomain.com.csr
You will be asked to enter your Common Name, Organization, Organization Unit, City or Locality, State or Province and Country.
Do not enter these characters ‘< > ~ ! @ # $ % ^ * / ( ) ?.,&’ because they will not be accepted.
Common Name: the domain for the web server (e.g. www.yourdomain.com)
Organization: the name of your organization (e.g. Company Name)
Organization Unit: the section of the organization (e.g. Sales)
City or Locality: the city where your organization is located (e.g. London)
State or Province: the state / province where your organization is located (e.g. )
Country: the two-letter code of the country where your organization is located (e.g. GB) **NOTE the use of GB rather than UK when in the United Kingdom**
You may be asked for a challenge password. You can skip this by just hitting Enter.
Now you should have:
/etc/httpd/conf/ssl.key/www.yourdomain.com.key
/etc/httpd/conf/ssl.csr/www.yourdomain.com.csr
Make a backup copy of your private key! If you lose it, you will have to purchase a new SSL certificate!
You can now view your CSR by:
# more www.yourdomain.com.csr
Send the CSR to the CA for validation.
Installing the SSL certificate for Apache
# cd /etc/httpd/conf/ssl.crt
Copy the certificate from your account into a file called www.yourdomain.com.crt
Open your httpd.conf file and place the following code in your virtual host. Enter
your own dedicated IP address in place of 12.34.56.87; Apache does not allow comments
on the same line as a directive, so the notes below sit on their own lines.
<IfDefine SSL>
# Enter your own dedicated IP address here
<VirtualHost 12.34.56.87:443>
ServerAdmin …your details…
DocumentRoot …your details….
ServerName www.yourdomain.com
# mod_ssl directive; the older Apache-SSL module uses "SSLEnable" instead
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/www.yourdomain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.yourdomain.com.key
</VirtualHost>
</IfDefine>
Restart Apache:
# /etc/rc.d/init.d/httpd restart
You should now be able to access https://www.yourdomain.com
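The three checks the browser makes in step 3 of "How SSL works" (trusted issuer, still valid, matches the site) and the key/certificate pairing check worth running before restarting Apache, as an added example that is not from the original article: a POSIX shell script that builds a throwaway root CA and a server certificate with the openssl command-line tool in a temporary directory and then runs the checks against them. It assumes OpenSSL 1.1.0 or newer is installed; the hostname www.example.test and the subject fields are constructed, and it uses 2048-bit keys because public CAs and browsers no longer accept the 1024-bit size shown earlier.

```shell
#!/bin/sh
# Added example, not from the original article: replays the browser's step-3
# checks and the cert/key pairing check with the openssl CLI, using a throwaway
# CA and server certificate in a temporary directory. Names are constructed.
set -e
WORK=$(mktemp -d)
HOST=www.example.test   # constructed; stands in for www.yourdomain.com
# Throwaway self-signed root CA, standing in for the "trusted party" of step 3.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server key and CSR as in the article, but 2048-bit and non-interactive.
make_key_and_csr() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=GB/ST=London/L=London/O=Example Ltd/OU=Sales/CN=$HOST"
}

# The CA signs the CSR. A subjectAltName is added because browsers no longer
# accept a certificate whose only name is the Common Name.
sign_csr() {
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -extfile "$WORK/san.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# Step 3a: the certificate chains to a CA the client trusts.
issued_by_trusted_ca() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null; }
# Step 3b: it is still valid (-checkend 0 fails once the notAfter date has passed).
still_valid() { openssl x509 -in "$WORK/server.crt" -noout -checkend 0 >/dev/null; }
# Step 3c: the name in the certificate matches the site that was contacted.
matches_site() {
  openssl x509 -in "$WORK/server.crt" -noout -checkhost "$1" | grep -q ' does match '
}
# Before "Restart Apache": the .crt and .key must be a pair, or httpd will not
# start. Compare the public key extracted from each file.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}

make_ca && make_key_and_csr && sign_csr
issued_by_trusted_ca && still_valid && matches_site "$HOST" && key_matches_cert \
  && echo "all step-3 checks and the key/cert pairing check passed for $HOST"
```

The same verify, checkend, checkhost and public-key comparisons apply unchanged to the CA-issued www.yourdomain.com.crt and its key.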
Article Authored by Siby
Author, Siby, is a Systems Engineer with SupportPRO. Siby specializes in Cpanel and DirectAdmin servers. SupportPRO offers 24X7 technical support services to Web hosting companies and service providers.
