Steps covered in this article #
- Create a 2048-bit RSA public/private key pair.
- Generate a certificate signing request (CSR) that embeds your public key.
- Share your CSR with your Certificate Authority (CA) to receive a final certificate or a certificate chain.
- Install your final certificate in a non-web-accessible place such as /etc/ssl (Linux and Unix) or wherever IIS requires it (Windows).
Generating keys and certificate signing requests #
This section uses the openssl command-line program, which comes with most Linux, BSD, and macOS systems, to generate a private/public key pair and a CSR.
Generate a public/private key pair #
Let's begin by generating a 2,048-bit RSA key pair. A smaller key, such as 1,024 bits, is insufficiently resistant to brute-force guessing attacks. A larger key, such as 4,096 bits, is overkill. Over time, key sizes increase as computer processing gets cheaper; 2,048 is currently the sweet spot. The command to generate the RSA key pair is:
openssl genrsa -out www.example.com.key 2048
This gives the following output:
Generating RSA private key, 2048 bit long modulus
.+++
......................................................................................+++
e is 65537 (0x10001)
Generate a certificate signing request #
In this step, you embed your public key and information about your organization and your website into a certificate signing request, or CSR. The openssl command interactively asks you for the required metadata. Run the following command:
openssl req -new -sha256 -key www.example.com.key -out www.example.com.csr
It outputs the following:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:California
Locality Name (for example, city) []:Mountain View
Organization Name (for example, company) [Internet Widgits Pty Ltd]:Example, Inc.
Organizational Unit Name (for example, section) []:Webmaster Help Center Example Team
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:webmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
To check the validity of the CSR, run this command:
openssl req -text -in www.example.com.csr -noout
And the response should look like this:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CA, ST=California, L=Mountain View, O=Google, Inc.,
                 OU=Webmaster Help Center Example Team,
                 CN=www.example.com/emailAddress=webmaster@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:fc:58:e0:da:f2:0b:73:51:93:29:a5:d3:9e:
                    f8:f1:14:13:64:cc:e0:bc:be:26:5d:04:e1:58:dc:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         5f:05:f3:71:d5:f7:b7:b6:dc:17:cc:88:03:b8:87:29:f6:87:
         2f:7f:00:49:08:0a:20:41:0b:70:03:04:7d:94:af:69:3d:f4:
         ...
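As an added example that is not part of the original article, the following shell script performs the key and CSR generation described above non-interactively and sanity-checks the pair before the CSR is sent to a CA. It assumes openssl 1.1.1 or newer on PATH (for -addext); the hostname and subject fields are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original article. Generates the 2048-bit RSA key
# and CSR from the article non-interactively, then checks the result.
# Assumes: openssl (1.1.1 or newer, for -addext) on PATH; the hostname and
# subject fields are constructed sample values.
set -eu

# Create $dir/$host.key and $dir/$host.csr. -subj supplies the Distinguished
# Name fields the interactive prompt asks for; the subjectAltName extension is
# added because browsers match the hostname against the SAN, not the CN.
make_key_and_csr() {
  host="$1"; dir="$2"
  # umask in a subshell: the private key is created mode 0600 without
  # changing the caller's umask.
  ( umask 077 && openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null )
  openssl req -new -sha256 -key "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/C=CA/ST=California/L=Mountain View/O=Example, Inc./CN=$host" \
    -addext "subjectAltName=DNS:$host"
}

# Sanity-check a key/CSR pair before sending the CSR to a CA. Returns 0 only if:
#  - the CSR's self-signature verifies,
#  - the public key inside the CSR matches the private key on disk,
#  - the key is 2048 bits (the size the article recommends), and
#  - the private key file is readable and writable by its owner only.
check_csr() {
  host="$1"; dir="$2"
  key="$dir/$host.key"; csr="$dir/$host.csr"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] || return 1
  bits=$(openssl req -in "$csr" -noout -text \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "$bits" = "2048" ] || return 1
  [ -n "$(find "$key" -perm 600)" ]
}

# Demo: ./this.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_key_and_csr www.example.com "$tmp"
  check_csr www.example.com "$tmp" && echo "CSR for www.example.com looks good"
  openssl req -text -in "$tmp/www.example.com.csr" -noout   # inspect, as in the article
fi
```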
Submit your CSR to a certificate authority #
Different certificate authorities (CAs) require different methods for sending them your CSRs. Methods may include using a form on their website, sending the CSR by email, or something else. Some CAs (or their resellers) may even automate some or all of the process (including, in some cases, key pair and CSR generation). Send the CSR to your CA, and follow their instructions to receive your final certificate or certificate chain. Different CAs charge different amounts of money for the service of vouching for your public key. There are also options for mapping your key to more than one DNS name, including several distinct names (e.g. all of example.com, www.example.com, example.net, and www.example.net) or "wildcard" names such as *.example.com. For example, one CA currently offers these prices:
- Standard: $16/year, valid for example.com and www.example.com.
- Wildcard: $150/year, valid for example.com and *.example.com.
At these prices, wildcard certificates are economical when you have more than nine subdomains; otherwise, you can just buy one or more single-name certificates. (If you have more than, say, five subdomains, you might find a wildcard certificate more convenient when you come to enable HTTPS on your servers.)
Keep in mind that in wildcard certificates the wildcard applies to only one DNS label. A certificate good for *.example.com will work for foo.example.com and bar.example.com, but not for foo.bar.example.com.
Copy the certificates to all your front-end servers in a non-web-accessible place such as /etc/ssl (Linux and Unix) or wherever IIS (Windows) requires them.
Enable HTTPS on your servers #
Enabling HTTPS on your servers is a critical step in providing security for your web pages.
- Use Mozilla’s Server Configuration tool to set up your server for HTTPS support.
- Regularly test your site with the Qualys’ handy SSL Server Test and ensure you get at least an A or A+.
At this point, you must make a crucial operations decision. Choose one of the following:
- Dedicate a distinct IP address to each hostname your web server serves content from.
- Use name-based virtual hosting.
If you have been using distinct IP addresses for each hostname, you can easily support both HTTP and HTTPS for all clients. However, most site operators use name-based virtual hosting to conserve IP addresses and because it's more convenient in general. The problem with Internet Explorer on Windows XP and Android earlier than 2.3 is that they do not understand Server Name Indication (SNI), which is crucial for HTTPS name-based virtual hosting. Someday, hopefully soon, clients that don't support SNI will be replaced with modern software. Monitor the user agent strings in your request logs to know when enough of your user population has migrated to modern software. (You can decide what your threshold is; perhaps less than 5%, or less than 1%.) If you don't already have HTTPS service available on your server, enable it now (without redirecting HTTP to HTTPS; see below). Configure your web server to use the certificate you bought and installed. You might find Mozilla's handy configuration generator useful. If you have many hostnames or subdomains, they each need to use the right certificate.
Warning: If you’ve already completed these steps, but are using HTTPS for the sole purpose of redirecting clients back to HTTP, stop doing that now. See the next section to make sure HTTPS and HTTP work smoothly.
Ultimately you should redirect HTTP requests to HTTPS and use HTTP Strict Transport Security (HSTS). However, this is not the right stage in the migration process to do that; see “Redirect HTTP To HTTPS” and “Turn On Strict Transport Security And Secure Cookies.”
Now, and throughout your site's lifetime, check your HTTPS configuration with Qualys' handy SSL Server Test. Your site should score an A or A+; treat anything that causes a lower grade as a bug. (Today's A is tomorrow's B, because attacks against algorithms and protocols are always improving!)
Make intrasite URLs relative #
Now that you are serving your site on both HTTP and HTTPS, things need to work as smoothly as possible, regardless of protocol. An important factor is using relative URLs for intrasite links. Make sure intrasite URLs and external URLs are agnostic to protocol; that is, make sure you use relative paths or leave out the protocol, like //example.com/something.js. A problem arises when you serve a page via HTTPS that includes HTTP resources, known as mixed content. Browsers warn users that the full strength of HTTPS has been lost. In fact, in the case of active mixed content (scripts, plugins, CSS, iframes), browsers often simply won't load or execute the content at all, resulting in a broken page. And remember, it's perfectly fine to include HTTPS resources in an HTTP page.
See Fixing Mixed Content for more details about ways to fix and prevent mixed content.
Additionally, when you link to other pages in your website, users could get downgraded from HTTPS to HTTP. These problems happen when your page includes fully-qualified, intrasite URLs that use the http:// scheme.
Don’t
Welcome To Example.com