How to Install SSL Certificate(s) on Various Web Servers

Public-facing websites often become targets of attacks such as eavesdropping, denial of service, spoofing, etc. Against eavesdropping, an SSL certificate can be installed so that the hosting server and each client browser can form a reasonably secure communication channel. Hence, it is becoming common practice for web administrators to implement this technology.


IIS 5 & 6
Legacy operating systems such as Windows 2000 & 2003 are still serving as production servers today. Thus, it is in an administrator's interest to know how to assign an SSL cert on these machines.
Step 1: Obtain a publicly signed certificate
There are many public SSL certificate providers on the Internet. An example of a free service would be StartSSL, and a paid subscription would be GeoTrust. The certificate file should have the extension *.key, *.crt, *.der, *.pem, or *.pfx (IIS-5's default).
Step 2: Apply the certificate to a website
Start >> All Programs >> Administrative Tools >> Internet Information Services (IIS) Manager >> browse to {server_name} >> Web Sites >> right-click on the correct {website_name} >> Properties >> select the Directory Security tab >> click on Server Certificate >> Next >> select the radio button next to Assign an existing certificate >> Next >> select the correct certificate (one may choose to add a new certificate to this server if this list does not present a valid item) >> Next >> input the port number as 443 >> Next >> Next >> Finish >> click on Edit >> put a check mark next to "Require secure channel (SSL)" and "Require 128-bit encryption" >> select any or all item(s) if there is a pop-up list >> click OK >> Apply >> OK


IIS 7 & 7.5
There are two types of certificates that could be installed on an IIS: a site certificate or an intermediate certificate. The former is a normal cert that should be applied directly on the server that hosts the content, while the latter should be installed on an IIS that behaves as a relay or proxy to complete the chain of trust between a web host, a proxy, and a client browser.
Start >> Internet Information Services (IIS) Manager >> expand to select the correct server >> double-click on Server Certificates >> click Complete Certificate Request from the right-hand side panel >> click … to browse to the location of the certificate file >> click Open >> input a Friendly Name for this cert >> to bind this new cert, navigate back to the server where the cert has been installed within the Internet Information Services (IIS) Manager >> expand Sites >> select the desired site to be secured with SSL >> click Bindings from the Action Panel on the right-hand side >> Add >> a Site Binding window appears >> select HTTPS as type, choose Select All Unassigned as IP Address, input 443 as the port number, and pick the correct cert that has been installed previously >> OK >> OK


IIS 8 & 8.5
Windows Server 2012 is bundled with IIS 8, and Windows 2012 R2 comes with IIS 8.5. The administration process for these two versions is very similar.
Right-click on the Windows icon >> Run >> INETMGR.exe >> Enter >> locate the desired server by its icon >> double-click "Server Certificates" >> click Complete Certificate Request from the right side (Actions Menu) >> click … >> browse to the path of the cert >> OK >> input the Friendly name such as {domain-name.com} >> click on the drop-down menu to choose the certificate store type (i.e. Web Hosting) >> OK >> to bind this new cert, navigate back to the server where the cert has been installed within the Internet Information Services (IIS) Manager >> click on Bindings from the right side Action Menu >> Add >> choose HTTPS as Type, All Unassigned as IP address, and {domain-name.com} as SSL certificate >> OK >> repeat this process to install additional certificates for other sites being hosted by this server


NGINX
Step 1: Edit the server block to enable SSL support. Please note that if NGINX has been manually compiled, it must be compiled with the option to support SSL.
(A) Stop NGINX with this command:
    killall -9 nginx
(B) Add the following sample configuration into the server block:
    server {
        listen 443;
        server_name <FQDN>;
        ssl on;
        ssl_certificate <Path_to_Certificate>;
        ssl_certificate_key <Path_to_SSL_Key>;
        root <EMPTY DIRECTORY>;
        location / {
            …
        }
    }
Step 2: Restart NGINX with one of these commands, depending on the Linux flavor and NGINX installation method:
    /usr/local/nginx/sbin/nginx -s reload
    /etc/init.d/nginx restart
    service nginx restart
    sudo service nginx restart
    sudo /etc/init.d/nginx restart
    nginx -s reload


Apache
Step 1: Copy the certificate files to the server with a *.crt file name extension. Two types of certs are required: the Intermediate and the Primary certificates. A private key file is also required, so the total number of files to be transferred is three (3). FTP, SFTP, SAMBA, or SCP could be used to transfer these files. For instance, this is the syntax of the SCP method:
To copy a file from B to A while logged into B:
    scp /path/to/file username@a:/path/to/destination
To copy a file from B to A while logged into A:
    scp username@b:/path/to/file /path/to/destination
Step 2: Edit the httpd.conf or httpd-ssl.conf (depending on the server's predisposition)
(A) Locate the SSL configuration:
    # /etc/httpd/ is the base directory of Apache
    grep -i -r "SSLCertificateFile" /etc/httpd/
(B) Edit the file by adding the following block:
    <VirtualHost *:443>
        DocumentRoot /var/www/html
        ServerName www.domain-name.com
        SSLEngine on
        SSLCertificateFile /path/to/primary-cert.crt
        SSLCertificateKeyFile /path/to/ssl-private.key
        SSLCertificateChainFile /path/to/intermediate-cert.crt
    </VirtualHost>
Step 3: Reload Apache
Various Linux flavors have different commands to accomplish this task. Also, whether Apache has been compiled from source affects the actual command line to restart HTTPD. The Linux server administrator would know which of these commands to use:
    apachectl restart
    /sbin/service httpd restart
    sudo restart apache2
    /usr/sbin/rcapache2 restart
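A check worth running on the three files before reloading, added here as an example and not part of the original article: it confirms that the private key belongs to the primary certificate and that the primary certificate chains through the intermediate. The file names follow the Apache block above; the root certificate, the throwaway test PKI and the function names are constructed for the demonstration, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: checks to run on the three files from Step 1 before reloading.

# Succeeds only when the certificate ($1) and private key ($2) share a public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only when the primary cert ($3) chains through the intermediate ($2)
# to the trusted root ($1).
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Constructed throwaway PKI (root -> intermediate -> primary) written to $1.
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" \
        -out "$d/intermediate-cert.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.domain-name.com" \
        -keyout "$d/ssl-private.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate-cert.crt" \
        -CAkey "$d/int.key" -CAcreateserial -days 1 \
        -out "$d/primary-cert.crt" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT        # the sample keys are disposable
make_sample "$tmp"
cert_matches_key "$tmp/primary-cert.crt" "$tmp/ssl-private.key" \
    && echo "OK: private key belongs to primary certificate"
cert_matches_key "$tmp/primary-cert.crt" "$tmp/int.key" \
    || echo "CAUGHT: wrong private key for this certificate"
chain_verifies "$tmp/root.crt" "$tmp/intermediate-cert.crt" "$tmp/primary-cert.crt" \
    && echo "OK: primary -> intermediate -> root verifies"
chain_verifies "$tmp/root.crt" "$tmp/root.crt" "$tmp/primary-cert.crt" \
    || echo "CAUGHT: chain broken without the right intermediate"
```

On a real server, call the two functions with the actual paths from the configuration and the CA's root certificate in place of the constructed sample.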
