Saturday, July 10, 2010

SSL INSTALLATION



Requirements:
We need a dedicated IP address for the domain in question.

How to assign a dedicated IP to a domain:
go to WHM
Main >> IP Functions >> Change Site's IP Address, and use a free IP.
How to find a free IP: Main >> IP Functions >> Show IP Address Usage
-----------------
First we need to create a CSR (certificate signing request) and give it to the certificate provider (GeoTrust, VeriSign, etc.). The CSR can be created from WHM [Main >> SSL/TLS >> Generate a SSL Certificate and Signing Request]. We will get ourdomainname.crt back from the signing authority.
On the command line:
* Do not set a passphrase on the key. If we set one while generating the CSR, the passphrase would have to be typed every time the web server is restarted. This is a bad choice.
cd /home/tuxunited/cert
1. Generating a key
# openssl genrsa -out www.tuxunited.com.key 2048

Generating RSA private key, 2048 bit long modulus
....................................................................................+++
....................................................+++
e is 65537 (0x10001)

2. Generating csr

# openssl req -new -key www.tuxunited.com.key -out www.tuxunited.com.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:IN

State or Province Name (full name) [Some-State]:Kerala

Locality Name (eg, city) []:El TVPM

Organization Name (eg, company) [Internet Widgits Pty Ltd]:TUXUNITED PVT LTD:

Organizational Unit Name (eg, section) []:

Common Name (eg, YOUR name) []:www.tuxunited.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:
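
As an added example (not code from the original post), here are the key and CSR steps above done non-interactively, followed by the checks worth running before the CSR leaves the server: the CSR's own signature, the Common Name, whether the CSR's public key really belongs to the key file on disk, and whether that key file is readable by anyone other than its owner. It assumes the openssl command-line tool is installed; the working directory, the DN values and the helper function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate an RSA key and a CSR
# without the interactive prompts, then verify the CSR before sending it to
# the CA. Assumes the openssl CLI; paths and DN values are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="www.tuxunited.com"
KEY="$WORKDIR/$DOMAIN.key"
CSR="$WORKDIR/$DOMAIN.csr"

# Private key with no passphrase (same choice as the post: a passphrase would
# have to be typed at every Apache restart). umask 077 makes the file
# owner-only from the moment it is created, so it is never world-readable.
generate_key() {
    ( umask 077 && openssl genrsa -out "$KEY" 2048 2>/dev/null )
}

# Build the CSR from a -subj string instead of answering prompts; these are
# the same DN fields the interactive session asks for.
generate_csr() {
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=IN/ST=Kerala/L=TVPM/O=TUXUNITED PVT LTD/CN=$DOMAIN"
}

# Extract the Common Name from the CSR (works for both "CN = x" and "/CN=x"
# subject formats printed by different OpenSSL versions).
csr_cn() {
    openssl req -in "$CSR" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The public key embedded in the CSR must be the one derived from our key
# file; compare the two SubjectPublicKeyInfo blobs by hash.
csr_matches_key() {
    csr_pub=$(openssl req -in "$CSR" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    [ "$csr_pub" = "$key_pub" ]
}

# Group and other permission bits (columns 5-10 of ls -l) must all be "-".
key_is_private() {
    perms=$(ls -l "$KEY" | cut -c5-10)
    [ "$perms" = "------" ]
}

# All checks together: signature verifies, CN is the exact hostname clients
# will type, CSR belongs to our key, key file is owner-only.
verify_csr() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 \
        && [ "$(csr_cn)" = "$DOMAIN" ] \
        && csr_matches_key \
        && key_is_private
}

main() {
    generate_key
    generate_csr
    verify_csr && echo "CSR for $DOMAIN is ready to send to the CA: $CSR"
}

main
```

The CN check matters because the CA issues exactly what the CSR asks for: a CSR whose CN is the bare domain produces a certificate that browsers will reject for the www. name, which is the first error described further down this post.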

Send this .csr file to the certificate signing authority to get the .crt and .ca-bundle.

The CA bundle and the .key will be generated automatically on our server once we make the CSR.
Once we have received these we can install SSL for our domain [Main >> SSL/TLS >> Install a SSL Certificate and Setup the Domain]: paste the .csr and the CA certificates (the .key will be filled in automatically once you paste the .crt), then FINALLY CLICK SUBMIT.

From the command prompt
Copy the ourdomainname.crt file to the /usr/share/ssl/certs/ OR /etc/ssl/certs/ directory.
public key = ourdomainname.crt
private key = ourdomainname.key [/usr/share/ssl/private/ or /etc/ssl/private/]

The private key file must be readable by root only [i.e., drwx------ 2 root root 4096 Jul 9 23:36 private/]

Next we need to install the intermediate certificate [it is optional].
You need to install the Intermediate CA certificates for browsers to trust your certificate. The Intermediate CA certificates come in the form of SERVERNAME.ca-bundle.
In the Virtual Host section of your configuration file, you need to do the following.

Copy the SERVERNAME.ca-bundle file to the certificate directory
[/usr/share/ssl/certs OR /etc/ssl/certs/]

Add the following line to the SSL section of httpd.conf:
SSLCACertificateFile /etc/httpd/conf/SERVERNAME.ca-bundle --> if all the files are in the same location

If they are in different locations:
*SSLCertificateFile /usr/share/ssl/certs/ourdomainname.com.crt
*SSLCertificateKeyFile /usr/share/ssl/private/ourdomainname.com.key
*SSLCACertificateFile /usr/share/ssl/certs/ourdomainname.com.ca-bundle

FINALLY RESTART APACHE

To check the SSL certificate
http://www.digicert.com/help/
Command:
openssl s_client -connect domainname:443

ERRORS
1. You'll also get an error if you try to access a URL securely whose hostname doesn't match the certificate.
If, for example, you generate a cert for https://yourdomain.com,
it'll throw an error if you go to https://www.yourdomain.com,
because the second domain has a www. in it, but the cert was generated for the hostname without the www.
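
The following is an added example, not code from the original post. Because a real signing authority cannot be involved offline, it mints a throwaway root -> intermediate -> server chain with a local test CA and then runs the checks an admin should run on the .crt, .key and .ca-bundle files from the installation section above before restarting Apache: that the key file really belongs to the certificate, that the certificate chains through the ca-bundle to a trusted root (the usual cause of an untrusted-connection warning when it does not), and that the certificate is valid for the hostname users will type, which reproduces the www. mismatch from error #1. It assumes the openssl command line, version 1.1.0 or newer for -verify_hostname; every file name, DN and hostname is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: local test CA standing in
# for GeoTrust/VeriSign, then the pre-"RESTART APACHE" checks on the
# .crt / .key / .ca-bundle trio. Assumes openssl >= 1.1.0. All names constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# The server certificate is issued for the bare domain only, as in error #1.
BARE_NAME="yourdomain.com"

# Build root, intermediate and server certificates. The CA's .ca-bundle is
# the intermediate alone: the root is already in the browser, the leaf is
# the .crt we install as SSLCertificateFile.
make_test_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$BARE_NAME" > server.ext

    # self-signed root
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Test Root" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 1 \
        -extfile ca.ext -out root.crt 2>/dev/null
    # intermediate, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Example Test Intermediate" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out inter.crt 2>/dev/null
    # server key and CSR, signed by the intermediate (what the CA returns as .crt)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$BARE_NAME.key" -out "$BARE_NAME.csr" \
        -subj "/C=IN/ST=Kerala/O=Example Org/CN=$BARE_NAME" 2>/dev/null
    openssl x509 -req -in "$BARE_NAME.csr" -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 1 -extfile server.ext -out "$BARE_NAME.crt" 2>/dev/null
    cat inter.crt > "$BARE_NAME.ca-bundle"
}

# Check 1: SSLCertificateKeyFile is the key behind SSLCertificateFile.
# Apache will not start when these do not match.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Check 2: the .crt chains through the .ca-bundle to a trusted root. This is
# what a browser does; a missing SSLCACertificateFile is the usual reason for
# "This Connection is Untrusted" (error #2).
chain_verifies() {
    openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
}

# Check 3: the name the user types is one the certificate is valid for.
cert_valid_for_host() {
    openssl verify -CAfile root.crt -untrusted "$BARE_NAME.ca-bundle" \
        -verify_hostname "$1" "$BARE_NAME.crt" >/dev/null 2>&1
}

main() {
    make_test_chain
    cert_matches_key "$BARE_NAME.crt" "$BARE_NAME.key" && echo "key matches certificate"
    chain_verifies "$BARE_NAME.crt" "$BARE_NAME.ca-bundle" && echo "chain verifies through the ca-bundle"
    cert_valid_for_host "$BARE_NAME" && echo "valid for https://$BARE_NAME"
    cert_valid_for_host "www.$BARE_NAME" || echo "NOT valid for https://www.$BARE_NAME (error #1)"
}

main
```

Against a real deployment, replace root.crt with the system trust store (drop -CAfile and let openssl use its defaults) and point the three functions at the files named in httpd.conf; the same three checks can be run remotely with openssl s_client as shown above, but doing them locally on the files first tells you which of the three pieces is wrong before Apache is restarted.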

2. The browser showed "This Connection is Untrusted".
Any idea??? Please (use the correct .crt and host name).
Ans: Try uninstalling and reinstalling your SSL once again; this may fix it for you!!

12-07-2010
3. No blue / green tab in the URL bar.
Ans: You need to make sure all the links on the page use https:// and not http://;
without this you will not get a fully secured connection.