Nowadays, the SSL certificate used for HTTPS connections has become pretty important. Even Google gives a ranking boost to secure HTTPS/SSL sites. There are some cheap certificates you can buy, like Comodo PositiveSSL. I usually buy cheap certificates from Namecheap.com, which provides SSL certificates for as low as $4/year. After you buy the certificate, you need to set up your server. Here are the steps to set up an SSL certificate on your server.
1. Purchase the certificate
You can buy a certificate from Namecheap.com. After you buy it, you need to activate it by providing your generated CSR file.
2. Generate private key and CSR file
On a Linux server, you can run the following command in a terminal to generate the private key and CSR file.
$ openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.com.key -out mydomain.com.csr
When you run the command, you will be asked for the country code, domain name, registrant email, etc. For the domain name, you must enter the exact domain name that will use the certificate. For the registrant email, it's better to use an address at your own domain, e.g. yourname@yourdomain.com.
After the command finishes, mydomain.com.key (private key) and mydomain.com.csr (CSR) will be in your current directory.
3. Activate your certificate
Go to your purchase list and choose to activate your certificate. Copy the contents of your CSR file and paste it into the CSR box provided on the website. The system will generate the certificate files; you can choose to receive them by email. For a Comodo certificate you will get four files: AddTrustExternalCARoot.crt (Root CA), COMODORSAAddTrustCA.crt (Intermediate CA), COMODORSADomainValidationSecureServerCA.crt (Intermediate CA), and www_mydomain_com.crt (SSL certificate).
4. Install SSL certificate
Copy all certificate files to your server. To make your SSL certificate work fully for your domain, you need to combine the CA certificates with the SSL certificate. If you access your domain only from a browser, combining the certificates is not necessary. If you want your SSL-secured domain to be accessible by any service, you have to combine them. The files must be concatenated in the right order, as in the following command.
$ cat www_mydomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > mydomain.com.crt
After running the command, mydomain.com.crt will contain the SSL certificate and all CA certificates. You must keep your private key and SSL certificate secure by setting read and write permission only for root and no permission for others.
To use the certificate in a server application, you need to set the appropriate configuration for that application. For example:
Nginx
server {
    listen 443;
    ssl on;
    ssl_certificate /path/to/ssl/mydomain/mydomain.com.crt;
    ssl_certificate_key /path/to/ssl/mydomain/mydomain.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ...
}
Gitlab Community Edition
For a Gitlab server, by default you should store the certificate in "/etc/gitlab/ssl/" with the valid domain name as the file name. If the host name in "/etc/hostname" is "server.mydomain.com", your private key and SSL certificate should be named "server.mydomain.com.key" and "server.mydomain.com.crt". This is because the "#{node['fqdn']}" configuration variable is translated into your host name.
nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
5. Additional step
Some server applications need a CA certificate bundle to make an SSL connection. You can generate the CA bundle with the same command, leaving out the SSL certificate. The files must be in the right order here too.
$ cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ca-bundle.crt
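The steps above give no way to confirm that the key matches the CSR or that the concatenation order is actually right before the files go into nginx. The script below is an added example, not code from the original post: it constructs a throwaway test hierarchy (a self-signed root, two intermediates and a server certificate) so that steps 2, 4 and 5 can be exercised and checked offline. The CA file names only mirror the Comodo names used above and are not real CA material; the openssl CLI (1.1.1 or newer), awk and a POSIX sh are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): self-checking version of steps
# 2, 4 and 5 using a constructed test CA hierarchy. Assumes openssl >= 1.1.1.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for every generated file
DOMAIN="mydomain.com"          # constructed sample domain from the post

# Step 2, non-interactive: -subj answers the prompts the post describes.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr" \
    -subj "/CN=$DOMAIN" 2>/dev/null
}

# The CSR must carry the same public key as the private key; comparing the
# two public keys catches a CSR generated from a different key.
key_matches_csr() {
  k=$(openssl pkey -in "$WORK/$DOMAIN.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$WORK/$DOMAIN.csr" -noout -pubkey 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

# Constructed test CAs: $1 = new intermediate name, $2 = issuing CA name.
issue_intermediate() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Root -> two intermediates -> server cert, named like the files in the post
# (test material only; real Comodo certificates come from the CA in step 3).
make_test_hierarchy() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/AddTrustExternalCARoot.key" -out "$WORK/AddTrustExternalCARoot.crt" \
    -subj "/CN=AddTrustExternalCARoot" 2>/dev/null
  issue_intermediate COMODORSAAddTrustCA AddTrustExternalCARoot
  issue_intermediate COMODORSADomainValidationSecureServerCA COMODORSAAddTrustCA
  # Step 3 stand-in: the last intermediate signs our CSR into the server cert.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$DOMAIN" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$DOMAIN.csr" -days 1 \
    -CA "$WORK/COMODORSADomainValidationSecureServerCA.crt" \
    -CAkey "$WORK/COMODORSADomainValidationSecureServerCA.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/www_mydomain_com.crt" 2>/dev/null
}

# Steps 4 and 5: server cert first, then each issuer in turn; the CA bundle is
# the same list without the server cert. Key and chain readable by owner only.
build_bundles() {
  ( cd "$WORK" &&
    cat www_mydomain_com.crt COMODORSADomainValidationSecureServerCA.crt \
        COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > "$DOMAIN.crt" &&
    cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt \
        AddTrustExternalCARoot.crt > ca-bundle.crt &&
    chmod 600 "$DOMAIN.key" "$DOMAIN.crt" )
}

# "The order should be right" made checkable: split the PEM file and confirm
# every certificate is immediately followed by the certificate that issued it.
chain_order_ok() {   # $1 = concatenated PEM file
  split="$WORK/split"; rm -rf "$split"; mkdir "$split"
  awk -v d="$split" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/" n ".pem")}' "$1"
  i=1
  while [ -f "$split/$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -in "$split/$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$split/$((i + 1)).pem" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i + 1))
  done
  return 0
}

# End-to-end check: the server cert must chain to the root through the
# intermediates in ca-bundle.crt and must be issued for our host name.
verify_chain() {
  openssl verify -CAfile "$WORK/AddTrustExternalCARoot.crt" -untrusted "$WORK/ca-bundle.crt" \
    -verify_hostname "$DOMAIN" "$WORK/www_mydomain_com.crt" >/dev/null 2>&1
}

# nginx reads the first certificate in the file as the server certificate,
# so that one must not be a CA certificate.
first_cert_is_server() {
  [ "$(openssl x509 -in "$WORK/$DOMAIN.crt" -noout -subject)" = \
    "$(openssl x509 -in "$WORK/www_mydomain_com.crt" -noout -subject)" ]
}

main() {
  make_key_and_csr
  make_test_hierarchy
  build_bundles
  for check in key_matches_csr first_cert_is_server verify_chain; do
    if "$check"; then echo "$check: ok"; else echo "$check: FAILED"; fi
  done
  if chain_order_ok "$WORK/$DOMAIN.crt"; then echo "chain order: ok"; else echo "chain order: FAILED"; fi
  # The same files with the root first must be rejected by the order check.
  cat "$WORK/AddTrustExternalCARoot.crt" "$WORK/www_mydomain_com.crt" > "$WORK/wrong-order.crt"
  if chain_order_ok "$WORK/wrong-order.crt"; then echo "wrong order: accepted (bug)"; else echo "wrong order: rejected"; fi
}
main
```

To use the checks on real files, point WORK at the directory holding the key, the CSR and the four files from the CA, skip make_test_hierarchy, and run chain_order_ok on mydomain.com.crt and verify_chain with the real root; the key_matches_csr check is worth running before pasting the CSR into the activation form, since a mismatch is only discovered after the certificate has been issued.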