Skip to main content

Setting Up SSL Certificate

Nowdays, SSL certificate which is usually used for HTTPS connections becomes pretty important. Even Google starts to give a ranking boost to secure HTTPS/SSL sites. There are some cheap certificates that you can buy like Comodo PositiveSSL. I usually buy cheap certificates from Namecheap.com which provides SSL certificate as low as $4/year. After you buy the certificate, you need to setup your server. Here are the steps to set up SSL certificate on your server.

1. Purchase the certificate
You can buy certificate from Namecheap.com. After you buy it, you need to activate your certificate by providing your generated CSR file.

2. Generate private key and CSR file
In linux server, you can run following command on terminal to generate private key and CSR file.

$ openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.com.key -out mydoain.com.csr 

When you run the command, you will be asked for Country ID, domain name, registrant email, etc. For the domain name, you have to fill it with valid domain name that will use the certificate. For the registrant email, its better if you use your domain email account e.g. yourname@yourdomain.com.
After you run the command, there will be mydomain.com.key (private key) and mydomain.com.csr (CSR) in your current directory location.

3. Activate your certificate
Go to your purchase lists and choose to activate your certificate. Copy contents of your CSR file then paste it on provided CSR box on the website. The system will generate some certificate files. You can choose to get the certificate files by email. For Comodo certificate, you will get four files including AddTrustExternalCARoot.crt (Root CA), COMODORSAAddTrustCA.crt (Intermediate CA), COMODORSADomainValidationSecureServerCA.crt (Intermediate CA), and www_mydomain_com.crt (SSL certificate).

4. Install SSL certificate
Copy all certificate files to your sever. To make your SSL certificate fully works for your domain, you need to combine CA certificate into SSL certificate. If you access your domain only from browser, it's not necessary to combine the certificates. If you want to make your SSL secured domain can be accesed by any services you have to combine the certificates. The order of combination files should be right like the following command.

$ cat www_mydomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > mydomain.com.crt

After run the command, mydomain.com.crt will contain SSL certificate and all CA certificates. You must keep your private key and SSL certificate secure by setting up read and write permission only for root and no permission for others.
To implement the certificate into a server application, you need to set appropiate configuration for the application. For example:
Nginx

server {
    listen 443;
    ssl on;
    ssl_certificate /path/to/ssl/mydomain/mydomain.com.crt;
    ssl_certificate_key /path/to/ssl/mydomain/mydomain.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ...
}

Gitlab Community Edition
For Gitlab server, by default you should store the certificate in "/etc/gitlab/ssl/" with valid domain name for the file name. If your domain name in "/etc/hostname" is "server.mydomain.com", your private key or your SSL certificate chould be named "server.mydomain.com.<key/crt>". It's because the "#{node['fqdn']}" configuration variable will be translated into your host name.

nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"

5. Additional step
Some server applications need a CA certificate bundle to perform SSL connection. You can generate CA bundle by performing last command without SSL certificate. The order of combination files should be right too.

$ cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ca-bundle.crt

Labels:

Comments

  1. UnknownMarch 9, 2021 at 12:28 PM

    Hey what a brilliant post I have come across and believe me I have been searching out for this similar kind of post for past a week and hardly came across this. Thank you very much and will look for more postings from you Get for more information buy certificate

    ReplyDelete

Post a Comment

Popular posts from this blog

Rangkaian Sensor Infrared dengan Photo Dioda

Keunggulan photodioda dibandingkan LDR adalah photodioda lebih tidak rentan terhadap noise karena hanya menerima sinar infrared, sedangkan LDR menerima seluruh cahaya yang ada termasuk infrared. Rangkaian yang akan kita gunakan adalah seperti gambar di bawah ini. Pada saat intensitas Infrared yang diterima Photodiode besar maka tahanan Photodiode menjadi kecil, sedangkan jika intensitas Infrared yang diterima Photodiode kecil maka tahanan yang dimiliki photodiode besar. Jika  tahanan photodiode kecil  maka tegangan  V- akan kecil . Misal tahanan photodiode mengecil menjadi 10kOhm. Maka dengan teorema pembagi tegangan: V- = Rrx/(Rrx + R2) x Vcc V- = 10 / (10+10) x Vcc V- = (1/2) x 5 Volt V- = 2.5 Volt Sedangkan jika  tahanan photodiode besar  maka tegangan  V- akan besar  (mendekati nilai Vcc). Misal tahanan photodiode menjadi 150kOhm. Maka dengan teorema pembagi tegangan: V- = Rrx/(Rrx + R2) x Vcc V- = 150 / (150+10) x Vcc V- = (150/160) x 5
2 comments
Read more

Raspberry Pi Bluetooth Connection

Raspberry Pi 3 provides built-in bluetooh module. Latest Raspbian has been bundled with tools for enabling bluetooth connection. Bluetooth icon will be showed up on top right corner of the desktop. It's a tool to discover available bluetooth devices and connect Pi with bluetooth devices. It is easy to connect any bluetooth-enabled electronic device with Pi. But, sometimes Pi will fail to make a connection especially for bluetooth device which has no standarized services. From terminal, we can use bluetoothctl tool to scan and connect with a bluetooth device. You should make sure that BlueZ protocol stack has been installed by running $ apt-get install bluez Run bluetoothctl to enter the tool command window Turn the power on by running power on (Optional) You can set AutoEnable=true in /etc/bluetooth/main.conf if you want to make the bluetooth auto power-on after reboot. Run devices to see which devices have been paired Run scan on if your desired device has not pair
1 comment
Read more

Kerusakan pada Motherboard

1. Sering terjadi hang memory tidak cocok --- ganti memory ada virus di harddisk --- scan harddisk over clock --- seting kembali clock prosesor ada bad sector di harddisk --- partisi harddisk dengan benar 2. Pembacaan data menjadi lambat memori tidak cukup --- tambah memori harddisk penuh atau ada virus --- kurangi isi harddisk, scan harddisk, atau ganti hardisk 3. CMOS failure baterai habis --- ganti baterai CMOS seting BIOS berubah --- seting kembali BIOS 4. Tidak bisa booting cache memory rusak --- disable eksternal cache memory di BIOS memori tidak cocok --- ganti memori boot sector pada harddisk rusak --- masukkan operating system baru ada bad sector pada trek awal harddisk --- partisi harddisk 5. Suara bip panjang berkali-kali memori rusak --- periksa kedudukan memori memori tidak cocok --- ganti memori memori tidak masuk slot dengan sempurna --- periksa kembali kedudukan memori 6. Suara bip bagus tetapi tidak ada tampilan / bip dua kali VGA card
Post a Comment
Read more

Itachi Uchiha

The Real Hero of Konoha
Post a Comment
Read more

How To Use Git in Netbeans

Git is a popular version control application nowadays. Recently I have created a note about its differences with SVN and how to use it in Eclipse . There are many Git client tools. But I just want to show how to use Netbeans built in Git tools. It makes development process easier because it has been integrated with the IDE. Create Remote Git Repository We need remote Git repository so everyone can store or receive any revision or updated files through the networks. We can setup our own Git server or use public Git server like Github . In this note, I use Github. 1. Create an account in Github and create an empty Git repository Create an empty public repository in Github 2. Get the remote repository link Your Github Repository URL Create a New Project in Netbeans and Create Local Git Repository After we have a remote Git repository, we can create a project which will be stored to remote repository. We also need to create local repository before we can push
1 comment
Read more

Kakashi Killed Rin

Kakashi is a scumbag. He killed Rin, let Obito died for saving his life, let Sasuke left from Konoha, but finally he became Hokage. Rubbish is not extraordinary thing. Trailer Kakashi Killed Rin
4 comments
Read more