04/13/2017 Update: StartSSL's certificate is currently distrusted by Chrome and Firefox. So avoid using it! Instead use Let's Encrypt (tutorial here to switch to them).
This is a simple log in case I forget the steps; it may or may not help you. A good thing about StartSSL is that they now support up to 5 subdomains under the same root domain for free, which is very nice.
- Go to https://startssl.com and "Authenticate" using a stored certificate. If you don't have one, you need to "Sign-Up".
- After logging in, first we need to validate the domain. Go to "Validations Wizard" and select "Domain Validation (for SSL certificate)." Next, enter your root domain, for example, `happyz.me`. Before going to the next step, if you have set domain privacy, you need to temporarily disable it so that the validation code quickly reaches your real email address. The procedure afterwards is trivial: enter the code for validation, then re-enable domain privacy when validation completes.
- Download the zip, in my case `happyz.me.zip`. If it does not download automatically, go to "Toolbox" and then "Certificate list" to retrieve the zip.
- Since my server is using Apache, unzip the "ApacheServer.zip" in the downloaded zip and you will get two files: `1_root_bundle.crt` and `2_happyz.me.crt`.
- Enable SSL for the website by modifying the config file in the Apache folder. For example:
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    SSLEngine On
    # Disable the obsolete SSLv2 and SSLv3 protocols
    SSLProtocol all -SSLv2 -SSLv3
    # HSTS: tell browsers to use HTTPS only for one year (requires mod_headers)
    Header add Strict-Transport-Security "max-age=31536000"
    # Prefer the server's cipher order over the client's
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA
    # Site certificate, its private key, and the chain file from ApacheServer.zip
    SSLCertificateFile path/to/2_happyz.me.crt
    SSLCertificateKeyFile path/to/your_key
    SSLCertificateChainFile path/to/1_root_bundle.crt
    ServerAdmin admin
    ServerName blog.happyz.me
    DocumentRoot path/to/directory_of_website
    <Directory "path/to/directory_of_website">
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog path/to/error/log
    CustomLog path/to/access/log combined
</VirtualHost>
</IfModule>
```
You'll need to replace the placeholder values (red in the original post), such as the `path/to/...` entries, with your own. The `SSLCipherSuite` value is taken from https://wiki.mozilla.org/Security/Server_Side_TLS.
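To check that a vhost actually carries the hardening directives used above before reloading Apache, a small lint can be run over the config text. This is an added example, not part of the original post: the `WEAK` vhost is constructed for contrast, the function names are hypothetical, and treating a missing `SSLProtocol` as `all` is a conservative assumption.

```python
import re

# Constructed sample: a weak vhost, for contrast with the post's settings.
WEAK = """<VirtualHost *:443>
SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:RC4-SHA:DES-CBC3-SHA
</VirtualHost>"""
# TLS directives from the post's vhost (cipher list shortened to three entries).
PAGE = """<VirtualHost *:443>
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
Header add Strict-Transport-Security "max-age=31536000"
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA
</VirtualHost>"""

def directives(conf):
    """Map lower-cased directive name -> argument string (last one wins)."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue  # skip blanks, comments and section tags
        parts = line.split(None, 1)
        out[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return out

def audit(conf):
    """Return a list of findings; an empty list means all checks passed."""
    d, findings = directives(conf), []
    # Assumption: a missing SSLProtocol is treated as "all" (conservative).
    protos = d.get("sslprotocol", "all").lower().split()
    for old in ("sslv2", "sslv3"):
        enabled = (old in protos or "+" + old in protos
                   or ("all" in protos and "-" + old not in protos))
        if enabled:
            findings.append("protocol not disabled: " + old)
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("server cipher order not enforced")
    # Cipher names with these markers are broken or export-grade; "!" excludes.
    weak = [c for c in d.get("sslciphersuite", "").split(":")
            if not c.startswith("!") and re.search(r"RC4|DES|MD5|NULL|EXP", c)]
    if weak:
        findings.append("weak ciphers: " + ",".join(weak))
    if not re.search(r'^\s*Header\s.*Strict-Transport-Security\s+"?max-age=\d+',
                     conf, re.I | re.M):
        findings.append("no HSTS header")
    return findings
```

`audit(PAGE)` returns an empty list, while `audit(WEAK)` reports SSLv3, the missing cipher-order and HSTS directives, and the RC4 and 3DES suites.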