Setting Up SSL Certificate for Website

04/13/2017 Update: StartSSL's certificate is currently distrusted by Chrome and Firefox. So avoid using it! Instead use Let's Encrypt (tutorial here to switch to them).

This is a simple log in case I forget the steps; it may or may not help you. A good thing about StartSSL is that they now support up to 5 subdomains under the same root domain for free. This is very nice.

  1. Go to https://startssl.com and "Authenticate" using a stored certificate. If you don't have one, you need to "Sign-Up".
  2. After logging in, first we need to validate the domain. Go to "Validations Wizard" and select "Domain Validation (for SSL certificate)." Next, enter your root domain, for example, happyz.me. Before going to the next step, if you have set domain privacy, you need to temporarily disable it so that the validation code quickly reaches your real email address. The procedure afterwards is trivial: enter the code for validation, then re-enable domain privacy when validation completes.
  3. Download the zip, in my case happyz.me.zip. If it does not download automatically, go to "Toolbox" and then "Certificate list" to retrieve the zip.
  4. Since my server is using Apache, unzip the "ApacheServer.zip" inside the downloaded zip and you will get two files: 1_root_bundle.crt and 2_happyz.me.crt.
  5. Enable SSL for the website by modifying the config file in the Apache folder. For example:

<IfModule mod_ssl.c>
<VirtualHost *:443>
  SSLEngine On
  # Disables SSLv2 and SSLv3; TLS 1.0 and 1.1 remain enabled with this setting
  SSLProtocol all -SSLv2 -SSLv3
  # HSTS for one year (requires mod_headers); "always" also covers error responses
  Header always set Strict-Transport-Security "max-age=31536000"
  SSLHonorCipherOrder On
  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA
  # Server certificate and its private key
  SSLCertificateFile path/to/2_happyz.me.crt
  SSLCertificateKeyFile path/to/your_key
  # CA bundle; this directive is deprecated since Apache 2.4.8, where the
  # bundle can instead be appended to the SSLCertificateFile
  SSLCertificateChainFile path/to/1_root_bundle.crt
  ServerAdmin admin
  ServerName blog.happyz.me
  DocumentRoot path/to/directory_of_website
  <Directory "path/to/directory_of_website">
    Options FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>
  ErrorLog path/to/error/log
  CustomLog path/to/access/log combined
</VirtualHost>
</IfModule>

You'll need to replace the red text (the placeholder values such as the path/to/... entries) with your own. The SSLCipherSuite value is taken from https://wiki.mozilla.org/Security/Server_Side_TLS.
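
A pre-flight check worth running before reloading Apache with the files from steps 4 and 5, as an added example (not part of the original post): it confirms that the private key matches the certificate and that the certificate verifies against the bundle. The function names and the throwaway demo CA are constructed for illustration; it assumes the `openssl` CLI is installed and that the bundle contains the root CA.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files named in the vhost above.
# Function and demo file names are hypothetical; needs openssl on PATH.

# SHA-256 over the PEM public key embedded in a certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256
}

# SHA-256 over the PEM public key derived from a private key.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256
}

# check_pair CERT KEY BUNDLE
# Returns 0 only if KEY belongs to CERT and CERT chains to a CA in BUNDLE;
# 1 means key/certificate mismatch, 2 means the chain does not verify.
check_pair() {
    cert=$1; key=$2; bundle=$3
    if [ "$(cert_pubkey_hash "$cert")" != "$(key_pubkey_hash "$key")" ]; then
        echo "MISMATCH: $key is not the private key for $cert" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "CHAIN: $cert does not verify against $bundle" >&2
        return 2
    fi
    echo "OK: key matches and chain verifies"
}

# Build a constructed, throwaway CA and leaf in DIR so the checks can be
# exercised offline (these are not the StartSSL files).
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/1_root_bundle.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=blog.example.test" \
        -keyout "$dir/your_key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -days 1 \
        -CA "$dir/1_root_bundle.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/2_demo.crt" 2>/dev/null &&
    openssl genrsa -out "$dir/other_key" 2048 2>/dev/null
}
```

With the real files, call `check_pair path/to/2_happyz.me.crt path/to/your_key path/to/1_root_bundle.crt` and reload Apache only when it returns 0.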
