HTTPS: What is it?
HTTPS is the protocol that allows you to interact with a website
securely, such as for doing your banking or purchasing items
To put it simply, HTTPS is merely "encrypted HTTP."
The protocol is effectively identical to HTTP except that it uses
SSL (Secure Socket Layer) to authenticate the site and encrypt
the session, thus providing two critical advantages:
you can rest assured that the site you are connecting to is indeed
the "real" site and not an impostor posing as that site; and
everything you enter and everything you see is being encrypted, so
it is not possible for onlookers to capture and examine the packets
that make up your session.
In other words, your session is secure.
How Does It Work?
The https protocol uses the same technology for authenticating
and encrypting sessions as SSH (Secure Shell), which means it uses
private and public keys. If you are unfamiliar with this general
mechanism, please refer to [** THIS TUTORIAL ON SSH (LINK HERE) **]
for an overview.
When your Web browser is pointed to a link that starts with
"https://" (port 443 instead of 80), it looks for a file on the
server called a digital certificate which contains various pieces of
information about this site, including the public key that can be
used to encrypt the session. We will see later how you would set
this up as the system administrator.
Among other things, this "certificate" includes information about
an independent, trusted,
third-party organization called a "Certificate Authority," commonly
referred to as a "CA," which is prepared to vouch that you are
indeed who you claim to be.
The reason these fine folks are
willing to do this for you is that you purchased the certificate
They will continue to vouch for you until your certificate expires,
at which point you can send them another cheque if your want your
certificate to remain valid.
Can I Fake It?
You might think that you could generate your own certificate and
have it point to yourself as the Certificate Authority, vouching
for yourself and circumventing the whole third-party validation...
but that wouldn't work.
The reason is that only a limited number
of CAs are recognized as "trusted" and those are actually listed in
your Web browser.
That's right, their names are hard-coded in the Web browsing
software. Periodically, new CAs become recognized as trustworthy
and their names are integrated into the next release of the
Can I Obtain a Certificate for Free?
Yes, you can obtain a free certificate from some providers.
If you do a Web search for "free certificate authority," you will
find a number of companies willing to provide this service for
free, including cacert.org and startcom.org.
Why should you pay for a certificate when you can get one for free?
Honestly, I don't know. I see no particular reason to pay for
something that's available for free. You just want to make sure
that the company you are getting this certificate from is actually
listed with the major Web browsers. If it isn't, the user will get
a security warning which may deter them from accessing your site,
so that might be a reason to pay money to obtain a certificate from
a well-known Certificate Authority.
Let's Set Up an HTTPS Site
Enough theory; now, let's set up a site with https. There are only
two steps required:
- obtain a certificate; and
- edit your Apache configuration file.
Obtaining a Certificate
To obtain a digital certificate from a CA (Certificate Authority),
you need to submit a certificate signing request, or CSR, to
a trusted Certificate Authority.
This CSR will include some information about you or your organization,
including the full domain name of your website and the public key that
you wish to use for authenticating and encryption your users' sessions.
The CA will verify the information you have included
in your request and may also contact you to satisfy themselves that you
are indeed who you say you are.
When they are satisfied, they will generate a digital certificate
and "sign" it with their own private key before sending it to you.
Creating a Private Key
Before you can create a CSR, you need to generate a pair of
authentication keys (one private and one public) that you intend to
use for your https website.
To create this pair of keys, make sure the OpenSSL package is installed
on your system, then issue the following command:
openssl genrsa -des3 -out mykey.pem 2048
This particular example creates an RSA key (you can also create a DSA
key using slightly different syntax) in the file mykey.pem.
Note that this .pem file contains the private
key and sufficient information to derive the public key from it. You can
think of it as a container for both keys. If you wanted to obtain the
public key from this container, you could use the following command:
openssl rsa -in mykey.pem -pubout -out public.pem
This would create the new file public.pem containing only
the public key. However, for our purposes, we will not need this; the
original file we created (mykey.pem) is all we need.
NOTE: The option "-des3" tells openssl that you want to protect
the private key with a passphrase, and you will therefore be prompted
to enter it. This makes your site more secure because if your key
is copied by an impostor, this impostor will not be able to use it unless
he also knows the passphrase. However, this means you will be prompted to
enter this key every time you start your Apache server, including at
boot-time. This may be impractical, especially if the server is
rebooted unexpectedly (such as after a power outage).
If you wish to leave the private key unprotected for greater convenience,
simply omit the "-des3" option in the command above, but be
sure to take proper
precautions to ensure that your private key does not get copied by
Creating the CSR
Now that we have generated an RSA key, we can use openssl again
to create a CSR (Certificate Signing Request). The following command
will take care of this:
openssl req -new -key mykey.pem -out mycert.csr
This will create the new file mycert.csr which you will
send to the CA to have them generate a signed digital certificate.
The above command will prompt you for additional information; here is
a sample session:
$ openssl req -new -key mykey.pem -out mycert.csr
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Nova Scotia
Locality Name (eg, city) :Halifax
Organization Name (eg, company) :CottageDATA Inc.
Organizational Unit Name (eg, section) :.
Common Name (eg, YOUR name) :www.example.com
Email Address :email@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :••••••••••
An optional company name :CottageDATA Inc.
IMPORTANT: When prompted for "Common Name," enter the name of the website.
If the Common Name does not match exactly the name of the website
that the certificate is installed on, users will get a security warning.
Creating a Self-Signed Certificate
It is possible to sign your own certificate instead of using
a trusted Certificate Authority. Of course, since you are not a
trusted CA yourself, users will be given a security warning and will
be asked whether they want to accept this certificate. If they accept
it, the browser will function normally as if the certificate had been
issued by a trusted CA.
This strategy may be suitable for testing purposes or for a private
website where users understand the situation and will accept the
certificate. However, if your site is meant for the public at large,
this strategy is inadvisable since most users will be reluctant (with
good reason) to accept the untrusted certificate.
To create your own certificate, use the same command as we used
earlier to create a CSR (Certificate Signing Request) but add the
option "-x509" which will tell openssl to actually generate
a certificate instead of just a request for one, and "-days 365" to
indicate that the certificate should expire in one year.
Here is a sample command to generate a self-signed certificate
named "server.crt" from the private key we generated earlier (mykey.pem):
openssl req -new -x509 -days 365 -key mykey.pem -out server.crt
Submitting the Request
[** To Be Completed **]
There are a few distinct steps in configuring your Apache server
First, enable SSL in Apache using the command a2enmod ssl
("a2enmod" stands for "Apache2 Enable Module").
This actually creates the appropriate symbolic link in
/etc/apache2/mods-enabled, so you do not
need to re-issue this
command across system reboots.
Second, copy your private key (mykey.pem in our example) and server
certificate (server.crt in our example) to the Apache "ssl" directory
on your server (typically, /etc/apache2/ssl). If the ssl directory
does not already exist, create it.
Be sure that your private key is not readable or writable by any users
except root, and that the certificate is also owned by root but readable
Third, edit the appropriate file(s) in /etc/apache2/sites-available
to specify port 443 (https) instead of 80 (http) and add
the following 3 lines to enable SSL and indicate where the
private key and server certificate are located:
(Rest of the file remains unchanged)
Finally, restart your Apache server
when those two files have been copied and their permissions secured,
using this command:
service apache2 reload