If you are hosting your own website and notice a "Not secure" label displayed next to your URL:
... this means that you are still using the non-secure "http" protocol, or "https" without an SSL certificate. A secured website will have a lock icon displayed next to its URL:
For non-e-commerce websites, it is fairly fine to keep it as non-secured. However, Google, the top search engine in the world, may lower your Google rank because your site is not "secured". Basically, there are two tasks you need to perform in order to have Internet browsers such as Chrome show the padlock icon next to your URL:
- Start using https for your URL.
- Install an SSL certificate into your server.
There are many SSL resellers on the Internet, and since 2017 we have been using SSL Dragon for one of our websites:
Since we are not selling anything on our website, we opted for the cheapest "Sectigo (formerly Comodo) PositiveSSL" with a maximum of 3 years at the price of US$20.99 (as of May 2020). There are cheaper options out there but we do not want to bear the risk of having poor customer support (tip: always check customer reviews online first). Payment is easy and one can pay by credit card or PayPal.
Pre-Requisite
Apache 2 with SSL module
- Log in to your web server (e.g. Ubuntu) with root access.
- Install SSL module for Apache2:
a2enmod ssl
- Restart Apache2:
service apache2 restart
Generate Public/Private Keys
Refer to Google article here:
https://developers.google.com/web/fundamentals/security/encrypt-in-transit/enable-https
Alternatively, below are manual steps:
- Log in to your web server (e.g. Ubuntu) with root access.
- Issue the following command to generate RSA key pair:
openssl genrsa -out www.<domain>.com.key 2048
- Enter the following command to generate Certificate Signing Request:
openssl req -new -sha256 -key www.<domain>.com.key -out www.<domain>.com.csr
- Enter required information:
Country Name (2 letter code) [AU]:<country>
State or Province Name (full name) [Some-State]:<state>
Locality Name (for example, city) []:<town>
Organization Name (for example, company) [Internet Widgits Pty Ltd]:<company>
Organizational Unit Name (for example, section) []:<contact>
Common Name (e.g. server FQDN or YOUR name) []:www.<domain>.com
Email Address []:<email>
- Skip (hit Enter) for both optional parameters:
A challenge password []:
An optional company name []:
- Go to your account inside SSL Dragon.
- Select SSL you just purchased.
- Click on "Configure Now".
- Order Type: New order
Web Server Type: Any Other
- Copy-and-paste the content of www.<domain>.com.csr to local machine
- Enter your contact information.
- Click "Click to Continue".
- Select "HTTP" method:
- Click "Click to Continue".
- Return to your SSL detail page.
- You will notice two rows - "Hash Link" and "Txt File Content". You need to create a txt file in the directory as mentioned in "Hash Link" with the content defined in "Txt File Content":
- After creating the txt file, from SSL Dragon's SSL detail page, click on "Revalidate" button.
- Wait for a while; you should receive an email from Comodo.
- Download the zip file in the email.
- Extract the content to /etc/apache2/ssl.
- Copy www.<domain>.com.key you obtained after step 5 to /etc/apache2/ssl/private. This is your private key.
- Back to /etc/apache2/ssl.
- Your Zip file from email should contain 4 files:
  - Root CA Certificate - AAACertificateServices.crt
  - Intermediate CA Certificate - USERTrustRSAAAACA.crt
  - Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt
  - Your PositiveSSL Certificate - www_<domain>_com.crt
- You need to merge file 1, 2 and 3 into a single file such as COMODO-<domain>.crt, ordered from the intermediate that signed your certificate up to the root:
cat SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAAACA.crt AAACertificateServices.crt > COMODO-<domain>.crt
- You can then remove file 1, 2 and 3:
rm AAACertificateServices.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAAACA.crt
- Go to /etc/apache2/
- Edit apache2.conf:
vi apache2.conf
- Search for “VirtualHost” keyword with your domain name in it.
- Add in the four SSL lines below, inside a VirtualHost block for port 443:
# The SSL directives belong in a virtual host on port 443, the port browsers
# use for https; with them on *:80 that port would stop answering plain http.
<VirtualHost *:443>
ServerName www.littlecpu.com
ServerAlias littlecpu.com
DocumentRoot "/var/www/html/<domain>"
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/www_<domain>_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/www.<domain>.com.key
# Deprecated since Apache 2.4.8 but still accepted.
SSLCertificateChainFile /etc/apache2/ssl/COMODO-<domain>.crt
<Directory "/var/www/html/littlecpu">
Options -Indexes
</Directory>
</VirtualHost>
- Restart Apache2 service:
apachectl stop
apachectl start
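A pre-flight check for the files produced in the steps above, to run before restarting Apache (an added example, not part of the original article; the function name check_tls_files is an assumption and it relies on the same openssl tool used earlier). It confirms that the private key is not readable by other users, that the certificate was issued for that key, that it has not expired, and that the merged bundle chains it to the root.

```shell
#!/usr/bin/env bash
# Added example, not from the original article.
# Usage: check_tls_files <private-key> <site-certificate> <merged-ca-bundle>
# e.g.   check_tls_files private/www.<domain>.com.key www_<domain>_com.crt COMODO-<domain>.crt
check_tls_files() {
    local key="$1" crt="$2" bundle="$3" key_pub crt_pub

    # 1. The private key must not be accessible to group or others.
    #    Characters 5-10 of the ls mode string are the group/other bits.
    if [ "$(ls -ld "$key" 2>/dev/null | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is missing or accessible to group/others (chmod 600)"
        return 1
    fi

    # 2. The certificate must carry the public half of this private key.
    #    Both commands print the public key in the same PEM form.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key $key"; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot read certificate $crt"; return 1; }
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: $crt was not issued for $key"
        return 1
    fi

    # 3. The certificate must still be valid right now.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: $crt has expired"; return 1; }

    # 4. The merged bundle must link the certificate to a root CA.
    #    The bundle is passed as trusted CAs, so this shows the chain is
    #    complete, not that browsers trust its root.
    openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $bundle does not chain $crt to a root"; return 1; }

    echo "OK: key, certificate and bundle are consistent"
}
```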
CloudFlare Configuration
These steps are only applicable if you are using CloudFlare.
- Go to CloudFlare > your domain.
- Go to SSL/TLS > Edge Certificates. Set "Always Use HTTPS" to On.
- Under SSL/TLS > Overview, set to "Flexible":
Test Your SSL
- Reload your website.
- Make sure the padlock is now shown:
- Go to https://www.ssllabs.com/ssltest/
- Enter your URL in textbox provided.
- Make sure the grade is at least B:
Grading
- A+ - exceptional configuration
- A - strong commercial security
- B - adequate security with modern clients, with older and potentially obsolete crypto used with older clients; potentially smaller configuration problems
- C - obsolete configuration, uses obsolete crypto with modern clients; potentially bigger configuration problems
- D - configuration with security issues that are typically difficult or unlikely to be exploited, but can and should be addressed
- E - unused
- F - exploitable and/or patchable problems, misconfigured server, insecure protocols, etc.
Conclusion
As you can see, enabling SSL is not too difficult if you are already a webmaster with full access to your web server. Personally, we have not tried other SSL resellers, as so far our experience with SSL Dragon is positive with fast customer support. Last but not least, content is still the king so make sure you update your website content frequently.
Note: We are not an affiliate of SSL Dragon. This article is purely our own experience of using their service.