The following steps were tested on Ubuntu 14.04.2 LTS with Apache 2.4.7, but they should be the same on other distributions.
1. Getting free certificate
Go to https://www.startssl.com/, register, and get a free certificate in a few simple steps. Please note that you should request SHA256 for the certificate. After downloading the key and certificate from StartSSL, you should also download the intermediate certificate from https://www.startssl.com/certs/sub.class1.server.ca.pem and use it as the chain certificate.
2. Enable the SSL configuration as follows
Open an SSH session to your server, make sure that Apache and OpenSSL are installed with security patches up to date, and enable the SSL configuration on port 443.
# Disable support for SSLv2 and SSLv3 and allow only TLS
SSLProtocol all -SSLv2 -SSLv3

# Enable the cipher suite below.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

# Explicitly allow/disallow specific ciphers in the given order
SSLHonorCipherOrder on
3. Deploying Diffie-Hellman for TLS
Generate new DH parameters (2048 bits or more); it takes about 10 minutes to generate the file. After it completes, open dhparams.pem, copy its contents and paste them at the end of your certificate file.
$ openssl dhparam -out dhparams.pem 2048
Please note that if your Apache is 2.4.8 or newer, you can instead specify your DH params file in ssl.conf as follows:
SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"
4. Enable SSL and configure your virtual host as follows:
<VirtualHost *:443>
    # Your settings here
    # ....

    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Add paths to the Cert / Key / Chain files
    # RSA 2048-bit SSL certificate
    # signature algorithm SHA256withRSA
    SSLCertificateFile      /home/ubuntu/certest/yourcertificate.crt
    SSLCertificateKeyFile   /home/ubuntu/certest/yourkey.key
    SSLCertificateChainFile /home/ubuntu/certest/sub.class1.server.ca.pem

    # Strict transport security with a long duration
    # Guarantee HTTPS for 6 months including sub domains
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</VirtualHost>
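Before restarting Apache it is worth checking that the directives from steps 2 and 4 actually ended up in the configuration with the intended values. The script below is an added example, not part of the original guide: it parses an Apache mod_ssl fragment and flags a missing or incomplete SSLProtocol exclusion list, cipher-string exclusions that the guide relies on (aNULL, eNULL, EXPORT, DES, RC4, MD5) that are absent, SSLHonorCipherOrder or SSLEngine not set to on, and an HSTS header that is missing or shorter than the six months the guide uses. The two configuration fragments it runs against are constructed for the demonstration (one follows the guide with an abbreviated cipher list, the other mimics a stock older Ubuntu ssl.conf); the script reads only the text it is given and does not follow Include directives or contact any server.

```python
"""Audit an Apache mod_ssl configuration fragment for the hardening settings
used in steps 2 and 4 of the guide. Added example, not part of the original
page; the two config fragments below are constructed for the demonstration."""
import re

# Legacy protocol versions that SSLProtocol must remove.
INSECURE_PROTOCOLS = ("SSLv2", "SSLv3")
# Cipher-string components the guide negates with '!'; each must appear
# as an exclusion in SSLCipherSuite.
WEAK_CIPHER_TOKENS = ("aNULL", "eNULL", "EXPORT", "DES", "RC4", "MD5")
# Six months in seconds, the HSTS max-age the guide sets.
MIN_HSTS_MAX_AGE = 15768000


def parse_directives(config_text):
    """Return (directive, arguments) pairs, skipping comments, blank lines
    and container tags such as <VirtualHost>."""
    directives = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        directives.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return directives


def audit_ssl_config(config_text):
    """Return a list of finding strings; an empty list means the fragment
    matches the guide's settings. The last occurrence of a directive wins,
    as it does in Apache."""
    seen = {}
    for name, args in parse_directives(config_text):
        seen.setdefault(name, []).append(args)
    findings = []

    engine = seen.get("SSLEngine")
    if not engine or engine[-1].lower() != "on":
        findings.append("SSLEngine is not 'on'")

    # SSLProtocol: 'all' without a matching '-SSLvN', or an explicit SSLvN,
    # leaves a legacy protocol negotiable.
    protocols = seen.get("SSLProtocol")
    if not protocols:
        findings.append("SSLProtocol missing: mod_ssl defaults apply")
    else:
        tokens = protocols[-1].split()
        for proto in INSECURE_PROTOCOLS:
            if proto in tokens or ("all" in tokens and "-" + proto not in tokens):
                findings.append(f"SSLProtocol allows {proto}")

    # SSLCipherSuite: collect the '!'-negated components and require each
    # weak token the guide excludes to be among them.
    ciphers = seen.get("SSLCipherSuite")
    if not ciphers:
        findings.append("SSLCipherSuite missing: OpenSSL defaults apply")
    else:
        excluded = {c[1:] for c in ciphers[-1].split(":") if c.startswith("!")}
        for weak in WEAK_CIPHER_TOKENS:
            if weak not in excluded:
                findings.append(f"SSLCipherSuite does not exclude {weak}")

    order = seen.get("SSLHonorCipherOrder")
    if not order or order[-1].lower() != "on":
        findings.append("SSLHonorCipherOrder is not 'on'")

    # HSTS: find the max-age in any Header directive that sets it.
    hsts_seconds = None
    for args in seen.get("Header", []):
        match = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', args)
        if match:
            hsts_seconds = int(match.group(1))
    if hsts_seconds is None:
        findings.append("Strict-Transport-Security header not set")
    elif hsts_seconds < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {hsts_seconds} is below {MIN_HSTS_MAX_AGE}")
    return findings


# Constructed fragment following the guide (cipher list abbreviated).
HARDENED_CONFIG = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLHonorCipherOrder on
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /home/ubuntu/certest/yourcertificate.crt
    SSLCertificateKeyFile /home/ubuntu/certest/yourkey.key
    SSLCertificateChainFile /home/ubuntu/certest/sub.class1.server.ca.pem
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</VirtualHost>
"""

# Constructed fragment resembling an untouched older Ubuntu ssl.conf.
WEAK_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        result = audit_ssl_config(cfg)
        print(f"{label}: {'OK' if not result else str(len(result)) + ' finding(s)'}")
        for finding in result:
            print("  -", finding)
```

Run it against your own ssl.conf and virtual-host file by passing their contents to audit_ssl_config (for example, `audit_ssl_config(open("/etc/apache2/sites-enabled/default-ssl.conf").read())`). Note that the Header directive used for HSTS is provided by mod_headers, so that module must be enabled for the header to be sent at all; the script checks only the configuration text, so it cannot see whether the module is loaded. Step 6 below covers verification of what the running server actually negotiates.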
5. Restart Apache2 to apply your changes
$ sudo service apache2 restart
6. Time for testing
Check the certificate result at: https://www.sslshopper.com/ssl-checker.html
Get the full test result at https://www.ssllabs.com/ssltest/index.html