Best methods to install SSL on PHP website.

[theITvideos]

Hi there,

 

I am working on a PHP ecommerce website. I am going to install SSL on few of the pages.

 

I need to install it on Apache web server coz thats the server our PHP website is running on.

 

How we do go about installing SSL on PHP website.

 

Can anybody please guide me in the right direction.

 

All comments and feedback are always welcomed. 

 

Thank you!

[BlueSkyIS]

same way you install on a non-php apache site. just search for apache ssl installation

[petroz]

It really depends on how your server is configured... But most SSL providers will give you a near step by step guide for your server... and..... this really isnt a php question.

[theITvideos]

It really depends on how your server is configured... But most SSL providers will give you a near step by step guide for your server... and..... this really isnt a php question.

 

Our server has a simple PHP Apache configuration. Can you recommend any good SSL providers.

 

I understand that there are two types:

 

• Self-signed SSL Certificate (I think this is the one we can create on our own)
  
• Trusted SSL Certificate (This I suppose is the paid version)
   
  

 

I am just a newbie on this.

 

So do I contact some good company and they'll provide me with the instructions?

 

Well before that I want to create a self-signed SSL on my WAMP just to get the taste of how it looks on my localhost.

 

What do you suggest on this?

 

Thank you!

[petroz]

If your doing an e-commerce site, use a Trusted certificate... Godaddy has them for pretty cheap.

 

As for seeing it on your localhost... your not gonna see any difference.

 

[roopurt18]

In order to use SSL you need to do two things:

1) Obtain a certificate for your domain

2) Configure Apache to load the certificate

 

For testing purposes you can generate a self-signed certificate in order to become familiar with how to install it on the web server.  However, since you are probably not a Certificate Authority, any visitors seeing a self-signed certificate on your production box will be prompted with a "Do you trust this certificate?" prompt.

 

In order to generate a self-signed cert for testing, here is a simple bash script you could use:

#!/bin/bash
hostname=$1
country=US
state=California
location=Los Angeles

rm -f "$hostname.pem"
cmd="openssl req -new -x509 -nodes -days 3650 -subj '/C=$country/ST=$state/L=$location/CN=$hostname' -newkey rsa:2048 -keyout $hostname.pem -out $hostname.pem"
eval cmd
chmod u=rw,go=r "$hostname.pem"
exit 0

You can read the man page for openssl to learn more about each of those options or find some tutorials on the web.

 

Let's say that script is called make-cert.sh and you want to create a testing site called devsite, you would enter the following at a command prompt:

$ ./make-cert.sh devsite

And the script would make a file devsite.pem

 

The next step is to configure Apache.  This will depend on your Apache version, but for example let's say you have Apache 2.

1) You need to locate the ssl.conf files included with your Apache distribution and load them into the configuration.

2) Configure your vhost to use the certificate

<VirtualHost devsite:80>
  ServerAdmin [email protected]
  RewriteEngine on
  RewriteCond %{HTTPS} !on
  RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]
</VirtualHost>

<VirtualHost devsite:443>
  ServerAdmin [email protected]
  ServerName devsite
  SSLEngine on
  SSLProtocol TLSv1
  SSLCipherSuite HIGH
  ; assuming certs are in $APACHE_HOME/certs
  SSLCertificate certs/devsite.pem
  DocumentRoot /var/www/devsite
  <Directory /var/www/devsite>
    SSLRequireSSL
    Order Allow,Deny
    Allow from 192.168 127
  </Directory>
</VirtualHost>

 

Restart apache service and check the error logs for problems.

 

That vhost configuration will send all non-ssl requests to SSL, therefore making the entire site SSL.  You could add additional RewriteCond directives to redirect only for certain pages if you wanted.

 

When it comes time to make a certificate for your production box you perform essentially the same steps.  However instead of a self-signed certificate you need to generate a CSR (certificate signing request).  You send this CSR to a true CA (certificate authority).  The CA will verify all of the details contained in the CSR and within a few business days will send you back your certificate.  They typically provide two files, a domain.key and a domain.crt; you can concatenate these two files into domain.pem for your Apache installation if you desire.

 

This page contains useful SSL information:

http://www.madboa.com/geek/openssl/

[roopurt18]

Also be warned that the domain name and ServerName (in vhost file) must match the CN (common name) provided in the certificate!

[theITvideos]

In order to use SSL you need to do two things:

1) Obtain a certificate for your domain

2) Configure Apache to load the certificate

 

For testing purposes you can generate a self-signed certificate in order to become familiar with how to install it on the web server.  However, since you are probably not a Certificate Authority, any visitors seeing a self-signed certificate on your production box will be prompted with a "Do you trust this certificate?" prompt.

 

In order to generate a self-signed cert for testing, here is a simple bash script you could use:

#!/bin/bash
hostname=$1
country=US
state=California
location=Los Angeles

rm -f "$hostname.pem"
cmd="openssl req -new -x509 -nodes -days 3650 -subj '/C=$country/ST=$state/L=$location/CN=$hostname' -newkey rsa:2048 -keyout $hostname.pem -out $hostname.pem"
eval cmd
chmod u=rw,go=r "$hostname.pem"
exit 0

You can read the man page for openssl to learn more about each of those options or find some tutorials on the web.

 

Let's say that script is called make-cert.sh and you want to create a testing site called devsite, you would enter the following at a command prompt:

$ ./make-cert.sh devsite

And the script would make a file devsite.pem

 

The next step is to configure Apache.  This will depend on your Apache version, but for example let's say you have Apache 2.

1) You need to locate the ssl.conf files included with your Apache distribution and load them into the configuration.

2) Configure your vhost to use the certificate

<VirtualHost devsite:80>
  ServerAdmin [email protected]
  RewriteEngine on
  RewriteCond %{HTTPS} !on
  RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]
</VirtualHost>

<VirtualHost devsite:443>
  ServerAdmin [email protected]
  ServerName devsite
  SSLEngine on
  SSLProtocol TLSv1
  SSLCipherSuite HIGH
  ; assuming certs are in $APACHE_HOME/certs
  SSLCertificate certs/devsite.pem
  DocumentRoot /var/www/devsite
  <Directory /var/www/devsite>
    SSLRequireSSL
    Order Allow,Deny
    Allow from 192.168 127
  </Directory>
</VirtualHost>

 

Restart apache service and check the error logs for problems.

 

That vhost configuration will send all non-ssl requests to SSL, therefore making the entire site SSL.  You could add additional RewriteCond directives to redirect only for certain pages if you wanted.

 

When it comes time to make a certificate for your production box you perform essentially the same steps.  However instead of a self-signed certificate you need to generate a CSR (certificate signing request).  You send this CSR to a true CA (certificate authority).  The CA will verify all of the details contained in the CSR and within a few business days will send you back your certificate.  They typically provide two files, a domain.key and a domain.crt; you can concatenate these two files into domain.pem for your Apache installation if you desire.

 

This page contains useful SSL information:

http://www.madboa.com/geek/openssl/

 

Thank you very much for the reply. I am a total newbie.

 

I have created a file called make-cert.sh and pasted the bash script into it. And saved the file in my C directory.

 

Now in my Windows command prompt I am trying to run this file by using the command as:

 

C:\> $ ./make-cert.sh devsite

 

I get '$' unrecognized error.

 

Do we run the make-cert.sh file in windows command prompt? how do we create a devsite.pem out of this file or do we need to call this from inside php code.

 

Sorry I am new to this. Please reply

 

Thank you!

[roopurt18]

The script I provided is a Linux script; you can recognize it as such from the first line: #!/bin/bash

 

Here is a DOS script:

@echo off
set hostname=%1%
set country=US
set state=California
set location=Los Angeles
set openssl=C:\Program Files\NuSphere\TechPlat\apache\bin\
set subject="/C=%country%/ST=%state%/L=%location%/CN=%hostname%"
set mycmd="%openssl%openssl.exe" req -new -x509 -nodes -days 3650
set mycmd=%cmd% -subj %subject% -newkey rsa:2048 -keyout %hostname%.pem -out %hostname%.pem -config "%openssl%openssl.cnf"

%mycmd%

Name it make-cert.bat and execute as:

make-cert.bat devsite

 

You need to change the C:\Program Files\NuSphere\TechPlat\apache\bin\ to the path on your system where openssl.exe is located.

 

You run this from a DOS command prompt.

[theITvideos]

The script I provided is a Linux script; you can recognize it as such from the first line: #!/bin/bash

 

Here is a DOS script:

@echo off
set hostname=%1%
set country=US
set state=California
set location=Los Angeles
set openssl=C:\Program Files\NuSphere\TechPlat\apache\bin\
set subject="/C=%country%/ST=%state%/L=%location%/CN=%hostname%"
set mycmd="%openssl%openssl.exe" req -new -x509 -nodes -days 3650
set mycmd=%cmd% -subj %subject% -newkey rsa:2048 -keyout %hostname%.pem -out %hostname%.pem -config "%openssl%openssl.cnf"

%mycmd%

Name it make-cert.bat and execute as:

make-cert.bat devsite

 

You need to change the C:\Program Files\NuSphere\TechPlat\apache\bin\ to the path on your system where openssl.exe is located.

 

You run this from a DOS command prompt.

 

Thanks for your reply.

 

I created a .bat in Windows and set the correct path as you described.

 

Now when I try to run it in Command Prompt using the command as:

 

make-cert.bat devsite

 

I get this error:

 

'-subj' is not recognized as an internal or external command,
operable program or batch file.

 

Do I need to make any changes somewhere in the subject line etc.

 

Please see the 2 Screenshots I have taken as to see exactly what I getting.

 

Thank you!

 

[attachment deleted by admin]

[roopurt18]

On a typical Apache installation there will be a file openssl.cnf one directory above the openssl.exe.

 

Copy openssl.cnf into the same directory as openssl.exe or change this part of the bat:

-config "%openssl%openssl.cnf"

to

-config "%openssl%\..\openssl.cnf"

 

The fact that it can't find the config file could be screwing it up, although I doubt that.

 

You could try these two commands at the command prompt without the bat file:

cd \wamp\bin\apache\apache2.2.11
bin\openssl.exe req -new -x509 -nodes -days 3650 -subj "/CN=devsite" -newkey rsa:2048 -keyout devsite.pem -out devsite.pem -config openssl.cnf

 

And failing that take out the -subj part:

cd \wamp\bin\apache\apache2.2.11
bin\openssl.exe req -new -x509 -nodes -days 3650 -newkey rsa:2048 -keyout devsite.pem -out devsite.pem -config openssl.cnf

[theITvideos]

On a typical Apache installation there will be a file openssl.cnf one directory above the openssl.exe.

 

Copy openssl.cnf into the same directory as openssl.exe or change this part of the bat:

-config "%openssl%openssl.cnf"

to

-config "%openssl%\..\openssl.cnf"

 

The fact that it can't find the config file could be screwing it up, although I doubt that.

 

You could try these two commands at the command prompt without the bat file:

cd \wamp\bin\apache\apache2.2.11
bin\openssl.exe req -new -x509 -nodes -days 3650 -subj "/CN=devsite" -newkey rsa:2048 -keyout devsite.pem -out devsite.pem -config openssl.cnf

 

And failing that take out the -subj part:

cd \wamp\bin\apache\apache2.2.11
bin\openssl.exe req -new -x509 -nodes -days 3650 -newkey rsa:2048 -keyout devsite.pem -out devsite.pem -config openssl.cnf

 

Thank you for your reply. I was able to generate the devsite.pem file using the command you mentioned.

 

I found the 'httpd-vhosts.conf' file inside the 'C:\wamp\bin\apache\Apache2.2.11\conf\extra' folder and pasted the <VirtualHost> commands in it and restarted my wamp server. It restarted fine.

 

I also enabled the ssl_module in Apache on my Wamp. Now where do we go from here. I am a newbie bro, whats the next step.

 

Thank you

[roopurt18]

In your Windows host file, typically in \Windows\system32\drivers\etc\, you need to add a line like:

127.0.0.1 devsite

 

That will enable you to browse to http://devsite and DNS will send it back to your machine where your local WAMP will handle the request.

 

If you set everything up correctly, then http://devsite should automatically redirect to https://devsite

 

If not...well then you got some trouble shooting to do.