Full Version: How to install an SSL certificate
catwalkx
I did a search and could find no such instructions in this forum, so thought I would post one. This is a step by step guide aimed at my fellow newbies.

First, make sure OpenSSL is installed on the server. Check for that in whm, under Software, Install An RPM.

Now, ssh into your server, and navigate to /usr/local/apache/conf/ssl.key (cd /usr/local/apache/conf/ssl.key )

Next, you will generate a private key. You can do it in either of two ways: encrypted or unencrypted. I create mine without a password, and have experienced no issues.

ENCRYPTED: Type the following command to generate a private key that is file encrypted: openssl genrsa -des3 -out domainname.key 1024

UNENCRYPTED: openssl genrsa -out domainname.key 1024

Note: remember to replace "domainname" with the domain of the site that will be specific to the ssl certificate.

Next, Type the following command to create a CSR with the RSA private key: openssl req -new -key domainname.key -out domainname.csr

When creating this csr you will be prompted for questions:

* Common Name. Enter the exact domain name of the site you will be securing. SSL will only certify exact domains, and not subdomains. If the domain you're certifying has the www prefix, you need to enter this. If you are certifying www.domain.com, ssl will then only certify that domain, and not domain.com.

* Organization. Enter the company name of your client.

* Organization Unit. This is the company section (eg: marketing). If you do not know this, perhaps type in something like "internet".

* City. Where your client is based.

* State or Province. Obvious.

* Country. Here they are looking for the two letter abbreviation of the country, eg, US if it's an American address.

Note: during this process, the following characters are not accepted: < > ~ ! @ # $ % ^ * / \ ( ) ?.,& . I noticed that they list a period, but a period is required when entering a domain name, and I have experienced no problems when using a period.

Then copy the csr file to /usr/local/apache/conf/ssl.csr (cp domainname.csr /usr/local/apache/conf/ssl.csr/)

To see the contents of the CSR, type "cat name.csr" (for example, cat microsoft.csr). As usual, replace "name" with the domain you are setting up the certificate for.

To verify the contents of the csr, type: openssl req -noout -text -in domainname.csr

Submit the content of the csr to whatever company that is creating the ssl certificate. If your client is purchasing the certificate, then send him/her the csr. Remember, you can display the csr by typing: cat name.csr

After the client purchases the certificate from Geotrust, have them email you a copy of the key. You will need this for the next step.

In WHM, go to SSL/TLS, and click on “install an ssl certificate and setup the domain”.

Paste the contents of the key file into the middle window.

Type in domain name in the relevant text box.

Paste in the certificate key that your client sent you, into the first window

Restart Apache.

If Apache does not restart, check the virtual host settings for the relevant domain in httpd.conf (pico -w /usr/local/apache/conf/httpd.conf). Rem out references to ssl in that virtual host only. I had a problem once whereby apache would not restart, even after the server was rebooted, and remming out the ssl reference resolved the problem. You rem out a line by placing a # at the very beginning of the line.

Another thing to check is the presence of your csr and key files ( /usr/local/apache/conf/ssl.csr and /usr/local/apache/conf/ssl.key respectively) The commands you need are cd to change directory, and once in the directory, dir to display the contents of the directory. To read the files, pico filename.

And that's it!
orca
Errmmm... you can do that within WHM, right?
catwalkx
Not that I know of. I have never been able to ascertain how to generate the csr and key files from within whm. If there's a way, GREAT!! Post it here, so I don't have to screw around in Apache to do this.
orca
Unless I'm completely wrong, you can go to the SSL/TLS tab on the side menu and click generate SSL certificate request. I attached a screenshot of what I mean.
catwalkx
Yep. Looks like you're totally correct. I just tried it and it generated the two keys required to create an ssl certificate.

So it makes me wonder why on Geotrust's website it details a long traumatic procedure in Apache, instead of just saying "here's the two keystrokes you need to set it all up in whm"!!!! Un-freakin-believable.

Huge thanks. You've saved this newby a lot of future work and frustration.
orca
You're welcome. Geotrust just points out the "normal" use. Not anyone has Cpanel installed. BTW, you could order a certificate right through WHM...it's by InstantSSL though.
hypershack
Ok, went through the whole GEOTrust Certificate thing and I have it working correctly. However, what I want to do is set it up some how that if someone enters my domain as:

http://www.mydomain.com

it will automatically direct to:

https://www.mydomain.com


Essentially, if possible, that any address that is typed in will go to the https://
shykot
Log in to ssh and open the httpd.conf and find the Virtualhost entry for this domain and add an entry as follows:

Redirect / https://domain.com/

Restart apache. That's it...
Kasper.S
Hello,

I am a newbie with ssl-things and I am confused. One of my customers wants to use ssl. Does a certificate need to be bought to use it? What needs to be done to get an ssl connection available for the customer?
mod_ssl 2.8.18 and OpenSSL 0.9.7a are installed on the server.

- Cheers, Kasper
lizardthefish
QUOTE
Originally posted by orca
...it's by InstantSSL though.


orca,

you said that like there is an advantage elsewhere. any drawbacks to InstantSSL?

cert recommendations?

need high browser compatibility, multi domain license, tight security, and low budget.
(sounds like a dream right?) I'm just looking for a pointer. thanks.

Lizard
Rod
QUOTE
Originally posted by Kasper.S
Hello,

I am a newbie with ssl-things and I am confused. One of my customers wants to use ssl. Does a certificate need to be bought to use it? What needs to be done to get an ssl connection available for the customer?
mod_ssl 2.8.18 and OpenSSL 0.9.7a are installed on the server.

- Cheers, Kasper


I am also confused about this... should the customer domain have a dedicated IP? Could someone please post some steps about how to set it up and what is needed?

Thank you.
sfireall
QUOTE
Originally posted by Rod
I am also confused about this... should the customer domain have a dedicated IP? Could someone please post some steps about how to set it up and what is needed?

Thank you.



Yes, it's necessary to have a Dedicated IP for SSL. If your hosting provider allows you to have a shared SSL then you can go for the shared SSL from your hosting provider, else you need to have a dedicated IP for your SSL.

Normally, we generate an SSL in the following way:

1. We log into the unix server of choice, go into our apache directory (/usr/local/apache/conf/), make a subdirectory for your username (conf/username/), and run the command:
openssl genrsa -out server.key 1024

This generates a 1024 RSA private key

2. Next we generate the 'Certificate Signing Request' using the following command:
openssl req -new -key server.key -out server.csr

We put in your info (city, state, country, business name, etc), and submit it.

3. This generates the server.csr. We take the contents of that file and paste it into our GeoTrust order website, and fill in the contact information.
4. Once the order is placed, an email comes to the confirmation email address, and those instructions are followed. Once the order is confirmed, an email with the certificate itself is emailed to the confirmation address, as well as the administrative contact.

5. We copy the certificate information, and save it on the server as the file 'server.crt'. We then change the config entry for your domain name, restart the webserver software, and voila - SSL certificate.




An example SSL certificate config entry is as follows:

#BEGIN SSL: domain.com

ServerAdmin webmaster@domain.com
DocumentRoot /home/username/public_html
#BytesLog domlogs/domain.com-bytes_log
ServerName domain.com
ServerAlias www.domain.com
#CustomLog domlogs/domain.com-ssl_log "%t %{version}c %{cipher}c %{clientcert}c"
SSLVerifyClient none
SSLEnable
User username
Group username
SSLCertificateFile /usr/local/apache/conf/certs/username/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/certs/username/server.key
#SSLLogFile domlogs/domain.com

# END SSL: domain.com


ServerAlias www.domain.com domain.com
ServerAdmin webmaster@domain.com
DocumentRoot /home/username/public_html
#BytesLog domlogs/domain.com-bytes_log
ServerName www.domain.com
User username
Group username
#CustomLog domlogs/domain.com combined
ScriptAlias /cgi-bin/ /home/username/public_html/cgi-bin/
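
The key and CSR steps from catwalkx's how-to and from the numbered procedure above, as an added shell example that is not part of any post in this thread. It uses a 2048-bit key instead of the 1024 bits shown in the thread, since certificate authorities no longer sign 1024-bit RSA keys; the function names and subject values are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: function names and subject values are placeholders,
# not taken from the thread.

# make_csr DOMAIN OUTDIR: write DOMAIN.key and DOMAIN.csr into OUTDIR.
make_csr() {
    domain=$1; outdir=$2
    (
        umask 077   # the private key is created readable by its owner only
        openssl genrsa -out "$outdir/$domain.key" 2048 2>/dev/null
    ) || return 1
    # -subj answers the interactive prompts; CN must be the exact host name.
    openssl req -new -key "$outdir/$domain.key" \
        -subj "/C=US/ST=Texas/L=Houston/O=Example Client/OU=internet/CN=$domain" \
        -out "$outdir/$domain.csr"
}

# csr_key_bits CSR: print the public key size recorded in the request.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_matches_key CSR KEY: succeed only if the request was made from this key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# check_csr CSR KEY: checks to run before the CSR is sent to the CA.
check_csr() {
    bits=$(csr_key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-?} bits"; return 1; }
    csr_matches_key "$1" "$2" || { echo "CSR does not match key"; return 1; }
    echo "ok"
}
```

Typical use: `make_csr www.example.com /usr/local/apache/conf/ssl.key`, then `check_csr` on the resulting pair; only the .csr file leaves the server.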
top500
So it doesn't work with Name-based domains?

ehhhh ... because I just don't get it... I did everything for the starterSSL via Ensim and from what I can see, all is a go, but then when accessing ...
Well, see for yourself:
https://atopqualitysite.com/

I know, I forgot something ... Any help would be greatly appreciated.
Thanks in advance!