1 Steps to launch SSL / TLS service on web server
1-1 Selection of an international certification center and its representative / representative in Iran
You need a security certificate to launch the HTTPS service, which should have been issued by one of the CA’s (CA) or Certfiicate Authrotity (CA). Of course, you can create this certificate yourself, but then you will have a Self-Signed certificate that the browser encounters when it encounters it. Because self-evident statements by attackers can be created and exploited, it’s better to get a certificate from a valid licensing center for higher security. To do this, first find one of the representatives of these companies in Iran and get information about its technical details and costs.
If your site has a domain with the extension com / .net / .org. Or other domains other than . Most certification centers do not have a problem issuing certificates for your domain; but for the ir. Only a small number of international centers issue certificates. To purchase a digital certificate from these international centers, you must purchase a certificate from the Vaasset companies operating in Iran for this purpose. Some of the international certification centers that are domain. The table below provides:
* The Let’s Encrypt certification center issues a certificate free of charge, but it is not recommended for use in government offices in any way due to the architecture used in it .
1-2 Select the type of certificate you want
At this stage, choose the type of security certificate you need, considering the organization’s requirements and requirements. There are several types of SSL certificates based on the number of domain and subdomains covered:
- Single – Only one domain or subdomain.
- Wildcard – Includes an unlimited number of subdomains.
- Multi-Domain – Cover multiple domains.
· If you want to have only one specific subdomain equipped with the SSL service , use Singlecertificates that costs less.
· If your organization has multiple sub-service you want SSL to be enabled for all of them, you can use a certificate Wildcard use. In this case, the same cryptographic keys will be used on all your servers
The level of validity of certificates is also different and includes:
- Domain Validation (DV) a – This level has minimal cost and covers basic validation. In this case, the certificate is issued on the basis that the certificate authority assures that the public key in the certificate is made by the domain owner (and therefore the private key is only available to the domain owner and not another person). It can take a few minutes to take a few hours to get this certificate.
- Organization Validation (OV) a . In addition to validation of domain ownership, particular details of the owner (such as name and address) are authenticated. It can take several hours to take a few days to get this certificate.
- Extended Validation (EV) a – This item provides the highest level of security since it has been completed and approved before issuing this certificate. It usually takes between several days to several weeks to get this certificate.
1-3 Generating Cryptographic Keys and Certificate Signing Request (CSR) a
First, you need to create a private and public key for your server, based on the Certificate Center documentation that you selected in Step 1. The private key should remain with you confidentially and should not even be sent to the certification center . A public key is sent in the form of a CSR for the certification center, which will sign the certification center after conducting the necessary inspections. In fact, your CSR will only provide the public key and domain / domains and your organization’s profile for the certification center. Depending on the type of certificate, the certification center may also ask you for additional documents.
- Creating cryptographic keys and CSRs can be done on any system, and you do not have to be on the server that you want to enable SSL on. For example, if you have a Windows / IIS server, you can create a CSR using a Linux system.
- Your SSL security is completely dependent on the private key created at this point. Put this private key in a protected area.
- In the production of CSR for wildcard domains such as domain.ir. Note that it is best to have the SAN field or the SubjectAlternateName filled in and put the domain without its prefix (ie, ir). This will cause the certificate issued for the domain name to be valid without any prefix (for domain.ir itself). In this case, after installing and activating SSL, you will not receive a certificate error by entering the following URL in the Firefox browser:
Generate sample CSR using the OpenSSL tool
Here is an example of a CSR production method for domain.ir domains. * You can see the openssl tool below. In our CSR domain.ir domains (without prefix) are also in the SubjectAltName section.
openssl req -nodes -newkey rsa: 2048 -keyout public_private.key -out domian.ir.csr -subj
‘/C=IR/ST=Tehran/L=Tehran/O=Organization/OU=IT/CN=*.domain .ir / subjectAltName =
DNS.1 = * .domain.ir, DNS.2 = domain.ir ‘
By executing the above command, two files are created, one containing cryptographic keys and the other containing CSR. Only the CSR file should be sent to the certification center and the key files remain confidential to you later to install on your server.
1-4 Review your application by the certificate issuing and certification center
CA At this point, your CSR will check your submission and provide you with a security certificate that is one or more files. Often, this certificate contains a file with a cert extension for your domain. Of course, some certification centers will send one or more hope files containing CA certificate mid-level and ultimately one of the original CAs.
1-5 Install certificates and cryptographic keys on the server
Depending on which type of service you use, you can easily install the certificate and cryptographic keys on the server. The technical documentation of this work is available both through certification centers and through Internet resources. This report describes the steps in two configuration protocols for the most-used IIS and Apache servers.
1-5-1 Install the security certificate and encryption keys in APACHE
Follow the steps below:
- File copy of the certificate of a server
Download central certificates (CA.crt) and original (Your_domain_name.crt) and then copy them to your server and on the path you want. This directory should only be accessible by the root manager.
- Find the configuration file for Apache
The location and name of the configuration files on different servers may vary, especially if you use a specific interface to manage the server configuration.
The file name is the configuration of the Apache httpd.conf server or apache2.conf. The file’s storage location may be / etc / httpd / or / etc / apache2 /. For a comprehensive list of Apache installation defaults on Linux operating systems and distributions, see the following link:
Configuring the SSL certificate is often confined in the block and in the configuration file. The configuration files may be in the following paths or in the file named ssl.conf:
/ etc / httpd / sites /
One of the ways to find the proper configuration file in Linux distributions is to look at the grep using the following example:
grep -i -r “SSLCertificateFile” / etc / httpd /
“/ Etc / httpd /” is the base path for installing your Apache.
- Identify Block < VirtualHost > to configure
If you need to have your site secured by both secure (https) and unsafe (http) protocols, you need a virtual host for any kind of communication. First, make a copy of the unsafe virtual host that is available, and then configure it for SSL as described in step four.
- Configure Block < VirtualHost > to enable SSL
Below is a simple example of how to configure a virtual host for SSL. The bold sections contain the parts that must be added to the SSL configuration.
DocumentRoot / var / www / html2
Match the file names to match your certificate files:
- The SSLCertificateFile must receive the certificate file from the certification center.
- SSLCertificateKeyFile must be the key file generated at the time of making the CSR.
- The SSLCertificateChainFile must be the certificate of the middle certification center.
If the SSLCertificateChainFile file does not work, try using the SSLCACertificateFile file instead.
- Configuring Apache before the restart test
It’s always better to check the Apache configuration files for each error before restarting, because if the Apache configuration file has an error, Apache can not be restarted. Run the following command: (on some systems, apache2ctl)
- The restart Apache
You can use the apachectl command to start and stop Apache with SSL support.
2-5-2 Installing the Security Certificate and Cryptographic Keys in IIS
After receiving a security certificate from a valid CA, the public private key must be converted to a pfx format using the openssl command below. (private.key The name of the file contains the private key, Certificate.crt The name of the certificate sent by CA and the Intermediate_CA.crt file containing the public key CA)
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in Certificate.crt -certfile Intermediate_CA.crt
After entering this command, a password is received from the user.
Then the output file (certificate.pfx) must be added to the web server. The following steps should be taken to do this:
- You must click on the Home window after opening the IIS Manager on the Server Certificate.
Figure 1: View the IIS Manager and select Server Certificate
- Then select the Import option from the Action menu.
- Then you need to enter the key file generated in the previous step in the Certificate file section and enter the password in the password section.
Figure 2: View the key added to the server
- In the next step, you need to click the sites section on the site’s name and then select the Binding option from the Action menu.
- Then click the add option from the open window.
- In the opened window, the type should be changed to https. Then, from the SSL Certificate menu, I chose the name of the certificate added in the previous steps.
Figure 3: A view of adding the key to the server
- Finally, by clicking OK, the pairs of keys are active on the server.
Figure 4: View the final result of the key settings
After activating the SSL service on your site, you need to upgrade its security. The implementation and safe use of SSL / TLS has a number of technical details that should be duly respected. Failure to observe the security considerations and implications of implementing this protocol will endanger the confidentiality and integrity of the exchanged data.
You must first evaluate your server to identify potential problems. To do this, you can use online tools for this purpose:
SSLCheck Skill Center: