After months of being too busy to sort this out I have finally moved the Pyslet website to SSL. This is a quick post to explain how I've done this.
Firstly, I've wanted to do this for a while because I want to use the above website to host a web version of the QTI migration tool but encouraging users to upload their precious assessment materials to a plain old HTTP URL should (hopefully would) have proved a challenge. I saw an advert for free SSL certificates for open source projects from GlobalSign so in a rush of enthusiasm I applied and got my certificate. There's a checklist of rules that the site must comply with to be eligible (see previous link) which I'll summarise here:
- OSI license: Pyslet uses the BSD 3-Clause License: check!
- Actively maintained: well, Pyslet is a spare-time activity but I'm going to give myself a qualified tick here.
- Not used for commercial purposes: the Pyslet website is just a way of hosting demos of Pyslet in action, no adverts, no 'monetization' of any kind: check!
- Must get an A rating with GlobalSign's SSL Checker...
That last one is not quite as easy as you might think. Here's what I did to make it happen, I'll assume you have already dome some openssl magic, applied for and received your crt file.
- Download the intermediate certificate chain file from GlobalSign here, the default one for SHA-256 Orders was the correct one for me.
Put the following files into /var/www/ssl (your location may vary):
www.pyslet.org.key www.pyslet.org.crt globalsign-intermediate.crt
The first one is the key I originally created with:
openssl genrsa -des3 -out www.pyslet.org.key.encrypted 2048 openssl req -new -key www.pyslet.org.key.encrypted -out www.pyslet.org.csr openssl rsa -in www.pyslet.org.key.encrypted -out www.pyslet.org.key
The second file is the certificate I got from GlobalSign themselves. The third one is the intermediate certificate I downloaded above.
- Set permissions (as root):
chown -R root:root /var/www/ssl/*.key chmod 700 /var/www/ssl/*.key
- Add a virtual host to Apache's httpd.conf (suitable for Apache/2.2.31):
Listen 443 <VirtualHost *:443> ServerName www.pyslet.org SSLEngine on SSLCertificateFile /var/www/ssl/www.pyslet.org.crt SSLCertificateKeyFile /var/www/ssl/www.pyslet.org.key SSLCertificateChainFile /var/www/ssl/globalsign-intermediate.crt SSLCompression off SSLProtocol all -SSLv3 -SSLv2 SSLCipherSuite AES128+EECDH:AES128+EDH SSLHonorCipherOrder on # Rest of configuration goes here.... </VirtualHost>
This is a relatively simple configuration designed to get an A rating while not worrying too much about compatibility with really old browsers.
No comments:
Post a Comment