I’ve heard the slogan a bunch of times and just never really got around to it. I saw Reset The Net and others but after watching a Google IO video that covered it really well I decided to SSL up my sites. Here’s the super quick rundown… it really wasn’t as hard as I’d feared.
- Get certificates
- Follow instructions from the Mozilla Foundation
- Test
Get Certificates
I used StartSSL simply because they’re free and these are hobby sites for me. If I was running a business and wanted to reassure my customers, I’d spend money but not here. The process was pretty simple, self-explanatory and didn’t require me to run lots of horrible openssl commands to generate my certificates (I think there’s one to decrypt the cert but they tell you exactly what to run). You’ll need to be able to receive mails at one of your domains *master accounts (postmaster/webmaster/etc).
Follow instructions from the Mozilla Foundation
The instructions are here and contain recommended server configs. I used the non-backwards compatible cipher-suite and other configs since again, these are hobby sites and not commercial. Up to you what you use. There were only two small elements I found from other places to fill in the gaps, and they were:
- How to generate the DHParams. This was done with the following command:
openssl dhparam -out dh2048.pem 2048 - How to generate the root_CA_cert_plus_intermediates. This was done by concatenating the ssl.crt and sub.class1.server.ca.pem from StartSSL (ssl.crt first in the file)
Once the various files were in place and the directives added to my server config, I also made sure that the old server configs listening on port 80 did permanent rewrites to the HTTPS version of the site. This being WordPress, I added the WordPress HTTPS plugin and changed the two URLs on the main settings page to have https:// on the front of them. Done…
Test
As recommended by the Google guys, go to Qualys SSL Test and check your site. That link points to the test for this site.
(Image credit: stockarch / stockarch.com / CC BY 3.0)