How to check if SSL is installed correctly

To check that SSL is installed correctly, run the following on the command line:

openssl s_client -debug -connect yourwebsite.com:443

or

https://cryptoreport.rapidssl.com/checker/

If you get any errors, the SSL installation is wrong.

Normally you would get the crt from the intermediate CA. Convert it to PEM:

openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem

Remember to run nginx -t before restarting.

SSL installation in WHM/cPanel

To create a new SSL certificate for a domain, log in to WHM, then go to SSL/TLS -> Generate SSL Certificate and Signing Request. For wildcard domains, use *.xxx.xxx. You should get a private key and a signing request. Then go to the SSL provider and give them the signing request. They should give you a CA-signed cert.

Now go to SSL/TLS -> Install an SSL Cert on a Domain, browse to the cert and paste in the key. If there are API or permission errors, go to /home/user/ssl and run chown user:user -R *.

Now go to https://www.yoursite.xx or https://yoursite.xx and it should work.

To install SSL for the whole cPanel or WHM or other services, log in to WHM -> Service Configuration -> Service Manager -> Manage Service SSL Certificates. Browse to a cert and install it.

Implementing SSL Certificates in Apache

Creating a Private Key

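To create a private key without Triple DES encryption (that is, without a passphrase), use the following command. Use a key size of at least 2048 bits; public CAs no longer issue certificates for 1024-bit RSA keys:

openssl genrsa -out ssl.key 2048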

Creating a Certificate Signing Request

To obtain a certificate signed by a certificate authority, you will need to create a Certificate Signing Request (CSR). The purpose is to send the certificate authority enough information to create the certificate without sending the private key or compromising any sensitive information. The CSR also contains the information that will be included in the certificate, such as the domain name and locality information.

Locate the private key that you would like to create a CSR from. Enter the following command:

openssl req -new -key filename.key -out filename.csr

You will be prompted for Locality information, common name (domain name), organizational information, etc. Check with the CA that you are applying to for information on required fields and invalid entries. Send the CSR to the CA per their instructions.

Wait for your new certificate and/or create a self-signed certificate. A self-signed certificate can be used until you receive your certificate from the certificate authority.

It is not necessary to create a self-signed certificate if you are obtaining a CA-signed certificate. However, creating a self-signed certificate is very simple. All you need is a private key and the name of the server (fully qualified domain name) that you want to secure. You will be prompted for information such as locality information, common name (domain name), organizational information, etc. The only required field for the certificate to function correctly is the common name (domain name) field. If this is not present or incorrect, you will receive a Certificate Name Check warning from your browser.

To create a self-signed certificate:

openssl req -new -key filename.key -x509 -out filename.crt

Configuring your Apache Server

An example of a secure virtual host:

   <VirtualHost 123.456.789.42:443>
   DocumentRoot /etc/httpd/htdocs
   ServerName www.somewhere.com
   ServerAdmin someone@somewhere.com
   ErrorLog /etc/httpd/logs/error_log
   TransferLog /etc/httpd/logs/access_log
   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
   SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
   <Files ~ "\.(cgi|shtml)$">
         SSLOptions +StdEnvVars
   </Files>
   <Directory "/etc/httpd/cgi-bin">
         SSLOptions +StdEnvVars
   </Directory>
   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
   CustomLog /etc/httpd/logs/ssl_request_log \
             "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
   </VirtualHost>

The most important directives for SSL are SSLEngine on, SSLCertificateFile, SSLCertificateKeyFile and, in many cases, SSLCACertificateFile.
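
Before pointing SSLCertificateFile and SSLCertificateKeyFile at a pair of files (or pasting them into WHM), you can check offline that the certificate was issued for that key, has not expired, and covers the server name. The script below is an added example, not part of the original page; its function names and file arguments are illustrative, and it assumes an unencrypted private key and a certificate in either PEM or DER form.

```shell
#!/bin/sh
# Added example: offline checks on a certificate/key pair before installing it.
# Function names and file arguments are illustrative; assumes an unencrypted key.

# Emit a certificate as PEM whether the file on disk is PEM or DER.
cert_as_pem() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        openssl x509 -in "$1" -outform PEM 2>/dev/null
    else
        openssl x509 -inform DER -in "$1" -outform PEM 2>/dev/null
    fi
}

# Public key (PEM text) carried by a certificate, a CSR, or a private key.
cert_pubkey() { cert_as_pem "$1" | openssl x509 -noout -pubkey 2>/dev/null; }
csr_pubkey()  { openssl req -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Succeed only when both public keys could be read and are identical.
same_pubkey() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# 0 = the CSR was generated from this private key.
csr_matches_key() { same_pubkey "$(csr_pubkey "$1")" "$(key_pubkey "$2")"; }

# check_pair CERT KEY HOSTNAME
# 0 = certificate belongs to the key, is unexpired, and covers the host name.
# 1 = unreadable file or wrong key, 2 = expired, 3 = name mismatch.
check_pair() {
    same_pubkey "$(cert_pubkey "$1")" "$(key_pubkey "$2")" || return 1
    cert_as_pem "$1" | openssl x509 -noout -checkend 0 >/dev/null || return 2
    cert_as_pem "$1" | openssl x509 -noout -checkhost "$3" |
        grep -q 'does match certificate' || return 3
}

# Usage: sh check_pair.sh server.crt server.key www.somewhere.com
if [ "$#" -eq 3 ]; then
    rc=0
    check_pair "$1" "$2" "$3" || rc=$?
    [ "$rc" -eq 0 ] && echo "OK: certificate, key and host name agree"
    [ "$rc" -ne 0 ] && echo "FAILED: check_pair returned $rc" >&2
    exit "$rc"
fi
```

A non-zero result before installation points to the same problems that otherwise show up as a server that refuses to start or a Certificate Name Check warning in the browser.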