Dreamhost supports SNI to enable SSL/TLS on their shared hosting offerings. While I wanted to enable SSL/TLS on my site, I thought I would have to buy a certificate from one of the major Root Certificate Authorities. I was happily surprised when I found StartSSL.com, which offers free SSL Certificates. StartSSL.com is a trusted root CA on MacOS, Windows, and Mozilla, so compatibility is not a major concern. StartSSL.com is located in Israel, so I feel more comfortable with this free offering than, say, a Russian company.
Generating a CSR
The first step is to generate a Certificate Signing Request (CSR). You need a computer with OpenSSL to follow these steps. All files below should be located in the same folder and all commands should be run from within this folder.
- DigiCert has a very nice CSR Creation Tool. Fill in the required fields, click ‘Generate’, and copy the generated command. StartSSL only supports RSA keys.
- (optional) Gather additional entropy.
  - Go to a number of entropy providing sites or password generating sites. Copy the output into text files in the folder you will be generating your CSR in. The exact format of the text isn’t important, as OpenSSL will just add the data to the entropy pool. For the examples later, I’ll assume you’ve named your file(s) entropy1.txt, entropy2.txt, etc.
  - Some sites to gather entropy from are:
    - Steve Gibson’s Ultra High Entropy PRNG
    - PC Tools by Symantec Secure Password Generator, or use this link to generate a password with all options enabled (except avoiding similar characters).
    - Random.org Password Generator
  - Add -rand entropy1.txt:entropy2.txt:entropy3.txt to the command from Step 1.
- (optional) Use a stronger hash algorithm.
  - If you’re using RSA, add -sha256 to the command from Step 1. You can use -sha512; however, sha512 is not commonly used with certificates and might not be supported by all servers and clients. sha256 might not be supported by older clients. Currently OpenSSL only supports SHA-1 with DSA and ECDSA certificates.
- Run the command from Step 1 with any optional adjustments, for example:
  openssl req -new -newkey rsa:2048 -nodes -out www_tidgubi_com.csr -keyout www_tidgubi_com.key -sha256 -rand entropy1.txt:entropy2.txt -subj "/C=US/ST=California/L=San Luis Obispo/O=Kenji Yoshino/CN=www.tidgubi.com"
- The .key and .csr files will be used later.
Get your CSR Signed
Begin by registering with StartSSL.com. Make sure you do this from a private computer, because StartSSL.com will generate an identification certificate and install it in your browser. This certificate will be used to identify you on subsequent visits to StartSSL.com.
- Click ‘Validations Wizard’
- Select ‘Domain Name Validation’
- Enter your domain without any prefixes (e.g. www)
- You will need to specify an email address associated with your domain to verify domain ownership. Another verification code will be sent to this email address.
- Enter the verification code in StartSSL.
- Click ‘Certificates Wizard’
- Select ‘Web Server SSL/TLS Certificate’
- Skip having StartSSL generate a CSR for you.
- Copy and paste the entire CSR including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines
- Select your domain and click ‘Next’
- Add the “www” subdomain (StartSSL requires you to add one) and click ‘Continue’
- Copy the entire certificate text including the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines. Save the text to a .crt file.
- Download the intermediate CA file and optionally the root CA file.
- If you downloaded the root CA, combine the two files by running cat sub.class1.server.ca.pem ca.pem > chain.pem. The root CA provides browsers with the full certificate chain. Most browsers do not need the root CA to be included to trust the intermediate CA, so it is up to you if you want to include the root CA.
Configure SSL on Dreamhost
- Log in to your panel at panel.dreamhost.com
- Click ‘Manage Domains’
- Click ‘Add’ or ‘Certificates’ in the Secure Hosting column. If adding, leave unique IP as none and click ‘Add Now’, and then ‘Edit’.
- Select ‘Manual Configuration’
- Delete or replace the CSR text (it is just informational)
- Copy the text from your certificate including “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”
- Copy your private key including “-----BEGIN RSA PRIVATE KEY-----” and “-----END RSA PRIVATE KEY-----”
- Copy the certificate chain, either the intermediate CA certificate or the intermediate and root CA certificate concatenated together.
- Click ‘Save Changes Now!’
- It took about 4 minutes for changes on tidgubi.com to take effect.
Now your Dreamhost site allows SSL. Dreamhost only uses the TLS_RSA_WITH_RC4_128_SHA cipher suite with TLSv1.0 or SSLv3.0, so while it doesn’t provide great security, it’s better than nothing. I’m now tunneling my administrative traffic through TLS and SSH. From Securing Administration of Shared Hosting, I just changed 80:www.tidgubi.com:80 to 443:www.tidgubi.com:443 to specify the HTTPS port (443) instead of the standard HTTP port (80).