
How to get your website to run SSL and optionally user certificate authentication

Web server administrators and web authors

This page is intended primarily for web authors. Information for server administrators is available separately for IIS and Apache.

Why do you want to implement SSL?

There are several ways in which SSL can make your site more secure.

See also Restricting Access to Web Pages.

Find out about the web server that hosts your site

Many web authors are not server administrators. They are not familiar with the configuration of the hosting server and in fact do not even know if it runs Apache or IIS. The web author and the server administrator need to work together in order to implement SSL (and user certificate authentication, if desired).

To find out if the server is configured for SSL, go to the URL in question, and replace http with https. If that works, then SSL is set up. If not, your server administrator will either need to set it up or ask you to move your site to a different server.

To contact the server administrator, create a Service Desk request stating that you wish to have SSL (and optionally client authentication via certificates) set up on your site. Here are some guidelines for the ticket description:

Determine your web site's audience

If you want user certificate authentication enabled, figure out who should have access to your site, and how to distinguish this group from all other users. Some examples of groupings:

Identify authorized users by Distinguished Name (DN)

Using CA's DN

If you select authorized individuals based on the CA that issued their certificates (e.g., anyone with an OSG PKI certificate), you'll need to know the Distinguished Name (DN) of the CA. This is available on any certificate issued by the CA (as the Issuer field):

For OSG PKI, the DN is:

/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon OSG CA 1

For CILogon, the DN is:

/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1

Using Individual's DN

If you select authorized individuals based on their personal certificates, you'll need to know their DNs (the subject DN of their certificate) and the issuing CAs. The subject DN is of the form (shown for OSG PKI):

/DC=org/DC=opensciencegrid/O=Open Science Grid/OU=People/CN=Neha Sharma 225

The OSG PKI site has a search function (select the Others tab to search DNs) where you can find this information.

The CILogon personal certificate subject DN looks like:

/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Joe Myname/CN=UID:myname

Here "Joe Myname" is the cn and "myname" is the uid.

Add the authorized users

If your server is IIS, give this information to the server administrator and have them set it up. It is best to request this using the same Service Desk request that you created earlier to get the initial information about the server.

If your server is Apache, you can edit the .htaccess file. You'll need to add an "SSLRequire" directive. This is described in detail towards the end of the page Setting up an SSL server with the Fermilab apache product.
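
The following .htaccess fragment is an added example, not taken from the original page or from the Fermilab apache product documentation, showing SSLRequire used with the CA and individual DNs listed above. It assumes the server administrator has already enabled SSL with client certificate verification against the relevant CA and allows these directives through AllowOverride; the individual subject DN is the sample one from this page.

```apache
# Added example for this page; not taken from the Fermilab apache product docs.
# Assumed to be already done by the server administrator:
#   - SSL is enabled for the site
#   - SSLVerifyClient require (or optional) with the CA bundle for the CAs below
#   - AllowOverride permits AuthConfig and Options in this directory

# Refuse any request for this directory that did not arrive over SSL.
SSLRequireSSL

# Apache 2.4 only: report DNs in the slash-separated form used on this page.
# Without it, 2.4 exposes DNs in RFC 2253 style ("CN=...,O=...,C=US,DC=...")
# and the comparisons below never match. Remove this line on Apache 2.2.
SSLOptions +LegacyDNStringFormat

# Option A: anyone whose certificate was issued by the OSG PKI CA.
# SSL_CLIENT_VERIFY must be SUCCESS so that a DN copied into an unverified
# or self-signed certificate is not accepted.
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
       and %{SSL_CLIENT_I_DN} eq "/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon OSG CA 1"

# Option B (use instead of A): named individuals only. The issuer is pinned
# as well, because a subject DN is unique only within the CA that issued it.
# The subject DN is the sample one from this page; add more inside the braces.
#SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
#       and %{SSL_CLIENT_I_DN} eq "/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon OSG CA 1" \
#       and %{SSL_CLIENT_S_DN} in { \
#           "/DC=org/DC=opensciencegrid/O=Open Science Grid/OU=People/CN=Neha Sharma 225" \
#       }
```

After saving the file, request the page once without a certificate and once with a certificate from a different CA to confirm that both are refused.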

Authored by Fang Wang
Last modified 4 months ago