How to get your website to run SSL and optionally user certificate authentication
Web server administrators and web authors
Why do you want to implement SSL?
There are several ways in which SSL can make your site more secure.
- If you have sensitive data on your site, or the site is intended for a limited audience, you may want to implement user certificate authorization, which requires SSL.
- You may want to use password authentication without the passwords crossing the network in clear text; SSL encrypts them in transit. Likewise, use SSL whenever sensitive data is uploaded to or downloaded from the site.
- SSL conceals which pages an individual is viewing: an observer on the network can still see that a client connected to your server, but not the URL paths, query strings or page contents.
See also Restricting Access to Web Pages.
Find out about the web server that hosts your site
Many web authors are not server administrators. They are not familiar with the configuration of the hosting server and may not even know whether it runs Apache or IIS. The web author and the server administrator need to work together in order to implement SSL (and user certificate authentication, if desired).
To find out whether the server is configured for SSL, go to the URL in question and replace http with https. If the page loads, SSL is set up. If the browser loads the page but warns about the certificate, SSL is running with a certificate the browser does not trust (self-signed, expired, or issued for a different host name); mention this to the administrator. If the https URL does not respond at all, your server administrator will either need to set SSL up or ask you to move your site to a different server.
To contact the server administrator, create a Service Desk request stating that you wish to have SSL (and optionally client authentication via certificates) set up on your site. Here are some guidelines for the ticket description:
- Provide your site address (URL and path)
- Is the server Apache or IIS?
- If the server is not SSL-enabled, can the server administrator set it up? (Note that this is more likely to get a positive response if you're asking about a "fnal.gov" server as opposed to a ".org" server, for reasons of cost and convenience; ".org" sites require purchasing a certificate from a commercial CA.)
- If so, which CA(s) does the server trust for client certificates: CILogon, OSG PKI, or another CA?
- List the CA(s) you require, if you have already determined them.
- If you want to implement user certificate authorization:
  - Has the server been configured for inbound access by individuals via client certificates?
  - If not, request that it be configured for this.
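Before filing the ticket you can gather two of the facts it asks for from a shell: whether the server speaks SSL/TLS at all, and which CAs it already accepts client certificates from (a server that requests a client certificate sends its list of acceptable CA names during the handshake). The script below is an added example, not part of the original page; the host name www.example.fnal.gov is an assumption, and the s_client output it parses is a constructed sample, not a real capture. The parsing functions work on saved output, so the script runs offline; the live command is shown in the comments.

```shell
#!/bin/sh
# Added example, not from the original page. Host name is assumed.
# Live check (needs network):
#   openssl s_client -connect www.example.fnal.gov:443 \
#       -servername www.example.fnal.gov </dev/null 2>/dev/null
# "Verify return code: 0 (ok)" means the server speaks SSL/TLS with a
# certificate your local trust store accepts. If the server asks for a
# client certificate, the output also carries an "Acceptable client
# certificate CA names" list: the CAs the administrator has already trusted.

# Constructed sample of s_client output (not a real capture).
SAMPLE_SCLIENT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.fnal.gov
   i:C = US, O = Example CA, CN = Example Issuing CA
---
Acceptable client certificate CA names
DC = org, DC = cilogon, C = US, O = CILogon, CN = CILogon OSG CA 1
DC = org, DC = cilogon, C = US, O = CILogon, CN = CILogon Basic CA 1
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 4381 bytes and written 433 bytes
Verification: OK
---
Verify return code: 0 (ok)
---
DONE'

# Exit 0 if the server certificate verified against the local trust store.
server_cert_ok() {
    printf '%s\n' "$1" | grep -q '^Verify return code: 0 (ok)'
}

# Exit 0 if the server requested a client certificate during the handshake
# (either with a CA list or with the "No client certificate CA names sent" line).
requests_client_cert() {
    printf '%s\n' "$1" | grep -Eq '^(Acceptable client certificate CA names|No client certificate CA names sent)'
}

# Print the CA names the server will accept client certificates from,
# one DN per line, exactly as s_client printed them.
acceptable_client_cas() {
    printf '%s\n' "$1" | awk '
        /^Acceptable client certificate CA names/ { grab = 1; next }
        grab && (/^Client Certificate Types/ || /^---/) { grab = 0 }
        grab { print }'
}

# Usage against a live server (assumed host):
#   out=$(openssl s_client -connect www.example.fnal.gov:443 \
#             -servername www.example.fnal.gov </dev/null 2>/dev/null)
#   server_cert_ok "$out" && acceptable_client_cas "$out"
```

To test client certificate authentication end to end once it is configured, add `-cert usercert.pem -key userkey.pem` to the s_client command so the handshake presents your certificate; a server that requires a certificate will close the connection or return an error page without one.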
Determine your web site's audience
If you want user certificate authentication enabled, figure out who should have access to your site, and how to distinguish this group from all other users. Some examples of groupings:
- Fermilab people (anyone eligible for a CILogon certificate)
- OSG-affiliated and Fermilab people (i.e. anyone who has an OSG PKI certificate)
- Specific individuals with certificates from a known set of CAs
- Anyone with a certificate issued by a particular CA and connecting from a particular domain (e.g. fnal.gov)
- Some combination of the above
Identify authorized users by Distinguished Name (DN)
Using the CA's DN
If you select authorized individuals based on the CA that issued their certificates (e.g., anyone with an OSG PKI certificate), you'll need to know the Distinguished Name (DN) of the CA. This is available on any certificate issued by the CA (as the Issuer field):
For OSG PKI, the DN is:
/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon OSG CA 1
For CILogon, the DN is:
/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1
Using Individual's DN
If you select authorized individuals based on their personal certificates, you'll need to know their DNs (the subject DN of their certificate) and the issuing CAs. The subject DN is of the form (shown for OSG PKI):
/DC=org/DC=opensciencegrid/O=Open Science Grid/OU=People/CN=Neha Sharma 225
The OSG PKI site has a search function (select the Others tab to search DNs) where you can find this information.
The CILogon personal certificate subject DN looks like:
/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Joe Myname/CN=UID:myname
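If a user sends you their certificate file instead of their DN, the subject and issuer DNs can be read straight out of it. The script below is an added example, not part of the original page. The first function prints both DNs in the slash-separated form used on this page (OpenSSL 1.1.0 and later print a comma-separated form by default; `-nameopt compat` restores the slash layout). The second function converts a slash-form DN into the comma-separated RFC 2253 order that Apache 2.4 uses for its SSL_CLIENT_S_DN and SSL_CLIENT_I_DN variables unless the legacy format is switched on; it assumes no component value itself contains a slash or comma (such values are escaped in both formats and are not handled here). The certificate path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page.

# Print the subject and issuer DN of a PEM certificate in the
# "/DC=org/DC=cilogon/..." form (path is an assumption; requires openssl).
cert_dns_slash_form() {
    openssl x509 -in "$1" -noout -subject -issuer -nameopt compat
}

# Convert "/DC=org/DC=cilogon/.../CN=Joe Myname/CN=UID:myname" to
# "CN=UID:myname,CN=Joe Myname,...,DC=cilogon,DC=org" (RFC 2253 order:
# most specific component first). Apache 2.4 exposes SSL_CLIENT_S_DN and
# SSL_CLIENT_I_DN in this form unless SSLOptions +LegacyDNStringFormat is set.
# Assumes component values contain no "/" or "," (escaped forms not handled).
slash_dn_to_rfc2253() {
    printf '%s\n' "$1" | awk -F/ '{
        out = ""
        for (i = NF; i >= 2; i--) {          # $1 is the empty text before the leading "/"
            if ($i == "") continue           # tolerate a trailing "/"
            out = out (out == "" ? "" : ",") $i
        }
        print out
    }'
}

# Example run on the CILogon subject DN quoted on this page:
#   slash_dn_to_rfc2253 '/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Joe Myname/CN=UID:myname'
# Against a user's certificate (assumed path):
#   cert_dns_slash_form ~/.globus/usercert.pem
```

Always record the issuer DN alongside the subject DN: a subject DN only identifies a person within the namespace of the CA that issued it, and an authorization rule that matches the subject alone would accept a certificate with the same subject from any other trusted CA.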
Add the authorized users
If your server is IIS, give this information to the server administrator and have him/her set it up. It is best to request this using the same Service Desk request that you created earlier to get the initial information about the server.
If your server is Apache, you can edit the .htaccess file of the protected directory and add an SSLRequire directive that matches the issuer and/or subject DNs you collected. This only works if the administrator has enabled client certificate verification and loaded the CA certificates in the server configuration (those directives are not permitted in .htaccess) and allows AuthConfig overrides for your directory. The directive is described in detail towards the end of the page Setting up an SSL server with the Fermilab apache product.
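The following .htaccess is an added example (not from the original page or the Fermilab apache product documentation) that turns the audience groupings listed under "Determine your web site's audience" into one SSLRequire rule. The CA and user DNs are the ones quoted on this page; the fnal.gov domain check and the combination of rules are assumptions chosen for illustration.

```apache
# .htaccess for the protected directory (added example, not from the page).
# Server-side prerequisites the administrator must provide: SSL on the
# virtual host, SSLCACertificateFile or SSLCACertificatePath listing the
# CILogon / OSG PKI CA certificates, and AllowOverride including AuthConfig
# and Options for this directory.

# Refuse plain-http access to this directory entirely.
SSLRequireSSL

# Demand a client certificate that chains to one of the trusted CAs.
SSLVerifyClient require
SSLVerifyDepth  3

# Keep the "/DC=org/DC=cilogon/..." form of the DN variables on Apache 2.4.
# Without this, 2.4 formats SSL_CLIENT_S_DN / SSL_CLIENT_I_DN as
# "CN=...,O=...,DC=org" and the string comparisons below never match.
# Apache 2.2 already uses the slash form.
SSLOptions +LegacyDNStringFormat

# Audience: any OSG PKI certificate holder,
#        or the named CILogon user (issuer and subject checked together),
#        or any CILogon Basic CA holder connecting from an fnal.gov host
#           (REMOTE_HOST needs HostnameLookups On; otherwise match REMOTE_ADDR).
SSLRequire  %{SSL_CLIENT_I_DN} eq "/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon OSG CA 1" \
         or ( %{SSL_CLIENT_I_DN} eq "/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1" \
              and %{SSL_CLIENT_S_DN} eq "/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Joe Myname/CN=UID:myname" ) \
         or ( %{SSL_CLIENT_I_DN} eq "/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1" \
              and %{REMOTE_HOST} =~ m/\.fnal\.gov$/ )
```

Each individual is matched on issuer and subject together, never on the subject alone, so that a certificate with the same subject from a different trusted CA is not accepted. Apache 2.4 still honours SSLRequire but marks it deprecated in favour of `Require expr` with the same variables; if the administrator has pinned the server to 2.4's native form, ask them which syntax they expect before editing.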