Securing Your CP Server with SSL

This document gives step-by-step instructions on how to secure your CP Apache server with a regular SSL certificate.

Note: You can secure your control panel with a wildcard certificate if you install it on the same domain name. For example, if your CP domain name is cp.example.com, you can secure it by installing a wildcard certificate for example.com.

We recommend that you configure your system to be accessible over both HTTP and HTTPS, because Parallels SiteStudio does not fully support the HTTPS protocol.

To secure your CP with a regular SSL certificate:

  1. Create or choose a directory to store SSL-related files, e.g.:

    # mkdir cert

    Make this directory available only to root:

    # chmod 700 cert

    Go to this directory:

    # cd cert

  2. Generate an SSL private key with the OpenSSL utility:

    # openssl genrsa -des3 -out server.key 1024

    When prompted for a PEM pass phrase, enter any combination of 4 characters, e.g. 1234. A unique private key will be written to the server.key file.
    For more details, read the mod_ssl documentation (http://www.modssl.org/source/mod_ssl-2.8.16-1.3.29.tar.gz).

  3. Copy this file to a secure location. You will need it later.
  4. Make the newly generated file readable only by root:

    # chmod 600 server.key

  5. To view the content of the private key file, use the command:

    # openssl rsa -noout -text -in server.key

  6. Remove the pass phrase from the private key:

    # openssl rsa -in server.key -out server.key.unsecure

  7. You no longer need the private key with the pass phrase. Overwrite it with the private key without the pass phrase:

    # cp server.key.unsecure server.key

  8. Generate an SSL certificate signing request based on the private key:

    # openssl req -new -key server.key -out server.csr

    You will be asked a number of questions about your company. The answers are included in the certificate.

    Note: The Common Name is the host name at which you want your control panel to be available, e.g. cp.yourdomain.com (not yourdomain.com).

  9. Check the content of the certificate request file:

    # openssl req -noout -text -in server.csr

    If you find a mistake in the data you have submitted, you can regenerate the request.

  10. Make sure to back up your SSL files:

    # mkdir backup
    # chmod 700 backup
    # cp ./*.* backup/

  11. Send the generated CSR file to a trusted Certificate Authority for signing. They will send you back the certificate. Save it as server.crt.
  12. To view the content of the certificate, run:

    # openssl x509 -noout -text -in server.crt

  13. Save the private key and the certificate:

    # cp -f ./server.key /hsphere/local/home/cpanel/apache/etc/ssl.key/

    # cp -f ./server.crt /hsphere/local/home/cpanel/apache/etc/ssl.crt/

  14. Important: Make sure to back up the ssl.key and ssl.crt files to a safe location. You may need them in the future.
  15. If your certificate was signed by a certificate authority that is not trusted by default, run the following command:

    # cp -f ./ca-bundle.crt /hsphere/local/home/cpanel/apache/etc/ssl.crt/

  16. If your certificate does not require a chain certificate, skip this item. Otherwise, do the following:
    1. Store the chain certificate in the file:

      /hsphere/local/home/cpanel/apache/etc/ssl.crt/ca.crt

    2. Create a custom CP Apache config template if you do not have one (see Appendix C of the Parallels H-Sphere Installation Guide).
    3. Add the line (according to Step 2 "Edit template" in the above-mentioned document):

      SSLCertificateChainFile /hsphere/local/home/cpanel/apache/etc/ssl.crt/ca.crt

      to the file:

      /hsphere/local/home/cpanel/apache/etc/httpd.conf.tmpl.custom

  17. Open the file hsphere.properties:

    # vi /hsphere/local/home/cpanel/shiva/psoft_config/hsphere.properties

    and change the lines:

    CP_PORT = 8080
    CP_PROTOCOL=http://

    to:

    CP_PORT = 8443
    CP_PROTOCOL=https://

  18. Restart Parallels H-Sphere.
  19. Check the log file:

    # vi /hsphere/local/home/cpanel/apache/logs/ssl_engine_log

Your control panel should now be available at both http://cp.yourdomain.com:8080 and https://cp.yourdomain.com:8443.
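The files produced by steps 2 to 16 must belong together before they are copied into ssl.key/ and ssl.crt/: a certificate issued for a key other than the one you kept makes Apache refuse to start with a key/certificate mismatch, a wrong ca.crt breaks the chain the browser sees, and a key restored from backup can lose its mode 600. The following script, added here as an illustration and not part of the H-Sphere guide or product, runs those checks with openssl. So that it works offline, it builds a constructed fixture (a throwaway test CA and a certificate for cp.example.com) in a temporary directory; the directory, the file names other than the guide's server.key, server.csr, server.crt and ca.crt, and the 2048-bit key size (public CAs no longer sign 1024-bit keys) are assumptions of this example, not values from the guide.

```shell
#!/bin/sh
# Added example (not from the H-Sphere guide): consistency checks for the key, CSR,
# certificate and CA file produced by the procedure, run before copying them into place.
set -eu

# Scratch directory for the constructed fixture (an assumption of this example).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# SHA-256 of the RSA modulus in a key (rsa), CSR (req) or certificate (x509).
# Files that belong together carry the same modulus, so the digests are comparable.
modulus_digest() {
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if key, CSR and certificate all share one modulus.
check_keypair_match() {
    key_d=$(modulus_digest rsa "$1")
    csr_d=$(modulus_digest req "$2")
    crt_d=$(modulus_digest x509 "$3")
    # An unreadable file yields an empty digest; refuse rather than compare "" to "".
    [ -n "$key_d" ] && [ "$key_d" = "$csr_d" ] && [ "$key_d" = "$crt_d" ]
}

# Succeeds if the certificate chains to the CA file (the guide's ca.crt / ca-bundle.crt).
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if the certificate's Common Name equals the CP host name
# (cp.yourdomain.com, not yourdomain.com, as the note on step 8 requires).
check_common_name() {
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# Succeeds if the private key is readable by its owner only (mode 600, step 4).
check_key_mode() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed fixture: a throwaway CA, a CP certificate it signs, and an unrelated
# key for the negative case. Replace with your real files in production.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
    openssl genrsa -out "$WORKDIR/server.key" 2048 >/dev/null 2>&1
    chmod 600 "$WORKDIR/server.key"
    openssl req -new -key "$WORKDIR/server.key" -subj "/CN=cp.example.com" \
        -out "$WORKDIR/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -out "$WORKDIR/server.crt" >/dev/null 2>&1
    openssl genrsa -out "$WORKDIR/other.key" 2048 >/dev/null 2>&1
}

# Print PASS/FAIL for one check without aborting the script under set -e.
report() {
    name=$1; shift
    if "$@"; then echo "PASS  $name"; else echo "FAIL  $name"; fi
}

make_fixture
report "key, CSR and certificate match" \
    check_keypair_match "$WORKDIR/server.key" "$WORKDIR/server.csr" "$WORKDIR/server.crt"
report "certificate chains to ca.crt"   check_chain "$WORKDIR/ca.crt" "$WORKDIR/server.crt"
report "Common Name is the CP host"     check_common_name "$WORKDIR/server.crt" cp.example.com
report "private key is mode 600"        check_key_mode "$WORKDIR/server.key"
if check_keypair_match "$WORKDIR/other.key" "$WORKDIR/server.csr" "$WORKDIR/server.crt"; then
    echo "FAIL  unrelated key was accepted"
else
    echo "PASS  unrelated key is rejected"
fi
```

Point the four check functions at the real server.key, server.csr, server.crt and ca.crt from the cert directory before step 13. After H-Sphere has been restarted, `openssl s_client -connect cp.yourdomain.com:8443 -showcerts` shows the certificate chain the server actually presents, which is the live counterpart of check_chain.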

In this section:

Disabling HTTP Access

Switching Between IP and Domain Name