In this article, you will learn how to enable and configure SSL in your environment on our Virtuozzo PaaS service. You can either use the Bult-In SSL Virtuozzo provides or upload a custom SSL. 

Note: If you are new to our PaaS service and you need help with creating your environment you can consult our KB article - PaaS - How to create an environment on Virtuozzo.

Built-In SSL Certificates

Built-in wildcard SSL by Virtuozzo PaaS is an excellent solution due to its fast configuration, usage, and of course reliability for a secure website.

The built-in SSL certificate offers:

• Convenient Management - configured and working SSL with a single click in the topology wizard
• Fast Validation - domain-level verification, including your site check and security seal issuing, is performed in a matter of minutes
• Enterprise-Level Data Encryption - the strength provided by built-in SSL certificates makes your customers feel comfortable with their security

In order to get the built-in SSL certificate, perform the following steps:

Log into your Virtuozzo dashboard and open the topology wizard by clicking the New Environment button at the top-left corner or by selecting the Change Environment Topology icon next to the existing environment.

In the opened topology wizard, set up your environment up to your needs, then switch to the SSL section at the top-left part of the frame and enable the built-in SSL with the appropriate switcher.

Note: Built-in SSL is not compatible with a public IP address attached to your servers and is applied to the specified environment name domain only (e.g. my-environment.mg01.paas.massivegrid.net for the image above).

To initiate your environment installation, click the Create button or Apply to adjust the existing one.

Now, upon clicking the Open in Browser button for this environment, you’ll see that communication with it is performed over the HTTPS protocol.

Custom SSL Certificates

In addition to the Built-In SSL and Let’s Encrypt SSL, Virtuozzo PaaS provides the ability to upload and use custom SSL certificates for your environments. Virtuozzo supports the following certificate types:

• Self-signed
• Wildcard
• Multi-Domain
• Extended validation single domain
• Extended validation multi-domain
• Low assurance/domain-validated certificate

In this instruction, we’ll show you how to get a single-domain Custom SSL certificate enabled in your environment.

Generate a Custom SSL Certificate

In order to add the Custom SSL certificate to your Virtuozzo environment, you need to have:

• pre-purchased custom domain name
• server key
• intermediate certificate or certificates chain (CA)
• domain certificate

Follow these next steps in order to fulfill the above requirements:

1) Buy a Domain Name (e.g. mywebsite.com) using any domain registrar.

2) Generate your server key for the purchased domain name and create a Certificate Request on its basis with the help of any preferred tool.

We’ll use OpenSSL as an example. Depending on the operating system you are using, perform the following steps:

For Windows

Download the latest OpenSSL tool version. Extract the received archive and run the tool by double-clicking the openssl.exe file in the bin folder. Subsequently, the files created with OpenSSL will appear in the same bin directory by default.

First, you need to generate an SSH private server key with the following command:

genrsa -out {filename} {length} 

On the above command exchange the related fields as follows:

{filename} - the name of the output key file with the .key extension (e.g. server.key)

{length} - private key length in bits (should be at least 2048 to be considered secure, e.g. 4096).

Note: DO NOT protect your key with a passphrase; otherwise, you’ll get an error during its addition to the Virtuozzo dashboard.

Then you should generate a certificate request based on the prepared key. Create it as follows:

req -config {config_path} -new -key {keyname} -out {filename}

On the above command exchange the related fields as follows:

{config_path} - path to the openssl.cnf configuration file, located in the directory with extracted OpenSSL files (specified according to the C:\path\to\openssl.cnf format)

{keyname} - your server key name (the one you’ve generated in the previous step, server.key in our case)

{filename} - desired name of the output request file with .csr extension (e.g. server.csr)

Next, you’ll see a set of questions appear. Answer them to complete the certificate information with your data.

Note: The Common Name parameter value has to be equal to your purchased domain name; otherwise, your certificate won’t be validated.

For Linux/MacOS/FreeBSD

In case you don’t have the OpenSSL tool installed yet, get it with the appropriate command (according to your OS package manager) executed within your terminal. E.g. for Ubuntu/Debian Linux distribution use the following one:

sudo apt-get install openssl 

When the installation process is completed, proceed to the generation of the required files. All newly created OpenSSL files will appear in the home directory of your local machine user by default.

openssl genrsa -out {filename} {length}

On the above command exchange the related fields as follows:

{filename} - name of the output key file with .key extension (e.g. server.key)

{length} - private key length in bits (should be at least 2048 to be considered secure, e.g. 4096)

Note: DO NOT protect your key with a passphrase; otherwise, you’ll get an error during its addition to the Virtuozzo dashboard.

Then you should generate a certificate request based on the prepared key. Create it as follows:

openssl req -new -key {keyname} -out {filename}

On the above command exchange the related fields as follows:

{keyname} - your server key name (the one you’ve generated in the previous step, server.key in our case)

{filename} - desired name of the output request file with .csr extension (e.g. server.csr).

Note: The Common Name parameter value has to be equal to your purchased domain name; otherwise, your certificate won’t be validated.

3) Send the Certificate Request you’ve received to your preferred Certificate Authority (CA) company for signing.

4) The chosen CA checks the identity of the domain owner and (if everything is ok) sends the Intermediate certificate and Domain certificate back to you.

Once you’ve received all the required files, you can proceed to configure your environment.

Adjust Environment Topology

In order to be secured with a Custom SSL certificate, your environment should have a custom domain and Public IP address attached to your application server.

Note: Environments based on the .NET, Go, Node.js servers or custom Docker containers should include the certified load balancer to support custom SSL. In these cases, the external IP address should be attached to the balancer instead of an application server as it becomes the entry point of your environment.

1) Log in to the Virtuozzo dashboard and create a New Environment or click the Change Environment Topology button for an existing one.

2) In the opened Environment Topology dialog, click on the SSL section switcher above the server blocks and check if all the Custom SSL requirements are fulfilled (i.e. if all the options in the requirements list are marked with a green tick).

If they are not, Virtuozzo can help you to Enable these requirements for your environment in one click. Select the appropriate button next to the list of requirements and your environment topology will be instantly tuned according to them.

To complete the adjustment, click Create for a new environment or click on Apply in case you’ve edited the existing one.

Domain Name and A Record Settings

Now you need to set an A Record in order to point your custom domain name to the public IP address of your application.

1) Expand the entry-point node for your environment (load balancer or application server) to see the list of IPs. Click Copy to Clipboard next to your public IP address.

2) Then, navigate to DNS Manager of the chosen domain registrar system (the one you’ve used for your custom domain name purchase) and set an A Record within it.

Upload Certificate to the Environment

The last step that you need to perform is to upload the certificate files to your Virtuozzo environment.

1) Click Settings for the configured environment.

2) In the opened tab, choose the Custom SSL option within the left-hand list. Upload Server Key, Intermediate Certificate (CA), and Domain Certificate into the appropriate fields and click Save.

When the servers in your environment are automatically restarted, let’s ensure everything works properly. For that, enter the bound custom domain name (or the attached external IP address) into your browser’s address bar with https:// connection protocol specified instead of the default http:// one. Your application should be opened without any problems.