How to Install an SSL Certificate on Apache
This post tells you how to install SSL certificates on an Apache v-hosts running on Ubuntu 12.04 or higher. It assumes you’re logged in as root. Before we begin, let’s grab an SSL certificate for $9.00 from NameCheap.
After You Complete This Tutorial
To get the maximum benefit from your new cert, be sure to read our post on Securing SSL Against Common Exploits after completing this tutorial.
1. Generate an Encryption Key
First, navigate to Apache’s SSL folder:
$ cd /etc/ssl/private
Then generate the keys for the Certificate Signing Request (CSR) by running the following command:
$ openssl genrsa -out server.key 2048
What Did We Just Do? Here’s the Explanation:
The above command uses OpenSSL to generate a 2048 bit encryption key and stores it in a file called
server.key. The associated key has a Secure Hashing Algorithm (SHA) certificate signature that is 256 bits long. Hence, we have created a SHA-256 certificate signature. In the security world, this “signature” is also referred to as a “hash value” or a “digest”.
2. Create a Certificate Signing Request (CSR)
The CSR is used to generate the SSL certificate based on information you provide during in its questionnaire. It is a hash of certificate parameters sent to the company that issues the certificate. The company that issues (and digitally signs) a certificate is called a Certificate Authority (CA).
To create the CSR, run the following command:
$ openssl req -new -key server.key -out server.csr
You will be prompted to enter Company Name, Site Name, Email Id, etc. For Extended Validation (EV) certs all fields are required except email address. For non-EV certs you’ll need specify the common name at the minimum.
What’s a Common Name?
For our purposes, the is common name just a fancy term for the actual web address (e.g., mysite.com) you want to protect and run SSL on. If you want to run SSL on both
mysite.com (i.e., without the ‘www’), preface your domain name with www. If you don’t care for the www prefix, just enter
WWW vs No WWW Prefix
NOTE: If you create a CSR with the www prefix (e.g., www.mydomain.com), non-www versions of your site will also function with SSL. However, visits to this non-www URL will produce an RSA warning in your log files. For the sake of ‘cleanliness’, we prefer to leave off the www prefix.
Here’s what the CSR generation process looks like:
Generating a 2048 bit RSA private key ......................................................++++++ ....++++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Delaware Locality Name (eg, city) :Wilmington Organization Name (eg, company) [Internet Widgits Pty Ltd]: Living Wholesome LLC Organizational Unit Name (eg, section) : Code Sport IO Common Name (eg, YOUR name) :codesport.io Email Address : Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
NOTE: Once you fill out the main questionnaire, ignore the ‘extra’ attribute questions. That is, do not enter email address, challenge password or optional company name when generating the CSR. Just press enter to skip these questions.
Your CSR will now be generated and stored in the server.csr file.
3. Submit CSR to the Certificate Authority (CA)
In this example, the CA is the site where we purchased our certificate. In this case we’re using Namecheap which is acting as reseller. Paste the contents of your CSR file into your CA’s form for processing. The CA will use this CSR file and issue the certificate.
TODO – Housekeeping Items: Rename Your
Rename your key file to the common name you chose in the CSR generation process in Step 2. So, if you chose your common name as www.mydomain.com, at the command line you would type
mv server.key www.mydomain.com.key to rename the file.
4. Upload the Certificate to Your Server
Place the .crt file (provided by the CA) in
/etc/ssl/certs/ directory. Make sure the .key file is in
To ensure that the .crt and .key files don’t have other readable permissions, as it can lead to an exploit, we’ll execute the following command to protect the key by removing readable permissions from all users except root:
$ chmod 400 /etc/ssl/private/mydomain.com.key
And, execute the following command to protect the signed certificate:
$ chmod 400 /etc/ssl/certs/mydomain.com.crt
Updating Certificate Chain Files
CAs will typically supply a chain certificate. It is installed to validate the full chain from the root CA down to the specific Organization Unit of the CA that issues a branded website certificate. This Super User answer gives a good explanation.
Step 1: Create the intermediate certificate chain.
Comodo certs come with a root and 2 intermediate certs in their zip file. You do not need to include the root since it is already embedded in the client’s browser. To install the intermediate certificate chain, first stack the contents of the following files into a new file using a text editor:
Do not add any newlines or spaces. The new file should have this structure:
-----BEGIN CERTIFICATE----- COMODORSADomainValidationSecureServerCA.crt hash content is here -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- COMODORSAAddTrustCA.crt hash content is here -----END CERTIFICATE-----
Steps 2 and 3: Save the file as
comodo-chain-bundle.crt and upload the file your server’s
Step 4: Make sure the file only has read permissions granted to root:
$ chmod 400 /etc/ssl/certs/comodo-chain-bundle.crt
That’s it! You’re done configuring your chain file!
5. Create and Configure the SSL Virtual Host (V-Host) File
Copy the site’s original v-host file (e.g. myDomain.com.conf to ssl-myDomain.com.conf) and then edit it using nano:
$ cd /etc/apache2/sites-available/ $ cp myDomain.com.conf ssl-myDomain.com.conf $ nano ssl-myDomain.com.conf
Next, edit the following lines so it operates properly with SSL:
- In the first line,
<VirtualHost *:80>, change :80 to :443 so it will look like:
- Now, at the bottom of the file, just above the
</VirtualHost>line, add the following:
#SSL Directives SSLEngine on SSLCertificateFile /etc/ssl/certs/<mydomain.com>.crt SSLCertificateKeyFile /etc/ssl/private/<mydomain.com>.key SSLCertificateChainFile /etc/ssl/certs/<comodo-chain-bundle>.crt
6. Enable Your New HTTPS Site
After you’ve done this you’ll need to enable your site. Invoke the following commands to enable mod_ssl, the new VirtualHost you created, and restart Apache.
$ sudo a2enmod ssl $ sudo a2ensite ssl-myDomain.com.conf $ sudo service apache2 restart
Now when you navigate to the site via https:// you should be able to successfully connect!