Adding an SSL Certificate in Apache

Update April 2018: I’d suggest using Let’s Encrypt for this instead.

I do this just infrequently enough to forget the details. So here’s the process for purchasing and installing an SSL certificate for https on your Linux/Apache web server (using Ubuntu 12.04 and Apache 2.2 here):

Generate Local Key/CSR, Purchase SSL Certificate

  1. Generate your key and CSR on your server.
    $ openssl req -nodes -newkey rsa:2048 -keyout mysite.com.key -out mysite.com.csr -subj "/C=country/ST=state/L=city/O=company/OU=my department/CN=mysite.com"
    
  2. Move the .key file to a keys directory owned by and readable only by root, e.g., /etc/ssl/keys (note that chmod needs the file’s new path once it has been moved).
    $ mv mysite.com.key /etc/ssl/keys/.
    $ chown root:root /etc/ssl/keys/mysite.com.key
    $ chmod 400 /etc/ssl/keys/mysite.com.key
    
  3. Purchase a certificate from InCommon, GeoTrust, etc. You’ll need to send them the contents of the .csr file generated in step 1. Most likely you’re purchasing an Apache/ModSSL or Apache/OpenSSL certificate.
  4. The certificate authority will prompt you to download the certificate (a .cer or .crt file). Download it as ‘X509 certificate only’.

Install Your SSL Certificate

  1. Put the file in your certificates directory on your web server (e.g., /etc/ssl/certs), and chown/chmod to root:root 644.
  2. If your certificate was issued by an intermediate CA (likely), your issuer will also give you a file like mysite_com.ca-bundle that “chains” your certificate to a trusted root certificate. Put this bundle file somewhere like /etc/ssl/bundle/ and chown/chmod to root:root 644.
  3. Set up the mysite-ssl virtualhost in your Apache configuration with the paths to your .key and .cer/.crt files:
    <VirtualHost *:443>
            ServerAdmin me@mysite.com
            ServerName mysite.com
    
            DocumentRoot /path/to/mysite.com
    
            SSLEngine on
            SSLCertificateFile    /etc/ssl/certs/mysite.com.cer
            SSLCertificateKeyFile /etc/ssl/keys/mysite.com.key
            # If you have a chained certificate, add the bundle as well.
            # (SSLCACertificateFile is for client-certificate CAs, not the server chain;
            # on Apache 2.4.8+ you can instead append the chain to SSLCertificateFile.)
            SSLCertificateChainFile /etc/ssl/bundle/mysite_com.ca-bundle
    </VirtualHost>
    
  4. Restart Apache:
    $ /etc/init.d/apache2 restart
    
  5. Test your site to make sure it works with SSL: https://mysite.com/
  6. If you want to force SSL on your site or certain pages, you could use mod_rewrite (R issues an external redirect, L stops further rule processing):
    <Location /login.php>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    </Location>
    
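Before restarting Apache (step 4), it is worth checking that the files the virtualhost points at actually fit together, since a key/certificate mismatch, a key Apache cannot read, or a broken bundle leaves the server refusing to start or serving an incomplete chain. The script below is an added example and not part of the original post; check_ssl_files is a name chosen here, and it runs the same openssl tool used in step 1 against whatever key, certificate and bundle paths you pass it.

```shell
#!/bin/sh
# Pre-flight check for an SSL virtualhost's files (added example, not from the
# original post). Usage: check_ssl_files KEY CERT [BUNDLE]
# Returns 0 only when the key is owner-readable only, the key matches the
# certificate, the certificate is not about to expire, and (if a bundle is
# given) the certificate chains to it.
check_ssl_files() {
    key="$1"; cert="$2"; bundle="$3"

    # 1. The private key must be readable by its owner only (mode 400 or 600).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        400|600) ;;
        *) echo "FAIL: $key has mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac

    # 2. Key and certificate must carry the same public key. Comparing the
    #    SubjectPublicKeyInfo PEM from each side works for RSA and EC keys alike.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "FAIL: cannot read private key $key" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) \
        || { echo "FAIL: cannot read certificate $cert" >&2; return 1; }
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "FAIL: $key does not match $cert" >&2; return 1; }

    # 3. The certificate must still be valid 30 days from now (2592000 s).
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: $cert is expired or expires within 30 days" >&2; return 1
    fi

    # 4. With a chain bundle, the leaf must verify through it. The bundle's
    #    certificates are treated as trusted alongside the system root store.
    if [ -n "$bundle" ] && ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $bundle" >&2; return 1
    fi

    echo "OK: $cert and $key are consistent${bundle:+ and chain to $bundle}"
}
```

Run it as `check_ssl_files /etc/ssl/keys/mysite.com.key /etc/ssl/certs/mysite.com.cer /etc/ssl/bundle/mysite_com.ca-bundle` before the restart; a non-zero exit and the FAIL line tell you which of the four checks to fix.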
