
Install SSL certificate on Apache server


Overview:

In simple terms, an SSL certificate is like a digital passport issued to a website by a certificate authority. It is used to establish an encrypted connection for transferring data between the browser and the website.

Now comes the question – what problem does this solve?

It provides a safe and secure environment for the site's customers in two ways: encryption and identification. First, because the connection is encrypted, only the intended recipient can understand the information sent.

Secondly, the SSL certificate contains details of the site, which proves that the site is who it says it is and can help in gaining customer trust.

How do customers know that a site is using SSL:

Most browsers display a security icon, usually a small locked padlock, when the site is secured. Depending on the type of certificate installed on your server, they also make the whole address bar green. Read more about it here.


Follow the steps below in order to install SSL on your website:

  1. Procure an SSL certificate. If you first want to test your website without spending money on SSL, go ahead with a self-signed certificate (please refer to section 6.2 for more information).
  2. Log in to your server.
  3. Install OpenSSL if it is not found on your server, or upgrade it. Please be aware of the Heartbleed bug.
  4. Create a private key on the Apache server.

You can create the private key either with or without encryption. Remember that if you choose an encrypted private key, the server will ask for the passphrase every time you restart it.

A. Create private key with triple DES encryption:
openssl genrsa -des3 -out domainname.key 2048

B. Create private key without triple DES encryption:
openssl genrsa -out domainname.key 2048

I would recommend storing this key and the passphrase (if entered) in a secure place, because if you lose it you will have to create the private key again.

You can view the content of the key by typing the following command:

openssl rsa -noout -text -in domainname.key

Your generated private key text should begin with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.

5. Generate a CSR (Certificate Signing Request) on the Apache server using the RSA private key generated above

a) openssl req -new -key domainname.key -out domainname.csr

You will now be prompted to enter some information about your website, which will be visible to anyone who looks at the certificate in the browser:

Country Name (2 letter code) : US

State or Province Name : North Carolina // Please enter full name

Locality Name : Raleigh

Organization Name : Company Ltd

Organizational Unit Name : IT

Common Name : mysubdomain.mydomain.com

Email Address : some_email_address

Please enter the following ‘extra’ attributes to be sent with your certificate request

A challenge password : Leave Blank

An optional company name : Leave Blank

The Common Name is where you should enter the fully qualified domain name of the website you require the certificate for.

Note: for wildcard certificates, the Common Name should be in the format: *.mydomain.com

b) You can verify the content of the CSR with the following command:

openssl req -noout -text -in domainname.csr

6. Get trusted 3rd party certificate or create self signed certificate:

6.1 Use CA signed certificates if you don’t want to have warnings like “Unknown Publisher” or “Untrusted” or “Unverified”. Read about CA here.

Now you need to submit your CSR to a trusted third-party SSL Certificate Authority (CA) such as GeoTrust or GlobalSign when purchasing the SSL certificate. You will receive a certificate file and a CA bundle.

Install Certificate on apache server:

a) Copy the certificate file to /etc/ssl/ssl.crt/domain.crt

b) Copy the bundle file to /etc/ssl/certs/received_file_name.crt

– If a .crt file is provided, just copy that file to /etc/ssl/certs/CA_Bundle.crt

– If a .p7b file is provided, extract the .crt file from it with the following command (-print_certs is needed so that the certificates themselves are written out):

openssl pkcs7 -inform der -print_certs -in CA_Bundle.p7b -out CA_Bundle.crt

Then copy that .crt file to /etc/ssl/certs/

6.2 Use self signed certificates if the site is for testing purpose

a) Generate a self signed certificate which will be valid for 365 days by the following command

openssl x509 -req -days 365 -in domainname.csr -signkey domainname.key -out domain.crt

b) Copy the certificate file in /etc/ssl/ssl.crt/domain.crt

7. Edit the Apache config file

– Open the linux apache configuration file found in /etc/apache2/sites-enabled/your_site_name.conf

– Configure the <VirtualHost> block for enabling SSL

<VirtualHost *:80>
    ServerName example.com
    # Redirect every URL opened on http to https
    Redirect permanent / https://example.com/
    DocumentRoot ..
    ..
    ..
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot ..
    SSLEngine on
    SSLCertificateFile /etc/ssl/ssl.crt/domain.crt
    SSLCertificateKeyFile /path/to/domainname.key
    # Remove the next line if the certificate is self-signed
    SSLCertificateChainFile /etc/ssl/certs/CA_Bundle.crt
    ..
    ..
</VirtualHost>

8. Enable the SSL module for Apache using the following command

sudo a2enmod ssl

9. SSL runs on port 443, so Apache needs to listen on this port. Make the change in your ports configuration file, /etc/apache2/ports.conf

10. Now just restart your Apache server with the following command

sudo /etc/init.d/apache2 restart
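Before the restart in step 10, it is worth confirming that the key, CSR and certificate from steps 4 to 6 belong together and that the key file is not readable by other users. The script below is an added example, not part of the original article; it builds throwaway sample files with the article's commands (the `-subj` value and the temporary directory are constructed for the demo) and compares the RSA modulus of each file.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. File names follow the article;
# the sample key, CSR and certificate are generated locally and thrown away.

# Print the SHA-256 of the RSA modulus held in a key, CSR or certificate.
modulus_digest() {                       # usage: modulus_digest key|csr|crt FILE
    local out
    case "$1" in
        key) out=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) ;;
        csr) out=$(openssl req  -noout -modulus -in "$2" 2>/dev/null) ;;
        crt) out=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$out" ] || return 1            # unreadable file or wrong file type
    printf '%s\n' "$out" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the key is private to its owner and all three files match.
check_tls_material() {                   # usage: check_tls_material KEY CSR CRT
    local k c x
    # In "ls -l" output, characters 5-10 are the group and other permission bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "key is accessible to group or other users"; return 1; }
    k=$(modulus_digest key "$1") || { echo "cannot read private key"; return 1; }
    c=$(modulus_digest csr "$2") || { echo "cannot read CSR"; return 1; }
    x=$(modulus_digest crt "$3") || { echo "cannot read certificate"; return 1; }
    [ "$k" = "$c" ] || { echo "CSR was not generated from this key"; return 1; }
    [ "$k" = "$x" ] || { echo "certificate does not match this key"; return 1; }
    echo "ok"
}

# Build sample material with the article's commands from steps 4B, 5 and 6.2.
make_sample() {                          # usage: make_sample DIR
    ( cd "$1" && umask 077 &&
      openssl genrsa -out domainname.key 2048 &&
      openssl req -new -key domainname.key -out domainname.csr \
              -subj "/CN=mysubdomain.mydomain.com" &&
      openssl x509 -req -days 365 -in domainname.csr \
              -signkey domainname.key -out domain.crt ) >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir" &&
    check_tls_material "$demo_dir/domainname.key" "$demo_dir/domainname.csr" \
                       "$demo_dir/domain.crt"
rm -rf "$demo_dir"
```

Apache refuses to start when the certificate and key do not match, so running check_tls_material against the real files first avoids an outage on restart. A key created with a passphrase (step 4A) will prompt for it when read.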

 

And that’s all it takes to install the SSL certificate on your site.