In simple terms, an SSL certificate (strictly a TLS certificate today, but the old name has stuck) is like a digital passport issued to a website by a certificate authority (CA). It is used to establish an encrypted connection for transferring data between the browser and the website.
Now comes the question: what problem does this solve?
It gives the customers of the site a safe and secure environment in two ways: encryption and identification. First, by establishing an encrypted connection, only the intended recipient can read the information sent. Second, because the CA checks that the requester controls the domain before signing, the certificate binds the site's public key to its name, so the browser can tell it is talking to the genuine site rather than to a man-in-the-middle presenting some other key.
How do customers know that the site is using SSL?
Most browsers display a security icon, usually a small locked padlock, when the site is secured. Older browsers also turned the whole address bar green for Extended Validation (EV) certificates; the major browsers dropped that indicator in 2019, so today users see the padlock (and no warning page) regardless of the certificate type installed on your server. Read more about it here.
Follow the steps below to install SSL on your website:
1. Procure an SSL certificate, or, if you first want to test your website without spending money on SSL, use a self-signed certificate (see section 6.2).
2. Log in to your server.
3. Install OpenSSL if it is not found on your server, or upgrade it. Be aware of the Heartbleed bug (CVE-2014-0160): OpenSSL 1.0.1 through 1.0.1f leak server memory, private key included, to any client that asks. Run openssl version and make sure you are on 1.0.1g or later (preferably a currently supported release).
4. Create the private key on the Apache server.
You can create the private key either encrypted with a passphrase or unencrypted. Remember that if you choose an encrypted key, Apache will prompt for the passphrase every time it starts or restarts (unless you configure SSLPassPhraseDialog to obtain it from a program), which breaks unattended reboots. An unencrypted key avoids that, but it must then be protected by file permissions so that only root can read it.
A. Create a private key encrypted with a passphrase (the original command used triple DES; AES-256 is the better choice today, as 3DES is obsolete):
openssl genrsa -aes256 -out domainname.key 2048
(openssl genrsa -des3 -out domainname.key 2048 also works, but encrypts the key with the weaker 3DES cipher.)
B. Create a private key without encryption:
openssl genrsa -out domainname.key 2048
Store this key (and the passphrase, if you set one) somewhere secure, readable only by root (mode 600), and never copy it off the server: anyone who obtains it can impersonate your site. If you lose it, you will have to create a new private key, a new CSR and a new certificate, because the old certificate is useless without its key.
You can view the contents of the key with the following command:
openssl rsa -noout -text -in domainname.key
The generated key file should begin with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----. (OpenSSL 3.x writes keys in PKCS#8 form by default, so the header there reads -----BEGIN PRIVATE KEY-----; Apache accepts either.)
5. Generate a CSR (Certificate Signing Request) on the Apache server using the RSA private key generated above:
a) openssl req -new -key domainname.key -out domainname.csr
You will now be prompted for some information about your website, which will be visible to anyone who inspects the certificate in the browser:
Country Name (2 letter code): US
State or Province Name: North Carolina // enter the full name, not an abbreviation
Locality Name: Raleigh
Organization Name: Company Ltd
Organizational Unit Name: IT
Common Name: mysubdomain.mydomain.com
Email Address: some_email_address
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password: leave blank
An optional company name: leave blank
The Common Name is where you enter the fully qualified domain name of the website you need the certificate for. Be aware that current browsers (Chrome since version 58, and others since) ignore the Common Name and match the host name only against the subjectAltName (SAN) extension, so a certificate without a SAN is rejected as not matching the site. Public CAs add the SAN for you from the names you order; for a self-signed certificate you have to add it yourself (see section 6.2).
Note: for wildcard certificates, the Common Name should be in the format *.mydomain.com. A wildcard covers exactly one label: *.mydomain.com matches www.mydomain.com but neither mydomain.com itself nor a.b.mydomain.com.
b) You can verify the content of the CSR with the following command:
openssl req -noout -text -in domainname.csr
6. Get a trusted third-party certificate or create a self-signed certificate:
6.1 Use a CA-signed certificate if you don't want warnings like "Unknown Publisher", "Untrusted" or "Unverified". Read about CAs here.
Now submit your CSR to a trusted third-party SSL Certificate Authority (CA) such as GeoTrust or GlobalSign when purchasing the certificate. Send only the .csr file; the private key stays on your server and is never given to the CA. You will receive a certificate file and a CA bundle (the intermediate certificates that chain your certificate up to the CA's root).
Install the certificate on the Apache server:
a) Copy the certificate file to /etc/ssl/ssl.crt/domain.crt
b) Copy the bundle file to /etc/ssl/certs/CA_Bundle.crt:
– If a .crt (PEM) file is provided, copy it to /etc/ssl/certs/CA_Bundle.crt as it is.
– If a .p7b (PKCS#7) file is provided, extract the certificates from it first. The original command left out -print_certs, without which openssl only re-encodes the PKCS#7 container instead of writing out the certificates:
openssl pkcs7 -print_certs -in CA_Bundle.p7b -out CA_Bundle.crt
Add -inform der if the .p7b is binary rather than PEM (a PEM file starts with -----BEGIN PKCS7-----). Then copy the resulting .crt file to /etc/ssl/certs/CA_Bundle.crt.
6.2 Use a self-signed certificate if the site is for testing purposes only. No CA vouches for it, so every browser will show a warning on each visit; never use one on a public site.
a) Generate a self-signed certificate valid for 365 days with the following command:
openssl x509 -req -days 365 -in domainname.csr -signkey domainname.key -out domain.crt
Note that openssl x509 -req does not copy extensions from the CSR, so the certificate produced this way has no subjectAltName; supply the SAN again through -extfile if you want current browsers to accept the host name.
b) Copy the certificate file to /etc/ssl/ssl.crt/domain.crt
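The whole path from step 4 to section 6.2, as an added example that is not part of the original post: it generates the key and a CSR carrying a subjectAltName, self-signs it with the SAN preserved, and then runs the three checks worth doing before touching Apache (key, CSR and certificate carry the same public key; the SAN is really in the certificate; the certificate verifies for the host name). It assumes OpenSSL 1.1.1 or newer (for req -addext); the host name test.example.com and the work directory ./ssl-demo are placeholders.

```shell
#!/bin/sh
# Added example, not the original post's code.  Walks steps 4 to 6.2 and then
# checks that key, CSR and certificate belong together.
# Assumptions: OpenSSL 1.1.1+ (req -addext); HOST and WORKDIR are placeholders.
set -eu

HOST="${SSL_DEMO_HOST:-test.example.com}"
WORKDIR="${SSL_DEMO_DIR:-./ssl-demo}"

command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

# Step 4B: unencrypted 2048-bit RSA key.  The umask in the subshell makes the
# file mode 0600 from the moment it is created, so no other user can read it.
make_key() {
  mkdir -p "$WORKDIR"
  ( umask 077 && openssl genrsa -out "$WORKDIR/$HOST.key" 2048 2>/dev/null )
}

# Step 5: CSR with the same subject fields the post's prompts ask for, given
# non-interactively via -subj, plus the SAN extension current browsers require.
make_csr() {
  openssl req -new -key "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.csr" \
    -subj "/C=US/ST=North Carolina/L=Raleigh/O=Company Ltd/OU=IT/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" 2>/dev/null
}

# Step 6.2: self-signed certificate from the CSR.  x509 -req drops the CSR's
# extensions, so the SAN is supplied again through -extfile.
make_selfsigned() {
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORKDIR/san.ext"
  openssl x509 -req -days 365 -in "$WORKDIR/$HOST.csr" \
    -signkey "$WORKDIR/$HOST.key" -extfile "$WORKDIR/san.ext" \
    -out "$WORKDIR/$HOST.crt" 2>/dev/null
}

# Check 1: key, CSR and certificate carry the same public key.  A mismatch is
# the usual cause of "certificate does not match private key" at Apache start.
keys_match() {
  k=$(openssl pkey -in "$WORKDIR/$HOST.key" -pubout 2>/dev/null | openssl sha256)
  r=$(openssl req -in "$WORKDIR/$HOST.csr" -pubkey -noout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORKDIR/$HOST.crt" -pubkey -noout 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Check 2: the SAN actually made it into the certificate.
san_present() {
  openssl x509 -in "$WORKDIR/$HOST.crt" -noout -text 2>/dev/null | grep -q "DNS:$HOST"
}

# Check 3: the certificate verifies and matches the host name.  A self-signed
# certificate is its own trust anchor, so it is passed as the -CAfile.
cert_valid() {
  openssl verify -CAfile "$WORKDIR/$HOST.crt" -verify_hostname "$HOST" \
    "$WORKDIR/$HOST.crt" >/dev/null 2>&1
}

main() {
  make_key && make_csr && make_selfsigned
  keys_match && san_present && cert_valid \
    && echo "key, CSR and certificate in $WORKDIR are consistent for $HOST"
}

main
```

The same three checks apply unchanged to a CA-issued certificate from section 6.1: compare the public key of the .crt you receive against your key, and verify it with -CAfile pointing at the CA bundle instead of at the certificate itself.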
7. Edit the Apache config file:
– Open the Apache site configuration file found at /etc/apache2/sites-enabled/your_site_name.conf (on Debian and Ubuntu this is a symlink to the file in sites-available; edit that one).
– Configure the <VirtualHost> block for port 443 with SSLEngine on and the paths to the certificate and key, and redirect the plain-HTTP <VirtualHost> to it:
Redirect permanent / https://example.com/ // placed in the port-80 block, so that a URL opened over http is sent to https
SSLCertificateChainFile /etc/ssl/certs/CA_Bundle.crt // remove this line if the certificate is self-signed. The directive is obsolete since Apache 2.4.8; on current versions append the CA bundle to the end of the file named in SSLCertificateFile instead.
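The pair of <VirtualHost> blocks the step above describes, as an added example rather than the post's own configuration. The certificate and bundle paths are the ones used in section 6.1; the key path /etc/ssl/private/domain.key, the host name example.com and the DocumentRoot are assumptions. The protocol and HSTS lines are hardening the post does not mention; TLSv1.3 needs Apache 2.4.36 or later built against OpenSSL 1.1.1, and the Header line needs mod_headers (a2enmod headers).

```apacheconf
# Added example, not the post's own config. Key path, host name and
# DocumentRoot are assumptions; certificate paths follow section 6.1.
<VirtualHost *:80>
    ServerName example.com
    # Every plain-HTTP request goes to the HTTPS site
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile      /etc/ssl/ssl.crt/domain.crt
    SSLCertificateKeyFile   /etc/ssl/private/domain.key
    # Intermediate bundle from the CA; drop this line for a self-signed cert.
    # Obsolete since Apache 2.4.8: there, append the bundle to domain.crt.
    SSLCertificateChainFile /etc/ssl/certs/CA_Bundle.crt

    # Weak setting the defaults may still allow:
    #   SSLProtocol all -SSLv2
    # Corrected: only TLS 1.2 and 1.3; SSLv3, TLS 1.0 and 1.1 are retired.
    SSLProtocol             -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder     on
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

    # Tell browsers to use HTTPS only from now on (needs mod_headers).
    # Start with a short max-age until the redirect is known to work.
    Header always set Strict-Transport-Security "max-age=300"
</VirtualHost>
```

Run Apache's configtest after saving so a typo in this file does not take the server down on restart.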
8. Enable the SSL module for Apache with the following command:
sudo a2enmod ssl
9. As SSL runs on port 443, Apache needs to listen on that port. Make the change in the ports configuration file /etc/apache2/ports.conf (on Debian and Ubuntu it already contains Listen 443 inside an <IfModule ssl_module> block, which takes effect once the module is enabled). Open port 443 in your firewall as well.
10. Now restart your Apache server with the following command (run Apache's configtest first, so that a configuration error does not leave the server down):
sudo /etc/init.d/apache2 restart
On systemd-based distributions use sudo systemctl restart apache2 instead.
And that's all there is to installing the SSL certificate on your site. To confirm it worked, open https://example.com in a browser and check the padlock, or connect with openssl's s_client and check that the handshake completes and the verify return code is 0 (a self-signed certificate reports code 18, "self signed certificate", which is expected for a test site).