Search form

Adding an SSL Certificate on Apache

I do this just infrequently enough to forget the details. So here's the process for purchasing and installing a SSL certificate for https on your Linux/Apache web server (using Ubuntu 12.04 and Apache 2.2 here):

Generate Local Key/CSR, Purchase SSL Certificate

  1. Generate your key and CSR on your server.
    $ openssl req -nodes -newkey rsa:2048 -keyout mysite.com.key -out mysite.com.csr -subj "/C=country/ST=state/L=city/O=company/OU=my department/CN=mysite.com"
    
  2. Move the .key file to your .keys directory, readable only by root. e.g., /etc/ssl/keys.
    $ mv mysite.com.key /etc/ssl/keys/.
    $ chmod 400 mysite.com.key
    
  3. Purchase a certificate from InCommon, GeoTrust, etc. You'll need to send them the contents of the .csr file generated in step 1. Most likely you're purchasing an Apache/ModSSL or Apache/OpenSSL certificate.
  4. The certificate authority will prompt you to download the certificate (a .cer or .crt file). Download it as 'X509 certificate only'.

Install Your SSL Certificate

  1. Put the file in your certificates directory on your web server (e.g., /etc/ssl/certs), and chown/chmod to root:root 644.
  2. If your certificate is an intermediate certificate (likely), your issuer will also give you a file like mysite_com.ca-bundle that "chains" your certificate to a trusted root certificate. Put this bundle file somewhere like /etc/ssl/bundle/ and chown/chmod to root:root 644.
  3. Set up the mysite-ssl virtualhost in your Apache configuration with links to your .key and .cer/.crt files:
    <VirtualHost *:443>
            ServerAdmin me@mysite.com
            ServerName mysite.com
    
            DocumentRoot /path/to/mysite.com
    
            SSLEngine on
            SSLCertificateFile    /etc/ssl/certs/mysite.com.cer
            SSLCertificateKeyFile /etc/ssl/keys/mysite.com.key
            # If you have a chained certificate, add this as well
            SSLCACertificateFile  /etc/ssl/bundle/mysite_com.ca-bundle
    </VirtualHost>
    
  4. Restart Apache:
    $ /etc/init.d/apache2 restart
    
  5. Test your site to make sure it works with SSL: https://mysite.com/
  6. If you want to force SSL on your site or certain pages, you could use mod_rewrite:
    <Location /login.php>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    >/Location>
    

Categories: