HOW-TO Setup SSL in Apache on Ubuntu server

This time I will show you my quick way to handle an SSL certificate, from the request at the CA (Certificate Authority) to the installation on Apache.

1. Generating CSR (Certificate Signing Request) file for Apache

The first step in getting the certificate is to generate a private key and a CSR file for this key, which we then send to the CA (Certificate Authority – the organization that will generate a trusted certificate for us). Afterwards we install the pair formed by our private key and the trusted certificate that we got from the CA on our web server.

First we generate a private key; the best place to do this is the /etc/apache2/ssl directory on the server.
If we want a key with a password, we run this command (the password will be asked for every time the Apache server is started or restarted):

openssl genrsa -des3 -out PVK.pem 2048

or, if we want a key without password protection, we run the following command:

openssl genrsa -out PVK.pem 2048

The next step is to generate the CSR file related to our newly generated private key:

openssl req -new -key PVK.pem -out CSR.pem

After that command, openssl will ask you for some information about your organization and about the site that you want to protect with the new certificate.

OK, now we have two files: PVK.pem, our private key, and CSR.pem, the certificate signing request that we will send to our CA.

Before we send our CSR.pem file to the CA in order to generate a trusted certificate, we can check that everything is OK with our newly generated key and CSR, with the following commands:

Private key verification:

openssl rsa -noout -text -in PVK.pem

CSR file verification:

openssl req -noout -text -in CSR.pem

2. Sending files to CA

Now we have everything needed to request our new SSL certificate from the CA. We send the CSR.pem file to one of the SSL companies (e.g. Godaddy.com) and in reply they send us a *.crt file, which we will install on our apache2 server together with our private key (PVK.pem). Only CSR.pem is sent; PVK.pem stays on the server.
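
Once the CA's reply arrives, it is worth checking that the certificate, the CSR and PVK.pem all carry the same public key and that the key file is not readable by other users. The script below is an added example, not part of the original article; the function names are made up here, and it builds throwaway sample files (a self-signed certificate stands in for the CA's reply) so that it runs offline.

```sh
#!/bin/sh
# Added example (not from the original article). File names follow the
# article; the helper function names are hypothetical.

# Print a SHA-256 digest of the public key inside a key, CSR or certificate.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl rsa  -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if KEY, CSR and CERT all carry the same public key.
same_keypair() {
    k=$(pubkey_digest key  "$1") || return 1
    r=$(pubkey_digest csr  "$2") || return 1
    c=$(pubkey_digest cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Succeed only if the key file grants nothing to group or others.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample data: a throwaway key and CSR made with the article's
# commands, a self-signed certificate standing in for the CA's reply, and an
# unrelated second key.
demo=$(mktemp -d) || exit 1
trap 'rm -rf "$demo"' EXIT
openssl genrsa -out "$demo/PVK.pem" 2048 2>/dev/null
openssl genrsa -out "$demo/other.pem" 2048 2>/dev/null
openssl req -new -key "$demo/PVK.pem" -subj "/CN=example.com" -out "$demo/CSR.pem"
openssl x509 -req -in "$demo/CSR.pem" -signkey "$demo/PVK.pem" \
    -days 1 -out "$demo/example_com.crt" 2>/dev/null
chmod 600 "$demo/PVK.pem"
chmod 644 "$demo/other.pem"

for key in PVK.pem other.pem; do
    if same_keypair "$demo/$key" "$demo/CSR.pem" "$demo/example_com.crt"; then
        echo "$key: matches CSR and certificate"
    else
        echo "$key: does NOT match"
    fi
    key_is_private "$demo/$key" || echo "$key: readable by group/others, run chmod 600"
done
```

On a real server, call same_keypair with the paths of PVK.pem, CSR.pem and the *.crt file received from the CA before restarting Apache.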

3. Installing trusted SSL certificate on Apache2

First we must enable the SSL support on our server…

a2enmod ssl

If Apache is not installed on our server yet, we can install it by typing the following command (on Ubuntu the apache2 package already includes mod_ssl):

sudo apt-get install apache2

Next, let’s say we already have a configured and running virtual host named example.com; we need to copy this virtual host and make it SSL friendly. To do this, we go to the /etc/apache2/sites-available directory

cd /etc/apache2/sites-available

and we should copy this virtual host as example.com-ssl

cp example.com example.com-ssl

Then we open the example.com-ssl file with our favourite text editor and make some changes: set the listening port for this virtual host to 443 and add the 4 directives which activate SSL support.

SSLEngine On
# the certificate that we got from the CA
SSLCertificateFile /etc/apache2/ssl/example_com.crt
# private key
SSLCertificateKeyFile /etc/apache2/ssl/PVK.pem
# the chain that authorizes the 2 items; it depends on what we get in reply from the CA
# (mod_ssl keeps only the last SSLCertificateChainFile in a virtual host, so several
# chain certificates belong concatenated in a single file)
SSLCertificateChainFile /etc/apache2/ssl/AddTrustExternalCARoot.crt
SSLCertificateChainFile /etc/apache2/ssl/COMODOHigh-AssuranceSecureServerCA.crt

The whole VirtualHost section may look like below:

<VirtualHost *:443>
	ServerAdmin webmaster@example.com
	ServerName example.com
	ServerAlias www.example.com
	DocumentRoot /home/www/example.com/public_html

	SSLEngine On
	# the certificate that we got from the CA
	SSLCertificateFile /etc/apache2/ssl/example_com.crt
	# private key
	SSLCertificateKeyFile /etc/apache2/ssl/PVK.pem
	# the chain that authorizes the 2 items; it depends on what we get in reply from the CA
	SSLCertificateChainFile /etc/apache2/ssl/AddTrustExternalCARoot.crt
	SSLCertificateChainFile /etc/apache2/ssl/COMODOHigh-AssuranceSecureServerCA.crt

	<Directory /home/www/example.com/public_html>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		Allow from all
	</Directory>

	CustomLog /home/www/example.com/log/access-ssl.log combined
	ErrorLog /home/www/example.com/log/error-ssl.log
</VirtualHost>

And that’s it! If we want, we can also add a redirection which forces all traffic to use the secure connection. In this case we need to add these simple mod_rewrite rules inside our VirtualHost section (this time the “normal” one, on port 80; the rewrite module must be enabled):

RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]

The whole VirtualHost may look like below:

<VirtualHost *:80>
	ServerAdmin webmaster@example.com
	ServerName example.com
	ServerAlias www.example.com
	DocumentRoot /home/www/example.com/public_html

	RewriteEngine on
	RewriteCond %{SERVER_PORT} ^80$
	RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>

Now we only need to enable this virtual host

a2ensite example.com-ssl

and restart Apache

/etc/init.d/apache2 restart

If in the first step we chose a private key protected with a password, Apache will ask us for this password now; if we chose a key without a password, Apache should just start normally.

And that’s it: now, after typing http://example.com in the browser, we will be redirected to the secure connection https://example.com, which will use our newly installed certificate.
