HOW-TO Setup SSL in Apache on Ubuntu server
This time I will show you my quick way of handling an SSL certificate, from the request to the CA (Certificate Authority) to the installation on Apache.
1. Generating CSR (Certificate Signing Request) file for Apache
The first step in getting the certificate is to generate a private key and a CSR file related to this key, which we will then send to the CA (Certificate Authority, the organization that will generate a trusted certificate for us). Next we will install the pair formed by our private key and the trusted certificate that we got from the CA on our web server.
First we generate a private key. The best place to do this is the /etc/apache2/ssl directory on the server.
If we want a key with a password, we run this command (the password will be asked for every time the Apache server is started or restarted):
openssl genrsa -des3 -out PVK.pem 2048
or, if we want a key without password protection, we run the following command:
openssl genrsa -out PVK.pem 2048
The next step is to generate the CSR file related to our newly generated private key:
openssl req -new -key PVK.pem -out CSR.pem
After that command, the application will ask you for some information about your organization and about the site that you want to protect with the new certificate.
OK, now we have two files: PVK.pem, our private key, and CSR.pem, the certificate signing request that we will send to our CA.
Before we send our CSR.pem file to the CA in order to get a trusted certificate, we can check that everything is OK with our newly generated key and CSR, using the following commands:
Private key verification:
openssl rsa -noout -text -in PVK.pem
CSR file verification:
openssl req -noout -text -in CSR.pem
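The two commands above print the files for a human to read. As an added example (not part of the original post), the script below turns the same check into a pass/fail test that the CSR really belongs to PVK.pem; the function names, the /CN=example.com subject and the file-permission check are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on the key/CSR
# pair before the CSR is sent to the CA. Assumes a key without a passphrase.

# Print the RSA modulus of a private key or of a CSR.
key_modulus() { openssl rsa -noout -modulus -in "$1" 2>/dev/null; }
csr_modulus() { openssl req -noout -modulus -in "$1" 2>/dev/null; }

# check_csr KEY CSR -> 0 when the pair is consistent, otherwise the number
# of the check that failed (1..4).
check_csr() {
    key=$1 csr=$2
    # 1: the private key must be internally consistent
    openssl rsa -check -noout -in "$key" >/dev/null 2>&1 || return 1
    # 2: the CSR's self-signature must verify
    openssl req -verify -noout -in "$csr" >/dev/null 2>&1 || return 2
    # 3: the CSR must carry the public half of *this* private key
    [ "$(key_modulus "$key")" = "$(csr_modulus "$csr")" ] || return 3
    # 4: the key file must not be readable by group or others
    case $(stat -c '%a' "$key") in
        [0-7]00) ;;
        *) return 4 ;;
    esac
    return 0
}

# Constructed demo in a temporary directory; -subj answers the questions
# that "openssl req -new" would otherwise ask interactively.
demo_check_csr() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/PVK.pem" 2048 2>/dev/null
    chmod 600 "$d/PVK.pem"
    openssl req -new -key "$d/PVK.pem" -subj "/CN=example.com" -out "$d/CSR.pem"
    rc=0
    check_csr "$d/PVK.pem" "$d/CSR.pem" || rc=$?
    rm -rf "$d"
    return $rc
}
```

On the server the call would be `check_csr /etc/apache2/ssl/PVK.pem /etc/apache2/ssl/CSR.pem`; a return code of 3 means the CSR was generated from a different key.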
2. Sending files to CA
Now we have all the files needed to request our new SSL certificate from the CA. We send the CSR.pem file to one of the SSL companies (e.g. Godaddy.com etc.), and in reply they will send us a *.crt file, which we will install on our apache2 server together with our private key (PVK.pem).
3. Installing trusted SSL certificate on Apache2
First we must enable SSL support on our server:
a2enmod ssl
If we don't have SSL support installed on our server yet, we can install it by typing the following command:
sudo apt-get install apache2 libapache-mod-ssl
Next, let's say we already have a configured and running virtual host named example.com. We need to copy this virtual host and make it SSL-friendly. To do this, we go to the /etc/apache2/sites-available directory
cd /etc/apache2/sites-available
and we should copy this virtual host as example.com-ssl
cp example.com example.com-ssl
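Then we open the example.com-ssl file with our favourite text editor and make some changes: set the listening port for this virtual host to 443 and add the 4 directives which activate SSL support (SSLEngine, SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile). Apache does not allow a comment on the same line as a directive, so each comment sits on its own line.
SSLEngine On
# the certificate that we got from the CA
SSLCertificateFile /etc/apache2/ssl/example_com.crt
# private key (generated in step 1 in /etc/apache2/ssl)
SSLCertificateKeyFile /etc/apache2/ssl/PVK.pem
# the chain that authorizes the 2 items, here it depends on what we get in reply from the CA
# (only one SSLCertificateChainFile is used per virtual host, the last one, so
# several intermediate certificates from the CA belong in a single file)
SSLCertificateChainFile /etc/apache2/ssl/AddTrustExternalCARoot.crt
SSLCertificateChainFile /etc/apache2/ssl/COMODOHigh-AssuranceSecureServerCA.crt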
The whole VirtualHost section may look like below:
<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/www/example.com/public_html
    SSLEngine On
    # the certificate that we got from the CA
    SSLCertificateFile /etc/apache2/ssl/example_com.crt
    # private key (generated in step 1 in /etc/apache2/ssl)
    SSLCertificateKeyFile /etc/apache2/ssl/PVK.pem
    # the chain that authorizes the 2 items, here it depends on what we get in reply from the CA
    SSLCertificateChainFile /etc/apache2/ssl/AddTrustExternalCARoot.crt
    SSLCertificateChainFile /etc/apache2/ssl/COMODOHigh-AssuranceSecureServerCA.crt
    <Directory /home/www/example.com/public_html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    CustomLog /home/www/example.com/log/access-ssl.log combined
    ErrorLog /home/www/example.com/log/error-ssl.log
</VirtualHost>
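Before Apache is restarted with this virtual host, it is worth confirming that the files named by SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile actually fit together. The script below is an added example, not part of the original post; the function names are assumptions, and in the constructed demo a self-signed certificate stands in for the CA's reply.

```shell
#!/bin/sh
# Added example (not from the original post): checks on the CA's reply
# before Apache is pointed at it. Assumes an RSA key without a passphrase.

# check_cert KEY CERT CHAIN -> 0 when the files fit together, otherwise the
# number of the check that failed (1..3).
check_cert() {
    key=$1 cert=$2 chain=$3
    # 1: the certificate must contain the public half of our private key,
    #    otherwise Apache cannot load the pair
    k=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 1
    [ "$k" = "$c" ] || return 1
    # 2: the certificate must still be valid one day (86400 s) from now
    openssl x509 -noout -checkend 86400 -in "$cert" >/dev/null 2>&1 || return 2
    # 3: the certificate must verify against the issuers in the chain file
    #    (openssl also consults the system trust store)
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || return 3
    return 0
}

# Constructed demo: a self-signed certificate stands in for the CA's reply
# and doubles as its own chain file.
demo_check_cert() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/PVK.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/PVK.pem" -subj "/CN=example.com" \
        -days 30 -out "$d/example_com.crt"
    rc=0
    check_cert "$d/PVK.pem" "$d/example_com.crt" "$d/example_com.crt" || rc=$?
    rm -rf "$d"
    return $rc
}
```

A return code of 1 means the certificate was issued for a different key than the one on the server, and 3 means the chain file does not contain the issuer of the certificate.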
And that's it! If we want, we can also add a redirection which will force all the traffic to use the secure connection. In this case we need to add these simple mod_rewrite rules inside our VirtualHost section (this time the "normal" one, on port 80):
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
The whole VirtualHost may look like below:
<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/www/example.com/public_html
    RewriteEngine on
    RewriteCond %{SERVER_PORT} ^80$
    RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>
Now we only need to enable this Virtual Host
a2ensite example.com-ssl
and restart Apache
/etc/init.d/apache2 restart
If in the first step we chose a private key protected with a password, Apache will ask us for this password now. If we chose a key without a password, Apache should just start normally.
And that's it. Now, after typing http://example.com in the browser, we will be redirected to the secure connection https://example.com, which will use our newly installed certificate.