Tuesday, 26 June 2012

How to install an SSL certificate for Apache, from start to finish

  1. Create an SSL key to use to generate the certificate signing request

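    (Save this, you’ll need it to install the certificate.) To generate the key for the Certificate Signing Request (CSR), run the following command from a terminal prompt. The trailing 1024 is the key size in bits; certificate authorities now require RSA keys of at least 2048 bits, so use 2048 when generating a new key: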

    openssl genrsa -des3 -out server.key 1024
    Generating RSA private key, 1024 bit long modulus
    .....................++++++
    .................++++++
    unable to write 'random state'
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
     
    Enter a passphrase.

    Now we’ll remove the passphrase from the key, so that you don’t have to enter this passphrase whenever you restart Apache:

    openssl rsa -in server.key -out server.key.insecure
    mv server.key server.key.secure
    mv server.key.insecure server.key
  2. Generate a certificate signing request

    openssl req -new -key server.key -out server.csr
     
    It will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the server.csr file.
    You can now submit this CSR file to a Certificate Authority (CA) for processing. The CA will use this CSR file and issue the certificate.
  3. Purchase an SSL certificate

    You will be asked to supply the CSR that you generated in #2.
  4. Install the SSL key from #1, the SSL certificate from #3, and the SSL issuer root certificates (aka “bundle” or “chain”).

    On an Ubuntu server, I usually upload the files here:

    /etc/apache2/ssl/domain.com.key
    /etc/apache2/ssl/domain.com.crt
    /etc/apache2/ssl/domain.com.bundle
  5. Modify your Apache vhost

    Note: Apache only supports one SSL vhost per IP address.
    Replace {ip_address} with the public IP address of the server:

    <VirtualHost {ip_address}:443>
        DocumentRoot /var/www/vhosts/domain.com
    
        SSLEngine on
        SSLVerifyClient none
        SSLCertificateFile /etc/apache2/ssl/domain.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/domain.com.key
        SSLCertificateChainFile /etc/apache2/ssl/domain.com.bundle
    
        <Directory /var/www/vhosts/domain.com>
            AllowOverride All
            order allow,deny
            allow from all
            Options -Includes -ExecCGI
            AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml application/x-javascript
        </Directory>
    </VirtualHost>
  6. Restart Apache

    /etc/init.d/apache2 restart
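
Because step 1 strips the passphrase, file permissions are the only protection left for the key installed in step 4. The following shell check is an added example, not part of the original post: it reads a vhost file, finds each SSLCertificateKeyFile, and fails when an unencrypted key is accessible by group or other. The function names, the sample vhost and the dummy key are constructed for illustration.

```shell
# Added example, not from the original post; the sample files are constructed.

# key_state FILE: prints "missing", "encrypted" or "plaintext".
key_state() {
    [ -f "$1" ] || { echo missing; return 0; }
    # Traditional PEM flags encryption with a Proc-Type header; PKCS#8 uses
    # its own BEGIN line. A key stripped with "openssl rsa" has neither.
    if grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"; then
        echo encrypted
    else
        echo plaintext
    fi
}

# key_exposed FILE: succeeds when group or other hold any permission bit.
key_exposed() {
    # Characters 5-10 of the ls mode string are the group and other triplets.
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# audit_vhost CONF: one line per SSLCertificateKeyFile; returns 1 when a key is
# missing or a plaintext key is accessible beyond its owner (paths: no spaces).
audit_vhost() {
    rc=0
    for key in $(awk 'tolower($1) == "sslcertificatekeyfile" { gsub(/"/, "", $2); print $2 }' "$1"); do
        state=$(key_state "$key")
        if [ "$state" = missing ]; then
            echo "MISSING $key"; rc=1
        elif [ "$state" = plaintext ] && key_exposed "$key"; then
            echo "FAIL $key: plaintext key accessible beyond owner"; rc=1
        else
            echo "OK $key ($state)"
        fi
    done
    return "$rc"
}

# make_sample DIR: writes a constructed vhost and a dummy (non-functional) key.
make_sample() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/domain.com.key"
    chmod 644 "$1/domain.com.key"
    printf '<VirtualHost *:443>\n    SSLEngine on\n    SSLCertificateKeyFile %s\n</VirtualHost>\n' \
        "$1/domain.com.key" > "$1/vhost.conf"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d" && audit_vhost "$d/vhost.conf"
fi
```

A FAIL line is normally cleared by making the key owned by root with mode 600, since Apache reads the key as root at startup.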
Source: jonathonhill
