Tuesday, 26 June 2012

How to install an SSL certificate for Apache, from start to finish

  1. Create an SSL key to use to generate the certificate signing request

    (Save this, you’ll need it to install the certificate). To generate the keys for the Certificate Signing Request (CSR) run the following command from a terminal prompt:

    openssl genrsa -des3 -out server.key 1024
    Generating RSA private key, 1024 bit long modulus
    unable to write 'random state'
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
    Enter a passphrase.

    Now we’ll remove the passphrase from the key, so that you don’t have to enter this passphrase whenever you restart Apache:

    openssl rsa -in server.key -out server.key.insecure
    mv server.key
    mv server.key.insecure server.key
  2. Generate a certificate signing request

    openssl req -new -key server.key -out server.csr
    It will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the server.csr file.
    You can now submit this CSR file to a Certificate Authority (CA) for processing. The CA will use this CSR file and issue the certificate.
  3. Purchase an SSL certificate

    You will be asked to supply the CSR that you generated in #2.
  4. Install the SSL key from #1, the SSL certificate from #3, and the SSL issuer root certificates (aka “bundle” or “chain”).

    On an Ubuntu server, I usually upload the files here:

  5. Modify your Apache vhost

    Note: Apache only supports one SSL vhost per IP address.
    Replace {ip_address} with the public IP address of the server:

    <VirtualHost {ip_address}:443>
        DocumentRoot /var/www/vhosts/
        SSLEngine on
        SSLVerifyClient none
        SSLCertificateFile /etc/apache2/ssl/
        SSLCertificateKeyFile /etc/apache2/ssl/
        SSLCertificateChainFile /etc/apache2/ssl/
        <Directory /var/www/vhosts/>
            AllowOverride All
            order allow,deny
            allow from all
            Options -Includes -ExecCGI
            AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml application/x-javascript
  6. Restart Apache

    /etc/init.d/apache2 restart

No comments:

Post a Comment