Generating and using an SSL certificate in apache2 isn’t exactly straightforward for the uninitiated. Here’s how to do it on Debian/Ubuntu; it’s similar on CentOS and others, but this will give you an idea.
apache2 ssl setup
First you have to enable Apache SSL support:

a2enmod ssl
Now you have to set up apache2 to handle SSL for your site, so create a new file like the one below (change yourdomain and pathtositeroot to your actual values; this example also has a lot of extra stuff you probably don’t need, like the custom log setup, so delete whatever you want):

vi /etc/apache2/sites-available/yourdomain.com.ssl

NameVirtualHost 216.105.40.109:443
<VirtualHost www.logicalwebhost.com:443>
    # SSL Configuration
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/yourdomain.com.csr
    SSLCertificateKeyFile /etc/apache2/ssl/yourdomain.com.key
    #SSLCertificateChainFile /etc/apache2/ssl/logicalwebhost/sf_issuing.crt
    DocumentRoot /pathtositeroot/yourdomain.com/www/
    ScriptAlias /cgi-bin/ /pathtositeroot/yourdomain.com/cgi/
    ServerAlias yourdomain.com www.yourdomain.com *.yourdomain.com
    ServerName www.yourdomain.com
    ErrorLog /pathtositeroot/yourdomain.com/logs/error_log
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog "|/usr/bin/cronolog /pathtositeroot/yourdomain.com/logs/%Y/%m/%d/access_log" combined
    AddType application/x-httpd-php .html
    <Directory />
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>
Now you have to reload apache2 and watch for errors:

/etc/init.d/apache2 reload

It shouldn’t give you any errors; if it does, you have to fix them or the rest of this won’t work right.
Next you generate the private key and the certificate signing request (CSR) for your site. Here we show a server with virtual hosts:

mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.com.key -out yourdomain.com.csr
It will ask you tons of stuff and look like:

Generating a 2048 bit RSA private key
.....................................+++
.......................+++
writing new private key to 'yourdomain.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:                          <-- enter your country
State or Province Name (full name) [Some-State]:            <-- enter your state
Locality Name (eg, city) []:                                <-- enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- enter your business/organization name
Organizational Unit Name (eg, section) []:                  <-- not required
Common Name (eg, YOUR name) []:                             <-- not required
Email Address []:                                           <-- your email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                    <-- you don't need this, many people don't use it
An optional company name []:
Now you should have 2 files in your ssl folder:

yourdomain.com.csr
yourdomain.com.key
You need to submit the contents of yourdomain.com.csr to the entity you bought the SSL certificate from, like GoDaddy, Network Solutions or whoever. They will tell you how to do that, but usually you just cut/paste it into their web portal where it prompts you.

cat yourdomain.com.csr

(copy the stuff below this line, yours will look different)
-----BEGIN CERTIFICATE REQUEST-----
MIICtTCCAZ0CAQAwcDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMREwDwYDVQQH
EwhTYW5EaWVnbzEYMBYGA1UEChMPU2Vhc29ucyBpbiBUaW1lMScwJQYJKoZIh
... ... (more lines) ... ...
27rskwojTRhjrqwrikYvRaISfigRztl8rnK81jiCzGBR9nN6WnM87IyH94EC177o
B5ZjioT/fyaHQXihlXqV7IXSTtG1NLs7sA==
-----END CERTIFICATE REQUEST-----
After you submit this information to them, they will generate either a yourdomain.com.CRT file (or a bundle file). Note it’s really easy to visually confuse the .csr and the .crt file, which is why I capitalized it here. The .csr is the request you send to them; the .crt is the certificate they send back to you, which they do after verifying that, if they go to your server and ask for your site’s SSL config files, what they get back matches what you cut/paste into their system. This means your server appears to be who it says it is, and they are therefore willing to be a third party who verifies it to shoppers/visitors to your site.
Now you have to put the .crt file they gave you back in your ssl folder and tell apache2 about it. So first, upload it (ftp, scp, whatever) to your webserver, then copy it to /etc/apache2/ssl:

cp /pathtowhereyourcrtfileis/yourdomain.com.crt /etc/apache2/ssl/
chown www-data.www-data /etc/apache2/ssl/yourdomain.com.crt
Now you have to update your apache2 Virtual Host information for that site:
vi /etc/apache2/sites-available/yourdomain.com.ssl

    SSLCertificateFile /etc/apache2/ssl/yourdomain.com.csr

(change this line to read like the one below, with the .crt instead)

    SSLCertificateFile /etc/apache2/ssl/yourdomain.com.crt

/etc/init.d/apache2 reload
Again, look for errors; you shouldn’t see any. Now go visit your site to see if it works over https/SSL:

https://www.yourdomain.com

You should see a little lock showing you that your third party has verified you have a valid SSL certificate that matches your information.
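The key/CSR step and the .csr-versus-.crt mix-up above are the places where this procedure most often goes wrong, so here is an added example (not from the original post) that generates the key and CSR non-interactively and then checks, before the reload, that the key matches the file you are about to install, that the file is really a certificate and not the request, and that the certificate covers your ServerName. It assumes openssl 1.1.1 or newer is on PATH; the domain, DN fields and directory are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the key and CSR
# non-interactively, then sanity-check the files before Apache ever sees them.
# Assumptions: openssl 1.1.1 or newer on PATH; the domain, subject fields and
# directory are placeholders you replace with your own values.
# Usage:  . ./sslcheck.sh; gen_key_csr yourdomain.com /etc/apache2/ssl
set -u

# Same as the interactive "openssl req" in the post, with the DN given on the
# command line and a SAN listing the bare and www hostnames (constructed values).
gen_key_csr() {
    domain="$1"; dir="$2"
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/C=US/ST=Some-State/L=Some-City/O=Example Org/CN=www.$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null
    chmod 600 "$dir/$domain.key"    # the key is the secret; .csr and .crt are public
}

# Print "csr", "crt" or "unknown" for a PEM file. This catches the .csr/.crt
# mix-up the post warns about before a request file lands in SSLCertificateFile.
pem_kind() {
    if openssl x509 -noout -in "$1" 2>/dev/null; then echo crt
    elif openssl req -noout -in "$1" 2>/dev/null; then echo csr
    else echo unknown; fi
}

# Succeed only if the private key and the CSR or certificate share one RSA
# modulus, i.e. the file you are about to submit or install belongs to this key.
key_matches() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    case "$(pem_kind "$2")" in
        crt) other_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) ;;
        csr) other_mod=$(openssl req -noout -modulus -in "$2" 2>/dev/null) ;;
        *)   return 1 ;;
    esac
    [ -n "$key_mod" ] && [ "$key_mod" = "$other_mod" ]
}

# Succeed only if the certificate's CN/SAN covers the ServerName from the
# Apache vhost, so the browser lock in the last step will actually appear.
cert_covers_host() {
    openssl x509 -noout -checkhost "$2" -in "$1" 2>/dev/null | grep -q "does match"
}
```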