
Using An SSL Certificate With Apache


When your website transmits information from a user to your server, it is very important to encrypt it. The last thing you want is someone’s password being sniffed by a malicious user when they register or sign in. With Secure Sockets Layer (SSL), data is encrypted between client and server, which prevents malicious users from sniffing passwords in plain text.

The following will help you install an SSL certificate to one of your Apache web server virtual hosts.

Create your server key and certificate signing request (CSR)

Start by creating your server private key. This key will be used when creating your certificate signing request. From your server, run the following to create the key:

sudo openssl genrsa -des3 -out server.key 2048

I strongly recommend you use a key size of 2048 bits or higher, as anything lower is not secure.

Now that you have your private key you can create the certificate signing request:

sudo openssl req -new -key server.key -out server.csr

You will be asked many questions when creating your CSR. Answer them to the best of your ability, but take particular care with the Common Name. This must be the hostname that the certificate will protect or the server IP. For example, use api.yoursite.com as the Common Name. Leave the challenge password blank.

Now this next part is entirely up to you. If you don’t want to have to enter your key password every time Apache starts, you’ll need to remove the password. Keep in mind that the key is then stored unencrypted on disk, so make sure only root can read it. The following will remove the password on the private server.key file:

sudo cp server.key server.key.org
sudo openssl rsa -in server.key.org -out server.key

Pick your SSL certificate authority

It’s time to figure out where you want to buy your SSL certificate. I use Namecheap, and they offer PositiveSSL certificates for a very fair price, but it’s up to you what you’d like to choose. The differences between certificate authorities are usually related to overall customer service. However, some of the cheaper ones may not be recognized by all browsers or by older browsers. You’ll have to do some research.

Set up your SSL certificate with Apache

We will be setting up SSL for a particular domain. In other words, we did not purchase a wildcard certificate. If you went the same route as I did and got the PositiveSSL certificate you should have been sent an archive with the following files inside:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • yoursite.crt

Start by finding the virtual host you want to edit. You can probably find it in /etc/apache2/sites-available. Let’s use the following example:

<VirtualHost *:80>
        ServerName api.yoursite.com
        DocumentRoot /path/to/your/site
</VirtualHost>

<VirtualHost *:443>
        ServerName api.yoursite.com
        DocumentRoot /path/to/your/site
        SSLEngine on
        SSLCertificateFile /path/to/your/cert/yoursite.crt
        SSLCertificateKeyFile /path/to/your/private/key/server.key
        SSLCertificateChainFile /path/to/your/cert/chain.pem
</VirtualHost>

You’ll notice a lot of this looks familiar. If the site is accessed on port 80 (http), it is served without SSL. If the site is accessed on port 443 (https), it is served with SSL. However, you’ll notice that there is the following line:

SSLCertificateChainFile /path/to/your/cert/chain.pem

This is actually a concatenation of all your certificate files. It tells the web browser the order in which to look up the certificates. The order of concatenation is important. If you’re using PositiveSSL, you can create this file by doing the following:

cat yoursite.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > chain.pem

Save the virtual host file and reload Apache. If everything went smoothly, you should be able to navigate to https://yoursite.com (or whatever you registered the certificate common name as) and see that it is verified and secure.
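
Before reloading Apache, it helps to confirm that server.key belongs to yoursite.crt and that chain.pem was concatenated leaf first. The script below is an added example, not part of the original article; the function names and the throwaway demo CA it generates as sample input are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original article. Function names and the
# throwaway demo CA are assumptions; only the file names follow the article.

# Succeeds when the private key and the certificate hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when each certificate in the bundle names the next one as its
# issuer (a name comparison only; signatures are not verified here).
chain_in_order() {
    d=$(mktemp -d) || return 1
    awk -v d="$d" '/BEGIN CERTIFICATE/ {n++} n {print > (d "/" n ".pem")}' "$1"
    i=1 rc=0
    [ -f "$d/1.pem" ] || rc=1
    while [ -f "$d/$((i + 1)).pem" ]; do
        iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer_hash)
        sub=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject_hash)
        [ "$iss" = "$sub" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$d"
    return "$rc"
}

# Constructed sample input: a one-day root CA and a leaf for api.yoursite.com.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/ca.crt" -subj "/CN=Demo Root" -days 1 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -out "$1/server.csr" -subj "/CN=api.yoursite.com" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 2 -days 1 -out "$1/yoursite.crt" 2>/dev/null
    cat "$1/yoursite.crt" "$1/ca.crt" > "$1/chain.pem"   # leaf first
    cat "$1/ca.crt" "$1/yoursite.crt" > "$1/wrong.pem"   # reversed
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo "$demo"
key_matches_cert "$demo/server.key" "$demo/yoursite.crt" && echo "key matches certificate"
chain_in_order "$demo/chain.pem" && echo "chain.pem is in order"
chain_in_order "$demo/wrong.pem" || echo "wrong.pem is out of order"
```

To check real files, call the two functions with your own server.key, yoursite.crt and chain.pem instead of the generated demo files.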

Nic Raboy


Nic Raboy is an advocate of modern web and mobile development technologies. He has experience in C#, JavaScript, Golang and a variety of frameworks such as Angular, NativeScript, and Unity. Nic writes about his development experiences related to making web and mobile development easier to understand.