When you have a website that transmits information from a user to your server it is very important to encrypt it. The last thing you want is someones password being sniffed by a malicious user when they register or sign in. By using Secure Socket Layer (SSL), data is encrypted between client and server preventing any malicious users from sniffing your password in plain text.
The following will help you install an SSL certificate to one of your Apache web server virtual hosts.
Start by creating your server private key. This key will be used when creating your certificate signing request. From your server, run the following to create the key:
sudo openssl genrsa -des3 -out server.key 2048
I strongly recommend you use 2048 strength or higher as anything lower is not secure.
Now that you have your private key you can create the certificate signing request:
sudo openssl req -new -key server.key -out server.csr
You will be asked many questions when creating your CSR. Answer all questions to the best of your ability with the exception of the Common Name. This must be the URL that the certificate will protect or the server IP. For example use api.yoursite.com as the Common Name. Leave the challenge password blank.
Now this next part is entirely up to you. If you don’t want to have to enter your key password every time Apache starts you’ll need to remove the password. The following will remove the password on the private server.key file:
sudo cp server.key server.key.org sudo openssl rsa -in server.key.org -out server.key
It’s time to figure out where you want to buy your SSL certificate. I use Namecheap, and they offer PositiveSSL certificates for a very fair price, but it’s up to you what you’d like to choose. The differences between certificate authorities are usually related to overall customer service, however, some of the cheaper ones may not be recognized by all browsers or older browsers. You’ll have to do some research.
We will be setting up SSL for a particular domain. In other words, we did not purchase a wildcard certificate. If you went the same route as I did and got the PositiveSSL certificate you should have been sent an archive with the following files inside:
Start by finding the virtual host you want to edit. You can probably find it in /etc/apache2/sites-available. Let’s use the following example:
<virtualhost *:80> ServerName api.yoursite.com DocumentRoot /path/to/your/site </virtualhost> <VirtualHost *:443> ServerName api.yoursite.com DocumentRoot /path/to/your/site SSLEngine on SSLCertificateFile /path/to/your/cert/yoursite.crt SSLCertificateKeyFile /path/to/your/private/key/server.key SSLCertificateChainFile /path/to/your/cert/chain.pem </VirtualHost>
You’ll notice a lot of this looks familiar. If the site is accessed from port 80 (http), then display the site without SSL. If the site is accessed from port 443 (https) then display the site with SSL. However you’ll notice that there is the following line:
This is actually a concatenation of all your certificate files. It tells the web browser the order which to look up the certificate. The order of concatenation is important. If you’re using PositiveSSL you can accomplish this file by doing the following:
cat yoursite.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > chain.pem
Save the virtual host file and reload it in Apache. If everything went smooth you should be able to navigate to https://yoursite.com (or whatever you registered the certificate common name as) and see that it is verified and secure.