Creating & Installing SSL Certificate on Apache

Purchase a Certificate

If you are interested in securing your site, and you are the administrator for the site, follow these steps.  These steps are for creating and installing an SSL certificate on an Apache server.  The process will be similar on other web servers, but I recommend looking for documentation specific to them.

One can purchase an SSL certificate from any SSL provider.  I purchased a certificate from a site called Cheap SSL Certificates.  Yes, they were the cheapest.  Each certificate is $6.98 per year, or you can pay for three years and it works out to roughly $4.00 a year.

HINT: Cheap SSL Certificates also provide chat support for a total of $5.00.  Very reasonable and they did provide great support if you are not sure how to configure the certificates.
  1. Create an account with your SSL provider (cheapsslsecurity.com).

PRODUCTS

Look at their products, and you should see a list of the various certificates available.  I purchased a regular domain certificate for one subdomain.  This will only work for one subdomain.  You will need to purchase more certificates if you have multiple subdomains.  Another option is to purchase a wildcard certificate.

PURCHASE

Once purchased, you will have to generate your CSR.  CSR stands for Certificate Signing Request, which is a request that you will generate from your server.  You can also use the web-based CSR generation tool.  This tool will ask you for details about the administrator of the site.

GENERATE CSR

Generate the CSR through the seller's web-based CSR generation tool.

Image: Web Based CSR Generator (Generate CSR)

Place a copy of the CSR in a file called subdomain.domain.com.csr, then download the private key and place it in a file called subdomain.domain.com.key.

Alternatively, you can take the OpenSSL command produced by the CSR generation tool and run it on the command line of your own server, so that the private key is generated on the server itself:

openssl req -new -newkey rsa:2048 -sha256 -nodes -out sub.domain.com.csr -keyout sub.domain.com.key -subj "/C=US/ST=Florida/L=Plantation/OU=Ricks Blog/CN=sub.domain.com"

The command will reflect your domain settings. Running it will generate two files, your CSR and your key.  You will now have to create your certificate with the seller.  Enter the contents of your CSR into the seller's interface to generate the certificate.

VALIDATE CERTIFICATE

You will need to validate the certificate.  One way to do it is by creating a TXT record through your DNS host.  I use GoDaddy, so you can manage your DNS there and create a TXT record with the hash code provided by your SSL seller.  It might take up to an hour for the DNS to update.  Once this is done you will be able to validate that you are the owner of the domain.

Image: DNS TXT file for validation

Once it has been validated, you can download your certificate.  You will get multiple files in a zip file.  The content will look like this:

Image: SSL seller zip content (certificate file download and needed files)

Copy the contents from the www_domain_com file into your crt file.

Place a copy of the My_CA_Bundle file in your directory where your certificates will be.

For permissions and ownership of the files, please see the PERMISSIONS section below.

PERMISSIONS

You should change the ownership of these files to whatever user runs your webserver.  In my case it's apache.  For example, you can change the file ownership with:
chown apache:apache file

Also, your file permissions should be 600 for both.
chmod 600 filename
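
A check worth running at this point, as an added example that is not part of the original post: it compares the public key inside the private key, the CSR and the issued certificate, and confirms the key file is mode 600. The function names and the self-signed stand-in certificate built by make_demo_set are assumptions for illustration, and the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the private key,
# the CSR and the issued certificate all carry the same public key, and that
# the key file has the mode 600 the post recommends, before reloading Apache.

# Print the SHA-256 of the public key found in a key, CSR or certificate file.
pubkey_fp() {  # $1 = key|csr|crt, $2 = path
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 1      # wrong file type (e.g. a CSR given as the crt)
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 only when key, CSR and certificate match and the key is mode 600.
check_cert_set() {  # $1 = key file, $2 = CSR file, $3 = certificate file
    k=$(pubkey_fp key "$1") || { echo "cannot read private key: $1" >&2; return 1; }
    r=$(pubkey_fp csr "$2") || { echo "not a CSR: $2" >&2; return 1; }
    c=$(pubkey_fp crt "$3") || { echo "not a certificate: $3" >&2; return 1; }
    if [ "$k" != "$r" ] || [ "$k" != "$c" ]; then
        echo "public keys differ: key, CSR and certificate do not belong together" >&2
        return 1
    fi
    case "$(ls -ld "$1")" in
        -rw-------*) ;;
        *) echo "private key is not mode 600: $1" >&2; return 1 ;;
    esac
    echo "OK: $3 matches $1"
}

# Constructed sample input: a throwaway key and CSR made with the post's
# openssl req command, plus a self-signed stand-in for the seller's certificate.
make_demo_set() {  # $1 = directory, $2 = base name (both hypothetical)
    openssl req -new -newkey rsa:2048 -sha256 -nodes -out "$1/$2.csr" \
        -keyout "$1/$2.key" -subj "/C=US/ST=Florida/CN=sub.domain.com" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 1 \
        -out "$1/$2.crt" 2>/dev/null &&
    chmod 600 "$1/$2.key"
}

# Usage: sh check_cert_set.sh sub.domain.com.key sub.domain.com.csr sub.domain.com.crt
if [ "$#" -eq 3 ]; then check_cert_set "$@"; fi
```

A mismatch here usually means the certificate was issued for a different CSR than the key on the server, which Apache would otherwise only report when it fails to start.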

CONFIGURING APACHE

Whether you use your virtualhost file or your httpd.conf file to configure your Apache webserver is up to you and depends on how you have configured your server. Here are the basics.

#SSL STUFF...
      SSLEngine on
      SSLCertificateFile /etc/apache2/crts/mysite.crt
      SSLCertificateKeyFile /etc/apache2/crts/mysite.key
      SSLCertificateChainFile /etc/apache2/crts/DigiCertCA.crt
  • SSLCertificateFile – should point to the location of your crt file.
  • SSLCertificateKeyFile – should point to your key file.
  • SSLCertificateChainFile – should point to the CA bundle file you received in the download from your SSL seller.

If you need further information on how to configure your Apache web server, use the following link: https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm
