The Short and Sweet SSL How-to

Got a site you need to serve up via SSL? Here are your CliffsNotes. This assumes 1) your site already runs without SSL; 2) you’re using Apache and Ubuntu; 3) you don’t want any browser warnings, so no self-signed certificates.

1. Generate a Private Key

$ openssl genrsa -des3 -out 2048

The -des3 flag encrypts the key file, so you have to assign a passphrase when you run this command. However, you’ll want to immediately strip the passphrase so Apache can start unattended (if you’d rather not go through both steps, leave off -des3 and the key is written unencrypted from the start). Either way, the private key then sits on disk protected by nothing but file permissions, which is why step 3 locks them down. To strip the passphrase:

$ openssl rsa -in -out

You now have:

2. Generate a Certificate Signing Request (CSR)

You’ll supply the CSR to a certificate provider (Thawte, Verisign, GoDaddy, etc). Only the CSR leaves your server; the private key never goes to the provider.

$ openssl req -new -key -out

There is only one question you have to answer when you run this command. For the Common Name, enter the domain from which the site will be served. Include the www only if you serve the site with the www prefix. For this example, we’ll use to answer this question. You can ignore all the other questions. One caveat: current browsers match a certificate on its Subject Alternative Name entries rather than on the Common Name, so check that the certificate you receive lists the hostname there too (providers normally add it from the Common Name or from the names you select when ordering).

You now have:

3. Get the CSR signed by an Authority

Godaddy is cheap and fast: a single-domain certificate costs $49 per year, and is issued immediately. The signing process consists of:

The whole process takes about 15 minutes.

You now have:

Put all of these in /etc/apache2/ssl/, and restrict permissions so only root can read them. The private key is the only secret among them, but there is no harm in locking the certificates down as well. Note that chmod 400 means “readable by the owner only”, so the files (and the directory) must be owned by root for this to mean what you want. Apache reads the key as root during startup, before it drops privileges, so the key does not need to be readable by www-data:

$ chmod 400 /etc/apache2/ssl/*

4. Configure the SSL version of your site

These three directives go inside the site’s *:443 VirtualHost, alongside SSLEngine on:

SSLCertificateFile /etc/apache2/ssl/
SSLCertificateKeyFile /etc/apache2/ssl/
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt

(On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated; the provider’s intermediate certificates can instead be appended to the file named by SSLCertificateFile.)

5. Enable the site

It’s always a good idea to check your syntax first: $ apache2ctl configtest. If the ssl module isn’t enabled (on a stock Ubuntu Apache it is not), enable it: $ a2enmod ssl. Then enable the new site configuration with a2ensite and restart Apache.

You should now be able to access

If Apache refuses to restart, double-check that you have the right .crt and .key files associated with the right configurations in Apache. The certificate and the key have to belong to the same key pair; installing a certificate that was issued for a CSR generated from a different key is the most common way to get this wrong.
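The whole procedure above, as an added example that is not part of the original post: it runs steps 1, 2 and 4 non-interactively, requests a Subject Alternative Name in the CSR, locks the key down as in step 3, and adds the consistency checks you want before and after the provider returns the certificate (does this CSR or certificate belong to this key; is the key owner-read-only; does the certificate chain to a trusted root through the bundle). The hostname example.com (with www), a scratch directory standing in for /etc/apache2/ssl, gd_bundle.crt as the chain file, and all the function names are assumptions for illustration. cert_chain_ok needs the real certificate and bundle, so it is defined but not exercised.

```shell
#!/bin/bash
# Added example, not from the original post. Assumed: hostname example.com,
# a scratch directory in place of /etc/apache2/ssl, gd_bundle.crt as chain.
set -eu

DOMAIN="${DOMAIN:-example.com}"          # assumed stand-in hostname
WORKDIR="${WORKDIR:-$(mktemp -d)}"       # stand-in for /etc/apache2/ssl
KEY="$WORKDIR/$DOMAIN.key"
CSR="$WORKDIR/$DOMAIN.csr"
CFG="$WORKDIR/csr.cnf"

# Step 1: private key. Leaving off -des3 writes the key unencrypted straight
# away (what Apache needs for unattended starts), so there is no passphrase to
# strip. umask 077 means the file is never group/world-readable, not even
# between creation and the chmod.
make_key() {
    ( umask 077 && openssl genrsa -out "$KEY" 2048 2>/dev/null )
    chmod 400 "$KEY"
}

# Step 2: CSR, answered non-interactively through a config file. CN is the
# hostname the site is served from; a subjectAltName is requested as well,
# because current browsers match the certificate on SAN entries, not on CN.
make_csr() {
    cat > "$CFG" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $DOMAIN
[ext]
subjectAltName = DNS:$DOMAIN, DNS:www.$DOMAIN
EOF
    openssl req -new -key "$KEY" -out "$CSR" -config "$CFG"
}

# Did the SAN actually make it into the CSR?
csr_has_san() { openssl req -noout -text -in "$1" | grep -q "DNS:www.$DOMAIN"; }

# Key, CSR and certificate all embed the same RSA modulus; comparing a hash of
# it tells you whether a given CSR or cert belongs to a given key. A mismatch
# is the usual reason Apache refuses to start after step 5.
modulus_of() {   # $1 = rsa | req | x509, $2 = file
    openssl "$1" -noout -modulus -in "$2" | openssl dgst -sha256
}
csr_matches_key()  { [ "$(modulus_of req  "$1")" = "$(modulus_of rsa "$2")" ]; }
cert_matches_key() { [ "$(modulus_of x509 "$1")" = "$(modulus_of rsa "$2")" ]; }

# Is the key readable by its owner only (the chmod 400 from step 3)?
# find prints the path if the group-read or other-read bit is set.
key_is_private() { [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ]; }

# After the provider returns the certificate: does it chain to a root in the
# system trust store via the provider's intermediate bundle? ($1 cert, $2 bundle)
cert_chain_ok() { openssl verify -untrusted "$2" "$1" >/dev/null; }

# Step 4: the vhost fragment. The three SSLCertificate* lines from the post
# live inside the *:443 VirtualHost together with SSLEngine on.
write_vhost() {
    cat > "$WORKDIR/$DOMAIN-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName $DOMAIN
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/$DOMAIN.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/$DOMAIN.key
    SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
</VirtualHost>
EOF
}

main() {
    make_key
    make_csr
    write_vhost
    csr_matches_key "$CSR" "$KEY" && echo "CSR matches key"
    csr_has_san "$CSR" && echo "CSR requests SAN for $DOMAIN and www.$DOMAIN"
    key_is_private "$KEY" && echo "key is owner-read-only"
    echo "send $CSR to the provider; $KEY stays on the server"
}
main
```

Once the provider's .crt and gd_bundle.crt are in place, run the same modulus comparison between the certificate and the key (cert_matches_key) and the chain check (cert_chain_ok) before restarting Apache; a failure there is the “refuses to restart” case from step 5, caught before it takes the site down.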
