Got a site you need to serve up via SSL? Here are your Cliffs notes. This assumes 1) your site already runs without SSL; 2) you’re using Apache and Ubuntu; 3) you don’t want any browser warnings, so no self-signed certificates.
1. Generate a Private Key
$ openssl genrsa -des3 -out yourdomain.com.key.orig 2048
You have to assign a passphrase when you run this command. However, you’ll want to immediately strip the passphrase so Apache can start unattended. To strip the passphrase:
$ openssl rsa -in yourdomain.com.key.orig -out yourdomain.com.key
You now have:
- yourdomain.com.key: the private key without a passphrase.
2. Generate a Certificate Signing Request (CSR)
You’ll supply the CSR to a certificate provider (Thawte, VeriSign, GoDaddy, etc).
$ openssl req -new -key yourdomain.com.key -out yourdomain.com.csr
There is only one question you have to answer when you run this command. For the Common Name, enter the domain from which the site will be served. Include the www only if you serve the site with the www prefix. For this example, we’ll use yourdomain.com to answer this question. You can ignore all the other questions.
You now have:
- yourdomain.com.key: the private key
- yourdomain.com.csr: the Certificate Signing Request
3. Get the CSR signed by an Authority
GoDaddy is cheap and fast: a single-domain certificate costs $49 per year, and is issued immediately. The signing process consists of:
- paying for the SSL certificate
- uploading the yourdomain.com.csr file you created in step 2
- downloading a zip file with two .crt files in it
The whole process takes about 15 minutes.
You now have:
- yourdomain.com.key: the private key
- yourdomain.com.crt: the certificate for your domain
- gd_bundle.crt: the intermediate certificate. It will be named something else if you didn’t get your certificate through GoDaddy.
- yourdomain.com.csr: the Certificate Signing Request
Put all of these in /etc/apache2/ssl/, and restrict permissions so only root can read:
$ chmod 400 /etc/apache2/ssl/*
4. Configure the SSL version of your site
- Find the <VirtualHost> configuration for your site. On Ubuntu, it’s in /etc/apache2/sites-available/yourdomain
- Copy /etc/apache2/sites-available/yourdomain to /etc/apache2/sites-available/yourdomain-ssl
- Edit yourdomain-ssl:
  - At the top, change the VirtualHost directive from <VirtualHost *:80> to <VirtualHost *:443>.
  - Inside the VirtualHost, include the following lines. SSLEngine on is what makes mod_ssl handle the connection; without it Apache answers plain HTTP on port 443:
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/yourdomain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/yourdomain.com.key
    SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
5. Enable the site
It’s always a good idea to check your syntax first:
$ apache2ctl configtest
If SSL isn’t enabled in your Apache build (unlikely), enable it:
$ a2enmod ssl
- Enable your site:
$ a2ensite yourdomain-ssl
- Restart Apache:
$ /etc/init.d/apache2 restart
You should now be able to access https://yourdomain.com. If Apache refuses to restart, double-check that you have the right .crt and .key files associated with the right configurations in Apache.
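The whole procedure as one non-interactive script, added here as an example; it is not from the original post. It covers steps 1 and 2 (key and CSR) and the double-check the last paragraph asks for: before restarting Apache it confirms that the certificate was issued for the key on disk, that it chains to the bundle, and that its Common Name is the domain you serve, which are the usual reasons a freshly configured SSL site fails to start or throws browser warnings. Assumptions: OpenSSL 1.0.2 or later is on PATH; the key is generated without a passphrase in one step rather than with -des3 and then stripped (the resulting file is the same); the function names and the two-word command interface are mine, and the file names mirror the post’s yourdomain.com and /etc/apache2/ssl.

```shell
#!/bin/sh
# Added example (not from the original post). Non-interactive key + CSR
# generation (steps 1-2) and a pre-flight consistency check (step 5).
# Assumes OpenSSL 1.0.2+ on PATH. Function names are the example's own.

# make_key_and_csr DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key (readable only by its owner) and OUTDIR/DOMAIN.csr.
make_key_and_csr() {
  mkdir -p "$2"
  # No -des3: the key is created without a passphrase, so no prompt and
  # nothing to strip afterwards. Protect it with file permissions instead.
  openssl genrsa -out "$2/$1.key" 2048 2>/dev/null
  chmod 400 "$2/$1.key"
  # -subj answers the interactive questions; the CN is the field the CA uses.
  openssl req -new -key "$2/$1.key" -subj "/CN=$1" -out "$2/$1.csr" 2>/dev/null
}

# common_name FILE KIND   (KIND is csr or crt) -> prints the subject CN
common_name() {
  case "$2" in
    csr) openssl req  -noout -subject -nameopt RFC2253 -in "$1" ;;
    crt) openssl x509 -noout -subject -nameopt RFC2253 -in "$1" ;;
  esac | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# pubkey_fingerprint FILE KIND   (KIND is key, csr or crt)
# SHA-256 of the DER-encoded public key, so any two of the three files can be
# compared: equal fingerprints mean the same key pair.
pubkey_fingerprint() {
  case "$2" in
    key) openssl pkey -in "$1" -pubout -outform DER ;;
    csr) openssl req  -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    crt) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | sed 's/^.*= //'
}

# preflight DOMAIN CRT KEY CHAIN
# Returns 0 only if CRT's public key belongs to KEY, CRT chains to the
# certificates in CHAIN (the bundle the CA shipped), and CRT's CN is DOMAIN.
preflight() {
  domain="$1"; crt="$2"; key="$3"; chain="$4"
  if [ "$(pubkey_fingerprint "$crt" crt)" != "$(pubkey_fingerprint "$key" key)" ]; then
    echo "preflight: $crt was not issued for the key in $key" >&2
    return 1
  fi
  # The bundle's certificates are treated as trust anchors here, which
  # confirms the leaf was signed by the intermediate you are about to serve.
  if ! openssl verify -CAfile "$chain" "$crt" >/dev/null 2>&1; then
    echo "preflight: $crt does not chain to $chain" >&2
    return 1
  fi
  if [ "$(common_name "$crt" crt)" != "$domain" ]; then
    echo "preflight: certificate CN is '$(common_name "$crt" crt)', expected $domain" >&2
    return 1
  fi
  echo "preflight: $crt, $key and $chain are consistent for $domain"
}

# Usage (file names as in the post):
#   sh ssl-check.sh csr   yourdomain.com /etc/apache2/ssl
#   sh ssl-check.sh check yourdomain.com /etc/apache2/ssl /etc/apache2/ssl/gd_bundle.crt
case "${1:-}" in
  csr)   make_key_and_csr "$2" "$3" ;;
  check) preflight "$2" "$3/$2.crt" "$3/$2.key" "$4" ;;
esac
```

Run the check step after copying the files into /etc/apache2/ssl/ and before a2ensite: a key mismatch is reported as such, instead of surfacing as an opaque "Apache refuses to restart", and a CN that does not match the served hostname is caught before a browser warns about it.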