How To Install Apache SSL Certificates

Pre-Conditions = Certificate Signing Request Generated, Signed Certificates Received from CA (Certificate Authority)

Note – To set up https and Apache SSL (on port 443) in an Amazon EC2 web services environment you must make sure to add a security group for https. This is how you do it.

Signed Certificate Apache Install Pre-Conditions

Before you can install the certificate into Apache you must have

  • the private key file (.key) generated by openssl here
  • your website certificate file (.crt) sent by the cert. authority
  • the certificate authority’s certificate file (.crt)

Install Certificates and Private Key

To install your private key file, your website certificate and the certification authority’s certificate you must rename them, create an apache ssl folder, copy them in and tighten up the private key’s permissions.

This site is www.build-business-websites.co.uk so follow our naming conventions (but use your website’s name). Our certification authority is GoDaddy.

  • rename your cert like this www.build-business-websites.co.uk.crt
  • rename the private key to www.build-business-websites.co.uk.key
  • rename your certification authority cert to reflect the name eg go-daddy.crt
  • Now create /etc/apache2/ssl folder if it does not exist
  • Copy the 3 files (2 certificates and 1 private key file) into /etc/apache2/ssl
  • Lock down your private key file with the chmod 400 command given below

To lock down your private key – ensure that only the root user (who starts the Apache process) can read the file (Apache should itself run as a non-root user – usually www-data on Ubuntu).

sudo chmod 400 /etc/apache2/ssl/www.build-business-websites.co.uk.key

In place of www.build-business-websites.co.uk put your domain name in. Now you are ready to enable Apache’s SSL module.
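Before moving on it is worth confirming that the three files actually belong together. The script below is an added example, not part of the original page: it checks the key's permissions, that the certificate was issued for this private key, and that the certificate verifies against the CA file and has not expired. The function names and the throwaway demo certificates are assumptions made for illustration; it also assumes a Linux (GNU) stat and a key without a pass phrase.

```shell
# Added example (not from the original page). Returns the number of failed checks.
check_tls_bundle() {
    local key=$1 crt=$2 ca=$3 failures=0 mode key_pub crt_pub

    # 1. Private key readable by its owner only (what chmod 400 gives you).
    mode=$(stat -c '%a' "$key" 2>/dev/null)
    case $mode in
        400|600) ;;
        *) echo "FAIL: $key mode is '$mode', expected 400" >&2
           failures=$((failures + 1)) ;;
    esac

    # 2. The certificate must carry the public half of this private key.
    #    Assumes the key has no pass phrase (openssl would prompt otherwise).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: $crt was not issued for $key" >&2
        failures=$((failures + 1))
    fi

    # 3. The certificate must chain to the CA file (assumed to hold the chain
    #    up to a self-signed root) and must not have expired.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca" >&2
        failures=$((failures + 1))
    fi
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $crt has expired" >&2
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed sample input: a throwaway CA and site certificate in directory $1.
make_demo_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/site.key" -out "$1/site.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/site.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/site.crt" 2>/dev/null &&
    chmod 400 "$1/site.key"
}

d=$(mktemp -d)
make_demo_bundle "$d" && check_tls_bundle "$d/site.key" "$d/site.crt" "$d/ca.crt" &&
    echo "OK: key, certificate and CA certificate belong together"
rm -rf "$d"
```

To check the real files, call check_tls_bundle as root with the .key, your site .crt and the CA .crt from /etc/apache2/ssl, in that order.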

Enable Apache’s SSL Module

Enabling Apache’s SSL module is necessary for https to work and use the website and certificate authority’s .crt files. Two commands and a restart will enable SSL.

Enable Apache’s SSL module

sudo a2enmod ssl

Use Apache’s default SSL configuration

sudo a2ensite default-ssl

Restart the Apache service

sudo service apache2 restart

You may be asked for the pass phrase you used when generating the public/private key pair with openssl. This feature is out of favour so don’t worry if Apache just restarts peacefully.

Apache’s SSL Configuration Updates

Apache’s SSL (https) configuration happens in the default-ssl.conf file found in

/etc/apache2/sites-available/default-ssl.conf

Only 5 lines are changed (six if you include the ServerAdmin e-mail address). 2 of the 5 lines are the ServerName and ServerAlias (the first is your domain without the www and the second is your domain with the www).

The final 3 configurations point to the 2 certificate files and the SSL private key file. This just hooks up with where you put them inside the /etc/apache2/ssl folder.

SSLCertificateFile    /etc/apache2/ssl/www.build-business-websites.co.uk.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.build-business-websites.co.uk.key
SSLCACertificateFile  /etc/apache2/ssl/go-daddy.crt

default-ssl.conf

Stripped of comments the below is the default-ssl.conf after the config changes for https operation.

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin helpdesk@build-business-websites.co.uk
        ServerName build-business-websites.co.uk
        ServerAlias www.build-business-websites.co.uk
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/www.build-business-websites.co.uk.crt
        SSLCertificateKeyFile /etc/apache2/ssl/www.build-business-websites.co.uk.key
        SSLCACertificateFile  /etc/apache2/ssl/go-daddy.crt

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

SSL Configured – Certification Installed – HTTPS Ready

Finally – bounce (restart) the Apache web server so that it reads the new SSL configuration directives.

sudo service apache2 restart

That’s it. Fire up Google Chrome or Firefox and use https. Click on the padlock to read the details of the certificate. The line that says “This certificate is trusted” should make you feel proud.

What to Do After SSL / HTTPS Apache Install

Important – 3 Steps to Secure Your Web Environment

Installing the SSL certificate into Apache is like fitting a lock to a door. You’ve done well but if you don’t lock the door you’ve wasted your time.

After installing SSL (enabling certified HTTPS protocol usage) you should follow the below HowTo use cases.

  1. How To Force WordPress Admin to Use SSL
  2. How To Make Webpages 100% HTTPS Compliant
  3. My Menu Style Disappears When I Use SSL (HTTPS connection) – Help!
  4. How to Force Apache to globally use SSL
  5. How To Configure SSL for E-Mail, Subversion, MySQL, Jenkins, Bugzilla, MediaWiki, PhpMyAdmin, AWStats

Common SSL/HTTPS Help Topics – Glitches Resulting from HTTPS Usage

  1. My Menu Style Disappears When I Use SSL (HTTPS connection) – Help!
  2. Google Chrome Has a Warning Yellow Triangle and Grey Padlock – Help!

Addendum – Extra SSL / HTTPS Apache Install Notes

If HTTPS / SSL and Apache are refusing to work well together, try reading the below notes.

Configure Apache to use the Signed SSL Certificate

If you are using Ubuntu 12.04, you will need to add an entry to ‘/etc/apache2/ports.conf’ for the IP address you’ll be using to host your SSL-enabled site.

/etc/apache2/ports.conf

Create a line like the below but substitute your public IP address instead of the 23.24.25.26 one. But keep the colon and the https port which is usually set at 443.

NameVirtualHost 23.24.25.26:443

As above, replace “23.24.25.26” with the IP address of your SSL-enabled site.

Next, edit the virtual host configuration file for the site you would like to enable SSL on (www.mydomain.com in this example) and add the following stanza to it. Note that this example essentially reproduces the configuration for the non-SSL version of the site, with the addition of four lines for SSL. This example uses the CA certificate file for a certificate signed by Verisign.

/etc/apache2/sites-enabled/default-ssl.conf


<VirtualHost 23.24.25.26:443>
     SSLEngine On
     SSLCertificateFile /etc/apache2/ssl/www.mydomain.com.crt
     SSLCertificateKeyFile /etc/apache2/ssl/www.mydomain.com.key
     SSLCACertificateFile /etc/apache2/ssl/verisign.cer

     ServerAdmin info@mydomain.com
     ServerName www.mydomain.com
     DocumentRoot /var/www/mydomain.com/public_html/
     ErrorLog /var/www/mydomain.com/log/error.log
     CustomLog /var/www/mydomain.com/log/access.log combined
</VirtualHost>

Restart Apache:

service apache2 restart

You should now be able to visit your site with SSL enabled. Congratulations, you’ve installed a commercial SSL certificate!
