This article goes through the steps required to create and install a secure certificate on a website which will allow web traffic to be encrypted over https. The article uses the default website on an Apache 2 Ubuntu web server. It also mentions what to do for multiple websites each with their own secure certificate.
It is part of my other articles on setting up an Ubuntu Linux server hosted using Amazon Web Services, but the same principles can be applied to any website on any server as the steps are the same. The starting point for this article is a server that has been set up following the examples in my previous articles and in particular, “Hosting multiple websites on a single Apache server“.
Whilst you can create a local secure certificate on your web server, this article uses a purchased one from a cheap certificate provider with the domain authentication method. A local (self-signed) secure certificate will warn users visiting the site that it is not signed by a trusted authority and they should only visit it if they trust the site. Purchasing a secure certificate from an independent trusted provider will not present the warning to visitors.
However, trusted providers validate the purchaser so you need to be ready for that. In this example we are using domain authentication where the validity is verified through the domain owner or administrator. For this purpose, you will need access to the email mailbox that is registered with the domain registrar or an administration mailbox (admin, administrator, hostmaster, webmaster or postmaster).
The process
The process can be summarised as follows:
1. Create a private key on the web server
2. Create a Certificate Signing Request (CSR) for the website using the private key
3. Use the CSR to create a secure certificate at the trusted provider
4. Go through certificate payment and requestor authentication
5. Copy the new SSL certificate and provider’s Intermediate certificate to the web server
6. Move the new SSL, Intermediate certificate and private key to Apache folders
7. Edit the website configuration file to point to the cert/keys in the Apache folders
8. Enable the website’s SSL configuration (if not already done)
9. Reload the website configuration
10. Test the website using HTTPS
Before you begin
Make sure you have openssl installed and the Apache SSL module enabled before you begin.
sudo apt-get install openssl
sudo a2enmod ssl
sudo service apache2 restart
In this example, I am using the default Apache website configuration, which comes in two files: 001-default.conf for the normal website on port 80 (still using the “html” directory, as I’ve not edited it) and default-ssl.conf for secure traffic on port 443. I will assume that these are still set up as they were in the previous articles. Before starting, if you haven’t already done so, make a copy of the SSL configuration file for the default website.
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.orig
Now we will configure the SSL configuration file using “nano”.
sudo nano /etc/apache2/sites-available/default-ssl.conf
Or, as in the example, change into the directory and then edit the file (cd is a shell built-in, so it is run without sudo).
cd /etc/apache2/sites-available/
sudo nano default-ssl.conf
You can delete the comments and some of the entries from the configuration file, then add or replace entries until it reads like the one below. The entries you will need to change for other websites are ServerName, ServerAlias, ServerAdmin, DocumentRoot, the three SSL file paths and the Directory path.
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName example.com
        ServerAlias *.example.com
        ServerAdmin patrick.howe@example.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine On
        # Server certificate, its private key and the provider's intermediate.
        # File names match the ones copied into place in steps 5 and 6.
        SSLCertificateFile /etc/ssl/certs/buck-ssl.pem
        SSLCertificateKeyFile /etc/ssl/private/buck-private.key
        # SSLCertificateChainFile is the dedicated directive for the intermediate on
        # Apache 2.4.7 and earlier; on 2.4.8+ it can be appended to the SSLCertificateFile.
        SSLCACertificateFile /etc/ssl/certs/buck-intermediate.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /var/www/html>
            AllowOverride All
        </Directory>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 forceresponse-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
        # Refuse every request method other than GET and POST.
        # Requires mod_rewrite (sudo a2enmod rewrite), otherwise Apache will not start.
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} !^(GET|POST)
        RewriteRule .* - [F]
    </VirtualHost>
</IfModule>
The website’s secure configuration will not work until you have installed the secure certificate, so if it is not already disabled it would probably be best to disable it now.
sudo a2dissite default-ssl.conf
We need to move files between the server and the local machine using FTP, so make sure you are back in your Ubuntu home directory so we don’t have to worry about permissions.
cd ~
Step by step instructions
1. Create a private key on the web server
sudo openssl genrsa -out buck-private.key 2048
2. Create a Certificate Signing Request (CSR) for the website using the private key
openssl req -new -key buck-private.key -out buck-cert.csr
You will be prompted to enter your country, company and domain details. In this example:
Country Name: GB
State: London
City: London
Organization Name: My Web Minder
Organizational Unit: (leave blank)
Common Name: example.com
Email Address: (leave blank)
Challenge Password: (leave blank)
Optional Company Name: (leave blank)
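The same two steps done non-interactively, together with the checks worth running before the CSR is pasted into the provider’s site: that the CSR was really made from the key you intend to install, that its self-signature verifies, and that the Common Name is the domain you are buying the certificate for. This is an added example, not code from the original article; the subject values and the buck-private.key / buck-cert.csr file names are the ones the article uses, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): create the private key and the
# CSR without the interactive prompts, then check the CSR before submitting it.
# Subject fields are the article's values; file names are passed in by the caller.
set -eu

# make_key_and_csr KEYFILE CSRFILE COMMON_NAME
# Creates a 2048-bit RSA key and a CSR whose subject carries COMMON_NAME.
make_key_and_csr() {
    key=$1; csr=$2; cn=$3
    # umask 077 so the key file is never readable by other users, even briefly
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null )
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=GB/ST=London/L=London/O=My Web Minder/CN=$cn"
}

# csr_matches_key CSRFILE KEYFILE
# Succeeds only if the public key inside the CSR was derived from KEYFILE
# (both commands print "Modulus=<hex>", so the strings must be identical).
csr_matches_key() {
    csr_mod=$(openssl req -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ "$csr_mod" = "$key_mod" ]
}

# csr_common_name CSRFILE
# Prints the CN from the CSR subject (RFC2253 formatting puts CN first).
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_signature_ok CSRFILE
# The CSR is self-signed with the private key; a corrupted paste will fail here.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage, from the home directory as in the article:
#   make_key_and_csr buck-private.key buck-cert.csr example.com
#   csr_matches_key buck-cert.csr buck-private.key && echo "CSR belongs to key"
#   csr_common_name buck-cert.csr
```

Running the checks locally costs nothing, whereas a CSR generated from the wrong key is only discovered after the certificate has been paid for and Apache refuses to start because certificate and key do not match.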
3. Use the CSR to create a secure certificate at the trusted provider
Use FTP to copy the generated CSR file to your local machine so that you can paste its contents into the certificate generation process.
Open the CSR locally (in Notepad) and copy all of the contents (Ctrl+A and Ctrl+C) to the clipboard.
Visit a certificate reseller. I’ve used Trustico. The QuickSSL Basic domain authenticated option is a domain validated certificate from GeoTrust. It is a very quick process as they just email the domain owner (or admin contact), it’s very cheap (at the time of writing it costs £39+VAT for 1 year), it can be installed on multiple servers and the single www.example.com name also serves example.com (with some providers you would have needed two certificates for this).
Go through the screens after selecting QuickSSL Basic and then to Buy New and then 1 year (or more) and filling in your details which need to be correct, especially your email and phone number. Make sure you make a note of the memorable date that you enter as you’ll need it if you need to revisit the site to get your invoice and the details of the PEM files.
Select a “Submit Newly Generated Certificate Signing Request” and paste (Ctrl+V) in the contents of your CSR file. It will read these and if correct you can proceed to verification.
4. Go through certificate payment and requestor authentication
Email verification can be done using the contact information from WhoIs if that is available or from a general administrative email address at that domain. Whichever you choose you will need access to that mailbox or at the very least have some sort of forwarding in place (that’s been tested) on that mailbox redirecting email to a mailbox you do have access to.
Pay for the certificate.
Once paid for, an approver email is generated to the email address you chose. Click the link.
Approve.
Once approved, you’ll have to wait a few minutes before the final email from Trustico comes through with the tracking link (as before) but also with your certificate details at the end of the email.
I use the tracking link with my order number and memorable date to get my certificate and intermediate certificate and also get a copy of my invoice.
When you are at this stage, copy the contents of your SSL Certificate and Intermediate Certificate into two text files and name them with PEM extensions.
5. Copy the new SSL certificate and provider’s Intermediate certificate to the web server
Copy the PEM files to the server in the ubuntu home directory using your FTP client software.
6. Move the new SSL, Intermediate certificate and private key to Apache folders
Now from the CLI copy them to the appropriate places that you specified in default-ssl.conf. Copy the private key to /etc/ssl/private and the two certificates to /etc/ssl/certs using the following:
sudo cp buck-private.key /etc/ssl/private/
sudo cp buck-ssl.pem /etc/ssl/certs/
sudo cp buck-intermediate.pem /etc/ssl/certs/
7. Edit the website configuration file to point to the cert/keys in the Apache folders
You will not need to do anything here if you already followed the instructions in the “Before you begin” section. If not refer back to that section to edit the default-ssl.conf file using “nano”.
8. Enable the website’s SSL configuration (if not already done)
sudo a2ensite default-ssl.conf
9. Reload the website configuration
sudo service apache2 reload
10. Test the website using HTTPS
Finally, test the site over https from your web browser.
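Steps 6 to 10 as a script, with the checks I would want before the secure site is enabled: the certificate’s public key must come from the private key being installed, the chain certificate → intermediate → trusted root must verify the way a browser would build it (a forgotten intermediate is the most common cause of a warning that only appears on some browsers), the certificate must not be close to expiry, the key must be installed readable by root only, and Apache’s configuration must pass a syntax check before the reload. This is an added example, not the article’s own commands; the file names are the article’s, /etc/ssl/certs/ca-certificates.crt is Ubuntu’s default trust store, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original article): verify the certificate, intermediate
# and private key belong together, install them with safe permissions, then check
# the live listener. File names follow the article (buck-*.pem, buck-private.key).
set -eu

# cert_matches_key CERTFILE KEYFILE
# Succeeds only if the certificate was issued for the public half of KEYFILE.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# chain_verifies CERTFILE INTERMEDIATEFILE [CAFILE]
# Builds cert -> intermediate -> root from the system trust store, as a browser does.
# Fails when the intermediate is missing or belongs to a different CA.
chain_verifies() {
    cafile=${3:-/etc/ssl/certs/ca-certificates.crt}
    openssl verify -CAfile "$cafile" -untrusted "$2" "$1" >/dev/null 2>&1
}

# cert_valid_for_days CERTFILE DAYS
# Succeeds if the certificate will still be valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# install_files: steps 6, 8 and 9 with the permissions Ubuntu expects.
# The key is readable only by root; Apache reads it while still running as root.
install_files() {
    sudo install -m 0600 -o root -g root buck-private.key /etc/ssl/private/
    sudo install -m 0644 -o root -g root buck-ssl.pem buck-intermediate.pem /etc/ssl/certs/
    sudo apachectl configtest          # catch a typo before the running config is touched
    sudo a2ensite default-ssl.conf
    sudo service apache2 reload
}

# live_check HOSTNAME: step 10 from the command line. -servername sends SNI so the
# right VirtualHost answers on a server hosting several sites; the output shows the
# subject, issuer and validity dates of the certificate the server actually sent.
live_check() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Usage, from the home directory where the FTP upload landed:
#   cert_matches_key buck-ssl.pem buck-private.key || exit 1
#   chain_verifies buck-ssl.pem buck-intermediate.pem || exit 1
#   cert_valid_for_days buck-ssl.pem 30 || echo "renew soon"
#   install_files && live_check www.example.com
```

chain_verifies deliberately passes the intermediate with -untrusted rather than -CAfile: an intermediate that is only found in the trust store proves nothing about what the server will send, and the browser never has it in its store.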
Redirect http traffic to https in configuration file
If you want to redirect all traffic for your website to https, then you just need to add a redirect command to the configuration for port 80. Using the same website as above, this command will be added to 001-default.conf.
The command to add is:
Redirect permanent / https://www.example.com/
If you want to redirect all port 80 traffic to port 443 then you actually don’t need a lot in the configuration file other than the domain and the redirection.
If you don’t already have the configuration enabled you will need to do that.
After any changes remember to reload the Apache configurations. You shouldn’t forget as Apache will remind you after you made any site configuration changes.
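The complete port-80 file that the section above describes, generated and checked from the shell. It is an added example rather than the article’s own configuration: the www.example.com target and the 001-default.conf file name are the article’s, the log lines are the defaults from the SSL configuration earlier on the page, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original article): the minimal port-80 VirtualHost
# that redirects every request to https, written to 001-default.conf and checked.
set -eu

# redirect_vhost DOMAIN
# Prints the whole port-80 configuration: nothing but the names and the redirect.
redirect_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    ServerAlias www.$1
    # Nothing is served in clear text any more: a permanent (301) redirect for every path
    Redirect permanent / https://www.$1/
    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
}

# redirect_target CONFFILE
# Prints the https URL that a request for / on port 80 will be sent to.
redirect_target() {
    sed -n 's/^[[:space:]]*Redirect permanent \/ //p' "$1"
}

# enable_redirect_vhost DOMAIN: write, syntax-check, enable and reload (needs sudo).
# configtest runs before the reload so a broken file never reaches the running server.
enable_redirect_vhost() {
    redirect_vhost "$1" | sudo tee /etc/apache2/sites-available/001-default.conf >/dev/null
    sudo apachectl configtest
    sudo a2ensite 001-default.conf
    sudo service apache2 reload
}

# Usage:
#   redirect_vhost example.com            # inspect the generated file first
#   enable_redirect_vhost example.com     # then install it
```

Once this is in place the port-80 site should carry no DocumentRoot or content at all; anything that can only be reached over http is a page the certificate is not protecting.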
Other notes
For any other secure websites on the same Apache server, you can copy the default-ssl.conf and use the steps above, although you could reuse the private key if you wanted or create a new one.
This is part of a series of short articles covering setting up and maintaining a multiple domain web hosting environment using an Ubuntu Linux server. You can find an up-to-date list of those from the Hosting – Ubuntu category.
That’s all for today – I hope you found it useful.