Friday, 29 May 2015

Configuring SSL for Apache on Debian or Ubuntu

As root, Navigate to /path/to/certs        

Note: Default for Debian and Ubuntu is /etc/ssl/certs/
$ cd /path/to/certs      

To generate .CSR key to be signed by provider with Apache 2 and OpenSSL use the following command:

$ openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

Below are explanations for the values that you should provide.

Country Code: For this question, we will want to supply the 2-digit ISO abbreviation for your country.  If you’re in the United States, then your 2-digit ISO abbreviation will be US.
State or Province Name: This should be the full name of the state or province where your organization is located.  Do not abbreviate the name, you must use the full name.
Locality Name(city): This will be the town or city where your organization is located.  If your location is basedin Mountain View, CA, then your locality name would be Mountain View.
Organization Name: This should be the legal name of your organization.  If your organization is Example, LLC, then your CSR’s organization should be Example, LLC.
Organization Unit: This value should reflect the section of the section of your organization, such as accounting, marketing, billing, Information Technology, etc.
Common Name: This would be the fully qualified domain name for your website, for example if your website is https://www.example.com then your CSR’s common name should be www.example.com.
Email Address: An email address that can be used to contact your organization.
 
Note: You will be prompted to supply ‘extra’ attributes.  It is in most cases advised to leave these fields  blank, you can do so by just pressing enter at the prompt.
Once the files have been generated, we will need to print the the contents of example.com.csr by using the cat command.  This will generate an encrypted signature preceded by -----BEGIN CERTIFICATE REQUEST-----

and followed by -----BEGIN CERTIFICATE REQUEST-----, we will need to copy the contents of the file in its entirety into your ssl providers web ui.

Once you submit the contents of your example.com.csr file, you will be able to download a package containing (2) files: Example.com.crt, and provider_bundle.crt.”

Note: If you’re using GoDaddy your “provider_bundle.crt” file may be called either “gd_bundle.crt” or “sf_bundle.crt.”
Download and unzip the signed certificate, and move the contents of the .zip file into /path/to/certs.

Once both files have been placed in the /path/to/certs directory, you then must next modify your Apache Virtual Host to reflect the signed certificate.

If your are adding SSL encryption to a pre-existing site, odds are you already have the first Virtual Host entry, however for this tutorial we will focus on the second entry for port 443.  Below is an example of how your the virtual host file for your website should appear:

<VirtualHost *:80>
     ServerAdmin example@example.com
     ServerName www.example.com
     ServerAlias example.com
     DocumentRoot /path/to/example.com/public_html
     ErrorLog /path/to/example.com/logs/error.log
     CustomLog /path/to/example.com/access.log combined
</VirtualHost>


<VirtualHost *:443>
     SSLEngine On
     SSLCertificateFile /path/to/certs/Example.com.crt
     SSLCertificateKeyFile /path/to/certs/example.key
     SSLCACertificateFile /path/to/certs/sf_bundle.crt

     ServerAdmin example@example.com
     ServerName www.example.com
     DocumentRoot /srv/www/example.com/public_html/
     ErrorLog /path/to/example.com/logs/error.log
     CustomLog /path/to/example.com/logs/access.log combined
</VirtualHost>

Enable SSL Module

$ a2enmod ssl

Reload Apache to Update the Changes

$ /etc/init.d/apache2 reload

No comments:

Post a Comment