Tuesday, July 08, 2014

Setting up SSL on an Apache Server

I administer my own Apache2 server running on Ubuntu, and I had previously set up SSL using a self-signed certificate. Recently I needed to start using a certificate signed by a Certificate Authority to avoid the "untrusted site" browser warnings. In this post I outline the steps I went through to set it up.

I only needed to secure one domain with no subdomains, so I purchased a basic Geotrust RapidSSL certificate. I then went about all the steps needed to activate the certificate and install it on my server.

Log in to the server command line (from a Mac terminal):
  • ssh -l yourUserName yourDomainName.com
  • This assumes your SSH server is running on port 22. If it is running on a different port, specify that with the -p option, added to the end of the line:
  • ssh -l yourUserName yourDomainName.com -p yourPortNumber
  • You will be prompted for a password and then you'll be logged in to the command line on the server. (Note: if you have SSH set up with key-based authentication, you won't need to enter a password to log in.)

GENERATE A PRIVATE KEY

  • The general form of the command is: openssl genrsa -des3 -out .key 2048
  • I'm going to leave -des3 off because I'm not going to be using a pass phrase. (With -des3 the key file is encrypted under a pass phrase, which Apache would then need every time it starts.)
  • openssl genrsa -out gc.key 2048
  • However, this did not work on my server because I needed to run the command with root privileges, so I had to add sudo to the beginning of the command.
  • sudo openssl genrsa -out gc.key 2048
  • This command generates a 2048-bit RSA private key and stores it in the file gc.key. Keep this file private: anyone who obtains it can impersonate your site.
  • You can verify this by listing files with the ls command to see that gc.key was created.

GENERATE CSR AND ACTIVATE THE CERTIFICATE

  • The general form is: openssl req -new -key .key -out .csr
  • sudo openssl req -new -key gc.key -out gc.csr
  • Answer a series of questions, which will include countryName (US), yourState, yourCity, companyName and commonName. The commonName must be the exact domain name you are securing (yourDomainName.com); a mismatch here leaves browsers rejecting the certificate even after everything else is done. Skip the email address, challenge password and optional company name. This information will be incorporated into your certificate request. When you are finished, you will be back at the command prompt. Do an ls and you should see gc.csr, which you will be using to activate your SSL certificate.
  • In the next step (activating your SSL certificate), you will be asked for the contents of the .csr file. Display it with cat gc.csr and copy and paste the output.

ACTIVATING THE CERTIFICATE

  • Make sure you have an email account set up on the domain name you are getting
    the certificate for, because as part of the activation they will want to email you at an
    account on that domain.
  • Go to the activation page for the certificate (a page on Namecheap in my case)
    and follow the steps to activate the certificate. This will involve pasting in the CSR generated above, and providing an email address on your domain where you can receive mail (e.g. admin@yourdomain.com).
  • They will send an email to confirm activation of the certificate. Copy the link from the email and bring it up in a browser window. This page asks you a single question which you will answer as yes. Believe it or not, there's more to be done... In the next section we will install the certificate on the Apache server.

INSTALLING THE CERTIFICATE ON APACHE

  • You will receive the actual certificate in an email. Save the certificate contents to a file on your server. In my case the email also includes a certificate authority chain file, which I saved as "intermediate.csr".
  • I already had an Apache virtual host configuration, so I just needed to add some configuration to it for the new secure site. I copied my VirtualHost config,
    changed the DocumentRoot, and added the following settings to point to
    the certificate, the original private key you created in the first steps above, and the chain file (intermediate.csr). It will look like this (adjust the paths and file names to wherever you actually saved your key, certificate and chain file; in particular the name given to SSLCACertificateFile must match the chain file you saved):
    SSLProtocol all
    SSLCertificateFile /etc/httpd/conf/ssl.crt/public.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/private.key
    SSLCACertificateFile /usr/local/ssl/crt/intermediate.crt
    Note that SSLProtocol all enables every protocol version the server supports, including obsolete ones; restricting it to current versions is worth doing once the site is working.
  • Now put some content (index.html) in the directory for your secure site, and restart Apache. Assuming no configuration errors, Apache should start up and you will be able
    to access your secure site over SSL (https) with no warnings from the browser.
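As an added example (not part of the original post), here is a small POSIX shell script to run before restarting Apache. It checks that the key, the CSR and the issued certificate all belong together, that the certificate verifies against the chain file you were sent, and that the private key is not readable by other users. The file names gc.key, gc.csr, public.crt and intermediate.crt are assumptions taken from the steps above; pass your own as arguments.

```shell
#!/bin/sh
# Added check script (not from the original post). Confirms that the files from
# the steps above belong together before they go into the Apache config.
# Assumed names from the post: gc.key, gc.csr, public.crt, intermediate.crt.

# Print the RSA modulus stored in a PEM key, CSR or certificate.
modulus_of() {
  case "$1" in
    key) openssl rsa  -noout -modulus -in "$2" 2>/dev/null ;;
    csr) openssl req  -noout -modulus -in "$2" 2>/dev/null ;;
    crt) openssl x509 -noout -modulus -in "$2" 2>/dev/null ;;
    *)   return 1 ;;
  esac
}

# Succeed only if key, CSR and certificate share one modulus. A mismatch means
# the CA signed a request for a different key, and Apache will refuse to start.
ssl_files_match() {
  k=$(modulus_of key "$1") || return 1
  c=$(modulus_of csr "$2") || return 1
  x=$(modulus_of crt "$3") || return 1
  if [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$x" ]; then
    return 0
  fi
  return 1
}

# Succeed if the certificate verifies against the chain file (the system root
# store is consulted as well); a failure here is what browsers call "untrusted".
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeed if the private key is readable only by its owner (mode 0600 or 0400).
key_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Usage: sh check_ssl.sh gc.key gc.csr public.crt intermediate.crt
if [ "$#" -eq 4 ]; then
  ssl_files_match "$1" "$2" "$3" && echo "key, CSR and certificate match" || echo "MISMATCH"
  chain_ok "$3" "$4" && echo "chain verifies" || echo "chain does NOT verify"
  key_mode_ok "$1" && echo "key permissions OK" || echo "key is readable by others"
fi
```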
