9 Steps To Setup SSL on UBUNTU 12.04 APACHE 2.22
I found a lot of misleading and confusing How-To stuff when installing an SSL certificate on Ubuntu 12.04 LTS and Apache 2.22. I also share most people's confusion when it comes to encryption. Only after a lot of repetition has the fog begun to clear. It helps to realize:
- The “key” is your PRIVATE file. Don’t ever share it. It stays on your server. The “csr” knows the “key”.
- The “csr” is exactly what it says, your “Certificate Signing Request”. You share this with the company that provides your “ssl certificate”. The “csr” knows your private key, and the SSL Issuer will produce a “crt” that knows the “csr”.
- The “crt” is the “ssl certificate” you buy from an “SSL Issuer” (such as Thawte). The SSL Issuer uses this certificate (which lives on your server) to identify you as authentic (in the browser of the visitor to your site), because the “crt” knows the “csr” and the “csr” knows your private “key”. OK? OK!
You can create your own ssl certificate (that costs exactly 0.00). The difference is that no one would know your ssl certificate is really you! The browser will always make noise about “you are visiting an unknown site”. Thus the need for companies that do the “authenticating” for the browser; that is the CRT.
For reference: https://www.openssl.org/docs/HOWTO/keys.txt
So here, finally, is a succinct 9-step guide that worked for me:
You will want the answers to the following in advance of creating your CSR file:
- A KEY STRING: you will need a string (a password) of some sort to create your certificate. Whatever you like, but a string that you will never forget or lose!
- Your Fully Qualified Domain Name (FQDN) : www.example.com
- Organization Name : example LLC
- Organizational unit : company
- Country Code : US
- State or Province : FL
- Locality : Miami
- common name : www.example.com
1) Execute the following command. I recommend that you DO NOT USE A PASSWORD to create your key! That means leave the -des3 out of the following command.
openssl genrsa -des3 -out www.example.com.key 4096
I recommend to use this command:
openssl genrsa -out www.example.com.key 4096
1.a) The number 4096 is the size of the key, in bits. Today, 2048 or higher is recommended for RSA keys, as fewer bits are considered insecure, or will be considered insecure pretty soon.
1.b) If you kept -des3, you will be prompted for a password that protects the key.
1.b.1) If you don’t want your key to be protected by a password, remove the flag ‘-des3’ from the command line above.
1.b.2) If you intend to use the key together with a server certificate, it may be a good thing to avoid protecting it with a password, since that means someone would have to type in the password every time the server needs to access the key, WHICH MEANS THE SERVER WILL FREEZE ON REBOOT! Trust me, you don’t want this to happen. Do not use a password!
You will see your private key file has been generated. (DO NOT EDIT) Inside it will look like this:
-----BEGIN RSA PRIVATE KEY-----
(key would be here)
-----END RSA PRIVATE KEY-----
2) Execute the following command on the server
openssl req -new -key www.example.com.key -out www.example.com.csr
You will now input the Certificate Request information outlined above. If you enter ‘.’, the field will be left blank.
2.a) The “challenge password” here is part of the Certificate Signing Request (csr) generation, and is not the same thing as the password used above to encrypt your (key). This challenge password is only shared between you and the SSL issuer and is embedded in the Certificate Signing Request (csr), which the issuer then uses to authenticate you (should that ever be necessary). THIS CHALLENGE PASSWORD IS NOT needed to restart apache. THIS PASSWORD is needed IF YOU EVER need to re-install your certificate for any reason! Write it down and keep it safe somewhere you won’t forget.
You will see the public csr file has been generated. (DO NOT EDIT) Inside it will look like this:
-----BEGIN CERTIFICATE REQUEST-----
(request would be here)
-----END CERTIFICATE REQUEST-----
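Steps 1 and 2 done non-interactively, followed by the checks that prove the csr really "knows" the key. This is an added example and not part of the original post: the file names and subject fields are the post's sample values, WORKDIR is an assumed scratch directory, and -subj simply supplies the checklist answers so nothing has to be typed at a prompt.

```shell
#!/bin/sh
# Added example (not from the original post): generate the key and CSR from steps 1
# and 2 without prompts, then verify that the CSR belongs to that key.
# Assumed: WORKDIR is a scratch directory; names/fields are the post's sample values.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/www.example.com.key"
CSR="$WORKDIR/www.example.com.csr"

# Step 1: 4096-bit RSA key with no -des3, so Apache can read it unattended at boot.
# umask 077 makes the file mode 600 from the moment it exists instead of relying on
# a later chmod.
gen_key() {
    (umask 077 && openssl genrsa -out "$KEY" 4096 2>/dev/null)
}

# Step 2: the CSR. -subj supplies the checklist answers (country, state, locality,
# organisation, unit, common name), and no challenge password is embedded.
gen_csr() {
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=US/ST=FL/L=Miami/O=example LLC/OU=company/CN=www.example.com"
}

# The CSR "knows" the key because it carries the key's public half and is signed
# with the private half. Hash the public key taken from each file and compare.
csr_matches_key() {
    k=$(openssl rsa -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$CSR" -pubkey -noout | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The CSR's self-signature must verify; a corrupted or hand-edited CSR fails here.
csr_signature_ok() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# The Common Name is what the issuer will put on the certificate; confirm it is the
# FQDN you intend to serve before paying for a certificate.
csr_common_name() {
    openssl req -in "$CSR" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Step 5 in miniature: the key must not be readable by group or others.
key_mode_is_600() {
    [ -n "$(find "$KEY" -maxdepth 0 -perm 600)" ]
}

gen_key
gen_csr
if csr_matches_key && csr_signature_ok; then
    echo "CSR for $(csr_common_name) matches $KEY"
fi
```

Run it as `sh make-csr.sh`; the same `csr_matches_key` comparison is worth repeating against the crt once the issuer returns it, because a certificate issued for a different CSR will never load together with this key.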
3) Now go purchase your SSL Certificate
3.a) You provide your “csr” file to the SSL Issuer when you purchase the “crt”. Often the “crt” is called the “inbetween” certificate by the certificate provider. YEH! Thanks for making mud so much clearer! It will be named something like ca-bundle.crt or intermediate.crt.
So you now should have 3 files that can be re-named anything you like. I like easy names such as:
- public.csr
- private.key
- intermediate.crt
4) Place these files in /etc/apache2/ssl (for convenience, or wherever you prefer)
5) IMPORTANTLY change the permissions for /etc/apache2/ssl to:
sudo chown -R root:ssl-cert /etc/apache2/ssl
sudo chmod -Rf 600 /etc/apache2/ssl
If you have a problem you can’t seem to figure out, chances are this will be it – always with the privileges!
6) Create or edit your VirtualHost file in /etc/apache2/sites-available/www.example.com
<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com
    ServerAlias www.example.com
</VirtualHost>

<VirtualHost 000.000.000.000:443>
    ServerAdmin webmaster@example.com
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com
    ServerAlias www.example.com
    SSLEngine on
    # SSLCertificateFile must be the signed certificate the issuer returned for
    # your csr (file name assumed here), never the .csr itself: Apache cannot load
    # a signing request as a certificate and will refuse to start.
    SSLCertificateFile /etc/apache2/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private.key
    SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
</VirtualHost>
NOTE: Apache requires the SSL keys to be attached to the IP address
000.000.000.000:443
rather than the virtualhost or domain names. GOT THAT? A (non-wildcard) SSL certificate is created using the fully qualified domain name (FQDN). However, Apache uses the IP address when listening for SSL connections on port 443. This can cause some confusion regarding how the domain, IP and cert relate to each other. That means you can move SSL certificates to another server (when moving a website), because the SSL certificates are tied to the domain and NOT to the IP address. Makes sense.
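Steps 3 to 6 rehearsed end to end, as an added example that is not part of the original post. A constructed throw-away CA stands in for the SSL Issuer and signs the csr, which lets you check that the crt, the csr and the key really belong together, that the chain file validates the certificate, that a .csr is not something SSLCertificateFile can load, and that the ssl directory ends up with no group- or world-readable files. WORKDIR, the CA name and the file name www.example.com.crt are assumptions; nothing here is issued by a real CA.

```shell
#!/bin/sh
# Added example (not from the original post): a constructed test CA signs the CSR so
# the key/csr/crt relationship and the Apache file layout can be checked before
# touching a real server. Assumed: WORKDIR, the CA name, www.example.com.crt.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SSLDIR="$WORKDIR/ssl"                  # stands in for /etc/apache2/ssl
KEY="$WORKDIR/www.example.com.key"
CSR="$WORKDIR/www.example.com.csr"
CRT="$WORKDIR/www.example.com.crt"     # the signed certificate the issuer returns
CAKEY="$WORKDIR/ca.key"
CACRT="$WORKDIR/ca.crt"                # plays the issuer's intermediate/chain file

# Key and CSR as in steps 1 and 2 (2048 bits here only to keep the demo fast).
make_key_and_csr() {
    (umask 077 && openssl req -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" \
        -subj "/C=US/ST=FL/L=Miami/O=example LLC/OU=company/CN=www.example.com" \
        2>/dev/null)
}

# Constructed issuer: a self-signed CA certificate with CA:TRUE, built from an
# inline config so the result does not depend on the system openssl.cnf.
make_test_ca() {
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = ca' '[dn]' 'CN = Constructed Test CA' '[ca]' \
        'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$WORKDIR/ca.cnf"
    (umask 077 && openssl req -x509 -config "$WORKDIR/ca.cnf" -newkey rsa:2048 \
        -nodes -keyout "$CAKEY" -out "$CACRT" -days 30 2>/dev/null)
}

# Step 3 in miniature: the issuer signs the CSR and returns a certificate.
sign_csr() {
    openssl x509 -req -in "$CSR" -CA "$CACRT" -CAkey "$CAKEY" -CAcreateserial \
        -out "$CRT" -days 30 2>/dev/null
}

# "The crt knows the csr and the csr knows the key": the certificate carries the
# same public key as the private key file, so the hashes of both are equal.
cert_matches_key() {
    k=$(openssl rsa -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$CRT" -pubkey -noout | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The file handed to SSLCertificateChainFile must actually validate the crt.
chain_verifies() {
    openssl verify -CAfile "$CACRT" "$CRT" >/dev/null 2>&1
}

# A CSR is not a certificate: Apache fails to start if SSLCertificateFile points
# at the .csr, which is why the crt, not the csr, belongs in that directive.
csr_is_not_a_certificate() {
    ! openssl x509 -in "$CSR" -noout >/dev/null 2>&1
}

# Steps 4 and 5: copy the files into the ssl directory and lock them down, then
# confirm no file is readable by group or others (mode exactly 600).
install_ssl_dir() {
    mkdir -p "$SSLDIR"
    cp "$KEY" "$SSLDIR/private.key"
    cp "$CRT" "$SSLDIR/www.example.com.crt"
    cp "$CACRT" "$SSLDIR/intermediate.crt"
    chmod 700 "$SSLDIR"
    chmod 600 "$SSLDIR"/*
}
ssl_dir_locked_down() {
    [ -z "$(find "$SSLDIR" -type f ! -perm 600)" ]
}

# Step 6: the :443 vhost with each directive pointing at the right kind of file.
# VHOST_ADDR is the server IP the post binds to; * listens on every address.
vhost_conf() {
    cat <<EOF
<VirtualHost ${VHOST_ADDR:-*}:443>
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com
    SSLEngine on
    SSLCertificateFile      $SSLDIR/www.example.com.crt
    SSLCertificateKeyFile   $SSLDIR/private.key
    SSLCertificateChainFile $SSLDIR/intermediate.crt
</VirtualHost>
EOF
}

make_key_and_csr
make_test_ca
sign_csr
install_ssl_dir
vhost_conf
```

Against a real deployment, replace `$CACRT` with the issuer's intermediate bundle and `$CRT` with the certificate it returned; `chain_verifies` and `cert_matches_key` then tell you, before any Apache restart, whether the three files in /etc/apache2/ssl actually belong to each other.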
7) Apache says to edit this file:
sudo vi /etc/apache2/ports.conf
Add http to the end of the line “listen 443”. It should look like this:
listen 443 http
My installation worked fine without the “http”.
8) And you need to enable SSL on Apache
sudo a2enmod ssl
Now all you have to do is finish up Apache if you have not done this already.
sudo a2ensite www.example.com
9) Restart Apache
sudo service apache2 restart
NOTE: sudo apachectl configtest (does not work in Ubuntu 12.04)
You are done. Check to see if your website works as expected.
Some other references are:
http://www.seleads.com/ssl-setup-how-to-on-virtualhost-for-debian-apache-wordpress/