
How to Generate CSR and Install SSL in Apache 2.4

This article covers:

  1. How to generate a CSR (certificate signing request), which is required before you purchase an SSL certificate.
  2. How to install SSL in a shared hosting environment
  3. How to redirect http to https

The server environment:

  1. Apache 2.4, Ubuntu 18.04
  2. Certificate purchased from RapidSSL Online and issued by GeoTrust.
  3. Website platform can be either WordPress or Magento

Step 1 Generate private key and CSR

First we need to generate a server key for the CSR and the SSL certificate; we recommend using an encrypted key. However, keep in mind that if you use an encrypted key, Apache will prompt you for the passphrase you used for encryption each time the server restarts. This might cause issues in a multi-user environment unless you share the keys with all SSH users.

Since we’re installing SSL in a shared hosting environment, we prefer to keep things organised, so all certificate-related files are stored in

/etc/ssl/your_website_name

The command to generate the key is:

sudo openssl genrsa -des3 -out www.your_domain_name.com.key 2048

If you do not wish to use a passphrase, use the command below instead:

sudo openssl genrsa -out www.your_domain_name.com.key 2048

Type in the passphrase, then keep it safe. If you haven’t heard of it, Passpack is one of the best password solutions.

The command you need to generate your CSR is:

sudo openssl req -new -key www.your_domain_name.com.key -out www.your_domain_name.com.csr

Then follow the prompts to fill in the business information of your website. In case you are wondering, the common name is the same as the domain name.

Step 2 Purchase and save certificate files

If your SSL issuer is GeoTrust, then make sure you choose the domain validation method as file-based validation, because email validation requires you to have a domain email which is not as convenient.

Make sure you create the validation file and put it in the folder GeoTrust suggests. If everything goes to plan and you’re only purchasing a basic SSL, you should receive your certificates a couple of minutes after you complete the CSR process. There will be two files: the server certificate and the intermediate certificate, which is also called the chain file in Apache2.

Once again, the folder should be the same one mentioned above, and we prefer to name the files as below:

cd /etc/ssl/your_website_name

sudo pico www.your_website_name.com.au.cert

sudo pico www.your_website_name.com.au.chain.cert

Step 3 Install SSL certificate

Now go to the Apache virtual host configuration folder:

cd /etc/apache2/sites-available/

Make a copy of your existing non-secure apache site configuration file:

sudo cp your_website_name_80.conf  your_website_name_443.conf

Then edit the _443.conf file and, first of all, change the port number to 443.

<VirtualHost *:443> ... </VirtualHost>

Then at the bottom of the file before the virtual host closing tag, paste the certificate details in:

SSLEngine on
SSLCertificateFile /etc/ssl/your_website_name/www.your_website_name.com.au.cert
SSLCertificateKeyFile /etc/ssl/your_website_name/www.your_website_name.com.au.key
SSLCertificateChainFile /etc/ssl/your_website_name/www.your_website_name.com.au.chain.cert

Once completed, enable the new site configuration file, then reload apache2.

sudo a2ensite your_website_name_443.conf

sudo systemctl reload apache2
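
A check worth running before the reload above: Apache will not load a certificate whose private key does not match it, so confirm that the key, CSR and certificate saved in Steps 1 and 2 belong together and that the key is not readable by other users on the shared host. The script below is an added example, not part of the original article; the function names and the throwaway self-signed files it generates in a temporary directory are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): pre-reload check of TLS files.

# SHA-256 of the public key held in a private key, CSR or certificate.
pubkey_fp() {                       # $1 = key|csr|cert   $2 = file
  local pem
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;   # encrypted keys ask for the passphrase
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
  esac
  [ -n "$pem" ] || return 1         # unreadable file or wrong file type
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 = usable, 1 = mismatch, 2 = unreadable file, 3 = key too widely readable.
check_tls_files() {                 # $1 = key   $2 = certificate   $3 = CSR (optional)
  local kfp cfp rfp
  kfp=$(pubkey_fp key  "$1") || { echo "cannot parse key $1"; return 2; }
  cfp=$(pubkey_fp cert "$2") || { echo "cannot parse certificate $2"; return 2; }
  [ "$kfp" = "$cfp" ] || { echo "certificate does not match private key"; return 1; }
  if [ -n "${3:-}" ]; then
    rfp=$(pubkey_fp csr "$3") || { echo "cannot parse CSR $3"; return 2; }
    [ "$kfp" = "$rfp" ] || { echo "CSR was made from a different key"; return 1; }
  fi
  case "$(stat -c %a "$1")" in      # GNU stat, as shipped with Ubuntu
    *00) ;;                         # owner-only access, e.g. 600 or 400
    *)   echo "key is accessible to group/others; run chmod 600 $1"; return 3 ;;
  esac
  echo "OK: files share public key $kfp"
}

# Constructed sample data: throwaway keys and a self-signed certificate.
make_demo_files() {                 # $1 = directory
  openssl genrsa -out "$1/site.key"  2048 2>/dev/null
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
  openssl req -new -key "$1/site.key" -subj "/CN=www.example.test" -out "$1/site.csr" 2>/dev/null
  openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 30 -out "$1/site.cert" 2>/dev/null
  chmod 600 "$1/site.key" "$1/other.key"
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
check_tls_files "$demo_dir/site.key"  "$demo_dir/site.cert" "$demo_dir/site.csr"
check_tls_files "$demo_dir/other.key" "$demo_dir/site.cert"   # reports the mismatch
rm -rf "$demo_dir"
```

On the real server, call check_tls_files with the key, certificate and CSR paths under /etc/ssl/your_website_name instead of the demo files.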

Step 4 Fix non-https contents and redirect http to https

If your website is built on WordPress, then you’re likely to have some http links waiting to be addressed. You may use a plugin such as SSL Insecure Content Fixer to do the majority of the work, but make sure to back up the site before installing this plugin! The changes will be made as soon as you activate this plugin, so be cautious as there is a risk of breaking your WordPress site.

To redirect http to https, add the lines below to your .htaccess file, right after RewriteEngine On:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{HTTP_HOST} ^(www\.)?your_website_name\.com
RewriteRule ^(.*)$ https://www.your_website_name.com/$1 [R,L]

Lastly, make sure you test all the variants:

http://your_website_name.com

http://www.your_website_name.com

https://your_website_name.com

https://www.your_website_name.com

They should all work, with the http versions redirected to the https versions.

Remove Private Key Passphrase

If your server contains individual SSLs and they all have passphrases on their private keys, restarting Apache is a bit of a pain because you need to key in every single passphrase. Even worse, if you have too many passphrases to enter, it times out.

The simplest way is to remove the passphrase from your private keys:

sudo openssl rsa -in private_key -out private_key
# Then just enter your old passphrase and it will be removed

By Ethan
