The Short and Sweet SSL How-to

May 10 Bullet_white By Andre Bullet_white Posted in Development Bullet_white Comments Comments

Got a site you need to serve up via SSL? Here are your Cliffs notes. This assumes 1) your site already runs without SSL; 2) you’re using Apache and Ubuntu; 3) you don’t want any browser warnings, so no self-signed certificates.

1. Generate a Private Key

$ openssl genrsa -des3 -out yourdomain.com.key.orig 2048

You have to assign a passphrase when you run this command. However, you’ll want to immediately strip the passphrase so Apache can start unattended. To strip the passphrase:

openssl rsa -in yourdomain.com.key.orig -out yourdomain.com.key

You now have:
  • yourdomain.com.key: the private key without a passphrase.

2. Generate a Certificate Signing Request (CSR)

You’ll supply the CSR to a certificate provider (Thawt, Verisign, GoDaddy, etc).

$ openssl req -new -key yourdomain.com.key -out yourdomain.com.csr

There is only one question you have to answer when you run this command. For the Common Name, enter the domain from which the site will be served. Include the www only if you serve the site with the www prefix. For this example, we’ll use yourdomain.com to answer this question. You can ignore all the other questions.

You now have:
  • yourdomain.com.key: the private key
  • yourdomain.com.csr: the Certificate Signing Request

3. Get the CSR signed by an Authority

Godaddy is cheap and fast: a single-domain certificate costs $49 per year, and is issued immediately. The signing process consists of:

  • Paying for the SSL certificate
  • uploading the yourdomain.com.csr file you created in step 2
  • downloading a zip file with two .crt files in it

The whole process takes about 15 Minutes.

You now have:
  • yourdomain.com.key: the private key
  • yourdomain.com.crt: the certificate for your domain
  • gd_bundle.crt: the intermediate certificate. Will be named something else if you didn’t get your certificate through GoDaddy
  • yourdomain.com.csr: the Certificate Signing Request

Put all of these in /etc/apache2/ssl/, and restrict permissions so only root can read:

$ chmod 400 /etc/apache2/ssl/*

4. Configure the SSL version of your site

  • Find the <VirtualHost> configuration for your site. On Ubuntu, it’s in /etc/apache2/sites-available/yourdomain
  • copy /etc/apache2/sites-available/yourdomain to /etc/apache2/sites-available/yourdomain-ssl
  • edit yourdomain-ssl:
    • At the top, change the VirtualHost directive from <VirtualHost *:80> to <VirtualHost *:443>.
    • include the following lines:
SSLCertificateFile /etc/apache2/ssl/yourdomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/yourdomain.com.key
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt

5. Enable the site

It’s always a good idea to check your syntax first: $ apache2ctl configtest. If SSL isn’t enabled in you Apache build (unlikely), enable it: $ a2enmod ssl

  • Enable your site: $ a2ensite yourcomain.com-ssl
  • Restart Apache: $ /etc/init.d/apache2 restart

You should now be able to access https://yourdomain.com. If Apache refuses to restart, doublecheck that you have the right .crt and .key files associated with the right configurations in Apache.

Related Post

Get notified of new posts.

Once a month, we'll deliver a finely-curated selection of optimization tips to your inbox.

Comments

comments powered by Disqus