This is a quick and dirty “how to” that will get you running commercially-verified, high grade encryption, HTTPS connections on your Apache server. The process should be roughly the same across all Linux distributions (probably with different file paths), but it was tested with Ubuntu 10.04. The basic assumption here is that you have the mod_ssl module installed and enabled for Apache and a dedicated IP address for each domain you wish to provide encryption for (multiple SSL certs will each require their own IP, so you’ll have to go with a static IP configuration). Okay? Great, let’s get started. One thing to note is that most of the time (if you buy a cheap certificate) you’ll only be able to verifiably encrypt either www.mysitesname.com or mysitesname.com, but not both, so choose one (or something like secure.mysitesname.com).
- First thing you’ll want to do is create a private key and public certificate signing request (CSR) for the domain, using the following command (replace www_yourdomain_com with www_example_com or example_com or secure_example_com… see above) :
openssl req -nodes -newkey rsa:2048 -keyout www_yourdomain_com.key -out www_yourdomain_com.csr
- You’ll be prompted to fill out org info. Please do so, but (if you’re using Comodo’s cheap PositiveSSL from NameCheap) you’ll need to set the COMMON NAME field to the exact domain you chose (i.e. www.yourdomain.com). Skip the challenge password and optional company name.
- Open your newly created www_yourdomain_com.csr and copy & paste the entire certificate signing request into your registration of a new SSL cert (from PositiveSSL, for instance).
- Follow the SSL company’s instructions.
- You should receive from them something like the following:
  - www_yourdomain_com.crt
  - www_yourdomain_com.ca-bundle
- If you didn’t receive a bundle, you’ll need to create your own bundle from the files they do send over.
- You might have “ssl.key” and “ssl.crt” sub-directories located at /etc/ssl. If you do not, I recommend creating them (N.B. /etc/ssl/ssl.key and its contents should be readable only by Apache, never world-readable!).
- Move the www_yourdomain_com.key file to /etc/ssl/ssl.key
- Move the CRT (www_yourdomain_com.crt) and the bundle (www_yourdomain_com.ca-bundle) to /etc/ssl/ssl.crt
- Now go wild in the /etc/apache2/sites-enabled/ directory: find the config file for the domain for which you want to enable SSL and open it for editing.
- Copy the entire <VirtualHost XXX.XXX.XXX.XXX:PORT>blah blah blah </VirtualHost> block and paste it into the same file, immediately below the existing one. Change the port number from :80 to :443 (the SSL default).
- Add the following entries inside of your new <VirtualHost> configuration:
  - SSLEngine on
  - SSLCertificateKeyFile /etc/ssl/ssl.key/www_yourdomain_com.key
  - SSLCertificateFile /etc/ssl/ssl.crt/www_yourdomain_com.crt
  - SSLCertificateChainFile /etc/ssl/ssl.crt/www_yourdomain_com.ca-bundle
- Save the file and give Apache the old restart: /etc/init.d/apache2 restart
- Go to bed.
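As an added example (not part of the original post), here are the steps above as a small POSIX shell script: it generates the key and CSR non-interactively, locks down the key’s permissions, lets you build your own bundle if the CA didn’t send one, and, once the .crt and .ca-bundle arrive, checks that the key actually matches the certificate and that the certificate verifies against the bundle before Apache gets restarted. The -subj fields and file names are assumptions, and the chain check assumes the bundle includes the root certificate.

```shell
#!/bin/sh
# Added example, not the original post's code. Requires the openssl CLI.
set -eu

# Generate a 2048-bit RSA key and CSR for host $1 (e.g. www.example.com) with no
# interactive prompts. The CN must be the exact hostname browsers will use.
# The org fields in -subj are placeholders; prints the base file name it used.
make_csr() {
    host="$1"; base=$(printf '%s' "$host" | tr . _)
    openssl req -nodes -newkey rsa:2048 -keyout "$base.key" -out "$base.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$host" 2>/dev/null
    chmod 600 "$base.key"     # private key: owner-readable only, never world-readable
    printf '%s\n' "$base"
}

# Build your own ca-bundle from separately delivered intermediate/root certs:
# usage: make_bundle out.ca-bundle intermediate.crt [root.crt ...]
make_bundle() {
    out="$1"; shift
    cat "$@" > "$out"
}

# 0 if the private key ($1) and certificate ($2) share the same RSA modulus,
# i.e. the cert really was issued for this key (a mismatch stops Apache starting).
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ "$k" = "$c" ]
}

# 0 if the leaf certificate ($1) chains to the bundle ($2), which is what every
# browser will need to do. Assumes the bundle contains the root certificate.
chain_is_valid() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Only restart Apache once the config parses; a bad vhost would otherwise
# leave the server down after the restart.
safe_restart() {
    apache2ctl configtest && /etc/init.d/apache2 restart
}
```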