Tudip
03 July 2018
How to Install an SSL Certificate On Ubuntu Server using Apache/Nginx.
What is SSL, and what is an SSL certificate?
- SSL stands for Secure Sockets Layer. It is the standard protocol (its current versions are called TLS) for establishing an encrypted link between a web server and a user’s browser.
- An SSL certificate is a digital certificate that authenticates the identity of your website and binds it to a unique cryptographic key.
Why do we need an SSL certificate?
Information you send over the Internet passes from computer to computer on its way to the destination server. Fraudsters and cybercriminals are ready to exploit any such hop to steal bank account numbers and card details while a transaction is in progress: anyone who can intercept the traffic can read it unless the connection between the user’s browser and the web server is encrypted.
How does an SSL certificate work?
(Sequence diagram of installing an SSL certificate on an Ubuntu server; the image is not reproduced here.)
How do I configure an SSL certificate on my website?
Before proceeding, make sure the prerequisites are in place:
- Own a domain for your website, registered with a registrar such as Namecheap, GoDaddy or Servertastic.
- A web server to install the SSL certificate on: typically Apache, Nginx, HAProxy or Varnish.
- The certificate type you need (single domain, wildcard or multiple domains), chosen when purchasing the certificate from the registrar.
Steps to request an SSL certificate from the registrar:
- Create the private key:
  - Create the private .key file with “openssl genrsa -out domain_name.com.key 2048”. Here domain_name.com is your site name (for example tudip.com.key); you can choose any name with a .key extension, and 2048 is the key size in bits.
  - Check that domain_name.com.key was created in the directory where you ran the command.
  - Before generating the .key file, check that OpenSSL is installed on the Ubuntu machine where your site is hosted. If it is not, install it with “apt-get install openssl”.
- Create the CSR (Certificate Signing Request):
  - Create the .csr file with “openssl req -new -sha256 -key domain_name.com.key -out domain_name.com.csr”.
  - The command prompts for Country Name, State or Province Name, Locality Name (e.g. city), Organisation Name, Common Name (e.g. server FQDN or your name) and Email Address.
  - It then asks for extra attributes such as a challenge password and an optional company name.
  - After these steps, domain_name.com.csr exists; decode it (for example with an online CSR decoder) to cross-check the details before submitting it.
- Request the certificate by providing the CSR:
  - Log in to your SSL registrar’s account (GoDaddy, Namecheap, Servertastic etc.) and go to My Account > Manage SSL Certificates.
  - Provide the CSR generated from your private key, with the appropriate information filled in.
  - Fill in all required fields, such as SAN domains, and tick the mandatory terms-and-conditions checkboxes.
  - Before proceeding, check the preview of the form, then proceed to have the CSR validated.
  - Click the Request Certificate/Proceed button and wait for the provider’s approval.
- Download the certificate’s zip file:
  - After verification, check the email address you registered with for a message saying your SSL certificate has been issued.
  - Download and unzip the file. It contains the intermediate certificate (intermediate.crt) and your certificate with a .crt extension (domain_name.com.crt).
  - The files required for configuration are the intermediate certificate (intermediate.crt or a .ca-bundle), domain_name.com.crt and domain_name.com.key.
  - If you have a firewall enabled, make sure it allows port 443 (HTTPS).
  - Keep all of these files on the web server where you are going to enable and configure SSL for your site.
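The following script is an added example and not part of the original post. It runs the key and CSR steps above non-interactively, decodes the CSR locally rather than pasting it into an online decoder, and then performs the checks worth doing on the downloaded files before they go near the web server: that the key, CSR and issued certificate share one public key, and that domain_name.com.crt chains to a root through intermediate.crt. Because no registrar is involved offline, the script builds a constructed two-level demo CA (“Demo Root CA” / “Demo Intermediate CA”) to sign the CSR; the domain name, subject fields and that CA are placeholders, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the original post. Follows the post's key -> CSR ->
# certificate sequence and adds the local checks run before copying files to the
# web server. DOMAIN is a placeholder; the root/intermediate CA built below is a
# constructed stand-in for the registrar that would really sign your CSR.
set -eu

DOMAIN="domain_name.com"

# 1. Private key and CSR. -subj supplies the Country/State/.../Common Name answers
#    non-interactively; Common Name must be the site name served over HTTPS.
gen_key_and_csr() {
    dir="$1"; domain="$2"
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    chmod 600 "$dir/$domain.key"                 # private key: owner-readable only
    openssl req -new -sha256 -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$domain" 2>/dev/null
}

# 2. Decode the CSR locally and return its Common Name (nothing leaves the machine).
csr_common_name() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# 3. Constructed stand-in for the registrar: a root CA signs an intermediate CA,
#    and the intermediate signs your CSR, exactly the shape of the downloaded zip.
issue_with_demo_ca() {
    dir="$1"; domain="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/ca.ext" -out "$dir/intermediate.crt" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$domain" > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/intermediate.crt" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/leaf.ext" -out "$dir/$domain.crt" 2>/dev/null
}

# 4a. Key, CSR and issued certificate must carry the same public key; a mismatch
#     (typically a regenerated key) makes nginx/Apache refuse to start.
public_key_of() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac
}
same_public_key() {   # usage: same_public_key key FILE crt FILE
    [ "$(public_key_of "$1" "$2")" = "$(public_key_of "$3" "$4")" ]
}

# 4b. The site certificate must chain to the root through the intermediate; these
#     two files (domain_name.com.crt + intermediate.crt) are what the server needs.
verify_chain() {   # usage: verify_chain SITE.crt INTERMEDIATE.crt ROOT.crt
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    gen_key_and_csr "$work" "$DOMAIN"
    echo "CSR common name: $(csr_common_name "$work/$DOMAIN.csr")"
    issue_with_demo_ca "$work" "$DOMAIN"
    same_public_key key "$work/$DOMAIN.key" crt "$work/$DOMAIN.crt" && echo "key matches certificate"
    verify_chain "$work/$DOMAIN.crt" "$work/intermediate.crt" "$work/root.crt" && echo "chain verifies"
    rm -rf "$work"
}
main
```

With a real registrar you skip issue_with_demo_ca and run same_public_key and verify_chain against the files from the zip, using the registrar’s root certificate (or the system CA bundle) as the third argument to verify_chain. Running verify_chain without the intermediate fails; that is the same error browsers report when intermediate.crt is left out of the server configuration.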
Installation steps for the SSL certificate on the web server:
- Configuring the SSL certificate on an Nginx server:
  - In Nginx you have to create a single “chained” certificate file that contains your certificate followed by the CA’s intermediate certificate.
  - Change to the directory holding your private key and the certificate files (domain_name.com.crt and intermediate.crt). For this example we assume they are in the home directory.
  - Combine domain_name.com.crt and intermediate.crt, in that order, on the command line (replace domain_name.com with your own domain):
    ~$ cat domain_name.com.crt intermediate.crt > domain_name.com.chained.crt
  - Go to the Nginx server configuration directory with “cd /etc/nginx/sites-enabled”.
  - Open the “default” server block file with “sudo vi default”.
  - Modify the listen directive to “listen 443 ssl;”.
  - Find the server_name directive, which must match the Common Name you provided when creating the CSR and certificate. Add the ssl_certificate and ssl_certificate_key directives to specify the paths of your chained certificate and private key:
    server_name domain_name.com;
    ssl_certificate /home/ssl/domain_name.com.chained.crt;
    ssl_certificate_key /home/ssl/domain_name.com.key;
  - To allow secure SSL protocols and ciphers, add the following lines:
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  - To redirect HTTP traffic to HTTPS, add the following server block, then save and quit:
    server {
        listen 80;
        server_name domain_name.com;
        rewrite ^/(.*) https://domain_name.com/$1 permanent;
    }
  - Restart Nginx with “sudo service nginx restart” and test your site over HTTPS, e.g. https://domain_name.com.
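The script below is an added example, not code from the post or from the Nginx project. It builds the chained file the Nginx steps describe and then checks the two things that most often go wrong before the restart: the order of certificates in the chained file (Nginx presents the first certificate in ssl_certificate as the server certificate, so the site certificate must precede the intermediate) and directives missing from the server block. The server block it lints is a constructed copy of the one above, and the two self-signed certificates its main function creates stand in for domain_name.com.crt and intermediate.crt. The post’s 2018 protocol list is kept as-is; note that TLSv1 and TLSv1.1 have since been deprecated (RFC 8996), so a current deployment would list TLSv1.2 and TLSv1.3 only. The authoritative pre-restart check remains “sudo nginx -t”, which this static lint does not replace.

```shell
#!/bin/sh
# Added example, not from the original post: builds the chained certificate nginx
# expects and checks, before the restart, certificate order in the chained file and
# directives missing from the server block. The sample server block is constructed.
set -eu

# nginx uses the FIRST certificate in ssl_certificate as the server certificate, so the
# site certificate must come before the intermediate (the reverse order is a common slip).
build_chained_cert() {   # usage: build_chained_cert SITE.crt INTERMEDIATE.crt OUT.chained.crt
    cat "$1" "$2" > "$3"
}

# Common Name of the first PEM block in a file: what nginx will present as the server cert.
first_cert_cn() {
    awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ { print; if (/END CERTIFICATE/) exit }' "$1" \
        | openssl x509 -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Static pre-check of a server block read from stdin: every directive the post adds
# must be present. (The authoritative check is still `sudo nginx -t` before restarting.)
server_block_ok() {
    conf=$(cat)
    for directive in 'listen 443 ssl;' 'server_name ' 'ssl_certificate ' 'ssl_certificate_key ' \
                     'ssl_protocols ' 'ssl_prefer_server_ciphers on;' 'ssl_ciphers '; do
        case "$conf" in
            *"$directive"*) ;;
            *) echo "missing directive: $directive" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample: the post's HTTPS server block with the directives written out.
SAMPLE_SERVER_BLOCK='server {
    listen 443 ssl;
    server_name domain_name.com;
    ssl_certificate     /home/ssl/domain_name.com.chained.crt;
    ssl_certificate_key /home/ssl/domain_name.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
}'

main() {
    work=$(mktemp -d)
    # Two constructed self-signed certificates stand in for domain_name.com.crt and intermediate.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=domain_name.com" \
        -keyout "$work/domain_name.com.key" -out "$work/domain_name.com.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate CA" \
        -keyout "$work/intermediate.key" -out "$work/intermediate.crt" 2>/dev/null
    build_chained_cert "$work/domain_name.com.crt" "$work/intermediate.crt" "$work/domain_name.com.chained.crt"
    echo "first certificate: $(first_cert_cn "$work/domain_name.com.chained.crt")," \
         "$(cert_count "$work/domain_name.com.chained.crt") certificates in the chained file"
    printf '%s\n' "$SAMPLE_SERVER_BLOCK" | server_block_ok && echo "server block has every required directive"
    rm -rf "$work"
}
main
```

On a real server, run first_cert_cn and cert_count against /home/ssl/domain_name.com.chained.crt and pipe /etc/nginx/sites-enabled/default into server_block_ok; if the first Common Name is the intermediate’s rather than your domain, the cat command was run with the files in the wrong order.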
- Configuring the SSL certificate on an Apache server:
  - Create a virtual host configuration file by copying the default file “/etc/apache2/sites-available/000-default.conf”.
  - Open the copied file for editing with “sudo vi 000-default.conf”.
  - Find <VirtualHost *:80> and change the port to 443, i.e. <VirtualHost *:443>. Add a ServerName directive, e.g. “ServerName domain_name.com”.
  - Add the following lines to specify your certificate and key paths. Here there is no need to concatenate the certificate and intermediate files:
    SSLEngine on
    SSLCertificateFile /home/ssl/domain_name.com.crt
    SSLCertificateKeyFile /home/ssl/domain_name.com.key
    SSLCACertificateFile /home/ssl/intermediate.crt
  - To redirect HTTP requests to HTTPS, add the following to the top of the file, then save and exit the .conf file:
    <VirtualHost *:80>
        ServerName domain_name.com
        Redirect permanent / https://domain_name.com/
    </VirtualHost>
  - Enable the Apache SSL module with “sudo a2enmod ssl” and restart Apache with “sudo service apache2 restart”.
  - Test the site over HTTPS, e.g. https://domain_name.com.
- After successfully installing the certificate, check the installed certificate with the SSL Labs test at “https://www.ssllabs.com/ssltest/”.
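As an added example (not part of the original post), here is a command-line counterpart to the SSL Labs test that covers the two checks that matter right after installation on either server: does the server send the intermediate certificate, and does the chain verify? It reads the transcript of “openssl s_client”, which is the same tool used for the earlier steps, and condenses it to the negotiated protocol, the number of certificates the server sent and OpenSSL’s verify return code. The two transcripts embedded in the script are constructed samples (a good install, and one where only domain_name.com.crt was configured, which OpenSSL reports as code 21, “unable to verify the first certificate”); the hostname is a placeholder and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original post: a command-line counterpart to the SSL
# Labs test for the checks that matter right after installation. The s_client
# transcripts below are constructed samples; the hostname is a placeholder.
set -eu

# Condense `openssl s_client` output (read from stdin) into one line:
#   protocol=<negotiated version> chain=<certificates sent by server> verify=<OpenSSL verify code>
summarize_tls_session() {
    awk '
        /^ *[0-9]+ s:/        { chain++ }      # one line per certificate under "Certificate chain"
        /Protocol *:/         { proto = $NF }
        /Verify return code:/ { code = $4 }
        END { printf "protocol=%s chain=%d verify=%s\n", proto, chain, code }
    '
}

# Returns 0 only when the chain verified (code 0) and at least two certificates were
# sent. A lone server certificate usually means intermediate.crt was not installed
# (assumption: the site certificate is not signed directly by a root), and OpenSSL
# then reports code 21 (unable to verify the first certificate).
tls_install_ok() {
    summary=$(summarize_tls_session)
    echo "$summary"
    case "$summary" in
        *"chain=0 "*|*"chain=1 "*) return 1 ;;
        *"verify=0")               return 0 ;;
    esac
    return 1
}

# Live check against your own server after the restart (hostname is a placeholder):
#   check_tls_endpoint domain_name.com
check_tls_endpoint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | tls_install_ok
}

# Constructed sample 1: intermediate installed, chain verifies.
SAMPLE_GOOD='CONNECTED(00000003)
depth=2 CN = Demo Root CA
verify return:1
depth=1 CN = Demo Intermediate CA
verify return:1
depth=0 CN = domain_name.com
verify return:1
---
Certificate chain
 0 s:CN = domain_name.com
   i:CN = Demo Intermediate CA
 1 s:CN = Demo Intermediate CA
   i:CN = Demo Root CA
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---'

# Constructed sample 2: only domain_name.com.crt configured, intermediate missing.
SAMPLE_MISSING_INTERMEDIATE='CONNECTED(00000003)
depth=0 CN = domain_name.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = domain_name.com
   i:CN = Demo Intermediate CA
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)
---'

printf '%s\n' "$SAMPLE_GOOD" | tls_install_ok
printf '%s\n' "$SAMPLE_MISSING_INTERMEDIATE" | tls_install_ok || echo "install check failed (see summary above)"
```

A chain count of 1 with verify code 21 is the signature of the missing-intermediate mistake: on Nginx the intermediate was not appended to the chained file, on Apache the intermediate directive was not added. The summary also shows the negotiated protocol, so you can confirm which of the versions listed in ssl_protocols the server actually used.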
Conclusion:
You should now have a clear idea of how to install, add and configure an SSL certificate on your web server in a few simple steps.
Read here the basic steps to add multiple SSL certificates on a single AWS ELB.