Request and install SSL using Apache2 and OpenSSL
First we’ll need to create a certificate signing request (CSR) containing the certificate application info, together with a private key. Make sure you don’t expose your private key (test.com.key) to the public, or the safety of the encrypted information could be compromised.
mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
openssl req -new -nodes -keyout test.com.key -out test.com.csr
Answer the questions with information about you/your company and the domain that will be validated. Make sure you use a fully qualified domain name (FQDN) in the common name section. When the certificate has been issued you can access the encrypted web by visiting https://FQDN. You can safely skip the extra attributes.
Now you can submit the CSR to your favorite certificate authority for validation. test.com.csr should read something like this (pico test.com.csr):
-----BEGIN CERTIFICATE REQUEST-----
(.......)
-----END CERTIFICATE REQUEST-----
Here is a short list of popular certificate authorities:
Verisign
Thawte
GlobalSign
Comodo
When you have received your certificate from your certificate authority we’ll need to enable it in Apache. Create a file that will contain the certificate and paste your new certificate (pico test.com.crt):
-----BEGIN CERTIFICATE-----
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAAhAF
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNlVTMSAw
(.......)
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
-----END CERTIFICATE-----
Make sure the certificate and private key are only readable by root:
chmod 400 test.com.key test.com.crt
Download the CA root certificate. You can find CA certificates for the authorities mentioned above here:
Verisign -> http://www.verisign.com/support/verisign-intermediate-ca/
Thawte -> http://www.thawte.com/roots/index.html
Globalsign -> http://secure.globalsign.net/cacert/
Comodo -> https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&pcid=0&nav=0
In this example we’ll download the RapidSSL CA certificate:
wget http://www.rapidssl.com/cps/rapidssl_01.cer
Configure Apache to use this certificate to encrypt data (pico /etc/apache2/sites-enabled/000-default). Add these lines somewhere outside your existing VirtualHost entry:
<VirtualHost {ipaddress}:443>
DocumentRoot {docroot}
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/test.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/test.com.key
SSLCACertificateFile /etc/apache2/ssl/rapidssl_01.cer
</VirtualHost>
In the SSLCACertificateFile entry you need to specify the location of the root certificate for the certificate authority that issued the certificate.
Restart Apache:
/etc/init.d/apache2 restart
Now you should be able to access https://FQDN.
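The checks below are an added example, not part of the original tutorial: run before the Apache restart, they confirm that test.com.key matches both test.com.csr and test.com.crt, that the key is not accessible to group or others, and that the certificate verifies against the downloaded CA file. The function names and the script name preflight.sh are this example's own.

```sh
#!/bin/sh
# Added example: pre-restart checks for the key, CSR, certificate and CA file
# created in this tutorial. Function names are this example's own.

# Print the PEM public key embedded in a private key, CSR or certificate.
pubkey_of() {    # $1 = key|csr|crt, $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# True when the private key $1 and the CSR/certificate $3 (type $2) hold the
# same public key. An unreadable or unparsable file counts as a mismatch.
matches_key() {
    want=$(pubkey_of key "$1") || return 1
    have=$(pubkey_of "$2" "$3") || return 1
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# True when group and others have no permission bits on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when the certificate $2 verifies against the CA file $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run every check; returns non-zero if any of them fails.
preflight() {    # $1 = directory, $2 = base name (test.com), $3 = CA file
    rc=0
    matches_key "$1/$2.key" csr "$1/$2.csr" || { echo "CSR does not match key"; rc=1; }
    matches_key "$1/$2.key" crt "$1/$2.crt" || { echo "certificate does not match key"; rc=1; }
    key_is_private "$1/$2.key"              || { echo "key accessible to group/others"; rc=1; }
    chains_to "$1/$3" "$1/$2.crt"           || { echo "certificate does not verify against CA"; rc=1; }
    return $rc
}

# Example: sh preflight.sh /etc/apache2/ssl test.com rapidssl_01.cer
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

openssl verify reads the CA file as PEM, so a CA certificate delivered in DER form shows up here as a verification failure.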
-
Hi,
Thanks for guiding.
About the RapidSSL CA certificate: the link you gave is broken, there isn’t a CA certificate there. I’ve found the true CA certificate for RapidSSL here: http://www.ihs.com.tr/roots/rapidssl/rapidsslca.cer