Using an SSL certificate is a must for ensuring your website is protected and meets the demands of today's modern sites/browsers. Customers and visitors to your site will know that their browsing session is safe, and that payment details and personal information is secure and encrypted in transit.

The following guide creates a certificate through Apache and a trusted certificate authority, applying the certificate to your website then forcing all traffic to use HTTPS rather than HTTP.

Create the Certificate Signing Request (CSR)

Connect to your Ubuntu server using SSH

Create the CSR and private key

sudo openssl req -new -newkey rsa:2048 -nodes -keyout infraengineer.key -out infraengineer.csr

You will be prompted to enter some additional details about your organisation before the key can be generated;

Generating a 2048 bit RSA private key
.......................................................+++
..................+++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Tyne and Wear
Locality Name (eg, city) []:Newcastle Upon Tyne
Organization Name (eg, company) [Internet Widgits Pty Ltd]:infra.engineer
Organizational Unit Name (eg, section) []:infra.engineer
Common Name (e.g. server FQDN or YOUR name) []:infra.engineer
Email Address []:emailaddress

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password123
An optional company name []:
 

View the CSR

cat infraengineer.csr

-----BEGIN CERTIFICATE REQUEST-----
MIIC/TCCAeUCAQAwgbcxCzAJBgNVBAYTAkdCMRYwFAYDVQQIDA1UeW5lIGFuZCBX
etc
etc
aQ1BMflzrZHww29QL0lAMqvAQ1haen8i
-----END CERTIFICATE REQUEST-----

Purchase certificate through Certification Authority

Purchase a standard SSL certificate with your preferred certificate authority (i.e. GoDaddy/Digicert etc)

Copy the CSR text above, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it in to the CSR box when prompted to do so

Process certificate through certificate authority with CSR, domain verification will be required from the CA to prove that you own the domain, this is normally achieved by email or a DNS TXT record.

Download certificate from CA and apply

Transfer these files across to your working directory of your web server (i.e. WinSCP), along with the .key file you generated when creating the CSR.

Move private key to the /etc/ssl/private folder

sudo mv infraengineer.key /etc/ssl/private/infraengineer.key

Move crt files to public folder

sudo mv *.crt /etc/apache2/ssl/

Enable support for SSL in Ubuntu

sudo a2enmod ssl

Configure the VirtualHost in Apache

Identify the SSL <VirtualHost> block you need to configure, i.e.

cat /etc/apache2/sites-enabled/000-default.conf

If your site needs to be accessible through both secure (https) and non-secure (http) connections, you need two separate files in this file. One file is for port 80 and the other file is for port 443.

Configure the <VirtualHost> block for the SSL enabled site

sudo vi /etc/apache2/sites-enabled/000-default.conf

 An example of a virtual host configured for SSL. 

<VirtualHost *:80>
   ServerName www.infra.engineer
   ServerAdmin youremailaddress
   DocumentRoot /var/www/infra
   ServerAlias infra.engineer *.infra.engineer
</VirtualHost>

<VirtualHost *:443>
   ServerName www.infra.engineer
   ServerAdmin youremailaddress
   DocumentRoot /var/www/infra
   ServerAlias infra.engineer *.infra.engineer
   SSLEngine on
   SSLCertificateFile /etc/apache2/ssl/www_infra_engineer.crt
   SSLCertificateKeyFile /etc/ssl/private/infraengineer.key
   SSLCertificateChainFile /etc/apache2/ssl/AddTrustExternalCARoot.crt
</VirtualHost>

Save and exit vi (esc then :wq!)

Test Apache config before restarting apache

sudo apachectl configtest

Restart Apache2.

You can use apachectl commands to stop and start Apache2 with SSL support.

apachectl stop
apachect1 start

Verify your domain works with https by specifying https in the URL

Providing this works successfully, put on redirect from unsecure site so all traffic goes over HTTPS by adding the Redirect line below then restart Apache2 service as above;

sudo vi /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
   ServerName www.infra.engineer
   Redirect / https://infra.engineer
   DocumentRoot /var/www/infra
   ServerAlias infra.engineer *.infra.engineer
</VirtualHost>

Test your domain through your browser in private mode that by going to http://yourdomain should now automatically redirected to https://yourdomain without any certificate errors. Any errors need to be dealt with and is likely related to your certificate chain.

Tip: Remember that your certificate will expire in 1, 2, 3 years depending on what you have purchased and will need to be renewed then reapplied.