Using an SSL certificate is a must for protecting your website and meeting the demands of today's modern sites and browsers. Customers and visitors to your site will know that their browsing session is safe, and that payment details and personal information are secure and encrypted in transit.
The following guide creates a certificate through Apache and a trusted certificate authority, applies the certificate to your website, then forces all traffic to use HTTPS rather than HTTP.
Create the Certificate Signing Request (CSR)
Connect to your Ubuntu server using SSH
Create the CSR and private key
sudo openssl req -new -newkey rsa:2048 -nodes -keyout infraengineer.key -out infraengineer.csr
You will be prompted to enter some additional details about your organisation before the key can be generated;
Generating a 2048 bit RSA private key
writing new private key to 'infraengineer.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Tyne and Wear
Locality Name (eg, city) :Newcastle Upon Tyne
Organization Name (eg, company) [Internet Widgits Pty Ltd]:infra.engineer
Organizational Unit Name (eg, section) :infra.engineer
Common Name (e.g. server FQDN or YOUR name) :infra.engineer
Email Address :emailaddress
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :password123
An optional company name :
View the CSR
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Purchase certificate through Certification Authority
Purchase a standard SSL certificate from your preferred certificate authority (e.g. GoDaddy, DigiCert).
Copy the CSR text above, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, and paste it into the CSR box when prompted to do so.
Process the certificate through the certificate authority using the CSR. The CA will require domain verification to prove that you own the domain; this is normally achieved by email or a DNS TXT record.
Download certificate from CA and apply
Transfer the certificate files to the working directory on your web server (e.g. using WinSCP), along with the .key file you generated when creating the CSR.
Move private key to the /etc/ssl/private folder
sudo mv infraengineer.key /etc/ssl/private/infraengineer.key
Move crt files to public folder
sudo mv *.crt /etc/apache2/ssl/
Enable support for SSL in Ubuntu
sudo a2enmod ssl
Configure the VirtualHost in Apache
Identify the SSL <VirtualHost> block you need to configure, i.e.
If your site needs to be accessible through both secure (https) and non-secure (http) connections, you need two separate <VirtualHost> blocks in this file. One block is for port 80 and the other block is for port 443.
Configure the <VirtualHost> block for the SSL enabled site
sudo vi /etc/apache2/sites-enabled/000-default.conf
An example of a virtual host configured for SSL.
<VirtualHost *:80>
    ServerName www.infra.engineer
    ServerAdmin youremailaddress
    DocumentRoot /var/www/infra
    ServerAlias infra.engineer *.infra.engineer
</VirtualHost>

<VirtualHost *:443>
    ServerName www.infra.engineer
    ServerAdmin youremailaddress
    DocumentRoot /var/www/infra
    ServerAlias infra.engineer *.infra.engineer
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/www_infra_engineer.crt
    SSLCertificateKeyFile /etc/ssl/private/infraengineer.key
    SSLCertificateChainFile /etc/apache2/ssl/AddTrustExternalCARoot.crt
</VirtualHost>
Save and exit vi (esc then :wq!)
Test Apache config before restarting apache
sudo apachectl configtest
You can use apachectl commands to stop and start Apache2 with SSL support.
sudo apachectl stop
sudo apachectl start
Verify your domain works with https by specifying https in the URL
Provided this works, redirect the non-secure site so that all traffic goes over HTTPS by adding the Redirect line below, then restart the Apache2 service as above:
sudo vi /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
    ServerName www.infra.engineer
    # The trailing slash on the target matters: without it, a request for
    # /page is redirected to https://infra.engineerpage
    Redirect / https://infra.engineer/
    DocumentRoot /var/www/infra
    ServerAlias infra.engineer *.infra.engineer
</VirtualHost>
Test your domain in a private browser window: going to http://yourdomain should now automatically redirect to https://yourdomain without any certificate errors. Any errors need to be dealt with and are likely related to your certificate chain.
Tip: Remember that your certificate will expire in 1, 2 or 3 years depending on what you have purchased, and will need to be renewed and then reapplied.
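The checks below are an added example, not part of the original guide: a shell function that confirms the private key matches the certificate, that the certificate verifies against the chain file, and that it is not about to expire, before Apache is restarted. The function name, argument order and exit codes are assumptions made for this illustration; the paths in the usage comment are the ones from the VirtualHost above.

```sh
# Added example: pre-flight checks on the three files named in the SSL
# <VirtualHost>. Function name, arguments and exit codes are hypothetical.
# Usage: check_tls_files CERT KEY CHAIN [DAYS] [ROOTS]
#   DAYS  - warn if the certificate expires within this many days (default 30)
#   ROOTS - optional trusted root bundle; the system trust store is used if omitted
# e.g. (as root, because /etc/ssl/private is not world-readable):
#   check_tls_files /etc/apache2/ssl/www_infra_engineer.crt \
#     /etc/ssl/private/infraengineer.key /etc/apache2/ssl/AddTrustExternalCARoot.crt
check_tls_files() (   # body runs in a subshell, so "exit" only sets the return code
  cert=$1 key=$2 chain=$3 days=${4:-30} roots=${5:-}

  # 1. Certificate and private key must carry the same public key;
  #    Apache will not load a mismatched pair.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "FAIL: cannot read certificate $cert"; exit 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "FAIL: cannot read private key $key"; exit 1; }
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: $key does not match $cert"; exit 2; }

  # 2. The certificate must chain to a trusted root through the CA file
  #    that Apache will send to browsers.
  openssl verify ${roots:+-CAfile "$roots"} -untrusted "$chain" "$cert" \
    >/dev/null 2>&1 ||
    { echo "FAIL: $cert does not verify against $chain"; exit 3; }

  # 3. -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null ||
    { echo "WARN: $cert expires within $days days"; exit 4; }

  echo "OK: key matches, chain verifies, expiry is more than $days days away"
)
```

Run it after sudo apachectl configtest and before restarting Apache; a non-zero exit code identifies which of the three checks failed.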