
Apache: Add SSL certificate

This assumes apache2 is already installed. If not, check this post.

Let's start:

Enable SSL

sudo a2enmod ssl

Restart apache

sudo service apache2 restart

Create the directory where the certificate and private key will be kept

sudo mkdir /etc/apache2/ssl

Create a self-signed SSL certificate valid for 365 days. The -nodes flag leaves the private key unencrypted so Apache can start without a passphrase prompt; because of that, make the key file readable by root only and never copy it off the host.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/sitename.key -out /etc/apache2/ssl/sitename.crt

Next, fill in the certificate fields. The most important one is «Common Name»: enter your site's hostname or IP address there. Note that current browsers ignore the Common Name and match the hostname against the Subject Alternative Name extension, which this interactive prompt does not set, so a certificate created this way will be reported as not matching the site name in addition to being untrusted (self-signed):

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:NorthHolland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your company name
Organizational Unit Name (eg, section) []:Your company unit
Common Name (e.g. server FQDN or YOUR name) []:yourdomain.com           
Email Address []:email@domain.com

Edit the Apache SSL virtual host config (on Apache 2.4 and newer Ubuntu releases the file is named default-ssl.conf):

sudo vim /etc/apache2/sites-available/default-ssl

Edit the existing config; you should end up with something like this:

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin admin@domain.com
                DocumentRoot /home/ubuntu/httpd/domain.com/public_html
                ServerName domain.com
                ServerAlias www.domain.com

                ErrorLog /home/ubuntu/httpd/logs/domain.com.errors.log
                CustomLog /home/ubuntu/httpd/logs/domain.com.access.log combined

                <Directory /home/ubuntu/httpd/domain.com/public_html>
                        AllowOverride All
                        # Indexes enables directory listings when no index file exists;
                        # drop it (or use -Indexes) unless you really want that exposed.
                        Options Indexes FollowSymLinks
                        Require all granted
                </Directory>

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on

                #   If both key and certificate are stored in the same file, only the
                #   SSLCertificateFile directive is needed.
                #   Apache reads the key as root at startup, so the key file should be
                #   mode 600 and owned by root.
                SSLCertificateFile      /etc/apache2/ssl/sitename.crt
                SSLCertificateKeyFile   /etc/apache2/ssl/sitename.key

                #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                # Workarounds for old Internet Explorer versions, kept from the stock config.
                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0
                # MSIE 7 and newer should be able to use keepalive
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        </VirtualHost>
</IfModule>

Activate the virtual host

sudo a2ensite default-ssl

And restart Apache

sudo service apache2 restart

Don't forget to check that TCP port 443 is allowed through the firewall for connections from external networks.
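The whole procedure above, done non-interactively, as an added example that is not part of the original post. It goes beyond the post in three ways a practitioner would want: the certificate carries a Subject Alternative Name (so browsers match the hostname), the private key is created with restrictive permissions, and the virtual host disables directory listings, redirects plain HTTP and turns off legacy TLS versions. It assumes the Debian/Ubuntu apache2 layout (a2enmod, a2ensite, apachectl) and OpenSSL 1.1.1 or newer for the -addext option; the hostname example.test and the paths are placeholders.

```shell
#!/bin/sh
# Added example (not the post's own commands). Assumes Debian/Ubuntu apache2
# layout and OpenSSL >= 1.1.1 (-addext). Hostname and paths are placeholders.

SSL_DIR="${SSL_DIR:-/etc/apache2/ssl}"

# Build the subjectAltName value for a host. Browsers ignore the CN and require
# the name here; an IP address must be an IP: entry, not a DNS: entry.
san_for() {
  host="$1"
  case "$host" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) printf 'subjectAltName=IP:%s\n' "$host" ;;
    *) printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "$host" "$host" ;;
  esac
}

# Generate key and self-signed cert without prompts. -nodes leaves the key
# unencrypted so Apache can start unattended, so file permissions are the
# only thing protecting it: create it under umask 077 and keep it mode 600.
make_selfsigned() {
  host="$1"; dir="$2"; days="${3:-365}"
  mkdir -p "$dir"
  ( umask 077; openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
      -subj "/CN=$host" -addext "$(san_for "$host")" \
      -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null )
  chmod 600 "$dir/$host.key"
  chmod 644 "$dir/$host.crt"
}

# Emit the vhost config: HTTP redirected to HTTPS, no directory listings,
# SSLv3/TLS 1.0/1.1 disabled.
vhost_conf() {
  host="$1"; dir="$2"; docroot="$3"
  cat <<EOF
<VirtualHost *:80>
    ServerName $host
    Redirect permanent / https://$host/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName $host
    ServerAlias www.$host
    DocumentRoot $docroot
    <Directory $docroot>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile $dir/$host.crt
    SSLCertificateKeyFile $dir/$host.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
</IfModule>
EOF
}

# Wire everything up: module, key/cert, site file, config test, reload, and a
# TLS probe from the outside. Run as root.
deploy() {
  host="$1"; docroot="$2"
  a2enmod ssl >/dev/null
  make_selfsigned "$host" "$SSL_DIR"
  vhost_conf "$host" "$SSL_DIR" "$docroot" > "/etc/apache2/sites-available/$host-ssl.conf"
  a2ensite "$host-ssl" >/dev/null
  apachectl configtest && service apache2 reload
  # A self-signed cert yields "Verify return code: 18" here; the subject line
  # confirms the right certificate is being served on :443.
  printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
    | grep -E 'subject=|Verify return code'
}

# Usage (as root): deploy example.test /var/www/example.test/public_html
```

Running `deploy` requires root and a host that actually resolves; `vhost_conf` and `san_for` are pure text functions and can be inspected without touching the system, which is also how to review the generated config before enabling it.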


About alex

Web developer. I build services, write APIs and web applications. Interested in developing applications for high-load systems and in data analysis.
