Apache on Ubuntu SSL Installation Guide
Secure Sockets Layer (SSL) certificates are essential for establishing an encrypted connection between a web server and browsers. An SSL certificate enables data transmitted between the server and end users to be secured through cryptographic protocols.
Installing an SSL certificate on your Apache web server running on Ubuntu is important for preventing unauthorized access and securing sensitive customer information. The certificate installation process only takes a few simple steps.
In this comprehensive guide, we will walk through the entire process of obtaining, installing, and configuring an SSL certificate on an Apache web server on Ubuntu.
Prerequisites for Installing SSL Certificate on Apache Ubuntu Server
Before beginning the SSL installation process on your Ubuntu server, you’ll need to complete the following preparatory steps:
- Obtain an SSL Certificate: Purchase a certificate from a trusted Certificate Authority (CA) like Comodo, DigiCert, or GlobalSign. The CA will require you to generate a Certificate Signing Request (CSR).
- Create a CSR: A CSR is an encoded file that provides the CA with your server’s public key to generate the SSL certificate. You can use the OpenSSL toolkit on Ubuntu to create the CSR.
- Have Access to Root User Privileges: You will need access to the administrative root account on your Ubuntu server to install the SSL certificate and modify the Apache configuration files.
- Own or Manage the Domain: The domain name must match the one you’ll be securing with the SSL certificate. The CA will validate that you control the domain as part of issuing the certificate.
- Install Apache and OpenSSL: Apache and OpenSSL must already be installed on your Ubuntu server. You can use apt-get install apache2 openssl to install them.
A Step-by-Step Guide to Install SSL Certificate on Apache Ubuntu Server
Now let’s go through the step-by-step process of generating a CSR, acquiring an SSL certificate, and installing it on Apache.
Generating a CSR on Ubuntu for Apache
The Certificate Signing Request contains your server’s public key and information that will be included in the certificate such as the common name (domain), organization details, country, and locality. You can use the OpenSSL toolkit on Ubuntu to easily generate a CSR.
Follow these steps:
- Access your Ubuntu server terminal using SSH and log in as the root user.
- Generate an RSA private key by running:
openssl genrsa -out domain.key 2048
- Replace “domain” with your actual domain name. The 2048 is the key size.
- Next, generate the CSR using your private key:
openssl req -new -sha256 -key domain.key -out domain.csr
- OpenSSL will prompt you to enter details like country name, state/province, organization, etc. Enter them accurately as they will be verified by the CA.
- Once complete, you now have two files: domain.key contains the private key and domain.csr is the Certificate Signing Request.
- Open the CSR and copy its content. You’ll need to paste it into the SSL certificate order form later.
The CSR you generated will be used by the Certificate Authority to create your SSL certificate tailored to your server. Next, it’s time to pick a trusted CA and purchase your certificate.
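A non-interactive version of the steps above, as an added example rather than part of the original guide: it supplies the prompted details from a config file, adds a subjectAltName entry (the field browsers match the hostname against), and checks the CSR before it goes to the CA. The domain example.com, the organization details and the function names are placeholders.

```bash
#!/usr/bin/env bash
# Added example: scripted key + CSR generation. All names and DN values are placeholders.

# make_csr DOMAIN DIR -> writes DIR/DOMAIN.key (owner-only) and DIR/DOMAIN.csr
make_csr() {
  # umask 077 guarantees the private key is never group- or world-readable
  ( umask 077 && openssl genrsa -out "$2/$1.key" 2048 ) >/dev/null 2>&1 || return 1
  cat > "$2/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
C = US
ST = Example State
O = Example Org
CN = $1
[san]
subjectAltName = DNS:$1, DNS:www.$1
EOF
  openssl req -new -sha256 -key "$2/$1.key" -out "$2/$1.csr" -config "$2/$1.cnf"
}

# csr_names CSR -> DNS names requested in the SAN extension, one per line
csr_names() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2
}

# csr_selfsig_ok CSR -> 0 if the CSR's self-signature verifies (file is intact)
csr_selfsig_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Demo in a scratch directory with a constructed domain
tmp=$(mktemp -d) && make_csr example.com "$tmp" &&
  csr_selfsig_ok "$tmp/example.com.csr" && csr_names "$tmp/example.com.csr"
```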
Installing the SSL Certificate on Apache
After obtaining the SSL certificate for your domain, it’s time to install and configure it on the Apache server. This involves uploading the certificate files to your server, modifying the Apache configuration, and restarting the service.
Follow these key steps:
Step 1: Upload SSL Certificate Files to Server
The CA will send you a zip archive with the certificate files needed. Extract the archive; together with the private key you generated earlier, you should have:
- Certificate File: Your domain’s SSL certificate will be named something like “certificate.crt”
- Private Key File: The private key generated earlier when creating the CSR. Usually named “private.key”.
- CA Bundle / Intermediate Certs: Optional file containing certificates from intermediate CAs to establish the chain of trust for your cert.
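Use SFTP, FTP or SSH file transfer tools to upload these three files into the appropriate directories on your Ubuntu server. Plain FTP transmits files unencrypted, so do not send the private key over it; if the key was generated on this server, move it into place locally instead.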
- The certificate.crt goes into the /etc/ssl/certs/ directory
- The private.key goes into the /etc/ssl/private/ directory
- Optionally place the CA bundle file into /etc/ssl/certs/ as well
Remember the exact path where you placed these files as you’ll need to reference them later.
Step 2: Update Apache Configuration File
The SSL certificate needs to be enabled in the Apache configuration using several new parameters.
- Edit the Apache configuration file at /etc/apache2/sites-available/default-ssl.conf using nano or vim.
- Add the following directives inside the existing <VirtualHost *:443> block, replacing any lines there that already set them:
SSLEngine On
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
SSLCertificateChainFile /etc/ssl/certs/ca_bundle.crt
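The first line enables SSL for this virtual host. The next lines specify the paths to the certificate, private key and CA bundle you uploaded earlier. On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated: the intermediate certificates can instead be appended to the file named by SSLCertificateFile.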
- Finally, restart Apache to load the new configuration:
systemctl restart apache2
That completes the SSL installation steps on Ubuntu. Apache is now serving your domain over a secure HTTPS connection using the SSL certificate.
Verifying the SSL Certificate Installation
To verify that your certificate has been installed correctly and is active, you can:
- Use your Browser: Open your website URL in a browser; it should redirect to HTTPS and show a padlock icon indicating active SSL. Click the lock and inspect the certificate details.
- Test with OpenSSL: Use the openssl s_client -connect yourdomain:443 command to connect to your site’s HTTPS port and output the certificate details.
- Use Online SSL Scanners: There are various free online tools, such as SSL Labs and Digicert OpenSSL Analyzer, that will test your server’s SSL configuration and provide detailed reports on its status.
- Check Logs for Errors: Look for any errors related to SSL or certificates in the Apache error and access logs indicating problems.
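The three files referenced in Step 2 can also be checked locally, before Apache is restarted and as a complement to the checks listed above. This is an added example, not part of the original guide: the function names, the 30-day threshold and the throwaway CA built by make_demo_chain are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for certificate.crt, private.key and ca_bundle.crt.

# pubkey_sha256 KIND FILE -> SHA-256 of the public key inside a private key or cert
pubkey_sha256() {
  case $1 in
    key) openssl pkey -in "$2" -pubout ;;
    crt) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# preflight CERT KEY BUNDLE [MIN_DAYS] -> prints "ok", or the first failed check (returns 1)
preflight() {
  min_days=${4:-30}
  [ "$(pubkey_sha256 crt "$1")" = "$(pubkey_sha256 key "$2")" ] ||
    { echo "certificate does not match private key"; return 1; }
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
    { echo "certificate does not chain to CA bundle"; return 1; }
  openssl x509 -in "$1" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "certificate expires within $min_days days"; return 1; }
  [ "$(ls -l "$2" | cut -c5-10)" = "------" ] ||
    { echo "private key is readable by group or others"; return 1; }
  echo "ok"
}

# make_demo_chain DIR -> constructed throwaway CA plus a 60-day leaf for example.com
make_demo_chain() {
  ( cd "$1" && umask 077 &&
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
      'x509_extensions = v3_ca' '[dn]' 'CN = Constructed Test CA' \
      '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > ca.cnf &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config ca.cnf \
      -keyout ca.key -out ca_bundle.crt &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
      -config ca.cnf -keyout private.key -out leaf.csr &&
    openssl x509 -req -in leaf.csr -CA ca_bundle.crt -CAkey ca.key \
      -CAcreateserial -days 60 -out certificate.crt ) >/dev/null 2>&1
}

# Demo against the constructed chain; on a server, pass the real paths from Step 1
demo=$(mktemp -d) && make_demo_chain "$demo" &&
  preflight "$demo/certificate.crt" "$demo/private.key" "$demo/ca_bundle.crt"
```

Once preflight prints ok, run apache2ctl configtest before systemctl restart apache2. On Ubuntu the virtual host is only loaded after a2enmod ssl and a2ensite default-ssl have been run.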
Renewing and Managing Your SSL Certificate
SSL certificates are valid for a fixed period of time, usually 1-2 years at most. Once your certificate nears its expiry date, you will need to renew it to maintain security on your website. The renewal process is quite straightforward.
Most CAs will send you a renewal notification email with detailed instructions when your certificate is about to expire. Typically, you can renew an SSL certificate via two methods:
Online from CA Website
- Login to your CA account and select the option to renew existing certificates.
- Authorize the domain and pay the renewal fees.
- The CA will generate a new certificate with an updated validity period.
Using a New CSR
- Generate a fresh CSR and private key for your domain.
- Follow the purchase process like when originally buying the SSL cert.
- Install the renewed certificate files on your server.
Depending on your CA, you may be able to reuse your existing CSR when renewing multiple times. The private key remains the same.
Some CAs also provide auto-renewal services where they will automatically renew the certificate before expiry and email you the new files. This ensures your website remains securely encrypted without any disruptions.
Conclusion: Installing an SSL Certificate on Apache Ubuntu Server
Installing an SSL certificate on your Apache web server running Ubuntu is crucial for securing sensitive user data and transactions on your website. By following the step-by-step process outlined in this guide, you can obtain a trusted SSL certificate from a leading CA, generate a CSR, install the certificate files on your server, update the Apache configuration to activate SSL, and test the implementation. Properly configuring HTTPS encryption only takes a few simple steps but provides immense security benefits. Be sure to renew your certificate before expiration to maintain security without disruptions. With an SSL cert from a reputable CA, you can confidently encrypt connections on your Ubuntu server.