How to Install SSL Certificate on a Debian Server?

Apache on Debian SSL Installation Guide

Securing your Debian web server with an SSL certificate is crucial for protecting sensitive user data and providing secure encrypted access to your site. SSL certificates establish an encrypted link between a web server and browser to ensure all data passed between them remains private. By installing an SSL certificate on your Debian server, you activate HTTPS protection for your website and enable key web security features like data encryption, authentication, and integrity checks. This step-by-step guide will take you through the entire process of procuring a trusted SSL certificate compatible with Debian servers and properly installing it. Follow along to learn how to install an SSL certificate on a Debian server from start to finish.

Prerequisites

  • A Debian-based Linux server with root access
  • Apache or Nginx web server installed
  • Ownership of a domain name
  • Basic knowledge of Linux server administration

A Step-by-Step Guide to Install an SSL Certificate on a Debian Server

Step 1 – Generate a CSR (Certificate Signing Request)

The first step is to generate a Certificate Signing Request (CSR) and private key. The CSR contains information that will be used to create your SSL certificate, while the private key allows you to decrypt and access the data encrypted through your certificate.

There are two ways to generate a CSR on Debian – using the OpenSSL command line tool or an online CSR generator.

Method 1 – Generate CSR using OpenSSL

Here are the steps to generate a CSR using OpenSSL on your Debian server:

  • Access your server terminal as root user using SSH.
  • Navigate to the directory where you want to store the CSR and private key files. For example:
cd /etc/apache2
  • Generate a 2048 bit private key and CSR:
openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
  • You will be prompted to enter information like domain name, company details, etc. Make sure to enter the exact fully qualified domain name you want the SSL certificate for.
  • Once done, two files will be created – domain.key (private key) and domain.csr (CSR).
  • Open and copy the contents of the CSR to use during certificate enrollment.

Method 2 – Use an Online CSR Generator

Alternatively, you can use any free online CSR generator tool to create the CSR and private key easily through a web interface.

For example, you can use the Comodo CSR Generator:

  • Go to Comodo CSR Generator
  • Enter your domain name and company details
  • Choose the signature algorithm and key size. Go with 2048 bit RSA.
  • Download the generated CSR and private key files.
  • Open the CSR file and copy its contents to use during certificate enrollment.

No matter which method you use, make sure to store the private key file securely. You will need it later during SSL installation.

Step 2 – Purchase an SSL Certificate

Once you have a CSR, it’s time to purchase an SSL certificate from a trusted Certificate Authority (CA).

There are different types of SSL certificates depending on validation level and number of domains secured:

Some other things to consider when purchasing:

  • Validation: DV, OV or EV?
  • Duration: 1 year or 2 years? Longer validity means better value.
  • Domains: Single domain, wildcard, multiple domains?
  • Budget: Cheaper DV costs $10/year while EV costs $150+/year.

Once you decide, purchase the certificate from vendors like Comodo, Digicert, GeoTrust, etc.

During enrollment you will be asked to provide:

  • The CSR content generated earlier
  • Approver email
  • Payment information

After purchase, the CA will verify your information depending on the validation level. Upon approval, they will email you the SSL certificate files within a few minutes (for DV) or 1-3 days (for OV/EV).

Step 3: Install the SSL Certificate

Once you receive the SSL certificate files from the CA, it’s time to install it on the Debian server.

The CA typically sends the certificate in a .zip archive. Together with the private key you generated in Step 1, which the CA does not send, you will have the following files:

  • Certificate File: Your domain’s SSL certificate (public key) with .crt extension
  • Intermediate Certificate: Certificate chain file from the CA (.pem or .crt)
  • Root Certificate: The root CA’s self-signed certificate (.pem or .crt)
  • Private Key: The private key file you generated earlier (.key)

Follow these steps to install the certificate:

  • Upload the four files to a designated folder on your server using SFTP. For example:
/etc/ssl/mydomain
  • Open the directory and ensure all files are present:
cd /etc/ssl/mydomain
ls
  • Restrict permissions on the private key file to owner read-only:
chmod 400 mydomain.key
  • Open the Apache or Nginx configuration file to add the SSL certificate details:

For Apache

nano /etc/apache2/sites-available/default-ssl.conf

For Nginx

nano /etc/nginx/sites-available/default
  • In the configuration file, find the SSL/TLS section and add the following lines:

Apache

SSLCertificateFile /etc/ssl/mydomain/mydomain.crt
SSLCertificateKeyFile /etc/ssl/mydomain/mydomain.key
SSLCertificateChainFile /etc/ssl/mydomain/intermediate.crt

Nginx

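# Nginx sends clients only the ssl_certificate file, so it must hold the server
# certificate followed by the intermediate certificate(s), in that order.
ssl_certificate /etc/ssl/mydomain/mydomain.crt;
ssl_certificate_key /etc/ssl/mydomain/mydomain.key;
# Not sent to clients; used to verify OCSP responses and client certificates.
ssl_trusted_certificate /etc/ssl/mydomain/intermediate.crt;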
  • Save and close the configuration file.
  • Finally restart the web server to load the new SSL certificate:

Restart Apache

service apache2 restart

Restart Nginx

service nginx restart

That’s it! Your Debian server is now serving content over a secure HTTPS connection using the installed SSL certificate.
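Before restarting the web server, it is worth confirming that the uploaded files actually belong together. The script below is an added example, not part of the original guide; it uses the file names from the steps above and assumes the root certificate is saved as root.crt (an assumed name).

```bash
#!/usr/bin/env bash
# Added example: pre-restart checks for the files uploaded in Step 3.
# File names follow the guide; root.crt is an assumed name for the root CA file.

# 0 if the certificate and the private key contain the same public key.
key_matches_cert() {   # key_matches_cert CERT KEY
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if CERT chains to ROOT through INTERMEDIATE and is inside its validity period.
chain_verifies() {     # chain_verifies CERT INTERMEDIATE ROOT
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# 0 if the key file grants no access to group or others (mode 400 or 600).
key_is_private() {     # key_is_private KEY
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Run all checks on DIR/NAME.crt, DIR/NAME.key, DIR/intermediate.crt, DIR/root.crt.
check_install() {      # check_install DIR NAME
    local dir="$1" name="$2" rc=0
    key_matches_cert "$dir/$name.crt" "$dir/$name.key" \
        || { echo "FAIL: $name.key does not match $name.crt"; rc=1; }
    chain_verifies "$dir/$name.crt" "$dir/intermediate.crt" "$dir/root.crt" \
        || { echo "FAIL: $name.crt does not chain to root.crt via intermediate.crt"; rc=1; }
    key_is_private "$dir/$name.key" \
        || { echo "FAIL: $name.key is accessible to group or others"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certificate, key and chain are consistent"
    return "$rc"
}

# Usage on the server: check_install /etc/ssl/mydomain mydomain
```

A key mismatch or a broken chain is the usual reason Apache or Nginx refuses to start, or browsers report an untrusted certificate, after a restart.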

Step 4: Test SSL Installation

It’s important to test that HTTPS and the new certificate are working properly.

Try these validation steps:

Validate HTTPS Redirect

  • Open your site URL in the browser
  • It should redirect from HTTP to HTTPS by default

For example:

http://www.mydomain.com -> https://www.mydomain.com

Verify Green Padlock Icon

  • Make sure you see the green padlock icon in the browser address bar
  • This indicates an active SSL certificate
  • Click the icon and inspect the certificate details

Use SSL Testing Tools

Additionally, use online tools like the SSL Server Test to test key parameters:

  • Proper certificate chain
  • Key exchange algorithm
  • Certificate validity
  • Cipher strength

Fix any issues found before launching your site.

Step 5: Make Additional SSL Configurations (Optional)

You can further optimize the security of your SSL implementation by making these additional configurations:

1. Redirect all HTTP traffic to HTTPS

By default, the site may still be accessible over plain HTTP. To enforce secure HTTPS connections only:

Apache

  • Open the HTTP site configuration file:
nano /etc/apache2/sites-available/000-default.conf
  • Add these lines:
<VirtualHost *:80>
   ServerName www.mydomain.com
   Redirect "/" "https://www.mydomain.com/"
</VirtualHost>

This will redirect all HTTP traffic to the HTTPS site.

Nginx

  • Open the HTTP server block in Nginx config:
nano /etc/nginx/sites-available/default
  • Add the redirect rule:
server {
   listen 80;
   listen [::]:80;
   server_name www.mydomain.com;
   return 301 https://$host$request_uri;
}

2. Enable HSTS

HTTP Strict Transport Security (HSTS) forces browsers to only interact with the site over HTTPS connections. This prevents SSL stripping attacks.

To enable it:

Apache

  • Add the Strict-Transport-Security header to the SSL virtual host configuration (this requires mod_headers to be enabled):
Header always set Strict-Transport-Security "max-age=31536000"

This will set the HSTS max-age to 1 year (31536000 seconds).

Nginx

  • In the SSL server block, add:
add_header Strict-Transport-Security "max-age=31536000";
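To confirm that the redirect and HSTS settings above are really in effect, check the response headers the server returns. The script below is an added example, not part of the original guide; its sample headers are constructed, and the default minimum max-age is the one-year value used above.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). The functions read response
# headers, as printed by `curl -sI`, and check the redirect and HSTS settings.

# Print the status code if the response redirects to an https:// URL.
https_redirect_status() {
    tr -d '\r' | awk '
        NR == 1 && $2 ~ /^30[1278]$/ { code = $2 }
        tolower($1) == "location:" && $2 ~ /^https:\/\// { https = 1 }
        END { if (!(code && https)) exit 1
              print code }'
}

# Print the max-age value of the Strict-Transport-Security header, if present.
hsts_max_age() {
    tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" {
            line = tolower($0)
            if (match(line, /max-age="?[0-9]+/)) {
                v = substr(line, RSTART, RLENGTH); gsub(/[^0-9]/, "", v)
                print v; found = 1; exit
            }
        }
        END { exit !found }'
}

# 0 if port 80 redirects to HTTPS and HTTPS sends HSTS with max-age >= MIN.
check_headers() {   # check_headers HTTP_HEADERS HTTPS_HEADERS [MIN_SECONDS]
    local code age min="${3:-31536000}"
    code=$(printf '%s\n' "$1" | https_redirect_status) \
        || { echo "FAIL: port 80 does not redirect to https://"; return 1; }
    age=$(printf '%s\n' "$2" | hsts_max_age) \
        || { echo "FAIL: no Strict-Transport-Security header over HTTPS"; return 1; }
    [ "$age" -ge "$min" ] || { echo "FAIL: HSTS max-age $age is below $min"; return 1; }
    echo "OK: redirect $code, HSTS max-age $age"
}

# Constructed sample headers (not captured from a real server).
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://www.mydomain.com/'
SAMPLE_HTTPS='HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000'

# Live use (needs network access):
# check_headers "$(curl -sI http://www.mydomain.com/)" "$(curl -sI https://www.mydomain.com/)"
```

With the Apache Redirect directive shown earlier, which has no status argument, the reported code is 302; the Nginx rule returns 301.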

3. Use Strong Ciphers Only

Make sure your server only allows strong ciphers by specifying them in the configuration.

For example in Apache:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

And in Nginx:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

4. Set Shorter Session Timeout

Reduce the SSL session timeout period to 1-2 minutes for improved security:

Apache

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  60

Nginx

ssl_session_timeout 1m;
ssl_session_cache shared:SSL:50m;

This will force new SSL handshakes after 1 minute idle time.

Conclusion: Installing an SSL Certificate on a Debian Server

Installing an SSL certificate on your Debian server is crucial for securing sensitive data transmission between the server and end users. By following the step-by-step process outlined in this guide, you can obtain a trusted SSL certificate, generate a private key and CSR, install the certificate files correctly on Apache or Nginx, and optimize your configuration for best security practices. Taking the time to set up HTTPS and SSL encryption will benefit your website by enabling secure connections, building user trust, and boosting your search engine ranking. So, start securing your Debian server today for a safer, faster and more trusted website.

FAQs

How do I choose the right SSL certificate for my Debian server?

When choosing an SSL certificate for your Debian server, you’ll need to decide on validation level (DV, OV, EV), number of domains/subdomains needed (single domain, wildcard, SAN certificate), and preferred certificate authority (Comodo, Digicert, etc). Evaluate your budget, security needs and website traffic to pick the ideal SSL certificate type.

What are the steps to renew my SSL certificate on a Debian server?

Renewing an SSL certificate on a Debian server involves generating a new certificate signing request (CSR), purchasing and downloading the renewed certificate from the CA, uploading the new certificate files to the server, installing the new certificate in the Apache/Nginx configuration, and restarting the web server to activate it. Most CAs will notify you when renewal is required.

How can I automate SSL certificate renewal on my Debian server?

You can use free tools like acme.sh or Certbot to automate SSL certificate renewal from the Let's Encrypt CA on your Debian server. These tools renew the certificates automatically and reconfigure your Apache/Nginx server when required, removing manual intervention.

What is an SSL certificate chain file and how do I install it?

The SSL certificate chain file (also called intermediate certificate) validates the link between your certificate and root CA certificate. It should be bundled by the CA upon purchase and installed alongside the domain certificate file for proper browser trust.

How do I find my existing SSL certificate details on a Debian server?

To find your current SSL certificate details on a Debian server, locate your Apache/Nginx configuration file and look for the certificate file path usually defined in SSLCertificateFile or ssl_certificate directive. Open this .crt file to see the certificate contents including validity dates, signature algorithm, public key and more.

What is the recommended key length and signature algorithm for an SSL certificate?

It is recommended to use a minimum 2048-bit key length and SHA-256 signature algorithm for your SSL certificates in 2022. This provides adequate encryption strength for secure transactions on your website based on industry standards.

How can I test that my SSL certificate installation on Debian is working correctly?

To test that your SSL certificate is installed properly on Debian, verify the padlock icon shows in the browser URL bar, use an SSL test tool to check for errors, confirm HTTPS redirect works, check certificate expiration date, and inspect that certificate details match what you purchased from the CA.