Configuring SSL for Apache on Debian or Ubuntu

Overview

Manually configuring SSL for Apache can be tricky for beginners or for those coming from shared hosting, where everything is handled from a control panel such as cPanel or Webmin. The following tutorial will guide you through the steps required for configuring SSL on a Debian-based operating system such as Ubuntu, Debian Mint, or good old vanilla Debian. The operating system used for this tutorial was Debian 6 Squeeze, and the SSL certificate was supplied by GoDaddy.com.


The first thing we should do is navigate to the directory on the filesystem that contains all of our secure certificates. If you’re using Debian or Ubuntu, this directory can typically be found at /etc/ssl/certs/. Before we go any further, we should elevate our permissions to root.

As root, navigate to /path/to/certs

Note: Default for Debian and Ubuntu is /etc/ssl/certs/

$ cd /path/to/certs

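To generate a private key (.key) and a certificate signing request (.csr) to be signed by your provider, use the following OpenSSL command. The -nodes option writes example.com.key without a passphrase so that Apache can start unattended, so keep that file readable by root only.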

$ openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

Below are explanations for the values that you should provide.

Question: Explanation

Country Code: For this question, we will want to supply the 2-letter ISO abbreviation for your country. If you’re in the United States, then your 2-letter ISO abbreviation will be US.

State or Province Name: This should be the full name of the state or province where your organization is located. Do not abbreviate the name; you must use the full name.

Locality Name (city): This will be the town or city where your organization is located. If your location is based in Mountain View, CA, then your locality name would be Mountain View.

Organization Name: This should be the legal name of your organization. If your organization is Example, LLC, then your CSR’s organization should be Example, LLC.

Organization Unit: This value should reflect the section of your organization, such as accounting, marketing, billing, Information Technology, etc.

Common Name: This would be the fully qualified domain name for your website. For example, if your website is https://www.example.com then your CSR’s common name should be www.example.com.

Email Address: An email address that can be used to contact your organization.

Note: You will be prompted to supply ‘extra’ attributes. In most cases it is advised to leave these fields blank; you can do so by pressing Enter at the prompt.

Once the files have been generated, we will need to print the contents of example.com.csr by using the cat command. This will display the encoded certificate request, preceded by -----BEGIN CERTIFICATE REQUEST----- and followed by -----END CERTIFICATE REQUEST-----. We will need to copy the contents of the file in its entirety, including those two lines, into your SSL provider’s web UI.

Once you submit the contents of your example.com.csr file, you will be able to download a package containing two files: Example.com.crt and provider_bundle.crt.

Note: If you’re using GoDaddy your “provider_bundle.crt” file may be called either “gd_bundle.crt” or “sf_bundle.crt.”

Download and unzip the signed certificate, and move the contents of the .zip file into /path/to/certs.

Once both files have been placed in the /path/to/certs directory, you must next modify your Apache virtual host to reflect the signed certificate.

If you are adding SSL encryption to a pre-existing site, odds are you already have the first virtual host entry; for this tutorial we will focus on the second entry, for port 443. Below is an example of how the virtual host file for your website should appear:

<VirtualHost *:80>
     ServerAdmin example@example.com
     ServerName www.example.com
     ServerAlias example.com
     DocumentRoot /path/to/example.com/public_html
     ErrorLog /path/to/example.com/logs/error.log
     CustomLog /path/to/example.com/logs/access.log combined
</VirtualHost>


<VirtualHost *:443>
     SSLEngine On
     # Signed certificate returned by the provider
     SSLCertificateFile /path/to/certs/Example.com.crt
     # Private key generated together with the CSR
     SSLCertificateKeyFile /path/to/certs/example.com.key
     # Provider's intermediate bundle (gd_bundle.crt or sf_bundle.crt)
     SSLCertificateChainFile /path/to/certs/sf_bundle.crt

     ServerAdmin example@example.com
     ServerName www.example.com
     DocumentRoot /path/to/example.com/public_html
     ErrorLog /path/to/example.com/logs/error.log
     CustomLog /path/to/example.com/logs/access.log combined
</VirtualHost>

Enable SSL Module

$ a2enmod ssl

Reload Apache to Update the Changes

$ /etc/init.d/apache2 reload
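Apache will not start with a certificate that does not belong to the configured key, so it is worth confirming that example.com.key, example.com.csr and the signed Example.com.crt all carry the same public key, and that the unencrypted key is not readable by other users. The script below is an added example, not part of the original tutorial; the function names (pubkey_hash, check_tls_files, make_samples) are hypothetical, and make_samples builds constructed test files using a self-signed certificate as a stand-in for the provider-signed one.

```shell
#!/bin/sh
# Added example, not from the tutorial: confirm that key, CSR and signed
# certificate all carry the same public key before pointing Apache at them.

# Print a SHA-256 fingerprint of the public key inside a key, CSR or cert.
pubkey_hash() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Usage: check_tls_files KEY CSR CERT; returns 0 only if every check passes.
check_tls_files() {
    k=$(pubkey_hash key "$1")  || { echo "unreadable key: $1"; return 1; }
    r=$(pubkey_hash csr "$2")  || { echo "unreadable CSR: $2"; return 1; }
    c=$(pubkey_hash cert "$3") || { echo "unreadable certificate: $3"; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not generated from this key"; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match this key"; return 1; }
    # The -nodes key is unencrypted: reject group- or world-readable files.
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \))" ]; then
        echo "private key is readable by group or others: chmod 600 $1"; return 1
    fi
    echo "OK: key, CSR and certificate match"
}

# Build constructed sample files in directory $1 (self-signed stand-in for the
# provider-signed certificate, plus an unrelated key to show a mismatch).
make_samples() {
    ( umask 077; cd "$1" || exit 1
      openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key \
          -out example.com.csr -subj "/C=US/O=Example, LLC/CN=www.example.com"
      openssl x509 -req -in example.com.csr -signkey example.com.key \
          -days 1 -out Example.com.crt
      openssl genrsa -out other.key 2048 ) >/dev/null 2>&1
}

# Run against real files when three paths are given on the command line.
if [ $# -eq 3 ]; then check_tls_files "$@"; fi
```

Run it as root from /path/to/certs with the key, CSR and certificate paths as arguments; a non-zero exit status means Apache should not be reloaded yet.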

About the author

Will works as a technical lead for Kanopi Studios and provides Drupal support for a wide range of amazing projects. He currently resides in South Carolina along with his wife, son and two dogs. When not working on tech projects, Will enjoys spending time with family and photographing the stars.