Apache SSL certificates: Learn how to secure your server in 5 minutes.

Deploying Apache SSL certificates is an important aspect of the secure and reliable part of development when you decide to go into production. Being a backend developer, adding SSL certification to your endpoints is the most basic thing that you can do to secure your production API endpoints. SSL adds end-to-end encryption to your data sent over HTTP and hence makes it secure HTTP, hence called “HTTPS”.

I have had difficulty figuring out how to deploy my SSL certificates onto my Apache server which is hosted on another web host. So after trying so hard and searching for a few references on the internet, I came to a solution and decided to put it into a blog post. Deploying the ApacheSSL certificates is not as hard as it sounds. The process of deploying certificates is a pretty simple two-way step.

Considering you already have a website say, http://mywebsite.com running on a web server that you have shell access to. And let’s assume that you want to secure this website endpoint via SSL by installing Apache SSL certificates and hence make the endpoint https://mywebsite.com. You will need to purchase the SSL certificate with the subscription. DigiCert and GoDaddy are the most famous providers that you can consider. I will use GoDaddy for this blog post because I already have an SSL purchased on GoDaddy and I can use that to demonstrate the steps.

Requesting the new Apache SSL certificate and Generating CSR

After purchasing the SSL, you need to request the certificate for the website domain, which is http://mywebsite.com in our case. In order to request the SSL certificate you will need a CSR request generated that contains the information related to your target domain and hence will be used as a key to generating the SSL certificate. There are two ways to generate the CSR request.

1. You can use the GoDaddy SSL wizard to request a new certificate. This wizard will also create the CSR request and a private key for your SSL.
2. You can use the standard SSL commands to generate the CSR requests on the server console. This is done by logging into the server terminal over SSH. This method is the preferred way because this will also save the key file on the server which you might need to copy to the server later if using the first method.

Generating the CSR and requesting the certificate

I will be using the second method to generate the CSR on the server:

1. Log into the server terminal.
2. Considering you are configuring the SSL for the Apache server. Let’s go into the Apache configuration directory by:

sudo bash
cd /etc/apache2/sites-available

3. Create a configuration file for your application.

touch mywebsite.conf
nano mywebsite.conf

4. Adding your VirtualHost configuration.

<VirtualHost *:80>
        ServerName www.mywebsite.com
        ServerAdmin webmaster@localhost        ProxyRequests Off
        ProxyPreserveHost On
        ProxyVia Full
        ProxyPass / http://localhost:8001/
        <Proxy *>
                Require all granted
        </Proxy>
        <Location /development>
                ProxyPass http://localhost:3000
                ProxyPassReverse http://127.0.0.1:3000
        </Location>
        <Location /admin>                
                ProxyPass /admin http://localhost:8002
                ProxyPassReverse /admin http://127.0.0.1:8002
        </Location>
        ErrorLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log
        CustomLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log combined
</VirtualHost>

Creating a symlink will allow handling the deployed and un-deployed applications by creating a link of sites-available into sites-enabled, hence allowing auto-deployment of sites-enabled whenever Apache is booted up.

Linking the config file with the deployed Apache configurations:

ln -s /etc/apache2/sites-available/mywebsite.conf /etc/apache2/sites-enabled/

Testing the configurations:

apachectl configtest

Now restart Apache to discover your website services:

apachectl restart

or

service restart apache2

5. Now in this directory, we will run the command to generate the CSR request and a private key that we will later use to configure Apache SSL certificates on the Apache server.

openssl req -new -newkey rsa:2048 -nodes -keyout mywebsite.key -out mywebsite.csr

You have to replace “mywebsite” with the domain of your website. Say, for “Facebook.key” and “facebook.csr”

This command will generate 2 files:

• A cryptographic private .key file. That will be needed in .conf the configuration file.
• And an .csr file that will be needed to generate the SSL certificate.

Request the certificate with existing CSR

There is an option on GoDaddy that allows you to request SSL certificates when you already have an existing CSR. That is one of the reasons we chose the second method to generate CSR because you might need to regenerate the SSL for another domain, in that case, the First method won’t work and you’ll have to follow step 2 for CSR.

1. On the certificate Setup page, input a CSR.
2. If you already own a certificate and doing the rekey process then select the SSL key and choose rekey and Manage option.

3. Input the generated CSR and click Save. After this process, you might need to perform the domain verification process (If not done already). This process. simply requires you to verify that you are the actual owner of the domain that you are requesting SSL. This is typically done by adding a verification id to the domain name record and providing the value generated by GoDaddy. Set the minimum TTL i.e. 600 seconds and wait until GoDaddy automatically verifies the domain. After the verification is done, GoDaddy will allow you to download the SSL certificates which as distributed as .zipfile.

4. On extracting the zip file, you will find 3 files:

• *.crt file provided by GoDaddy.
• *.bundle.crt file provided by GoDaddy.
• *.pem key file.

You will need both of the *.crt files in the configuration file and the .keyfile that you’ve got after generating the CSR request.

Renaming and Moving the Apache SSL certificate files to the server

After downloading, we move the .crt files to the server. I will use the scp command to copy files to the server over SSH.

renaming the files to:

• mywebsite.com.crt
• mywebiste.bundle.crt for *.bundle.crt file.

moving the files to the server folder:

sudo scp *.crt root@host:/etc/apache2/sites-available/

You will need the root permission in ssh to move files to /etc/apache2/sites-abailable/ directory. Replace host with your server host name and scp will also prompt for password in the next step.

This will copy the .crt files to the /etc/apache2/sites-available/directory on the server.

Apache SSL certificates configurations for the Apache config file

Finally, we will configure the Apache configuration file to enable the Apache SSL certificates in the Virtual host.

nano /etc/apache2/sites-available/mywebsite.conf

and now your configuration will look like this:

<VirtualHost *:80>
        ServerName www.mywebsite.com
        Redirect permanent / https://mywebsite.com
</VirtualHost>
<VirtualHost *:443>
        ServerName www.mywebsite.com
        ServerAdmin webmaster@localhostSSLEngine on
        SSLCertificateFile sites-available/mywebsite.com.crt
        SSLCertificateKeyFile sites-available/mywebsite.key
        SSLCertificateChainFile sites-available/mywebsite.bundle.crtProxyRequests Off
        ProxyPreserveHost On
        ProxyVia Full
        ProxyPass / http://localhost:8001/
        <Proxy *>
                Require all granted
        </Proxy>
        <Location /development>
                ProxyPass http://localhost:3000
                ProxyPassReverse http://127.0.0.1:3000
        </Location>
        <Location /admin>
                ProxyPass /admin http://localhost:8002
                ProxyPassReverse /admin http://127.0.0.1:8002
        </Location>        
        ErrorLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log
        CustomLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log combined
</VirtualHost>

Restart the server

Use the following command to restart the Apache server to bring Apache SSL certificates to action

apachectl restart

or

service restart apache2

Congrats, Your Apache SSL certificates setup is done.

You’ll see that now not even https://mywebsite.com will start working, also, visiting http://mywebsite.com will redirect you directly to https://mywebsite.com. Also, you’ll start seeing the fancy security lock on top of your web browser.

If you have any doubts, do let me know in the comments section. I would be happy to help you out. Also if you need help related to any other web server, say nginx, tomcat, etc. Let me know in the comments. I will help you out or create another post for that. Till then, Happy coding and happy security.

Other free alternative ways to install Apache SSL certificates

You can also request and install the free Apache SSL certificates on your Apache web server. There are 2 other ways that I will recommend that you can go ahead with:

1. LetsEncrypt: Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. They issue free certificates for people to enable SSL/TLS for websites. You can follow the steps to generate the certificates and follow the steps mentioned in this blog to configure the Apache SSL certificates setup guidelines shared in this post.
2. Cloudflare: You can use free Cloudflare-generated Edge certificates issued by Cloudflare if you are using Cloudflare for your DNS management. After generating and downloading the certificates, you can follow the steps shared in this blog to configure Apache SSL certificates.

References

1. https://linuxize.com/post/how-to-set-up-apache-virtual-hosts-on-ubuntu-18-04/
2. Apache Redirect to HTTPS — How to Redirect to HTTPS on Apache — Namecheap
3. https://serverfault.com/a/478048
4. For more similar articles, check out https://theserverfault.com