Deploying Apache SSL certificates is an important aspect of the secure and reliable part of development when you decide to go into production. Being a backend developer, adding SSL certification to your endpoints is the most basic thing that you can do to secure your production API endpoints. SSL adds end-to-end encryption to your data sent over HTTP and hence makes it secure HTTP, hence called “HTTPS”.
I have had difficulty figuring out how to deploy my SSL certificates onto my Apache server which is hosted on another web host. So after trying so hard and searching for a few references on the internet, I came to a solution and decided to put it into a blog post. Deploying the ApacheSSL certificates is not as hard as it sounds. The process of deploying certificates is a pretty simple two-way step.
Considering you already have a website say, http://mywebsite.com running on a web server that you have shell access to. And let’s assume that you want to secure this website endpoint via SSL by installing Apache SSL certificates and hence make the endpoint https://mywebsite.com. You will need to purchase the SSL certificate with the subscription. DigiCert and GoDaddy are the most famous providers that you can consider. I will use GoDaddy for this blog post because I already have an SSL purchased on GoDaddy and I can use that to demonstrate the steps.
Requesting the new Apache SSL certificate and Generating CSR
After purchasing the SSL, you need to request the certificate for the website domain, which is http://mywebsite.com in our case. In order to request the SSL certificate you will need a CSR request generated that contains the information related to your target domain and hence will be used as a key to generating the SSL certificate. There are two ways to generate the CSR request.
- You can use the GoDaddy SSL wizard to request a new certificate. This wizard will also create the CSR request and a private key for your SSL.
- You can use the standard SSL commands to generate the CSR requests on the server console. This is done by logging into the server terminal over SSH. This method is the preferred way because this will also save the key file on the server which you might need to copy to the server later if using the first method.
Generating the CSR and requesting the certificate
I will be using the second method to generate the CSR on the server:
- Log into the server terminal.
- Considering you are configuring the SSL for the Apache server. Let’s go into the Apache configuration directory by:
sudo bash
cd /etc/apache2/sites-available
3. Create a configuration file for your application.
touch mywebsite.conf
nano mywebsite.conf
4. Adding your VirtualHost configuration.
<VirtualHost *:80> ServerName www.mywebsite.com ServerAdmin webmaster@localhost ProxyRequests Off ProxyPreserveHost On ProxyVia Full ProxyPass / http://localhost:8001/ <Proxy *> Require all granted </Proxy> <Location /development> ProxyPass http://localhost:3000 ProxyPassReverse http://127.0.0.1:3000 </Location> <Location /admin> ProxyPass /admin http://localhost:8002 ProxyPassReverse /admin http://127.0.0.1:8002 </Location> ErrorLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log CustomLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log combined </VirtualHost>
Creating a symlink will allow handling the deployed and un-deployed applications by creating a link of sites-available into sites-enabled, hence allowing auto-deployment of sites-enabled whenever Apache is booted up.
Linking the config file with the deployed Apache configurations:
ln -s /etc/apache2/sites-available/mywebsite.conf /etc/apache2/sites-enabled/
Testing the configurations:
apachectl configtest
Now restart Apache to discover your website services:
apachectl restart
or
service restart apache2
5. Now in this directory, we will run the command to generate the CSR request and a private key that we will later use to configure Apache SSL certificates on the Apache server.
openssl req -new -newkey rsa:2048 -nodes -keyout mywebsite.key -out mywebsite.csr
You have to replace “mywebsite” with the domain of your website. Say, for “Facebook.key” and “facebook.csr”
This command will generate 2 files:
- A cryptographic private
.key
file. That will be needed in.conf
the configuration file. - And an
.csr
file that will be needed to generate the SSL certificate.
Request the certificate with existing CSR
There is an option on GoDaddy that allows you to request SSL certificates when you already have an existing CSR. That is one of the reasons we chose the second method to generate CSR because you might need to regenerate the SSL for another domain, in that case, the First method won’t work and you’ll have to follow step 2 for CSR.
- On the certificate Setup page, input a CSR.
- If you already own a certificate and doing the rekey process then select the SSL key and choose rekey and Manage option.
3. Input the generated CSR and click Save. After this process, you might need to perform the domain verification process (If not done already). This process. simply requires you to verify that you are the actual owner of the domain that you are requesting SSL. This is typically done by adding a verification id to the domain name record and providing the value generated by GoDaddy. Set the minimum TTL i.e. 600 seconds and wait until GoDaddy automatically verifies the domain. After the verification is done, GoDaddy will allow you to download the SSL certificates which as distributed as .zip
file.
4. On extracting the zip file, you will find 3 files:
*.crt
file provided by GoDaddy.*.bundle.crt
file provided by GoDaddy.*.pem
key file.
You will need both of the *.crt
files in the configuration file and the .key
file that you’ve got after generating the CSR request.
Renaming and Moving the Apache SSL certificate files to the server
After downloading, we move the .crt
files to the server. I will use the scp
command to copy files to the server over SSH.
renaming the files to:
mywebsite.com.crt
mywebiste.bundle.crt
for*.bundle.crt
file.
moving the files to the server folder:
sudo scp *.crt root@host:/etc/apache2/sites-available/
You will need the
root
permission in ssh to move files to /etc/apache2/sites-abailable/ directory. Replace host with your server host name andscp
will also prompt for password in the next step.
This will copy the .crt
files to the /etc/apache2/sites-available/directory on the server.
Apache SSL certificates configurations for the Apache config file
Finally, we will configure the Apache configuration file to enable the Apache SSL certificates in the Virtual host.
nano /etc/apache2/sites-available/mywebsite.conf
and now your configuration will look like this:
<VirtualHost *:80> ServerName www.mywebsite.com Redirect permanent / https://mywebsite.com </VirtualHost> <VirtualHost *:443> ServerName www.mywebsite.com ServerAdmin webmaster@localhostSSLEngine on SSLCertificateFile sites-available/mywebsite.com.crt SSLCertificateKeyFile sites-available/mywebsite.key SSLCertificateChainFile sites-available/mywebsite.bundle.crtProxyRequests Off ProxyPreserveHost On ProxyVia Full ProxyPass / http://localhost:8001/ <Proxy *> Require all granted </Proxy> <Location /development> ProxyPass http://localhost:3000 ProxyPassReverse http://127.0.0.1:3000 </Location> <Location /admin> ProxyPass /admin http://localhost:8002 ProxyPassReverse /admin http://127.0.0.1:8002 </Location> ErrorLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log CustomLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log combined </VirtualHost>
Restart the server
Use the following command to restart the Apache server to bring Apache SSL certificates to action
apachectl restart
or
service restart apache2
Congrats, Your Apache SSL certificates setup is done.
You’ll see that now not even https://mywebsite.com will start working, also, visiting http://mywebsite.com will redirect you directly to https://mywebsite.com. Also, you’ll start seeing the fancy security lock on top of your web browser.
If you have any doubts, do let me know in the comments section. I would be happy to help you out. Also if you need help related to any other web server, say nginx, tomcat, etc. Let me know in the comments. I will help you out or create another post for that. Till then, Happy coding and happy security.
Other free alternative ways to install Apache SSL certificates
You can also request and install the free Apache SSL certificates on your Apache web server. There are 2 other ways that I will recommend that you can go ahead with:
- LetsEncrypt: Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. They issue free certificates for people to enable SSL/TLS for websites. You can follow the steps to generate the certificates and follow the steps mentioned in this blog to configure the Apache SSL certificates setup guidelines shared in this post.
- Cloudflare: You can use free Cloudflare-generated Edge certificates issued by Cloudflare if you are using Cloudflare for your DNS management. After generating and downloading the certificates, you can follow the steps shared in this blog to configure Apache SSL certificates.
It’s just an SSL certificate, not an Apache SSL certificate. Article might confuse users that all steps are not applicable for them but e.g. generating CSR with openssl and requesting certificate from GoDaddy doesn’t matter what webserver they are using, if it’s Nginx, IIS, or whateverelse.
Agree. I will add the note that same process can be repeated for other web servers too.
SEO Optimizers Team
I offer mutually beneficial cooperation
Cool website. There is a suggestion
I really liked your site. Do you mind?
Here’s what I can offer for the near future
Content for your website
Web Development Wizards
Can provide a link mass to your website
Your site’s position in the search results
We offer cooperation on SEO optimization [Link deleted]