How to secure your Apache2 webserver with a free SSL certificate

Protecting your website with TLS (SSL) is generally a good idea, and it becomes a necessity as soon as you have an admin backend or an internal statistics tool installed, because otherwise the passwords for those travel over the network in the clear.

One way to do it is to sign your own SSL certificate (a self-signed certificate). This gives you encryption but unfortunately no assurance that the client is really talking to the right server, since anybody can produce such a certificate for your domain name. Additionally, all your visitors will see certificate warnings and have to click through them.

That's why a Certificate Authority (CA) that browsers already trust needs to sign your certificate. StartSSL does this for free.

In this article I show you how you can get an SSL certificate and how you configure your Apache 2 webserver to use it.

Prerequisites

In order to obtain a certificate you need a domain under your control, which means you need one of the following email addresses at that domain, and you need to be able to read mail sent to it.

You can install the certificate on any modern webserver. In this article, however, I describe how you install it with Apache2 and mod_ssl.

Obtaining the certificate

Register with StartSSL

Visit StartSSL.com and click on the Sign-Up button.

Fill in your personal details. Provide accurate information here; StartSSL will check your data.

After you have supplied your details, you will receive a verification code via email that you have to enter.

Now you will get a client certificate that you can use to authenticate to StartSSL in the future. It is installed in the browser you used for the sign-up, so back it up and keep it safe: it is your login.

Validate your domain name

Log into the Control Panel and click on the Validations Wizard tab.

Choose Domain Name Validation.

Enter the name of your domain.

Now you have to select one of the email addresses I mentioned. StartSSL uses this address to verify that you own the domain.

You will then receive a confirmation code via email that you have to enter into the next form.

Creating a Certificate Signing Request (CSR)

Now you have established that the domain belongs to you, and StartSSL is ready to sign a Certificate Signing Request for you. So let's create a CSR! The CSR contains your public key and the domain name; the private key never leaves your server.

Log into your webserver and do the following:

$ openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

Enter the name of your domain when you are asked for the Common Name, and leave the challenge password empty. Note that -nodes writes the private key to disk unencrypted, so the .key file must only be readable by root. Here is how the dialog looks:

$ openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

Generating a 2048 bit RSA private key  
................+++
...................+++
writing new private key to 'example.com.key'  
-----
You are about to be asked to enter information that will be incorporated  
into your certificate request.  
What you are about to enter is what is called a Distinguished Name or a DN.  
There are quite a few fields but you can leave some blank  
For some fields there will be a default value,  
If you enter '.', the field will be left blank.  
-----
Country Name (2 letter code) [AU]:DE  
State or Province Name (full name) [Some-State]:Bavaria  
Locality Name (eg, city) []:Munich  
Organization Name (eg, company) [Internet Widgits Pty Ltd]:  
Organizational Unit Name (eg, section) []:  
Common Name (eg, YOUR name) []:example.com  
Email Address []:robert@example.com

Please enter the following 'extra' attributes  
to be sent with your certificate request  
A challenge password []:  
An optional company name []:  

Now print the CSR and copy its content, including the BEGIN and END lines, into your clipboard:

cat example.com.csr
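The interactive dialog above is fine for a one-off, but it is easy to mistype the Common Name and only notice after the CA has signed it. The following script, an added example that is not part of the original article, generates the key and CSR without prompts, creates the key file with owner-only permissions from the start, requests the www subdomain as a Subject Alternative Name, and reads the request back so you can check it before pasting it into StartSSL's form. It assumes `openssl` is on the PATH; the DN values (DE, Bavaria, Munich) are the ones from the dialog above and can be changed in the config template.

```shell
#!/bin/sh
# Added example, not code from the original article. Creates the private key
# and CSR for a domain non-interactively and offers helpers to inspect them.
# Assumes the openssl command-line tool is installed.
set -e

# gen_csr DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key (readable only by the owner) and OUTDIR/DOMAIN.csr
# with a Subject Alternative Name for both DOMAIN and www.DOMAIN.
gen_csr() {
    domain=$1
    outdir=$2
    mkdir -p "$outdir"

    # umask 077 in a subshell: the key is created with mode 0600 from the start
    # instead of being world-readable until a later chmod.
    (
        umask 077
        openssl genrsa -out "$outdir/$domain.key" 2048 2>/dev/null
    )

    # A request config replaces the interactive prompts (prompt = no) and adds
    # the SAN extension; this also works on OpenSSL releases that lack -addext.
    cat > "$outdir/req.cnf" <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = san

[dn]
C = DE
ST = Bavaria
L = Munich
CN = $domain

[san]
subjectAltName = DNS:$domain, DNS:www.$domain
EOF

    openssl req -new -key "$outdir/$domain.key" \
        -config "$outdir/req.cnf" -out "$outdir/$domain.csr"
}

# csr_cn CSRFILE: print the Common Name from the request's subject.
# Handles both the "CN = x" (OpenSSL 1.1+) and "/CN=x" (1.0.x) output formats.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# csr_has_san CSRFILE NAME: succeed if NAME is among the requested DNS SANs.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_mode KEYFILE: print the permission string, e.g. "-rw-------".
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage: sh gen_csr.sh example.com ./out
if [ "$#" -eq 2 ]; then
    gen_csr "$1" "$2"
    echo "CN:  $(csr_cn "$2/$1.csr")"
    echo "key: $(key_mode "$2/$1.key") $2/$1.key"
    csr_has_san "$2/$1.csr" "www.$1" && echo "SAN: www.$1 present"
    # This PEM block is what goes into the CA's text field.
    cat "$2/$1.csr"
fi
```

Run it as `sh gen_csr.sh example.com ./out` and compare the printed CN and SAN with what you expect before you submit anything; a CSR with the wrong name costs you a round trip through the CA, a key with the wrong permissions costs you far more.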

Let StartSSL sign your CSR

Visit the "Certificates Wizard" tab, choose Webserver SSL/TLS Certificate and click on Continue.

Click on Skip, so that StartSSL does not generate a private key for you, and paste the contents of the .csr file you just created into the text field.

In the next step, add www as the subdomain (or another subdomain if you do not use www).

Now save your certificate. If your domain is example.com, save it as example.com.crt.

Configure Apache2 to use the certificate

Become root or execute the following commands with sudo.

First we have to enable mod_ssl:

a2enmod ssl

Create a directory for your certificates

mkdir /etc/apache2/ssl

Move the .crt and the .key file into the new directory (the glob below also moves the .csr, which is harmless). Make sure the private key stays owned by root with mode 600; a world-readable key lets any local user impersonate your site.

mv example.com.* /etc/apache2/ssl

We also need a ca.pem file. This file contains StartSSL's intermediate certificate followed by the root certificate, so that clients can build the chain from your certificate up to a root they trust. You can download a ready-made one; note that the link below is a third-party copy served over plain HTTP, so prefer the files from StartSSL's own site if you can, and in any case check that the chain actually validates your certificate before you rely on it.

curl -L http://www.rocu.de/x/5s > ca.pem
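Before wiring these three files into Apache, it is worth checking that they belong together: that the certificate really was issued for the key in example.com.key, and that ca.pem lets a client build a valid chain to the root. Both mistakes (pasting the wrong CSR, or downloading a chain for the wrong intermediate) produce confusing browser errors after the restart. The script below is an added example and not code from the original article; it assumes `openssl` is installed. To be runnable offline it builds a throwaway root, intermediate and leaf certificate itself (clearly labelled as constructed test material); on a real server you would point the two check functions at /etc/apache2/ssl/example.com.key, example.com.crt and ca.pem instead.

```shell
#!/bin/sh
# Added example, not code from the original article. Two pre-deployment
# checks for a key/certificate/chain triple, plus a constructed test PKI so
# the checks can be exercised without a real CA. Assumes openssl is installed.
set -e

# key_matches_cert KEYFILE CERTFILE
# A certificate is only usable with the key it was requested from. The RSA
# modulus is the public part of the key and appears in both files, so it
# must be identical.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_validates CAFILE CERTFILE
# Verifies CERTFILE against the certificates in CAFILE (the article's ca.pem:
# intermediate plus root). The exit code of "openssl verify" differs between
# releases, so the ": OK" line in its output is the reliable signal.
chain_validates() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# make_test_pki DIR
# Constructed test material: root -> intermediate -> example.com leaf, the
# ca.pem the article expects (intermediate followed by root), and an
# unrelated key to demonstrate the mismatch case. Valid for one day only.
make_test_pki() {
    d=$1
    mkdir -p "$d"
    cat > "$d/ca.cnf" <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = ca_ext

[dn]
CN = Test Root (constructed)

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Self-signed root with CA extensions.
    openssl genrsa -out "$d/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/root.key" -config "$d/ca.cnf" \
        -days 1 -out "$d/root.pem"
    # Intermediate: a CSR signed by the root, with the same CA extensions.
    openssl genrsa -out "$d/inter.key" 2048 2>/dev/null
    openssl req -new -key "$d/inter.key" -config "$d/ca.cnf" \
        -subj "/CN=Test Intermediate (constructed)" -out "$d/inter.csr"
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -sha256 -days 1 -extfile "$d/ca.cnf" -extensions ca_ext \
        -out "$d/inter.pem" 2>/dev/null
    # Leaf certificate for example.com, signed by the intermediate.
    openssl genrsa -out "$d/example.com.key" 2048 2>/dev/null
    openssl req -new -key "$d/example.com.key" -config "$d/ca.cnf" \
        -subj "/CN=example.com" -out "$d/example.com.csr"
    openssl x509 -req -in "$d/example.com.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -sha256 -days 1 -out "$d/example.com.crt" 2>/dev/null
    # The chain file in the layout the article uses.
    cat "$d/inter.pem" "$d/root.pem" > "$d/ca.pem"
    # A key that has nothing to do with the certificate.
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Usage: sh check_tls_files.sh KEY CRT CA.PEM
if [ "$#" -eq 3 ]; then
    key_matches_cert "$1" "$2" && echo "key and certificate match" || echo "KEY MISMATCH"
    chain_validates "$3" "$2" && echo "chain validates" || echo "CHAIN DOES NOT VALIDATE"
fi
```

On the real server run `sh check_tls_files.sh /etc/apache2/ssl/example.com.key /etc/apache2/ssl/example.com.crt /etc/apache2/ssl/ca.pem`. Keep in mind that `-CAfile ca.pem` trusts whatever is in ca.pem, so it proves the chain is complete and consistent, not that the root is one your visitors' browsers trust; for that, verify against the system trust store with `openssl verify -untrusted ca.pem example.com.crt` instead.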

Now configure a virtual host for SSL. (On Debian-based systems the file normally lives in sites-available and is enabled with a2ensite; here it is written directly to sites-enabled.)

vim /etc/apache2/sites-enabled/example.com.ssl
<VirtualHost *:443>  
DocumentRoot /var/www/vhosts/example.com/  
ServerName example.com  
ServerAlias www.example.com

SSLEngine on  
SSLCertificateFile /etc/apache2/ssl/example.com.crt  
SSLCertificateKeyFile /etc/apache2/ssl/example.com.key  
SSLCertificateChainFile /etc/apache2/ssl/ca.pem  
</VirtualHost>  

Test your Apache config before restarting

apachectl configtest

Now restart your webserver

sudo /etc/init.d/apache2 restart

Your website can now be viewed over SSL.
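The virtual host above is the minimum that works. The version below is an added example, not the article's own configuration: it keeps the same file paths and adds the plain-HTTP redirect and the Strict Transport Security header that the final words of this article recommend, and it turns off the SSL protocol versions no client should still be using. It assumes mod_ssl is enabled as above and additionally mod_headers (a2enmod headers) for the HSTS header; the port-80 redirect uses mod_alias, which Apache ships enabled.

```apache
# Added example, not the article's own configuration. Replaces
# /etc/apache2/sites-enabled/example.com.ssl and assumes the same file paths
# plus mod_headers (a2enmod headers).

# Port 80 serves nothing itself; every request is sent to the HTTPS site.
# This also folds www.example.com into example.com.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/vhosts/example.com/

    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/example.com.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/example.com.key
    SSLCertificateChainFile /etc/apache2/ssl/ca.pem

    # Refuse the broken SSL versions and prefer the server's cipher order.
    # -SSLv2 is accepted silently on builds that no longer know SSLv2.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    # HSTS: a browser that has seen this header will only use HTTPS for this
    # host for the next year (31536000 s), even if a link or an attacker on
    # the network says http://.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Run apachectl configtest again after changing the file. Two caveats: HSTS is remembered by browsers for the whole max-age, so if something is still broken over HTTPS your visitors cannot fall back to HTTP; test with a small max-age such as 300 first and raise it once everything works. And add includeSubDomains to the header only if every subdomain of example.com is reachable over HTTPS.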

Final words

The process at StartSSL is counter-intuitive. I hope you were able to follow this tutorial and that your website is SSL secured now.

Depending on your use case, there are more steps that you have to take. For example, you should load all assets (scripts, stylesheets, images) over HTTPS, or your users will get mixed-content warnings and a script loaded over HTTP can undo the protection entirely.

Another good idea is to redirect your visitors to HTTPS and to enable HTTP Strict Transport Security (HSTS).

If you have users other than yourself on the website, you should also follow SSL best practices. Here is a tool that you can use to find out what you can improve.

I leave all this as an exercise for the reader. Please leave me a comment if you have any questions or corrections.