A Simple Guide to Obtain and Install an SSL Certificate

More and more companies use SSL certificates (small data files that digitally bind a cryptographic key to an organization's details) to protect their customers' sensitive data, such as usernames, passwords and credit card numbers, while it is transmitted over the internet.

A large number of companies (Certificate Authorities) provide SSL certificates, and there is a wide variety of certificate types, so it is often difficult for the average user to choose the right one.

Basically there are three “levels” of SSL certificates:

  1. Domain Validation (DV) – the most common
  2. Organization Validation (OV) – also offers company validation
  3. Extended Validation (EV) – also offers company validation, and a green bar is displayed in the browser.

All “levels” offer the same encryption. Level 1 certificates are relatively cheap (5-50 dollars per year), while the others are much more expensive. Level 1 certificates are usually issued in 10-15 minutes, while level 2 and 3 certificates require paperwork and take 2-3 days to be issued. On the other hand, they offer greater prestige to the online presence of a company.

As a general rule, a dedicated IP is required for an SSL certificate to operate with a domain (site.com + www.site.com). There are also SSL certificates that cover many domains or subdomains (more expensive, of course). It is also possible to set up multiple SSL certificates on a single IP with multiple Apache virtual hosts (see the end of the article), but there are some security issues with this method.

Personally, I usually use certificates of level 1. I often use SSLs, because it offers the full range of SSL certificates from various Certificate Authorities, has cheap prices, offers detailed comparisons between SSL certificates and has very good documentation and support.

In the following post I describe the process of obtaining and installing a Comodo PositiveSSL certificate on a Debian server for the domain “site.com” with:

  • Apache web server ver. 2.4.10 (over port 443)
  • openssl – the open source cryptography and SSL/TLS toolkit (should be installed by default)

Additionally, you will find information about:

  • SSL Certificate Renewal
  • Moving an SSL certificate from one server to another

There are small differences in this procedure for other operating systems and web servers. You will usually find detailed documentation on the site where you purchased the SSL certificate.

1. Purchase SSL certificate

Just choose the SSL certificate and pay for it. At this point, your SSL certificate is not yet associated with your domain; it is a “blank certificate”.

2. Create CSR (Certificate Signing Request)

If you would like to obtain an SSL certificate from a Certificate Authority (CA), you must generate a Certificate Signing Request (CSR).

By creating the CSR you associate your domain, company, etc. with the certificate you have just purchased.

As root, use openssl as follows (-nodes leaves the private key unencrypted, so Apache can start without a passphrase prompt; this is why the key file must be protected carefully):

openssl req -new -newkey rsa:2048 -nodes -keyout site.com.key -out site.com.csr

After completing this procedure, two files are created:

  • your private key (site.com.key) – ATTENTION: keep it always secret.

    It starts with

    -----BEGIN PRIVATE KEY-----

    and ends with

    -----END PRIVATE KEY-----

  • the CSR file (site.com.csr) – you have to submit this to your Certificate Authority in order to have your SSL certificate issued.

    It starts with

    -----BEGIN CERTIFICATE REQUEST-----

    and ends with

    -----END CERTIFICATE REQUEST-----

3. Activate SSL certificate

Every Certificate Authority has a special form on its website where you submit the CSR file you have just created.

In case of SSLs, they ask you to upload a file on your web server to validate your domain and activate your certificate.

NOTE: Once the certificate has been issued and installed on your server, you can remove this file.

After 5-10 minutes you will receive an email with your new certificate. Congratulations! See the next step for installation.

4. Install SSL certificate

There are two scenarios:

  • you received a zip file with 4 files
  • you received a zip file with 2 files

4.1.a you received a zip file with 4 files

The files you received look like this:

  1. site_com.crt – the main SSL certificate

There are three more files (intermediate and root certificates):

  1. COMODORSADomainValidationSecureServerCA.crt
  2. COMODORSAAddTrustCA.crt
  3. AddTrustExternalCARoot.crt

They all start with

-----BEGIN CERTIFICATE-----

and end with

-----END CERTIFICATE-----

4.1.b you received a zip file with 2 files

The first file is

  1. site_com.crt – the main SSL certificate

and the second file is

  1. site_com.ca-bundle – a bundle of the intermediate certificates. No root certificate is included; the root is already present in the certificate store of modern, up-to-date operating systems.

4.2 Store Certificate files

Store the certificate files in /etc (or any other path). As root:

mkdir /etc/ssl-certs
mkdir /etc/ssl-certs/site.com

Create the file site.com.crt by concatenating the main certificate file with the intermediate and root certificates, in that order:

cat site_com.crt \
        COMODORSADomainValidationSecureServerCA.crt \
        COMODORSAAddTrustCA.crt \
        AddTrustExternalCARoot.crt > /etc/ssl-certs/site.com/site.com.crt

Move the file site.com.key:

mv /root/site.com.key /etc/ssl-certs/site.com/site.com.key

In case you received a zip file with 2 files, copy site_com.crt to /etc/ssl-certs/site.com/site.com.crt and site_com.ca-bundle to /etc/ssl-certs/site.com/site.com.ca-bundle (the paths used in the Apache configuration of step 4.4).

And of course move the private key file here too (as in the first scenario):

mv /root/site.com.key /etc/ssl-certs/site.com/site.com.key

4.3 Enable SSL Apache module

Use:

a2enmod ssl

4.4 Modify Apache configuration

I assume that the www.site.com configuration file is /etc/apache2/sites-available/www.site.com.conf:

cd /etc/apache2/sites-available/
nano www.site.com.conf

The first VirtualHost handles port 443 and the second the classic port 80. It is recommended to redirect all requests on port 80 to 443. So, modify the file as follows:

<VirtualHost YOUR_IP_HERE:443>
        ServerName  www.site.com
        ServerAdmin YOUR_EMAIL_HERE

        DocumentRoot /var/www/site.com

        <Directory /var/www/site.com>
                Options -Indexes +FollowSymLinks +MultiViews
                AllowOverride All
                Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/site.com_error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/site.com_access.log combined

        SSLEngine on
        SSLCertificateFile /etc/ssl-certs/site.com/site.com.crt
        SSLCertificateKeyFile /etc/ssl-certs/site.com/site.com.key

</VirtualHost>

<VirtualHost YOUR_IP_HERE:80>
        ServerName  www.site.com
        Redirect permanent / https://www.site.com/
</VirtualHost>

You probably also need another configuration file to redirect site.com requests to www.site.com:

nano /etc/apache2/sites-available/site.com.conf

and use:

<VirtualHost YOUR_IP_HERE:443>
        ServerName site.com

        SSLEngine on
        SSLCertificateFile /etc/ssl-certs/site.com/site.com.crt
        SSLCertificateKeyFile /etc/ssl-certs/site.com/site.com.key

        Redirect / https://www.site.com/
</VirtualHost>

<VirtualHost YOUR_IP_HERE:80>
        ServerName site.com
        Redirect / https://www.site.com/
</VirtualHost>

Restart Apache:

systemctl restart apache2.service

In case you received a zip file with 2 files, use this syntax instead:

        SSLEngine on
        SSLCertificateFile /etc/ssl-certs/site.com/site.com.crt
        SSLCertificateKeyFile /etc/ssl-certs/site.com/site.com.key
        SSLCACertificateFile /etc/ssl-certs/site.com/site.com.ca-bundle

4.5 Apache versions less than 2.4.8

You have to use the syntax:

        SSLEngine on
        SSLCertificateFile /etc/ssl-certs/site.com/site.com.crt
        SSLCertificateKeyFile /etc/ssl-certs/site.com/site.com.key
        SSLCertificateChainFile /etc/ssl-certs/site.com/site.com.ca-bundle

where ca-bundle contains the intermediate and (probably) root certificates. Of course, in this case, site.com.crt contains only the main certificate file site_com.crt.

REMARK: SSLCertificateChainFile is deprecated since Apache 2.4.8. As you can see above, SSLCACertificateFile is used instead.

5. Validate SSL certificate

Check your certificate with one of the free online SSL checking tools.
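Before relying on an online checker, the same validation can be done locally with openssl. The script below is an added example, not part of the original post: it checks that the private key from step 2 matches the certificate (and a renewal CSR), that the concatenated file from step 4.2 chains up to a trusted root, that the certificate covers the host names Apache serves, and that it is not about to expire. A throwaway root/intermediate/leaf chain is constructed inside the script so it runs offline; on a real server point the checks at /etc/ssl-certs/site.com/... and use -CApath /etc/ssl/certs instead of the demo root.crt.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for the
# files built in steps 2 and 4.2 and for a renewal CSR, to run before
# restarting Apache. The CA hierarchy below is constructed for the demo.
set -e
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Constructed demo root + intermediate, standing in for the CA's files of step 4.1.a.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:site.com,DNS:www.site.com\n' > leaf.ext
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Demo Root' \
    -keyout root.key -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
    -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out int.crt 2>/dev/null
# Step 2 of the post, made non-interactive with -subj.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.site.com' \
    -keyout site.com.key -out site.com.csr 2>/dev/null
openssl x509 -req -in site.com.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out site_com.crt 2>/dev/null
cat site_com.crt int.crt > site.com.crt    # the concatenation of step 4.2

# Do the private key and the certificate (or CSR) carry the same public key?
cert_matches_key() { [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]; }
csr_matches_key()  { [ "$(openssl req -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]; }
# Does the leaf ($1) chain to a trusted root ($3) through the bundled intermediates ($2)?
chain_verifies() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; }
# Does the certificate (first cert in $1) cover the host name Apache will serve?
cert_covers_host() { openssl x509 -noout -checkhost "$2" -in "$1" | grep -q ' does match '; }
# Is the certificate still valid for at least $2 more seconds?
cert_not_expiring_within() { openssl x509 -noout -checkend "$2" -in "$1" >/dev/null; }

for check in "cert_matches_key site.com.crt site.com.key" \
             "csr_matches_key site.com.csr site.com.key" \
             "chain_verifies site_com.crt site.com.crt root.crt" \
             "cert_covers_host site.com.crt www.site.com" \
             "cert_not_expiring_within site.com.crt 2592000"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
```

A FAIL on the key check is the classic cause of Apache refusing to start after installation (wrong key copied); a FAIL on the chain check means an intermediate is missing from site.com.crt, which browsers with a cold cache will report even if the online checker's machine has it cached.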

Is it possible to set up multiple SSL certificates on a single IP with multiple Apache virtual hosts?

Yes, it is. Since Apache 2.2.12 and OpenSSL 0.9.8j, the TLS extension Server Name Indication (SNI) is supported, which lets the client tell the server which host name it wants before the certificate is sent.

Note that only relatively recent browsers support SNI; most current major desktop and mobile browsers do.

You can use the virtual host configuration described above. No changes are needed.

Is it safe to use SNI in production?

Note that it is NOT recommended for e-commerce sites (or wherever security is critical). A dedicated IP is the most secure way to implement SSL.

Use your SSL certificate with Webmin

If you use Webmin, the browser complains about the Webmin certificate when in SSL mode. So, it is a good idea to use your SSL certificate with Webmin as well.

This happens because the default SSL certificate that is generated by Webmin is not issued by a recognized certificate authority. From a security point of view, this makes the certificate less secure because an attacker could theoretically redirect traffic from your server to another machine without you knowing, which is normally impossible if using a proper SSL certificate. Network traffic is still encrypted though, so you are safe against attackers who are just listening in on your network connection. If you want to be really sure that the Webmin server you are connecting to is really your own, the only solution is to order a certificate from an authority like Verisign that is associated with your server’s hostname and will be recognized by web browsers. This certificate should be placed in the file /etc/webmin/miniserv.pem and be in the same certificate+key format as the existing miniserv.pem file.

Back up /etc/webmin/miniserv.pem and then recreate it by concatenating the main certificate file and your private key:

cat site_com.crt site.com.key > /etc/webmin/miniserv.pem

Then restart Webmin:

systemctl restart webmin.service

Summary (obtain a new SSL certificate)

Here are the steps:

  1. Purchase SSL certificate
  2. Create CSR (Certificate Signing Request)
  3. Activate SSL certificate (by submitting CSR to your Certificate authority)
  4. Install SSL certificate on your server
  5. Validate SSL certificate

Renew SSL Certificate

When the SSL certificate expires (after 1 year or more) you have the option to renew it using the existing private key (site.com.key). The process is similar to the one described above, with some differences in STEP 2:

  1. Purchase SSL certificate renewal
  2. Create CSR (Certificate Signing Request) based on your existing private key:

    First copy your existing private key (site.com.key) to another location (e.g. /root):

    cd /root
    cp -p /etc/ssl-certs/site.com/site.com.key .
    

    Use openssl as root. This command creates a new CSR (site.com.csr) from the existing private key (site.com.key):

    openssl req -key site.com.key -new -out site.com.csr
    

    After creating the new CSR (in this example /root/site.com.csr), submit it to your Certificate Authority and follow steps 3, 4 and 5 as described above:

  3. no differences
  4. no differences
  5. no differences

Moving an SSL certificate from one server to another

For an Apache/OpenSSL based server, the only thing you have to do is copy the files (certificate, chain and private key) to the appropriate location on the new machine. That’s all!

Do not forget to validate your SSL certificate in the new server (see STEP 5).

Utility commands

View CSR Entries

This command lets you view and verify the contents of a CSR (site.com.csr) in plain text (-verify also checks the CSR’s self-signature). Use openssl as root:

openssl req -text -noout -verify -in site.com.csr

View SSL Certificate Entries

This command lets you view the contents of a certificate (site.com.crt) in plain text. Use openssl as root:

openssl x509 -text -noout -in site.com.crt