Check this Out!Visit our social network pages for recent updates!

Lesson 46: Installing SSL/TLS Certificates on Ubuntu

Students lesson 46 assignment: How do you install SSL/TLS certificates on Ubuntu servers?

Few days ago we showed students how to generate Certificate Signing Request (CSR) for on Ubuntu systems. Anyone who want to protect their website or blog with SSL/TLS, generating CSR is the first step in that process.

In that post, we wrote that after generating a CSR for your domain, the next step was to send it to a certificate authority to generate a trusted certificate based on information embedded in CSR.

To read that tutorial, please follow the link below.

Lesson 38: Generate Certificate Signing Request (CSR) for Apache2

So, after pasting the CSR into the CA’s certificate creation wizard and completing the process, you should receive your certificate in few minutes or hours.

The zipped folder from your CA may contain your server certificate, the CA’s Chain (Intermediate) and Root certificates.

Installing Apache2 Certificate

After you’ve received the folder, extract it and copy the certs to a secure location on the server. Next, go and edit Apache2 SSL config file and add the certificate details.

In Ubuntu, run the commands below to open the default SSL file.

sudo nano /etc/apache2/sites-available/default-ssl.conf

Then make the highlighted change below

<IfModule mod_ssl.c>
          <VirtualHost _default_:443>        
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
                # error, crit, alert, emerg.
                # It is also possible to configure the loglevel for particular
                # modules, e.g.
                #LogLevel info ssl:warn

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                # For most configuration files from conf-available/, which are
                # enabled or disabled at a global level, it is possible to
                # include a line for only one particular virtual host. For example the
                # following line enables the CGI configuration for this host only
                # after it has been globally disabled with "a2disconf".
                #Include conf-available/serve-cgi-bin.conf

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on

                #   A self-signed (snakeoil) certificate can be created by installing
                #   the ssl-cert package. See
                #   /usr/share/doc/apache2/README.Debian.gz for more info.
                #   If both key and certificate are stored in the same file, only the
                #   SSLCertificateFile directive is needed.
                SSLCertificateFile      /etc/certs/ssl/your_domain_name.crt
                SSLCertificateKeyFile /etc/certs/ssl/your_private.key

                #   Server Certificate Chain:
                #   Point SSLCertificateChainFile at a file containing the
                #   concatenation of PEM encoded CA certificates which form the
                #   certificate chain for the server certificate. Alternatively
                #   the referenced file can be the same as SSLCertificateFile
                #   when the CA certificates are directly appended to the server
                #   certificate for convinience.
                SSLCertificateChainFile /etc/certs/ssl/CAChain.crt

                #   Certificate Authority (CA):
                #   Set the CA certificate verification path where to find CA
                #   certificates for client authentication or alternatively one



Make the highlighted change above and save the file. In Some cases, you may not need to add the CA Chain or Intermediate certificate.

Adjust the file name and path to match your certificate files

  • SSLCertificateFile should be your CA issued certificate file (eg. your_domain_name.crt).
  • SSLCertificateKeyFile should be the server key file generated when you created the CSR.
  • SSLCertificateChainFile should be the CA issued intermediate certificate file (your_CA.crt)

After installing the certificates, run the commands below to active Apache2 SSL virtualhost.

sudo a2ensite default-ssl.conf

Finally, run the command below to restart Apache2

sudo systemctl restart apache2

That’s it! To test your configuration, browse to the server IP or hostname via port 443 or HTTPS and you should see a valid certificate installed.

That’s it!

Enjoy and please come back soon.

You may also like the post below:

Lesson 39:Configure HTTP Strict Transport Security (HSTS) on Apache2

Leave a Reply