HTTPS Certificate Purchased from SSLs.com (Should work on other Cert Providers)
Installation on Ubuntu 14.04 / 16.04 + Apache 2.4
With Apache settings to harden SSL settings for better security.
Too lazy to research and type every time so put it here for my own copy-and-paste.
1. Generate CSR and Private Key
openssl req -new -newkey rsa:2048 -nodes -keyout domain.com.key -out domain.com.csr -subj '/CN=domain.com/O=Tiger-Workshop Limited/C=HK'
2. Paste content of .csr to your Cert Provider and finish all validations they need.
cat domain.com.csr
3. Install Apache2 Certificates
mkdir /etc/apache2/ssl/
cp domain.com.* /etc/apache2/ssl
chmod 0600 /etc/apache2/ssl/*.key
a2enmod ssl
a2ensite default-ssl.conf
4. Extract *.crt, *.ca-bundle downloaded from your Cert Provider to /etc/apache2/ssl/
5. Install Certificates
Edit /etc/apache2/sites-available/default-ssl.conf, update the following lines
ServerName domain.com
SSLCertificateFile /etc/apache2/ssl/domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain.com.key
SSLCertificateChainFile /etc/apache2/ssl/domain.ca-bundle
6. Improve SSL Settings:
a2enmod headers
Edit /etc/apache2/mods-available/ssl.conf, update the following lines
# Disable RC4 + Enable Forward secrecy
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
# Prevent Poodle Attack
SSLProtocol all -SSLv3 -SSLv2
Edit /etc/apache2/sites-available/default-ssl.conf and add line:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Restart Apache
service apache2 restart
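The step 6 edits can be checked with a small audit script before the restart above. This is an added example, not part of the original post: the function names are made up here, and it assumes mod_ssl's SSLProtocol token rules (a bare token replaces the set, +/- adjust it, "all" includes SSLv3).

```shell
#!/bin/sh
# Added example, not from the original post: audit the step 6 settings.

# Print the last uncommented value of directive $1 in file $2.
directive() {
    awk -v d="$1" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 }
        END { print v }' "$2"
}

# Exit 0 if SSLProtocol value $1 leaves SSLv3 enabled. Assumed mod_ssl rules:
# a bare token replaces the set, +/- adjust it, and "all" includes SSLv3.
sslv3_enabled() {
    printf '%s\n' "$1" | awk '{ on = 0
        for (i = 1; i <= NF; i++) {
            t = tolower($i); n = t; sub(/^[+-]/, "", n)
            hit = (n == "all" || n == "sslv3")
            on = (t == n) ? hit : (hit ? (substr(t, 1, 1) == "+") : on)
        }
        exit !on }'
}

# Exit 0 if cipher string $1 names RC4 in a token that is not an exclusion.
rc4_offered() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -i 'RC4' | grep -qv '^[!-]'
}

# Print the max-age of the last uncommented HSTS Header line in file $1.
hsts_max_age() {
    grep -i '^[[:space:]]*Header.*Strict-Transport-Security' "$1" |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# audit [SSL_CONF [VHOST_CONF]]: print each failed check; return 1 if any fail.
audit() {
    ssl_conf=${1:-/etc/apache2/mods-available/ssl.conf}
    vhost=${2:-/etc/apache2/sites-available/default-ssl.conf}
    rc=0
    proto=$(directive SSLProtocol "$ssl_conf")
    if [ -z "$proto" ] || sslv3_enabled "$proto"; then
        echo "FAIL SSLProtocol unset or leaves SSLv3 enabled: '$proto'"; rc=1
    fi
    order=$(directive SSLHonorCipherOrder "$ssl_conf" | tr 'A-Z' 'a-z')
    [ "$order" = on ] || { echo "FAIL SSLHonorCipherOrder is not on"; rc=1; }
    ciphers=$(directive SSLCipherSuite "$ssl_conf")
    if [ -z "$ciphers" ] || rc4_offered "$ciphers"; then
        echo "FAIL SSLCipherSuite unset or names RC4"; rc=1
    fi
    age=$(hsts_max_age "$vhost")
    [ "${age:-0}" -gt 0 ] || { echo "FAIL no HSTS header with max-age > 0"; rc=1; }
    return $rc
}
```

Source the file and run `audit` with no arguments to check the two files edited in step 6. It only inspects the directives named on this page, so `apache2ctl configtest` still has to pass separately.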
7. Test SSL
You should be able to obtain an A+ grade with the above setup
https://www.ssllabs.com/ssltest/index.html
https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm