Apache HTTPS Certificate Purchase and Installation

HTTPS Certificate Purchased from SSLs.com (Should work on other Cert Providers)
Installation on Ubuntu 14.04 / 16.04 + Apache 2.4
Includes Apache settings that harden the TLS configuration.

Too lazy to research and type this out every time, so I put it here for my own copy-and-paste.

1. Generate CSR and Private Key

openssl req -new -newkey rsa:2048 -nodes -keyout domain.com.key -out domain.com.csr -subj '/CN=domain.com/O=Tiger-Workshop Limited/C=HK'

2. Paste the contents of the .csr into your cert provider's order form and complete whatever validation they require. Only the CSR leaves the server; the private key stays where it was generated.

cat domain.com.csr

3. Prepare the Apache SSL directory and enable mod_ssl

The key was written unencrypted (-nodes in step 1) so Apache can start unattended, so make sure only root can read it.

mkdir -p /etc/apache2/ssl/
cp domain.com.* /etc/apache2/ssl
chmod 0600 /etc/apache2/ssl/*.key

a2enmod ssl
a2ensite default-ssl.conf

4. Extract the *.crt and *.ca-bundle files downloaded from your cert provider into /etc/apache2/ssl/, keeping the names consistent with the key (domain.com.crt, domain.com.ca-bundle).

5. Install Certificates

Edit /etc/apache2/sites-available/default-ssl.conf and update the following lines inside the <VirtualHost _default_:443> block:

ServerName domain.com

SSLCertificateFile    /etc/apache2/ssl/domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain.com.key

SSLCertificateChainFile /etc/apache2/ssl/domain.com.ca-bundle

SSLCertificateChainFile is how the intermediates are supplied on Ubuntu 14.04 (Apache 2.4.7). From Apache 2.4.8 onward (Ubuntu 16.04 ships 2.4.18) the directive is deprecated in favour of appending the bundle to the .crt file and pointing SSLCertificateFile at the combined file; the deprecated directive still works there, so either form is fine on 16.04.
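Before restarting Apache it is worth confirming that the files in /etc/apache2/ssl actually belong together: a key that does not match the certificate, or a bundle with the wrong intermediates, only shows up as a failed handshake after the restart. The script below is an added example (not part of the original post) and needs the openssl CLI. It assumes the file names from steps 1-5 (domain.com.key, domain.com.crt and domain.com.ca-bundle under /etc/apache2/ssl, overridable as arguments), regenerates the step 1 key and CSR under a restrictive umask, and then checks that the key is owner-only, that key and certificate carry the same public key, and that the certificate chains through the bundle to a trusted root.

```shell
#!/bin/sh
# Added example, not from the original post. Preflight checks for the
# key/cert/bundle laid out in steps 1-5. Requires the openssl CLI.
# Directory and file names are assumptions that mirror the post's defaults.

# Step 1 again, but with umask 077 so the key is never world-readable,
# and -sha256 so old OpenSSL builds do not emit a SHA-1 signed CSR.
make_key_and_csr() {                     # make_key_and_csr DOMAIN SUBJECT OUTDIR
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$3/$1.key" -out "$3/$1.csr" -subj "$2" >/dev/null 2>&1 )
}

# 0 if the file is readable by its owner only (0600 or 0400), else 1.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = '------' ]   # group and other bits all off
}

# 0 if the private key and the certificate carry the same public key.
# Compares a digest of the DER public key, so it works for RSA and EC keys.
key_matches_cert() {                     # key_matches_cert KEY CRT
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$2" -noout 2>/dev/null || return 1
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# 0 if CRT chains through BUNDLE (the intermediates) to a trusted root.
# Roots come from the system store; the optional ROOT file is for checking
# against a private CA, as the test setup does.
chain_ok() {                             # chain_ok CRT BUNDLE [ROOT]
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

main() {
    dir=${1:-/etc/apache2/ssl}; dom=${2:-domain.com}
    key=$dir/$dom.key; crt=$dir/$dom.crt; bundle=$dir/$dom.ca-bundle
    if [ ! -f "$key" ]; then
        echo "usage: $0 [ssl-dir] [domain]  (no $key found)"; return 0
    fi
    key_perms_ok "$key"            && echo "ok: $key is owner-only" || echo "FAIL: chmod 0600 $key"
    key_matches_cert "$key" "$crt" && echo "ok: key matches $crt"   || echo "FAIL: key/cert mismatch"
    chain_ok "$crt" "$bundle"      && echo "ok: chain verifies"     || echo "FAIL: chain does not verify"
    # Syntax-check the vhost config before the restart in step 6.
    if command -v apachectl >/dev/null 2>&1; then apachectl configtest; fi
    return 0
}
main "$@"
```

Run it as root after step 5 (sh preflight.sh, or sh preflight.sh /etc/apache2/ssl other.example if you used different names). A FAIL on the chain check with a correct key/cert pair almost always means the wrong or incomplete ca-bundle was copied.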

6. Improve SSL Settings:

a2enmod headers

Edit /etc/apache2/mods-available/ssl.conf, update the following lines

# Disable RC4 + Enable Forward secrecy
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
# Prevent Poodle Attack
SSLProtocol all -SSLv3 -SSLv2

Two caveats on the list above, since SSL Labs tightens its grading over time. The ECDH+3DES, DH+3DES and RSA+3DES entries admit 3DES suites, which have been penalised since the SWEET32 attack, and the RSA+AESGCM/RSA+AES entries are static-RSA key exchange with no forward secrecy, kept only as a fallback for old clients; drop all of them unless you know you need them. Likewise "all -SSLv3 -SSLv2" still enables TLS 1.0 and 1.1, which SSL Labs now caps at grade B; if no client of yours needs them, use SSLProtocol -all +TLSv1.2 instead. Settings in mods-available/ssl.conf are global defaults for every SSL vhost.

Edit /etc/apache2/sites-available/default-ssl.conf and add the following line inside the 443 vhost (this needs mod_headers, enabled above). includeSubDomains commits every subdomain of domain.com to HTTPS for a year, so make sure they all serve valid certificates first, or start without it:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Check the configuration and restart Apache

apachectl configtest && service apache2 restart

7. Test SSL

You should be able to obtain an A+ grade with the above setup (A+ requires the HSTS header from step 6; the exact criteria change as SSL Labs updates its grading):

https://www.ssllabs.com/ssltest/index.html


References
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability

https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm
