Installing SSL Certificates with Apache2

At work we have recently had a lot of customers asking us about how to configure their SSL certificate files for their webserver. This may seem intimidating to many people, especially those without any technical experience, but it really need not be so frustrating. There are only a few things that need to be done to make sure that your website can use HTTPS, the secure hypertext transfer protocol (https) using the secure sockets layer (SSL). This tutorial should be good for most Debian, CentOS and Red Hat operating systems, or nearly any Linux distribution, but you may need to install nano:

# for debian or ubuntu

apt-get install nano

 

# for centos or Redhat

yum install nano

You will likely have been sent two files by your registrar or SSL provider: the CRT file and the KEY file. You cannot do this tutorial without these two files. Each file you have been sent looks a bit like the following:

yourdomainname.com.crt

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

yourdomainname.com.key

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

(DO NOT USE THE ABOVE CERTIFICATES; THEY WILL NOT WORK. USE THE ONES YOU ARE PROVIDED.)

Step 1: Copy the CRT text into the clipboard (including the -----BEGIN CERTIFICATE REQUEST----- and the -----END CERTIFICATE REQUEST----- lines) but nothing above the begin certificate line and nothing below the end certificate line. This is very important.

Step 2: Open a new file for the CRT

mkdir -p /etc/httpd/conf/ssl.crt/
nano /etc/httpd/conf/ssl.crt/yourdomain.com.crt

Step 3: Paste in the CRT certificate text you were given.
Step 4: Press CTRL+O to write out the file.

Step 5: Copy the KEY text into the clipboard in the same way you did for the CRT.

Step 6: Open a new file for the key file

mkdir -p /etc/httpd/conf/ssl.key/

nano /etc/httpd/conf/ssl.key/yourdomain.com.key

Step 7: Paste the KEY certificate text.
Step 8: Press CTRL+O to write out the file.

It is safe for you to replace yourdomain.com with your own domain name, but make sure that you specify it the same way in the apache2 configuration later on. These are the files we will refer to in the webserver configuration to let it use HTTPS and SSL, and if you refer to the wrong file or a non-existent file it won’t work!

Step 9: Edit your apache 2 webserver configuration.

(Normally this is in /etc/apache2/httpd.conf or /etc/httpd/httpd.conf, but it could be in a different place like /etc/httpd/sites-enabled or /etc/apache2/sites-enabled or /etc/apache2/conf.d and may have a different name to httpd.conf.)

<VirtualHost 1.1.1.1:443>
ServerName www.yourdomain.com
DocumentRoot /var/www/html/mydomain.com

SSLEngine ON
SSLCertificateFile /etc/httpd/conf/ssl.crt/yourdomain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/yourdomain.com.key

ErrorLog logs/ssl.domain.com.error_log
CustomLog logs/ssl.domain.com.access_log combined
</VirtualHost>

It’s important to get all of this correct. So let’s go through what each one of these lines does.

VirtualHost tells apache2 where to listen. If you don’t know what to put here you can use <VirtualHost *:443>, which will work for most configurations, but it will listen on every single IP address attached to that machine. The 443 signifies the HTTPS port; HTTP traffic, for instance, runs on port 80.

ServerName is the website name you’re using, so if your website is https://www.google.com, for instance, then you want to put ServerName www.google.com.

DocumentRoot is the location of your website on the disk, the physical location of all the files, be they html, php, images etc. DocumentRoot is the way the webserver knows where to look when serving that website hostname. For me, I use /var/www/html, but if you don’t know, it’s best to ask your provider or technical contact what your DocumentRoot here should be.

SSLEngine ON does exactly what it says on the tin. It enables apache2’s SSL HTTPS functionality.

SSLCertificateFile tells apache2 where to look for the CRT file you were given by your webhost. Make sure you specify the same location you placed it in.

SSLCertificateKeyFile tells apache2 where to look for the KEY file you were given by your webhost. Make sure you specify the same location you placed it in.

ErrorLog and CustomLog give the location on the hard disk to place the error and access logs for this website.

Step 10: Enable the SSL module for apache2 by running

a2enmod ssl

Step 11: Restart Apache2 so that the configuration changes are loaded

/etc/init.d/apache2 restart

Step 11B: If Step 11 fails to complete then use

service apache2 restart
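
Before the restart in Step 11, the two pasted files can be checked for the copy-and-paste mistakes the steps above warn about. The script below is an added example, not part of the original tutorial; it assumes bash and, for pair_matches only, the openssl command-line tool, and its function and script names are hypothetical. Apache loads a block labelled CERTIFICATE from SSLCertificateFile and a PRIVATE KEY block from SSLCertificateKeyFile; a block labelled CERTIFICATE REQUEST is a signing request and will not load.

```shell
#!/usr/bin/env bash
# Added example: checks for the files pasted in Steps 1-8, run before the restart.

# Print the label of the first PEM BEGIN line, e.g. "CERTIFICATE".
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1
}

# check_pem FILE cert|key : print each problem found; return 1 if there is any.
check_pem() {
    local file=$1 kind=$2 label first last rc=0
    [ -r "$file" ] || { echo "$file: missing or unreadable"; return 1; }
    label=$(pem_label "$file")
    case "$kind:$label" in
        cert:CERTIFICATE | key:*"PRIVATE KEY") ;;
        *:) echo "$file: no BEGIN line with five plain hyphens each side"; return 1 ;;
        *:"CERTIFICATE REQUEST") echo "$file: holds a CSR, not a $kind"; rc=1 ;;
        *) echo "$file: label '$label' is wrong for a $kind file"; rc=1 ;;
    esac
    # Step 1: nothing above the BEGIN line and nothing below the END line.
    first=$(grep -v '^[[:space:]]*$' "$file" | head -n 1)
    last=$(grep -v '^[[:space:]]*$' "$file" | tail -n 1)
    case $first in "-----BEGIN "*) ;; *) echo "$file: text above BEGIN line"; rc=1 ;; esac
    case $last in "-----END "*) ;; *) echo "$file: text below END line"; rc=1 ;; esac
    # A private key should carry no group/other permission bits (e.g. mode 600).
    if [ "$kind" = key ] && [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "$file: accessible beyond its owner, run chmod 600"; rc=1
    fi
    return "$rc"
}

# pair_matches CERT KEY : true when both files hold the same public key.
# Assumes the openssl command-line tool is installed and the key is unencrypted.
pair_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage: ./check_tls_files.sh CERT KEY   (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    check_pem "$1" cert && check_pem "$2" key && pair_matches "$1" "$2" \
        && echo "certificate and key look consistent"
fi
```

Run it with the two paths from Step 2 and Step 6; any line it prints names the file and the problem to fix before restarting.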

That is it, you should be done configuring your apache2 SSL configuration. It’s not that hard, is it? Admittedly I’ve done this before a few times myself, and I am sure that after you have done the same it will be second nature.

Best wishes,
Adam