Apache CSR Certificate Signing Request

Ubuntu 16.04 Apache 2.4 Generate Certificate Signing Request

Ubuntu 16.04 Apache 2.4 Generate a CSR [Certificate Signing Request]

An alternative to Let’s Encrypt Free Certificates is to use a purchased certificate. The advantages of a purchased certificate from a provider such as Comodo or Verisign are many.

With Let’s Encrypt, you have to take your server offline for a minute every 90 days as the certs come up for renewal. The reason is if your server is on a CDN [it should be] then the standardized renewal cron request process will fail. Additionally, even if the server was able to renew the request, the Apache service would still need to be restarted. [Not ideal in any e-commerce solution.]

So here we will cover just a very basic certificate installation process on Apache. There are thousands of articles covering this process in depth, so here we seek brevity.

Step 1. Is to generate the CSR [Certificate Signing Request] request on Apache.

From CLI via SSH:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

or

openssl req -new -newkey rsa:2048 -nodes -out example_com.csr -keyout example_com.key -subj “/C=US/ST=State/L=City/O=Company Name/OU=IT/CN=example.com”

Note: Replace yourdomain with the domain name you’re securing. For example, if your domain name is example.com, you would then type example.key and example.csr.

Step 2. Provide Requested Information:

Common Name: The fully-qualified domain name, or URL, you’re securing.
If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.example.com.

Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor’s name.

Organization Unit: If applicable, enter the DBA (doing business as) name.

City or Locality: Name of the city where your organization is registered/located. Do not abbreviate.

State or Province: Name of the state or province where your organization is located. Do not abbreviate.

Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.

Note: If you do not want to enter a password for this SSL, you can leave the Passphrase field blank. Please make sure you understand the level of security that you require should you choose to omit.

Step 3. Open the CSR in a text editor and copy all of the text.

Unless you specified a different path for the output, then the csr file should be located in /home/ubuntu/

simply nano {filename}.csr  e.g. nano example_com.csr

Copy and Paste the full CSR into SSL issuer’s enrollment form.

Step 3B. [Optional] While you are waiting to purchase your certificate, or while you are waiting for it to be issued. A fantastic placeholder is to make use of CloudFlare’s Universal SSL certificate issued by Comodo. While using an Apache Self-Signed certificate on the aMiSTACX server, you enable HTTPS at the server level. Then taking this a step further, and making use of CloudFlare’s Certificate, you are encrypting the traffic to your sever end-to-end. This is good enough to receive an all clear in your browser using HTTPS with no warnings.

Step 4. Installing the Certificate

Copy the cert, key, and any intermediate certificates to /etc/apache2/ssl/

Step 5. Edit the vhost SSL conf file for your specific stack.

e.g. sudo nano /etc/apache2/sites-available/magento-ssl.conf

Make sure SSL engine is ON [It is by default]

Point to the certificate file, key, and any Intermediate chains:

For example:

SSLCertificateKeyFile /etc/apache2/ssl/ssl-cert-example.key
SSLCertificateFile /etc/apache2/ssl/ssl-cert-example.pem

Note: The snakeoil self-signed certificate is enabled by default. Make sure to remark the two lines with “#”.

E.g. #SSLCertificateKeyFile /etc/apache2/ssl/ssl-cert-snakeoil.key
#SSLCertificateFile /etc/apache2/ssl/ssl-cert-snakeoil.pem

Otherwise, you will have a pair of certificates and that may cause issues.

Step 5. Restart Apache

sudo service apache2 restart

Step 6. Test and Validate

Use any third party tool to make sure your certificate chain is correct.

e.g. https://www.sslshopper.com/

Note: Your domain MUST be turned off of any CDN such as CloudFlare; otherwise, the results may not be valid.

 

You should now be good to go! Happy HTTPS!

 

1 Comment

Comments are closed.