Add SSL Certificates to your website

;-) Sort of a Disclaimer: This post does not (none of my posts, for that matter) mean that I am an authority in this domain of technology. I am learning and just sharing here so somebody might find time to point out the errors. But all the steps mentioned here worked just right for me to get an A on SSL-Test of Qualsys SSL Labs. Getting an A+ requires thorough knowledge in ssl_ciphers, which I do not have. But there are more knowledgeable people who wrote several posts on getting A+.

I guess you are using Apache as your webserver and all the instructions are given based on that assumption.

NOTE: Ensure to take backup of all necessary config files before trying this!!!

Step-1 | Collect SSL Certificates into the relevant directory

The vendor of SSL Certificates might have sent you a few certificate files usually with file extensions .crt & .key, perhaps all of them zipped. In this example, the certificates are coming from Network Solutions.

Once you unzip this folder, you may see 5 things.

• A .crt file that looks similar to AddTrustExternalCARoot.crt
• A .crt file that looks similar to USERTrust... or UTNRSACertificationAuthority.crt
• A .crt file that looks similar to NetworkSolutionsOVServerCA2.crt
• A .crt file whose file name contains your target domain name such as www.example.com. In this example, the file name would be WWW.EXAMPLE.COM.crt
• A .key file which is your Certification Key File

Bring all these files into this path: /etc/apache2/ssl/ (Create ssl directory if you don’t already have it: sudo mkdir /etc/apache2/ssl.)

Step-2 | Make ChainTxt File

Let us make a chainfile.txt in the same directory.

So let’s go to that directory:

cd /etc/apache2/ssl

Create a file called chainfile.txt(use any editor of your choice):

sudo vi chainfile.txt`

Into this file, copy the contents of the following files in the SAME EXACT ORDER, and save and close it.

AddTrustExternalCARoot.crt, UTNRSACertificationAuthority.crt & NetworkSolutionsOVServerCA2.crt

Step-3 | Configure the default-ssl.conf

Open this file:

sudo vi /etc/apache2/sites-enabled/default-ssl.conf

Before our intervention, the file might look something like this, excluding all the comments (lines beginning with #):

 <VirtualHost _default_:80>
                ServerAdmin webmaster@localhost
                DocumentRoot /var/www/html/
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
   </VirtualHost>

After creating a backup of this file, change the content of this file that looks like below:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost
                DocumentRoot /var/www/html/
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLCertificateFile   /etc/apache2/ssl/WWW.EXAMPLE.COM.crt
                SSLCertificateKeyFile /etc/apache2/ssl/<your.key.file>
                SSLCertificateChainFile /etc/apache2/ssl/chainfile.txt
                SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
                SSLHonorCipherOrder on
                SSLProtocol all -SSLv2 -SSLv3
       </VirtualHost>
</IfModule>

Step-4 | Configure the example.com.conf

This step is exactly what you did in the previous step except that you do the configuration entries in your website’s conf file. For example, if your website is www.example.com, then you will find a conf file in your sites-enabled folder /etc/apache2/sites-enabled/, with a filename that looks like www.example.com.conf. Make the same changes in this file as you did in the previous step.

Step-5 | Enable Apache SSL Module & Restart Apache

Run the following commands:

sudo a2enmod ssl
sudo service apache2 restart

This finishes the process of installing SSL certificates in your site. However, if everything went fine, you need to get at least an A on the SSLLabs website. I hope you get it. If you don’t, please leave a comment here to help me learn my mistakes.

Step-6 | Testing your SSL Certification Installation

Go to https://www.ssllabs.com/

References:

• How to create a SSL Certificate on Apache for Debian8 – DigitalOcean Community Article
• Network Solutions Official Documentation
• How to get all 100s on SSLLabs Test
• Official Help Documentation on Apache itself
• Another blog post on this concept