This section describes how to deploy the SSL certificate on the server
Time : 2024-12-30 16:23:33
Edit : Jtti

Deploying an SSL certificate involves several steps: generating a private key and a certificate signing request (CSR), obtaining the certificate, and configuring SSL on the web server. The following describes the process for deploying the SSL certificate on the Apache web server.

First, generate the private key:

openssl genrsa -out your_domain.key 2048

The above command generates a 2048-bit private key, stored in your_domain.key.

Generate the CSR:

openssl req -new -key your_domain.key -out your_domain.csr

Fill in the information as prompted. The information is used to generate the CSR.

To obtain an SSL certificate, you can purchase one from a CA: provide the CSR to the CA and wait for its review. Once the review is complete, you can obtain the certificate. You can also purchase an SSL certificate directly from an IDC vendor. There are multiple types of certificates; select the type that fits your actual requirements.

To configure SSL in Apache, you need to create the SSL virtual host configuration, for example, /etc/apache2/sites-available/your_domain_ssl.conf:

sudo nano /etc/apache2/sites-available/your_domain_ssl.conf

Add the following content (adjust it to your actual situation):

<VirtualHost *:443>
    ServerAdmin admin@example.com
    ServerName your_domain.com
    ServerAlias www.your_domain.com
    DocumentRoot /var/www/your_domain
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/your_domain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your_domain.com/privkey.pem
    # Deprecated since Apache 2.4.8, where SSLCertificateFile may also hold the intermediate certificates
    SSLCertificateChainFile /etc/letsencrypt/live/your_domain.com/chain.pem
</VirtualHost>

Point SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to your certificate, private key, and chain files respectively.

Enable the new configuration:

sudo a2ensite your_domain_ssl.conf

Restart the Apache service:

sudo systemctl restart apache2

You can use an online SSL tool such as SSL Server Test to check whether the SSL certificate configuration is correct and has taken effect.

Ensure that you control the domain name of the website on which the SSL certificate is deployed; the certificate authority will verify this. Keep the certificate and private key secure so that the SSL certificate remains valid. In a production environment, make sure to generate keys with a key length of 2048 bits or more.

If you are configuring SSL on Nginx, create a new configuration file or edit an existing one, such as /etc/nginx/sites-available/your_domain_ssl.conf:
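Before the web server is pointed at the files, it is worth confirming that the private key, the CSR and the issued certificate all carry the same public key and that the key file is readable only by its owner. The script below is an added example, not part of the original article. It assumes OpenSSL is installed, and the function names, the -subj value and the self-signed certificate standing in for a CA-issued one are constructed for illustration.

```shell
# Added example, not from the original article: checks to run before pointing
# Apache or Nginx at a key and certificate.

# Print the SHA-256 fingerprint of the public key inside a private key, CSR or
# certificate. $1 = key|csr|cert, $2 = file. Fails if the file does not parse.
pubkey_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the key file grants nothing to group or other.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_deploy KEY CSR CERT: print one verdict; return 0 only when all three
# files carry the same public key and the key file is owner-only.
check_deploy() {
    k=$(pubkey_fp key "$1")  || { echo "unreadable key"; return 1; }
    r=$(pubkey_fp csr "$2")  || { echo "unreadable CSR"; return 1; }
    c=$(pubkey_fp cert "$3") || { echo "unreadable certificate"; return 1; }
    [ "$k" = "$r" ] || { echo "CSR does not match key"; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match key"; return 1; }
    key_is_private "$1" || { echo "key readable by group/other"; return 1; }
    echo "ok"
}

# Constructed sample input: a throwaway key and CSR made with the article's
# commands (-subj replaces the prompts) and a self-signed certificate standing
# in for the one a CA would issue. $1 = directory, $2 = file basename.
make_sample() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    chmod 600 "$1/$2.key" &&
    openssl req -new -key "$1/$2.key" -subj "/CN=your_domain.com" -out "$1/$2.csr" &&
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 1 \
        -out "$1/$2.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_sample "$demo" your_domain && make_sample "$demo" other
check_deploy "$demo/your_domain.key" "$demo/your_domain.csr" "$demo/your_domain.crt" || true
check_deploy "$demo/your_domain.key" "$demo/your_domain.csr" "$demo/other.crt" || true
rm -rf "$demo"
```

With real files, call check_deploy with the paths of your own key, CSR and issued certificate; any verdict other than "ok" means the server would either refuse to start or expose the key.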

sudo nano /etc/nginx/sites-available/your_domain_ssl.conf

Add:

server {
    listen 443 ssl;
    server_name your_domain.com www.your_domain.com;
    ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;   # about 40000 sessions
    # SSLv3 stays disabled; TLS 1.0 and 1.1 are deprecated (RFC 8996) and the
    # ciphers below are TLS 1.2 suites. TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 730 days = 2 years)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # Additional security headers: forbid framing and MIME type sniffing
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    root /var/www/your_domain;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
}

# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name your_domain.com www.your_domain.com;
    return 301 https://$server_name$request_uri;
}

Point ssl_certificate and ssl_certificate_key to your certificate and private key files. Create a symbolic link to enable the site:

sudo ln -s /etc/nginx/sites-available/your_domain_ssl.conf /etc/nginx/sites-enabled/

Test the Nginx configuration:

sudo nginx -t

Restart Nginx:

sudo systemctl restart nginx

Verify the SSL deployment in the same way as described above.
