By: Mitchell Anicas
How To Install an SSL Certificate from a Commercial Certificate Authority
Nov 25, 2014 Security, Apache, Nginx
https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority
10/1/2015 How To Install an SSL Certificate from a Commercial Certificate Authority | DigitalOcean
Introduction
This tutorial will show you how to acquire and install an SSL certificate from a trusted, commercial Certificate Authority (CA). SSL certificates allow web servers to encrypt their traffic, and also offer a mechanism to validate server identities to their visitors. The main benefit of using a purchased SSL certificate from a trusted CA, over self-signed certificates, is that your site's visitors will not be presented with a scary warning about not being able to verify your site's identity.
This tutorial covers how to acquire an SSL certificate from the following trusted certificate authorities:
GoDaddy
RapidSSL (via Namecheap)
You may also use any other CA of your choice.
After you have acquired your SSL certificate, we will show you how to install it on Nginx and Apache HTTP web servers.
Prerequisites
There are several prerequisites that you should ensure before attempting to obtain an SSL certificate from a commercial CA. This section will cover what you will need in order to be issued an SSL certificate from most CAs.
Money
SSL certificates that are issued from commercial CAs have to be purchased. Free alternatives include self-signed or StartSSL certificates. However, self-signed certificates are not trusted by any software, and free StartSSL certificates cannot be used for commercial purposes.
Registered Domain Name
Before acquiring an SSL certificate, you must own or control the registered domain name that you wish to use the certificate with. If you do not already have a registered domain name, you may register one with one of the many domain name registrars out there (e.g. Namecheap, GoDaddy, etc.).
Domain Validation Rights
For the basic domain validation process, you must have access to one of the email addresses on your domain's WHOIS record or to an "admin type" email address at the domain itself. Certificate authorities that issue SSL certificates will typically validate domain control by sending a validation email to one of the addresses on the domain's WHOIS record, or to a generic admin email address at the domain itself. Some CAs provide alternative domain validation methods, such as DNS- or HTTP-based validation, which are outside the scope of this guide.
If you wish to be issued an Organization Validation (OV) or Extended Validation (EV) SSL certificate, you will also be required to provide the CA with paperwork to establish the legal identity of the website's owner, among other things.
Web Server
In addition to the previously mentioned points, you will need a web server to install the SSL certificate on. This is the server that is reachable at the domain name for which the SSL certificate will be issued. Typically, this will be an Apache HTTP, Nginx, HAProxy, or Varnish server. If you need help setting up a web server that is accessible via your registered domain name, follow these steps:
1. Set up a web server of your choice. For example, a LEMP (Nginx) or LAMP (Apache) server -- be sure to configure the web server software to use the name of your registered domain
2. Configure your domain to use the appropriate nameservers. If your web server is hosted on DigitalOcean, this guide can help you get set up: How To Point to DigitalOcean's Nameservers from Common Domain Registrars
3. Add DNS records for your web server to your nameservers. If you are using DigitalOcean's nameservers, follow this guide to learn how to add the appropriate records: How To Set Up a Host Name with DigitalOcean
Choose Your Certificate Authority
If you are not sure of which Certificate Authority you are going to use, there are a few important factors to consider. At an overview level, the most important thing is that the CA you choose provides the features you want at a price that you are comfortable with. This section will focus more on the features that most SSL certificate buyers should be aware of, rather than prices.
Root Certificate Program Memberships
The most crucial point is that the CA that you choose is a member of the root certificate programs of the most commonly used operating systems and web browsers, i.e. it is a "trusted" CA, and its root certificate is trusted by common browsers and other software. If your website's SSL certificate is signed by a trusted CA, its identity is considered to be valid by software that trusts the CA -- this is in contrast to self-signed SSL certificates, which also provide encryption capabilities but are accompanied by identity validation warnings that are off-putting to most website visitors.
Most commercial CAs that you will encounter will be members of the common root CA programs, and will say they are compatible with 99% of browsers, but it does not hurt to check before making your certificate purchase. For example, Apple provides its list of trusted SSL root certificates for iOS 8 here.
Certificate Types
Ensure that you choose a CA that offers the certificate type that you require. Many CAs offer variations of these certificate types under a variety of, often confusing, names and pricing structures. Here is a short description of each type:
Wildcard: Used for a domain and any of its subdomains. For example, a wildcard
Multiple Domain: Known as a SAN or UC certificate, these can be used with multiple domains and subdomains that are added to the Subject Alternative Name field. For example, a single multi-domain certificate could be used with example.com, www.example.com, and example.net
In addition to the aforementioned certificate types, there are different levels of validations that CAs offer. We will cover them here:
Domain Validation (DV): DV certificates are issued after the CA validates that the requestor owns or controls the domain in question
Organization Validation (OV): OV certificates can be issued only after the issuing CA validates the legal identity of the requestor
Extended Validation (EV): EV certificates can be issued only after the issuing CA validates the legal identity, among other things, of the requestor, according to a strict set of guidelines. The purpose of this type of certificate is to provide additional assurance of the legitimacy of your organization's identity to your site's visitors. EV certificates can be single or multiple domain, but not wildcard
This guide will show you how to obtain a single domain or wildcard SSL certificate from GoDaddy and RapidSSL, but obtaining the other types of certificates is very similar.
Additional Features
Many CAs offer a large variety of "bonus" features to differentiate themselves from the rest of the SSL certificate-issuing vendors. Some of these features can end up saving you money, so it is important that you weigh your needs against the offerings carefully before making a purchase. Examples of features to look out for include free certificate reissues or
Generate a CSR and Private Key
After you have all of your prerequisites sorted out, and you know the type of certificate you want to get, it's time to generate a certificate signing request (CSR) and private key.
If you are planning on using Apache HTTP or Nginx as your web server, use openssl to generate your private key and CSR on your web server. In this tutorial, we will just keep all of the relevant files in our home directory but feel free to store them in any secure location on your server:
cd ~
openssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
At this point, you will be prompted for several lines of information that will be included in your certificate request. The most important part is the Common Name field which should match the name that you want to use your certificate with -- for example, example.com, www.example.com, or (for a wildcard certificate request) *.example.com. If you are planning on getting an OV or EV certificate, ensure that all of the other fields accurately reflect your organization or business details.
For example:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:sammy@example.com
You will need to copy and paste your CSR when submitting your certificate request to your CA. To print the contents of your CSR, use this command (replace the filename with your own):
cat example.com.csr
Now we are ready to buy a certificate from a CA. We will show two examples, GoDaddy and RapidSSL via Namecheap, but feel free to get a certificate from any other vendor.
Example CA 1: RapidSSL via Namecheap
Namecheap provides a way to buy SSL certificates from a variety of CAs. We will walk through the process of acquiring a single domain certificate from RapidSSL, but you can deviate if you want a different type of certificate.
Select and Purchase Certificate
Go to Namecheap's SSL certificate page: https://www.namecheap.com/security/ssl-certificates.aspx.
Here you can start selecting your validation level, certificate type ("Domains Secured"), or CA ("Brand").
For our example, we will click on the Compare Products button in the "Domain Validation" box. Then we will find "RapidSSL", and click the Add to Cart button.
At this point, you must register or log in to Namecheap. Then finish the payment process.
Request Certificate
After paying for the certificate of your choice, go to the Manage SSL Certificates link, under the "Hi Username" section.
Here, you will see a list of all of the SSL certificates that you have purchased through Namecheap. Click on the Activate Now link for the certificate that you want to use.
Now select the software of your web server. This will determine the format of the certificate that Namecheap will deliver to you. Commonly selected options are "Apache + MOD SSL", "nginx", or "Tomcat".
Paste your CSR into the box then click the Next button.
You should now be at the "Select Approver" step in the process, which will send a validation request email to an address in your domain's WHOIS record or to an administrator type address of the domain that you are getting a certificate for. Select the address that you want to send the validation email to.
Provide the "Administrative Contact Information". Click the Submit order button.
Validate Domain
At this point, an email will be sent to the "approver" address. Open the email and approve the certificate request.
Download Certificates
After approving the certificate, the certificate will be emailed to the Technical Contact. The certificate issued for your domain and the CA's intermediate certificate will be at the bottom of the email.
Copy and save them to your server in the same location that you generated your private
The certificate is now ready to be installed on your web server.
Example CA 2: GoDaddy
GoDaddy is a popular CA, and has all of the basic certificate types. We will walk through the process of acquiring a single domain certificate, but you can deviate if you want a different type of certificate.
Select and Purchase Certificate
Go to GoDaddy's SSL certificate page: https://www.godaddy.com/ssl/ssl-certificates.aspx.
Scroll down and click on the Get Started button.
Select the type of SSL certificate that you want from the dropdown menu: single domain, multidomain (UCC), or wildcard.
Then select your plan type: domain, organization, or extended validation.
Then select the term (duration of validity).
Then click the Add to Cart button.
Review your current order, then click the Proceed to Checkout button.
Complete the registration and payment process.
Request Certificate
After you complete your order, click the SSL Certificates button (or click on My Account > Manage SSL Certificates in the top-right corner).
Find the SSL certificate that you just purchased and click the Set Up button. If you have not used GoDaddy for SSL certificates before, you will be prompted to set up the "SSL Certificates" product, and associate your recent certificate order with the product (Click the green Set Up button and wait a few minutes before refreshing your browser).
After the "SSL Certificates" Product is added to your GoDaddy account, you should see your "New Certificate" and a "Launch" button. Click on the Launch button next to your new certificate.
Provide your CSR by pasting it into the box. The SHA-2 algorithm will be used by default.
Tick the I agree checkbox, and click the Request Certificate button.
Validate Domain
Now you will have to verify that you have control of the domain, and provide GoDaddy with a few documents. GoDaddy will send a domain ownership verification email to the address that is on your domain's WHOIS record. Follow the directions in the emails that are sent to you, and authorize the issuance of the certificate.
Download Certificate
After verifying to GoDaddy that you control the domain, check your email (the one that you registered with GoDaddy with) for a message that says that your SSL certificate has been issued. Open it, and follow the download certificate link (or click the Launch button next to your SSL certificate in the GoDaddy control panel).
Now click the Download button.
Select the server software that you are using from the Server type dropdown menu -- if you are using Apache HTTP or Nginx, select "Apache" -- then click the Download Zip File button.
The certificate is now ready to be installed on your web server.
Install Certificate On Web Server
After acquiring your certificate from the CA of your choice, you must install it on your web server. This involves adding a few SSL-related lines to your web server software configuration.
We will cover basic Nginx and Apache HTTP configurations on Ubuntu 14.04 in this section.
We will assume the following things:
The private key, SSL certificate, and, if applicable, the CA's intermediate certificates are located in a home directory at /home/sammy
The private key is called example.com.key
The SSL certificate is called example.com.crt
The CA intermediate certificate(s) are in a file called intermediate.crt
If you have a firewall enabled, be sure that it allows port 443 (HTTPS)
Note: In a real environment, these files should be stored somewhere that only the user
Nginx
If you want to use your certificate with Nginx on Ubuntu 14.04, follow this section.
With Nginx, if your CA included an intermediate certificate, you must create a single "chained" certificate file that contains your certificate and the CA's intermediate certificates.
Change to the directory that contains your private key, certificate, and the CA intermediate
cd ~
cat example.com.crt intermediate.crt > example.com.chained.crt
Now go to your Nginx server block configuration directory. Assuming that is located at /etc/nginx/sites-enabled, use this command to change to it:
cd /etc/nginx/sites-enabled
Open the server block file for editing (in this example it is called default):
sudo vi default
Modify the listen directive so that the server listens for SSL on port 443:
listen 443 ssl;
Then set the server_name directive to the name that your certificate was issued for, and add the ssl_certificate and ssl_certificate_key directives (replace the highlighted part with the actual path of your files):
server_name example.com;
ssl_certificate /home/sammy/example.com.chained.crt;
ssl_certificate_key /home/sammy/example.com.key;
To allow only the most secure SSL protocols and ciphers, add the following lines to the file:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
If you want HTTP traffic to redirect to HTTPS, you can add this additional server block at the top of the file (replace the highlighted parts with your own information):
server {
listen 80;
server_name example.com;
rewrite ^/(.*) https://example.com/$1 permanent;
}
Then save and quit.
Now restart Nginx to load the new configuration and enable TLS/SSL over HTTPS!
sudo service nginx restart
Test it out by accessing your site via HTTPS, e.g. https://example.com.
Apache
If you want to use your certificate with Apache on Ubuntu 14.04, follow this section.
Make a backup of your configuration file by copying it. Assuming your server is running on the default virtual host configuration file, /etc/apache2/sites-available/000-default.conf, use these commands to make a copy:
cd /etc/apache2/sites-available
cp 000-default.conf 000-default.conf.orig
Then open the file for editing:
sudo vi 000-default.conf
Change the VirtualHost entry so that it listens on port 443:
<VirtualHost *:443>
Set the ServerName directive to your domain name:
ServerName example.com
Then add the following lines to specify your certificate and key paths (substitute your actual paths here):
SSLEngine on
SSLCertificateFile /home/sammy/example.com.crt
SSLCertificateKeyFile /home/sammy/example.com.key
If you are using Apache 2.4.8 or greater, specify the CA intermediate bundle by adding this line (substitute the path):
SSLCACertificateFile /home/sammy/intermediate.crt
If you are using an older version of Apache, specify the CA intermediate bundle with this line (substitute the path):
SSLCertificateChainFile /home/sammy/intermediate.crt
At this point, your server is configured to listen on HTTPS only (port 443), so requests to HTTP (port 80) will not be served. To redirect HTTP requests to HTTPS, add the following to the top of the file (substitute the name in both places):
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
Save and exit.
Enable the Apache SSL module by running this command:
sudo a2enmod ssl
Now restart Apache to load the new configuration and enable TLS/SSL over HTTPS!
sudo service apache2 restart
Conclusion
Now you should have a good idea of how to add a trusted SSL certificate to secure your web server. Be sure to shop around for a CA that you are happy with!
Author:
Mitchell Anicas
85 Comments
calewis November 27, 2014
I am now unable to access the domain without HTTPS, is there a way to fix this?
Great guide btw.
Thanks
xerhik November 27, 2014
What Web Server are you using?
calewis November 28, 2014
nginx, I solved it by adding an additional server directive.
server {
listen 80;
location / {
rewrite ^(.*) https://mysite.com$1 permanent;
}
}
Here's the link to the stack page: http://serverfault.com/questions/67316/in-nginx-how-can-i-rewrite-all-http-requests-to-https-while-maintaining-sub-dom
I'd recommend adding this to the guide as it's a PITA if it only accepts https and does not force a re-direct.
manicas December 1, 2014
That's already in the guide, by the way.
zeokat November 28, 2014
In my opinion the tutorial should include compatibility with a non-ssl version of the web.
cliffkujala December 11, 2014
When I run the following setup
root@example:/etc/ssl/nginx# cat www.example.com.crt intermediate.crt > www.example.co
I receive the following response
bash: syntax error near unexpected token `newline'
Any ideas? I'm trying to chain a GoDaddy EV SSL, which I downloaded as Apache server type.
cliffkujala December 11, 2014
asb December 11, 2014
Looks like that was actually just a typo in the article. I've fixed it above. Thanks!
rmccarthy December 17, 2014
[deleted]
rmccarthy December 17, 2014
My site is coming up as internal server error (https://rynopower.com/) Even though the SSL appears to be working. (Green lock is showing) Using PositiveSSL from Namecheap. SSL checking: https://www.sslchecker.com/sslchecker
Running off of the Wordpress Ubuntu 14.04 Image.
Created the ca-bundle with the four files provided by Namecheap:
cat rynopower_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > rynopower.ca-bundle
All files are currently in /etc/ssl/
CSR and Key that was generated are in the same folder currently.
Relevant lines for default-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
ServerName rynopower.com:443
SSLEngine on
SSLCertificateFile /etc/ssl/rynopower_com.crt
SSLCertificateKeyFile /etc/ssl/rynopower.key
SSLCertificateChainFile /etc/ssl/rynopower.ca-bundle
Any idea why my site wouldn't work on https? It still works fine on http, and the lock comes up for https, just no content
manicas December 17, 2014
Is the rest of your default-ssl.conf correct?
rmccarthy December 17, 2014
I don't see anything in particular wrong. But maybe you might.
Here is the full file.
http://pastebin.com/ERz5ppr7
raafat January 6, 2015
Hi there, thank you for this great article... when my ssl-provider issued my ssl certification i got with the certification two more files, first: COMODORSAAddTrustCA, second: COMODORSADomainValidationSecureServerCA
but in your article you didn't mention anything about those more certifications, so can you give me some explanation about those more certifications? where would i use them?
Best regards
manicas January 6, 2015
Are you using Nginx? If so, you will want to combine the files into the "chained" certificate file in a particular order:
1. example.com.crt
2. COMODORSADomainValidationSecureServerCA.crt
3. COMODORSAAddTrustCA.crt
4. AddTrustExternalCARoot.crt
Or you can run this command to do the same thing (substitute the name of your certificate):
cat example.com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.c
raafat January 6, 2015
[deleted]
raafat January 6, 2015
What about apache?
gregoryseanelia April 21, 2015
Did you figure this out for apache?
Any help would be appreciated.
manicas April 21, 2015
jonathan January 6, 2015
"free StartSSL certificates are not trusted by some browsers".
Hmm, do you have any evidence of that? I'm getting an A+ rating from the Qualys test with a free StartSSL certificate, and I've never heard of any current browser rejecting a startSSL certificate.
Might also be worth mentioning Cloudflare's free Universal SSL offering, which "hides" a free server-signed key behind a "valid" key for "end to end" SSL, or even offers to make ANY website SSL, without a server-side certificate needed.
https://blog.cloudflare.com/introducing-universal-ssl/
aaronhong June 27, 2015
There is some evidence. Have you ever heard of CACert?
They offer free SSL certificates under their own root - not all major browsers support it though (not in their trust store/storage).
testmyxss420 January 7, 2015
Thanks for help
testmyxss420 January 7, 2015
gdd
stiuvert0007 January 23, 2015
Thank you for your guide I managed to work but I changed the directory of the ssl files and now I cannot make it work.
I have 2 domains tilabmx.com (default) and dianamejia.tk on LEMP with ubuntu 14.04.
When I enter to tilabmx.com the server shows me dianamejia.tk (before setting up SSL everything was working fine)
My conf file is:
server {
listen 443 ssl default_server;
listen [::]:443 default_server ipv6only=on;
root /var/www/tilabmx.com/html;
index index.php index.html index.htm;
# Make site accessible from http://localhost/
server_name tilabmx.com www.tilabmx.com;
rewrite ^/(.*) https://tilabmx.com/$1 permanent;
ssl_certificate /home/stiuvert0007/tilabmx.com.chained.crt;
ssl_certificate_key /home/stiuvert0007/tilabmx.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
any idea?
Thank you in advance!
manicas January 23, 2015
stiuvert0007 January 26, 2015
Thank you very much for your answer! What are the appropriate permissions?
When I run "sudo cat /var/log/nginx/error.log" nothing opens, like if there is no file
manicas January 26, 2015
Regarding the permissions, the SSL certs and keys need to be readable by the user that is starting the Nginx master process. It sounds like Nginx isn't reporting any errors, so that is probably not the issue.
You probably delete rewrite ^/(.*) https://tilabmx.com/$1 permanent;
Then add this to the top of your config file (if you want http to redirect to https):
server {
listen 80;
server_name tilabmx.com;
rewrite ^/(.*) https://tilabmx.com/$1 permanent;
}
stiuvert0007 January 27, 2015
Again thank you manicas! And sorry for all the questions. I really appreciate your help.
Finally it's working! My conf file is as follows:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /var/www/tilabmx.com/html;
index index.php index.html index.htm;
server_name tilabmx.com www.tilabmx.com;
rewrite ^/(.*) https://tilabmx.com/$1 permanent;
}
after that I added
server {
listen 443;
server_name tilabmx.com www.tilabmx.com;
root /var/www/tilabmx.com/html;
index index.php index.html index.htm;
ssl on;
ssl_certificate /home/stiuvert0007/tilabmx.com.chained.crt;
ssl_certificate_key /home/stiuvert0007/tilabmx.com.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";** <<< This is the defa
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
location / {
try_files $uri $uri/ =404;
}
}
I don't know why if I put everything in the same server block it doesn't work.
emraydn12 January 31, 2015
arjun February 11, 2015
+1 for this.
manicas February 23, 2015
Thanks! Updated.
edawebdesign February 22, 2015
Very comprehensive guide, thanks.
One command that helped me debug was:
sudo nginx -t
That tests your config to make sure it is valid and will report any errors.
beslergokhan March 3, 2015
I am at the end of it but cannot run SSLCACertificateFile /home/abc/intermediate.crt and SSLCertificateChainFile /home/abc/intermediate.crt. both returns command not found error on Ubuntu 14.04 with apache 2.4.7.
manicas March 3, 2015
Those aren't commands that you should run. Add those to Apache configuration file.
kmsitlhou March 12, 2015
Hello, am not able to redirect http to https. Am using apache2. Could you please verify.
kiran926439 March 20, 2015
Hi I'm trying to setup a SSL cert and getting this error:
SSL_CTX_use_PrivateKey_file("/home///example.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
10k September 2, 2015
I am having the same issue were you able to solve this?
kennethtrueman March 21, 2015
Not sure where to begin to be honest. I am using a WordPress droplet with Apache and Ubuntu 14.04. I have a Comodo SSL certificate with a .crt file and .bundle file. I followed the instructions, making adjustments to the naming. I tried the instructions here regarding the default conf file and I tried the instructions from Comodo at https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/37/ for Apache & mod_ssl.
I have keys and crt and bundle files in both /home/myusername/ and in the /etc/ssl/ directory
My modified 000-default.conf features the following:
Listen 443 http
<VirtualHost *:80>
ServerName www.digitera.com
Redirect permanent / https://www.digitera.com/
</VirtualHost>
<VirtualHost *:443>
ServerName www.digitera.com
SSLEngine on
SSLCertificateFile /etc/ssl/digitera_com.crt
SSLCertificateKeyFile /etc/ssl/digitera.com.key
SSLCertificateChainFile /etc/ssl/digitera_com.cabundle
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I added the Listen command after seeing it on a Ubuntu forum.
I get the following error in Firefox when I try to connect via https://www.digitera.com
An error occurred during a connection to www.digitera.com. SSL received a record that
In the comments section, Mitchell mentioned the default-ssl.conf file, but that is not part of the core tutorial.
Which instructions should I be following? The instructions from Comodo, the ones here?
Should I be modifying just the 000-default.conf file or the default-ssl.conf one as well?
Should I be leaving the .bundle file name alone or should I rename it to match the convention that is indicated in the base tutorial?
Help!!!
Ken
manicas March 23, 2015
Which version of Apache are you using? If it's a 2.4.x, try replacing SSLCertificateChainFile with:
SSLCACertificateFile /etc/ssl/digitera_com.cabundle
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright 2015 DigitalOcean Inc.