Command line SSL installation
In order to install an SSL certificate you need a couple of things.
- Private Key - this needs to be generated on the server that will host your site. If you move your website to a new webserver (different physical computer) you will need to re-generate this. DO NOT SHOW THIS TO ANYONE! If this is seen by anyone outside of your office you need to re-generate the private key and re-issue your SSL certificate.
- CSR Certificate Signing Request - This is a request for an SSL certificate and is built in part from the private key from item #1. This is required in order to associate the SSL certificate from your SSL certificate reseller to the physical system that is hosting your site. If you try to install the resulting certificate on a web server that does not match the private that was used to generate the CSR you will get errors.
- Certificate from an SSL reseller
For safety all keys, csr's and certificates should be in a location accessible via root user only. In this case I will use the following location /etc/apache2/ssls Note: the following should work on most Linux systems
- Generate a private key using the following command. openssl genrsa -out private.key 2048
- Generate your CSR using the following command openssl req -new -key private.key -out domain.csr
- Open domain.csr and paste the contents to your SSL reseller's admin screen and apply the CSR to your SSL. Paste the contents of domain.csr.
- Once the SSL is issued (some resellers like Trustwave often require company 'evidence' e.g. Water or Electric bill with the company name on it), save the SSL certificate back to the web server in the same folder as our other files.
- Add entries in Apache (or other web server) to apply SSL to your web server. SSLCertificateFile /etc/pki/tls/certs/your-domain-name.crt SSLCertificateKeyFile /etc/pki/tls/private/your-domain-name.key SSLCACertificateFile /etc/pki/tls/certs/gd_bundle.crt
- Restart Apache sudo service apache restart
Sources: http://blogs.digitss.com/apache/openssl/generating-2048-bit-csr-with-openssl/ http://tecadmin.net/simple-steps-to-generate-csr-on-centos/# http://blog.salientdigital.com/2011/03/19/how-to-install-an-ssl-certificate-on-centos-for-apache/