Introduction to SSL
SSL (Secure Sockets Layer) is a web security protocol, and an SSL certificate is essential for protecting your site visitors’ sensitive data against fraud and identity theft. SSL certificates guard data by providing encryption (scrambling of data to prevent tampering during transmission) and validation (verification of the business behind the website). They come in different levels of security, depending on the level of protection and security features you need. Often these features are obvious: Site Seals, HTTPS, and the “green bar” are all visual indicators of a protected site. Other times, the security is behind the scenes. No matter what level you choose, SSL protection reassures visitors that your site is safe, leading to greater customer trust and increased reliability for your business or brand.
An SSL Certificate is a text file with encrypted data that you install on your server so that you can secure/encrypt sensitive communications between your site and your customers.
Your visitors will feel safer on your site when they see the lock while accessing your website, knowing it’s protected by a security certificate. SSL is easy to set up; after setup, the website URL has to be redirected from http to https.
To install SSL, follow the steps below:
- Purchase a certificate
- Install the certificate
- Update your site to use HTTPS
Step 1. Purchase a certificate
A certificate is simply a paragraph of letters and numbers that only your site knows, like a really long password. When people visit your site via HTTPS that password is checked, and if it matches, it automatically verifies that your website is who you say it is – and it encrypts everything flowing to and from it.
Technically this is something you can create yourself (called a ‘self-signed cert’), and creating a self-signed certificate is easy, but all popular browsers check with “Certificate Authorities” (CAs), which also have a copy of that long password and can vouch for you. In order to be recognized by these authorities, you must purchase a certificate through them. If your hosting provider provides SSL certificates, get one from them; otherwise you have to purchase one from a third party such as GoDaddy, WIPL and many others. When you purchase an SSL certificate, the certificate provider may ask you for the following details:
Domain name : www.yourdomain.com
First Name : name_of_organization or website admin
Last Name :
Organization Name : name_of_organization
Organization Unit :
Phone No :
Pin Code :
Admin Email id:
Or they can ask you to send a CSR and private key. We can generate the CSR and private key on our server by following the steps below:
Generate a CSR and Private Key
If you are planning on using Apache HTTP or Nginx as your web server, use openssl to generate your private key and CSR on your web server. In this tutorial, we will just keep all of the relevant files in our home directory, but feel free to store them in any secure location on your server.
To generate a private key, called example.com.key, and a CSR, called example.com.csr, run this command (replace the example.com with the name of your domain):
openssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
At this point, you will be prompted for several lines of information that will be included in your certificate request. The most important part is the Common Name field, which should match the name that you want to use your certificate with, for example www.example.com or (for a wildcard certificate request) *.example.com. If you are planning on getting an OV or EV certificate, ensure that all of the other fields accurately reflect your organization or business details.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) :New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :example.com
Email Address :email@example.com
This will generate a .csr file. The .key file is your private key, and should be kept secure. The .csr file is what you will send to the CA to request your SSL certificate.
You will need to copy and paste your CSR when submitting your certificate request to your CA. To print the contents of your CSR, use this command (replace the filename with your own):
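One way to create the request without the interactive prompts and to inspect it before submitting, as an added example that is not part of the original tutorial. The subject values are the sample answers shown above, and the helper names (make_csr, check_csr and so on) are hypothetical:

```shell
#!/bin/sh
# Added example: create a key and CSR non-interactively, then inspect the CSR.
# Subject values are the tutorial's sample answers; helper names are hypothetical.

make_csr() {  # $1 = domain (Common Name), $2 = output directory
    ( umask 077   # private key is created readable by its owner only
      openssl req -newkey rsa:2048 -nodes \
          -keyout "$2/$1.key" -out "$2/$1.csr" \
          -subj "/C=US/ST=New York/L=New York/O=My Company/CN=$1" 2>/dev/null )
}

csr_common_name() {  # prints the Common Name the CA will see
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

csr_key_bits() {  # prints the public key size in bits
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

csr_signature_ok() {  # the CSR is signed with the private key it was made from
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

check_csr() {  # $1 = CSR file, $2 = expected domain; prints problems, if any
    status=0
    [ "$(csr_common_name "$1")" = "$2" ] ||
        { echo "Common Name does not match $2"; status=1; }
    [ "$(csr_key_bits "$1")" -ge 2048 ] 2>/dev/null ||
        { echo "key is smaller than 2048 bits"; status=1; }
    csr_signature_ok "$1" || { echo "CSR signature does not verify"; status=1; }
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "file contains a private key; send only the CSR"; status=1
    fi
    return $status
}

# Demo in a temporary directory (constructed data, safe to delete).
dir=$(mktemp -d)
make_csr example.com "$dir" && check_csr "$dir/example.com.csr" example.com &&
    echo "CSR for $(csr_common_name "$dir/example.com.csr") is ready to submit"
rm -rf "$dir"
```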
Now we are ready to buy a certificate from a CA. We will show two examples, GoDaddy and RapidSSL via Namecheap, but feel free to get a certificate from any other vendor.
If you have purchased a certificate from your hosting provider and you have WHM or cPanel access, you can activate your certificate from there.
Step 2. Install the certificate:
After acquiring your certificate from the CA of your choice, you must install it on your web server. This involves adding a few SSL-related lines to your web server software configuration.
We will cover basic Nginx and Apache HTTP configurations on Ubuntu 14.04 in this section.
We will assume the following things:
- The private key, SSL certificate, and, if applicable, the CA’s intermediate certificates are located in a home directory at
- The private key is called example.com.key
- The SSL certificate is called example.com.crt
- The CA intermediate certificate(s) are in a file called intermediate.crt
- If you have a firewall enabled, be sure that it allows port 443 (HTTPS)
Note: In a real environment, these files should be stored somewhere that only the user that runs the web server master process (usually root) can access. The private key should be kept secure.
If you want to use your certificate with Nginx on Ubuntu 14.04, follow this section.
With Nginx, if your CA included an intermediate certificate, you must create a single “chained” certificate file that contains your certificate and the CA’s intermediate certificates.
Change to the directory that contains your private key, certificate, and the CA intermediate certificates (in the intermediate.crt file). We will assume that they are in your home directory for the example:
Assuming your certificate file is called example.com.crt, use this command to create a combined file called example.com.chained.crt (replace the highlighted part with your own domain):
cat example.com.crt intermediate.crt > example.com.chained.crt
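Two checks worth running on these files before editing the server configuration, as an added example that is not part of the original tutorial: that the first certificate in the chained file belongs to your private key, and that the key is readable by its owner only. The demo certificates are constructed self-signed stand-ins, and the function names are hypothetical:

```shell
#!/bin/sh
# Added example: checks to run before pointing Nginx or Apache at the files.
# File names follow the tutorial; the demo certificates are constructed,
# self-signed stand-ins, not real CA output.

cert_matches_key() {  # $1 = certificate (or chained file), $2 = private key
    # openssl x509 reads only the FIRST certificate in a file, so for a
    # chained file this also proves the server certificate comes first.
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

key_is_private() {  # true when group and others have no permission bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

make_demo_files() {  # $1 = empty directory to fill with constructed samples
    for n in example.com intermediate; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n" \
            -keyout "$1/$n.key" -out "$1/$n.crt" 2>/dev/null || return 1
    done
    chmod 600 "$1/example.com.key"
    cat "$1/example.com.crt" "$1/intermediate.crt" > "$1/example.com.chained.crt"
    cat "$1/intermediate.crt" "$1/example.com.crt" > "$1/wrong-order.crt"
}

demo() {
    d=$(mktemp -d) && make_demo_files "$d" || return 1
    cert_matches_key "$d/example.com.chained.crt" "$d/example.com.key" \
        && echo "chained file: server certificate first, matches key"
    cert_matches_key "$d/wrong-order.crt" "$d/example.com.key" \
        || echo "wrong-order file: first certificate does not match key"
    key_is_private "$d/example.com.key" && echo "key permissions: owner only"
    rm -rf "$d"
}

demo
```

A chained file concatenated in the wrong order fails the first check, which is the same mismatch the web server would report when loading it.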
Now go to your Nginx server block configuration directory. Assuming that is located at /etc/nginx/sites-enabled, use this command to change to it:
Assuming you want to add SSL to your default server block file, open the file for editing:
sudo vi default
Find the listen directive, and modify it so it looks like this:
listen 443 ssl;
Then find the server_name directive, and make sure that its value matches the common name of your certificate. Also, add the ssl_certificate and ssl_certificate_key directives to specify the paths of your certificate and private key files (replace the highlighted part with the actual path of your files):
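To allow only secure TLS protocol versions, add the following line to the file. TLSv1 and TLSv1.1 are formally deprecated (RFC 8996) and are left out here; add TLSv1.3 as well if your Nginx and OpenSSL versions support it:
ssl_protocols TLSv1.2;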
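A small static check for the directives this section adds, as an added example that is not part of the original tutorial. The server block is a constructed sample that still lists the older protocol versions, /path/to is a placeholder, and audit_nginx_tls is a hypothetical helper name:

```shell
#!/bin/sh
# Added example: static audit of an Nginx server block for the TLS directives
# discussed in this section. audit_nginx_tls is a hypothetical helper name.

audit_nginx_tls() {  # $1 = config file; prints one finding per line
    awk '
        { sub(/#.*/, ""); gsub(/;/, "") }   # strip comments and semicolons
        $1 == "listen" && $2 == "443" && $3 == "ssl" { tls = 1 }
        $1 == "ssl_certificate"     { cert = 1 }
        $1 == "ssl_certificate_key" { key = 1 }
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++)   # exact match, so TLSv1.2 is not flagged
                if ($i ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                    print "deprecated protocol enabled: " $i
        }
        END {
            if (!tls)  print "no listen 443 ssl directive"
            if (!cert) print "ssl_certificate is missing"
            if (!key)  print "ssl_certificate_key is missing"
        }' "$1"
}

sample_conf() {  # constructed sample; /path/to is a placeholder
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/example.com.chained.crt;
    ssl_certificate_key /path/to/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
audit_nginx_tls "$conf"    # reports TLSv1 and TLSv1.1
rm -f "$conf"
```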
If you want HTTP traffic to redirect to HTTPS, you can add this additional server block at the top of the file (replace the highlighted parts with your own information):
rewrite ^/(.*) https://example.com/$1 permanent;
Then save and quit.
Now restart Nginx to load the new configuration and enable TLS/SSL over HTTPS!
sudo service nginx restart
Test it out by accessing your site via HTTPS, e.g.
If you want to use your certificate with Apache on Ubuntu 14.04, follow this section.
Make a backup of your configuration file by copying it. Assuming your server is running on the default virtual host configuration file, /etc/apache2/sites-available/000-default.conf, use these commands to make a copy:
cp 000-default.conf 000-default.conf.orig
Then open the file for editing:
sudo vi 000-default.conf
Find the <VirtualHost *:80> entry and modify it so your web server will listen on port 443:
Then add the ServerName directive, if it doesn’t already exist (substitute your domain name here):
Then add the following lines to specify your certificate and key paths (substitute your actual paths here):
If you are using Apache 2.4.8 or greater, specify the CA intermediate bundle by adding this line (substitute the path):
If you are using an older version of Apache, specify the CA intermediate bundle with this line (substitute the path):
Step 3. Update your site to use HTTPS
At this point, your server is configured to listen on HTTPS only (port 443), so requests to HTTP (port 80) will not be served. To redirect HTTP requests to HTTPS, add the following to the top of the file (substitute the name in both places):
Redirect permanent / https://example.com/
Save and exit.
Enable the Apache SSL module by running this command:
sudo a2enmod ssl
Now restart Apache to load the new configuration and enable TLS/SSL over HTTPS!
sudo service apache2 restart
Test it out by accessing your site via HTTPS, e.g. https://example.com. You will also want to try connecting via HTTP, e.g. http://example.com, to ensure that the redirect is working properly!