// Tutorial //

How To Set Up Apache with a Free Signed SSL Certificate on a VPS

Published on July 17, 2013
Default avatar
By Nik van der Ploeg
Developer and author at DigitalOcean.
How To Set Up Apache with a Free Signed SSL Certificate on a VPS

Note: You may want to consider using Let’s Encrypt instead of the StartSSL.com process below. Let’s Encrypt is a new certificate authority that provides a free and easy way of creating SSL/TLS certificates that are trusted in most web browsers. Check out the tutorial to get started: How To Secure Apache with Let’s Encrypt on Ubuntu 14.04

Prerequisites

Before we get started, here are the web tools you need for this tutorial:

<ol>
    <li><a href="https://www.google.com/intl/en/chrome/browser">Google Chrome</a> browser</li>
    <li>Apache installed on your VPS (cloud server)</li>
    <li>A domain name you own</li>
    <li>Access to an email address at that domain, either:
        <ol>
            <li>postmaster@duable.co</li>
            <li>hostmaster@duable.co</li>
            <li>webmaster@duable.co</li>
        </ol>
    </li>
</ol>

StartSSL.com offers completely free verified (your users won't have to see those scary red screens saying "this site isn't trusted" anymore) SSL certificates that you can use on your website. This is a great deal as most companies charge $50-$60 for similar services. The free version is a bit tricky to set up, but it's well worth it.

To get started, browse to StartSSL.com and using the toolbar on the left, navigate to StartSSL Products and then to StartSSL™ Free. Choose the link for Control Panel from the top of the page.

Make sure you are using Google Chrome

<ol>
    <li>Choose the <strong>Express Signup.</strong> option</li>
    <li>Enter your personal information, and click continue.</li>
    <li>You'll get an email with a verification code inside it shortly. Copy and paste that email into the form on StartSSL's page.</li>
    <li>They will review your request for a certificate and then send you an email with the new info. This process might take as long as 6 hours though, so be patient.</li>
    <li>Once the email comes, use the link provided and the new authentication code (at the bottom of the email) to continue to the next step.</li>
    <li>They will ask you to Generate a private key and you will be provided with the choice of "High" or "Medium" grade. Go ahead and choose "High".</li>
    <li>Once your key is ready, click Install.</li>
    <li>Chrome will show a popdown that says that the certificate has been succesfully installed to Chrome.</li>
</ol>


<p>This means your browser is now authenticated with your new certificate
and you can log into the StartSSL authentication areas using your new
certificate. Now, we need to get a properly formatted certificate set up for
use on your VPS. Click on the <a
href="https://www.startssl.com/?app=12">Control panel</a> link again, and
choose the Authenticate option. Chrome will show a popup asking if you want
to authenticate and will show the certificate you just installed. Go ahead
and authenticate with that certificate to enter the control panel.</p>

<p>You will need to validate your domain name to prove that you own the
domain you are setting up a certificate for. Click over to the Validations
Wizard in the <a href="https://www.startssl.com/?app=12">Control panel</a>
and set Type to Domain Name Validation. You'll be prompted to choose
from an email at your domain, something like postmaster@yourdomain.com.</p>
StartSSL

Check the email inbox for the email address you selected. You will get yet another verification email at that address, so like before, copy and paste the verification code into the StartSSL website.

Next, go to the Certificates Wizard tab and choose to create a Web Server SSL/TLS Certificate.

Start SSL

Hit continue and then enter in a secure password, leaving the other settings as is.

You will be shown a textbox that contains your private key. Copy and paste the contents into a text editor and save the data into a file called ssl.key.

Private Key

When you click continue, you will be asked which domain you want to create the certificate for:

Choose Domain

Choose your domain and proceed to the next step.

You will be asked what subdomain you want to create a certificate for. In most cases, you want to choose www here, but if you'd like to use a different subdomain with SSL, then enter that here instead:

Add Subdomain

StartSSL will provide you with your new certificate in a text box, much as it did for the private key:

Save Certificate

Again, copy and paste into a text editor, this time saving it as ssl.crt.

You will also need the StartCom Root CA and StartSSL's Class 1 Intermediate Server CA in order to authenticate your website though, so for the final step, go over to the Toolbox pane and choose StartCom CA Certificates:

Startcome CA Certs

At this screen, right click and Save As two files:

<ul>
    <li>StartCom Root CA (PEM Encoded) (save to ca.pem)</li>
    <li>Class 1 Intermediate Server CA (save to sub.class1.server.ca.pem)</li>
</ul>

For security reasons, StartSSL encrypts your private key (the ssl.key file), but your web server needs the unencrypted version of it to handle your site's encryption. To unencrypt it, copy it onto your server, and use the following command to decrypt it into the file private.key:

openssl rsa -in ssl.key -out private.key

OpenSSL will ask you for your password, so enter it in the password you typed in on StartSSL's website.

At this point you should have five files. If you're missing any, double-check the previous steps and re-download them:

<ul>
    <li>ca.pem - StartSSL's Root certificate</li>
    <li>private.key - The unencrypted version of your private key (be very careful no one else has access to this file!)</li>
    <li>sub.class1.server.ca.pem - The intermediate certificate for StartSSL</li>
    <li>ssl.key - The encrypted version of your private key (does not need to be copied to server)</li>
    <li>ssl.crt - Your new certificate</li>
</ul>

You can discard the ssl.key file. If you haven't already copied the others onto your server you upload them there now:

scp {ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} YOURSERVER:~ 
<h2>Activating the certificate in Apache</h2>

Having a certificate isn't any good if you can't actually use it. This section explains how to configure Apache to use your new SSL certificate. These instructions are for Apache running on recent versions of Ubuntu VPS. For other Linux-based distros or web servers, you'll have to adjust accordingly.

First, create the folders where we'll store the keys. Enable Apache's SSL module, and restart Apache.

sudo a2enmod ssl
sudo service apache2 restart
sudo mkdir -p /etc/apache2/ssl

Copy the files you set up in the previous section into the /etc/apache2/ssl folder on your VPS.

sudo mkdir -p /etc/apache2/ssl
cp ~/{ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} /etc/apache2/ssl

Execute:

ls /etc/apache2/ssl

And it should return:

ca.pem
ssl.crt
private.key
sub.class1.server.ca.pem

Now, open your apache2 configuration file. Unless you've already modified the default configuration, input:

nano /etc/apache2/sites-enabled/000-default

It should look something like this:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

Copy the entire script above (from <VirtualHost *:80> to </VirtualHost>), paste it below the existing one, and change the top line from:

<VirtualHost *:80>

to

<VirtualHost *:443>

And add the following lines after the <VirtualHost *:443> line:

SSLEngine on                                                                
SSLProtocol all -SSLv2                                                      
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM                

SSLCertificateFile /etc/apache2/ssl/ssl.crt                           
SSLCertificateKeyFile /etc/apache2/ssl/private.key                        
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem 

The end result should look like this:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

<VirtualHost *:443>
    SSLEngine on                                                                
    SSLProtocol all -SSLv2                                                      
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM                

    SSLCertificateFile /etc/apache2/ssl/ssl.crt                           
    SSLCertificateKeyFile /etc/apache2/ssl/private.key                        
    SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem 
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

Save your files and restart Apache with:

sudo service apache2 restart

You can check Apache's log files to see if there are any show stopping errors with this command:

cat /var/log/apache2/error.log

If everything looks good, try accessing your site in your web browser using an HTTPS URL (e.g. https://www.YOURSITE.com). When your site loads, you should see a little green padlock icon next to the URL. Click on it and you should see the following. The connections tab should show that the site's identity has been verified by StartCom.

Congratulations! You are all set!

<p>Reference Links:</p>

Here are some of the other posts I consulted when putting this together. If you run into any problems they might be a source of inspiration on how to fix them:

<ul>
    <li><a href="http://www.debian-administration.org/articles/349">Apache SSL Configuration</a></li>
    <li><a href="http://jasoncodes.com/posts/startssl-free-ssl">StartSSL Apache Guides</a></li>
</ul>
Submitted by: Nik van der Ploeg

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in our Questions & Answers section, find tutorials and tools that will help you grow as a developer and scale your project or business, and subscribe to topics of interest.

Sign up
About the authors
Default avatar
Developer and author at DigitalOcean.

Still looking for an answer?

Was this helpful?
10 Comments

StartSSL website updated – SSL file names changed The StartSSL website has had a major face-lift since this tutorial was written. You should be able to follow along, there seem to be less steps on the new website. The principle is the same – go to the “Validations Wizard” and validate your domain name, then go the “Certificates Wizard” and enter your domain name. Click the “Generated by PKI system” radio button at the bottom of the page. You will need to copy and paste to create the ssl.key file if I remember correctly.

The files are issued in a zipped file for various server types, e.g. Apache, Nginx – with the different server type files contained in zipped files within the main zip file. The file names have changed since the tutorial and here are the equivalents:

ssl.crt = 2_yourdomainname.crt
private.key = private.key (file name not changed, generated as per tutorial)
sub.class1.server.ca.pem = 1_root_bundle.crt

So you will have this in your Apache configuration file:

SSLCertificateFile /etc/apache2/ssl/2_yourdomainname.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key                        
SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt
2_yourdomainname.crt and 1_root_bundle.crt are found in the zipped file.

Apparently ca.pem is not needed.

SSL Certificate expired – renewing SSL certificate Use your existing StartSSL account and follow the steps for validating your domain name again and getting a new certificate as above after the old one expires. You will get an email notification from StartSSL about two weeks before a SSL certificate expires. Free certificates are only valid for one year after which a new one must be generated.

In default-ssl, you can change DocumentRoot to “/var/www/ormondkwikstop.com/public_html” and add:

<pre> ServerName ormondkwikstop.com ServerAlias www.ormondkwikstop.com </pre>

Then replace the self-signed certs that iredadmin generated with:

<pre> SSLCertificateFile /etc/apache2/ssl/ssl.crt SSLCertificateKeyFile /etc/apache2/ssl/private.key SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem </pre>

As for the password, see: https://www.startssl.com/?app=25#34

This didn’t work right out of the box for me - I wasn’t able to restart apache after I altered ‘sites-enabled/000-default’

Apache needs the server name to be specified!

Adding the line

ServerName [your-domain.com]

to the TOP of the file did the trick for me.

has anyone done this recently with the new startssl.com site? My ssl cert is going to expire and the steps involved are not as they were a year ago when I did this the first time. I’m running apache and am obviously missing some steps…help!! :)

This tutorial is outdated by two years and change.

StartSSL has changed the process of acquiring an SSL certificate to the point where that section of the tutorial is rendered almost useless. At least to me.

This tutorial worked perfectly before but now we need a new “HOW TO” tutorial using the new StartSSL website because alot of things has changed.

This tutorial is out of date regarding the startssl UI. However, it is still fundamentally good.

Use startssl to create and retrieve:

ssl.crt
ssl.key
sca.server1.crt 

Copy the files to /etc/apache2/ssl

Decrypt to ssl.key to private.key with openssl rsa -in ssl.key -out private.key. You will need the passphrase that you used when creating the files at startssl.

nano /etc/apache2/sites-enabled/site-specific.conf
 SSLEngine on
 SSLProtocol all -SSLv3 -SSLv2
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM  
 SSLCertificateFile /etc/apache2/ssl/ssl.crt
 SSLCertificateKeyFile /etc/apache2/ssl/private.key
 SSLCertificateChainFile /etc/apache2/ssl/sca.server1.crt 

service apache2 restart

that should be it

StartSSL Login Certificate expired - can’t log in If your login certificate for logging into your StartSSL account has expired, click the “Lost authentication certificate?” link on the login page at: https://www.startssl.com/Account

You will be sent a code at your account email address which you must fill in and a new certificate will automatically be installed in your browser. Worked for me using the Chromium browser in Linux, but doesn’t work with Firefox.

Thanks for writing up this guide. It worked like a charm for me.

I would like to add that you can test the SSL certificate and how your server handles secure requests on this testing tool: https://www.ssllabs.com/ssltest/analyze.html

I learned from it that It is a good idea to disable weak ciphers and disable SSL 2.0 and SSL 3.0; Here you can find explanation on how to do this: https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html

The gist of required configuration:

Next, open your httpd.conf or ssl.conf file and search for the SSLCipherSuite directive. If you can’t find it anywhere, you can just add it, otherwise, replace it with the following:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

Followed this tutorial but when i want to acces my site with https:// I dont get a response, http:// is still working