SSL used to be a luxury security component for big companies. Not anymore, thanks to the low-cost or even free SSL certificates issued by trusted commercial Certificate Authorities (CAs) such as Let’s Encrypt. With the recent recommendation by Google, more and more websites, big or small, are going full HTTPS, making the Internet a better place. If you are one of those WordPress site owners who want to join the HTTPS force, this tutorial will help you get off the ground.
Generate a CSR and Private Key
Since we are using Apache to host our WordPress-powered website, we can use the OpenSSL command-line tool to generate the CSR and Private Key for the domain.
openssl req -newkey rsa:2048 -nodes -keyout domain.com.key -out domain.com.csr
You will be prompted with a series of questions whose answers will be included in the certificate request file. Pay extra attention to the Common Name field, which should exactly match the name of the domain you will be using the certificate with. Note that if you are getting an OV or EV certificate, make sure all the fields are filled in accurately.
The command generates two plain text files, a .key and a .csr file, in the current directory. The .csr file is what you will need to request the SSL certificate. Because of the -nodes option the private key in the .key file is written unencrypted, so keep that file to yourself and never send it to the CA.
To see what’s in your CSR file and make sure all the information included in it is accurate before moving to the next step, use the following command or this online app:
openssl req -in domain.com.csr -noout -text
Apply for the Certificate
With the CSR ready, let’s find a place to apply for the certificate. There are many CAs from which you can request a digital certificate for your website. I use RapidSSL via Namecheap and very much like the way it works, but you can definitely choose your own to go with. Head over to the SSL Certificates page under Security to browse and pick the type of SSL certificate you would like to apply for. You can get a DV-level SSL certificate for as low as $9.00 per year. That is a ridiculously low cost compared to a few years back.
Install Certificate on Apache Web Server
Once you have successfully applied for a digital certificate, you will get two files to download from the CA: the certificate file and the chain bundle file. You will need these two files as well as the Private Key file generated earlier.
Assume I have these three files saved in my home folder, /home/me:
- The Private Key file: domain.com.key
- The SSL certificate file: domain.com.crt
- The chain bundle file: domain.com.ca-bundle
cd /etc/apache2/sites-available
sudo nano domain.com.conf
Then, enter the following section for the site to listen on port 443:
<VirtualHost *:443>
    ServerName domain.com
    DocumentRoot /var/www/domain.com
    SSLEngine on
    SSLCertificateFile /home/me/ssl/domain.com.crt
    SSLCertificateKeyFile /home/me/ssl/domain.com.key
    SSLCertificateChainFile /home/me/ssl/domain.com.ca-bundle
</VirtualHost>
Restart the Apache server and you are good to go.
sudo service apache2 restart
If the service restart fails because SSLEngine is not enabled, run the following:
sudo a2enmod ssl
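Before restarting Apache, it is worth confirming that the certificate the CA returned was issued for the private key generated earlier, and that the key file is not accessible to other users on the server. The script below is an added example, not part of the original tutorial; the function names are hypothetical and it relies only on the openssl command-line tool already used above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): pre-flight checks for the
# key and certificate named in the Apache config. Function names are hypothetical.

# Print a SHA-256 digest of the public key held in a key, CSR or certificate.
pubkey_fp() {  # usage: pubkey_fp key|csr|crt FILE
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    # Normalise to DER so PEM formatting differences cannot affect the digest.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256
}

# Succeed only if the private key and the CSR/certificate share a public key.
same_key() {  # usage: same_key KEYFILE csr|crt FILE
    k=$(pubkey_fp key "$1") || return 1
    o=$(pubkey_fp "$2" "$3") || return 1
    [ "$k" = "$o" ]
}

# Succeed only if group and others have no permissions on the key file.
key_is_private() {  # usage: key_is_private KEYFILE
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run both checks for one site, e.g.: preflight domain.com.key domain.com.crt
preflight() {
    key_is_private "$1" || { echo "FAIL: $1 is accessible to other users"; return 1; }
    same_key "$1" crt "$2" || { echo "FAIL: $2 does not match $1"; return 1; }
    echo "OK: key is private and matches the certificate"
}
```

The same `same_key` function also accepts `csr` as its second argument, which checks the CSR against the key before it is sent to the CA.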
Validate SSL installation
Here are 4 online tools that you can use to check and validate the SSL certificate and installation.
- Digicert – https://www.digicert.com/help/
- SSL Labs – https://www.ssllabs.com/ssltest/analyze.html
- SSL Shopper – https://www.sslshopper.com/ssl-checker.html
- Comodo SSL Analyzer – https://sslanalyzer.comodoca.com/