Add SSL Certificate to Your Website

After setting up my first WordPress site, I’m able to post updates and decorate the themes. However, every time when someone visits my site, there will be a sign beside our domain indicating that the connection isn’t encrypted and it’s not safe.

To address that issue, we have to enable the https connection and apply a certificate for your domain, so it can be trusted when others come to our site. Here are my steps:

• Buy an SSL certificate from a provider.
• Activate the certificate.
• Deploy the certificate on your VPS.
• Force https connection for your website.

A certificate is a kind of ID for your website, which is issued by Certificate Authority (CA). There are three types of SSL certificates: DV, OV, EV.

• DV: For bloggers, and small personal sites. It only authenticates your domain. Normal safety. Low price.
• OV: For small organizations, and startups. It also authenticates your organizations, companies. Medium safety. Medium price.
• EV: For bigger enterprises. Very strict authentication. High safety. High price.

Buy an SSL Certificate

I bought it at the same time when I bought this domain at a discount price. The price can be varied from hundreds of euros to around ten euros. Of course, expensive ones have more safety but for me, the DV type certificate is enough (just for enabling https connection).

After purchased a certificate from a provider, it is ready to be activated. You need to prepare a Certificate Signing Request (CSR) before activation.

Preparing CSR

A CSR (Certificate Signing Request) is a small, encoded text file containing information about the organization and the domain you wish to secure. It is required for the activation of a digital SSL certificate and, as a rule, is generated on the server where the certificate is to be installed. A CSR is submitted to the Certificate Authority and used to generate the certificate.

https://www.namecheap.com/support/knowledgebase/article.aspx/337/67/what-is-a-certificate-signing-request-csr

On Debian 8 VPS, you can start a CSR by typing:

openssl req -new -newkey rsa:2048 -nodes -keyout .ssh/server_private.key -out .ssh/server_ssl.csr

When generating a CSR file, you need the following information:

• Country Name: Two-letter country code (e.g. US)
• State of Province: Full name of the state (e.g. Washington)
• Locality name: City name (e.g. Seattle)
• Organization Name: Full legal name of your company (e.g. Company LLC)
• Organizational Unit: Additional company information (e.g. Sales, can be omitted)
• Common name (CN): Fully qualified domain name you need to secure (e.g. example.com, the name exactly you applied, for some certificates use asteroid mark like *.example.com)
• Email Address: Server administrator’s email address (e.g. [email protected])
• A challenge password: (Enter, input nothing)
• An optional company name: (Enter, input nothing)

After generating the CSR file, there are two files in your .ssh folder. The .key file is the private key of the certificate and the .csr file contains the information of the request. When activating the certificate, you need to copy the text information in that file:

cat .ssh/server_ssl.csr

You should see the output like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIDFTCCAf0CAQAwejELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
FDASBgNVBAcTC0xvcyBBbmdlbGVzMRQwEgYDVQQKEwtTU0wgU3VwcG9ydDEUMBIG
A1UECxMLU1NMIFN1cHBvcnQxFDASBgNVBAMTC2V4YW1wbGUuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwPOIBIoblSLFv/ifj8GDCNL5NhDX2JVU
QKcWC19KtWYQg1HPnaGIy+Dj9tYSBw8T8xc9hbJ1TYGbBIMKfBUzKoTt5yLdVIM/
HJm3m9ImvAbK7TYcx1U9TJEMxN6686whAUMBr4B7ql4VTXqu6TgDcdbcQ5wsPVOi
FHJTTwgVwt7eVCBMFAkZn+qQz+WigM5HEp8KFrzwAK142H2ucuyfgGS4+XQSsUdw
NWh9GPRZgRt3R2h5ymYkQB/cbg596alCquoizI6QCfwQx3or9Dg1f3rlwf8H5HIV
H3hATGIr7GpbKka/JH2PYNGfi5KqsJssVQfu84m+5WXDB+90KHJEcwIDAQABoFYw
VAYJKoZIhvcNAQkOMUcwRTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DATBgNVHSUE
DDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0B
AQUFAAOCAQEAgBSVMeTB9pfgZCllMPBFffeduMePyDA1SzLYjSFkh660sFFiwGAV
MTnnYFHH3k6ueRVal3gzxZJ6ehr+ms1/CRO8rlY+B6geMCbGCbCvcAET0n505aYH
v8vlvqrdSx8Ur/9sisbynCkdk2qgc3rbnDbsAAonZIXf+blacaYTZdGUxso6qtY6
6mhI+ulqmkDk3Quc02ityvuGEbN8UuUGxc+kg0aIqMWWNKUGpTq/aRWpC7kuCUFZ
fmvPwnMhzgKBPzOXwyauVxAV0Mm/1uwPu9GNVQDgewy4Rjbm5bNwIjce3W1tVMWT
FR+x0BtV+D2A62fJWB2Yv9oERJbZQnvLqw==
-----END CERTIFICATE REQUEST-----

Activate SSL Certificate

In this step, you should go to where you bought the certificate and activate it. For example, my certificate is from Namecheap. So, I need to log into the account panel, then go to ‘Product List’, the certificate will be shown there as well as the ‘activate’ button. (The tutorial can be found in their official site)

To start the activation process, we click that button:

1. Enter the copied certificate request. The domain will be shown on the screen automatically. If the domain isn’t right, don’t jump to the next step. Then click next.
2. Double-check the information you requested (Domain, and the server type). Then click next.
3. Select the domain control validation method (Email, HTTP-based, and DNS-based).
   • Email: A verification email will be sent to the administrator’s email of the specific email. (must be example.com suffix and admin user)
   • HTTP-based: You will need to upload a certain text file into a particular directory of your website (/.well-known/pki-validation/) to have the certificate issued.
   • DNS-based: You need to create a special CNAME record in the DNS records for your domain.
4. I used the HTTP-based method since I don’t have a customized email yet. In the next step, you need to provide an email address to receive the certificate (this can be any email address).
   1. After submitting the request, we need to upload the specific file to our VPS since we use the HTTP-based method.

Back to the ‘Product List’ — ‘details’ of the certificate, there is a ‘see details’ button where we can download the txt file that we need to upload to the VPS.

Then we need to create the required folder and move the file there as requested. Note that the root folder should be where your domain is hosted (e.g. var/www/) and do not change the file name or its content.

mkdir -p .well-known/pki-validation
mv ~/RTJ977NXE7H06HXEL8TKJ6ODHDJMHTM.txt /var/www/.well-known/pki-validation/

At this point, all you need to do is wait for the notification email that approves your certificate.

Deploy SSL Certificate

After receiving emails with an attached certificate zip file, you can upload it to your VPS to deploy it.

# unzip the attachment
unzip certificate.zip

There are two files in the zip file: servername.ca-bundle, and servername.crt. You need these two files including the private key to complete this process.

All we need to do upload the keys to a specific destination and enable ssl module.

# move certificate and its bundle
mv servername.ca-bundle /etc/ssl/
mv servername.crt /etc/ssl/

# move private key
mv .ssh/server_private.key /etc/ssl/private/

# enable ssl module
sudo a2enmod ssl

Next, we need to add a configuration to the Apache server to enable the https 443 port connection using the key we provided.

Force https connection

Since we have the certificate and it works! We don’t need the old-fashion http connection anymore. However, there are several ways to achieve that such as disable http’s 80 port and redirect the connection to https 443 port. Here I found the redirect method works perfectly for my site.

Firstly, we need to create a site configuration file for https connection:

# create file
vim /etc/apache2/sites-available/default-ssl.conf

Then write the configuration into the file:

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/

    SSLEngine on
    SSLCertificateFile /etc/ssl/servername.crt
    SSLCertificateKeyFile /etc/ssl/private/server_private.key
    SSLCertificateChainFile /etc/ssl/servername.ca-bundle
</VirtualHost>

After the https configuration is done, we can enable the configuration by command:

sudo a2ensite 000-default-ssl.conf

Next, we need to write the redirect command in the default http connection configuration file: (default configuration file would be located at /etc/apache2/sites-enabled/000-default.conf)

# open the default configuration 
vim /etc/apache2/sites-enabled/000-default.conf

# add the following line
<VirtualHost *:80>
...
Redirect permanent / https://example.com/
...
</VirtualHost>

This command will create a permanent redirect from / (root folder) to https://example.com/ (your desired domain, with https connection). Finally, we let the Apache server reload the configurations:

sudo service apache2 reload

Now, you should have your https connection work! You can test your site’s https connection using this tool. Every time when visitors enter your site domain, they will be redirect to https connection and there will be a lock sign beside your domain!

Extended Works

Due to the WordPress folder is placed as a subfolder of the Apache root directory. When someone wants to visit the WordPress site, the actual domain he needs to type is: example.com/wordpress. The domain itself will show you an ugly root folder list in your web browser and I don’t want to change the root folder itself.

Hence, I used a subdomain to address this issue while keeping the root directory. In DNS setup, a URL redirect record has been created:

#Type           #Host    #Value
URL Redirect     blog    https://example.com/wordpress

This will create another redirect operation on the DNS side and when you visit blog.example.com, you will be redirected to the real WordPress site address using https connection. Now, the site is easier to memorize and type.