Creating an HTTPS connection with an SSL certificate (for Apache servers)
Learn to create an SSL certificate and install it on your server to enable HTTPS using ZeroSSL
Before we get our hands on the certificate, it's important to understand what it is, why we need it and how it works.
What is an SSL certificate and why do we need it?
An SSL certificate is a digital certificate used to authenticate a website or domain and to provide an encrypted connection (HTTPS); it does this using the SSL/TLS protocol. It is a data file hosted on the website's origin server. With the standard HTTP protocol all the data exchanged between the browser and the server travels in plain text, so anyone who intercepts it can read all the sensitive information. HTTPS is the secure version of HTTP: it encrypts the data being exchanged between the server and the browser. SSL certificates are also required to obtain certain permissions from the browser, such as access to media devices.
How to get a free SSL certificate?
There are many SSL certificate providers out there, like Let's Encrypt, ZeroSSL and many more. In this post, we will look into ZeroSSL. You will have to create an account on ZeroSSL to get started.
After creating an account, follow the steps below:
Click on New Certificate
Entering your domain, choosing validity and CSR details
Under the validity option, choose 90 days (the certificate will expire after 90 days and will then need to be renewed).
Under the CSR and contact option you can either auto-generate the CSR information or, if you already have a .csr file, paste that in. I will be auto-generating it.
# create a CSR file and a key file
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
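For readers who would rather generate the CSR on their own server than let ZeroSSL auto-generate it, here is an added example (mine, not code from the post or from ZeroSSL) of what the openssl command above produces and what is worth checking before pasting the CSR into the form, written in Go with only the standard library. The domain example.com, the function names and the PKCS#1 key encoding are my choices, not anything the page specifies. Beyond what the openssl command does, inspectCSR confirms that the CSR is self-signed by the key that goes with it and that it carries a Subject Alternative Name, which is the field browsers actually match against the host name.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// csrFiles holds what the openssl command on the page writes to disk:
// server.key (the private key, which must never leave your server) and
// server.csr (the signing request you hand to the certificate authority).
type csrFiles struct {
	KeyPEM []byte
	CSRPEM []byte
}

// generateCSR creates a 2048-bit RSA key and a CSR for domain, the same
// artefacts as `openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr`.
// The CSR contains the public key and the requested name, and is signed with
// the private key so the CA can tell that the requester really holds it.
func generateCSR(domain string) (*csrFiles, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: domain},
		DNSNames: []string{domain}, // Subject Alternative Name; browsers check this, not the CN
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return &csrFiles{
		KeyPEM: pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
		CSRPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}),
	}, nil
}

// inspectCSR parses a CSR, confirms its self-signature is valid, confirms the
// public key inside it belongs to keyPEM, and returns the requested domain.
func inspectCSR(csrPEM, keyPEM []byte) (string, error) {
	csrBlock, _ := pem.Decode(csrPEM)
	if csrBlock == nil || csrBlock.Type != "CERTIFICATE REQUEST" {
		return "", errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(csrBlock.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("CSR signature invalid: %w", err)
	}
	keyBlock, _ := pem.Decode(keyPEM)
	if keyBlock == nil {
		return "", errors.New("not a PEM private key")
	}
	key, err := x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
	if err != nil {
		return "", err
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return "", errors.New("CSR public key does not belong to this private key")
	}
	if len(csr.DNSNames) == 0 {
		return "", errors.New("CSR has no Subject Alternative Name")
	}
	return csr.DNSNames[0], nil
}

func main() {
	files, err := generateCSR("example.com") // constructed placeholder domain
	if err != nil {
		panic(err)
	}
	domain, err := inspectCSR(files.CSRPEM, files.KeyPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\nCSR requests a certificate for %s\n", files.CSRPEM, domain)
}
```

The CSR printed by main is the text you would paste into the ZeroSSL form; server.key stays on the server and is what later becomes the SSLCertificateKeyFile.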
Now continue with the free plan.
Verifying your domain
Continue with HTTP File Upload. Download the auth file from the link provided and upload it to the pki-validation directory. Once done, click on the other link to verify that the file is in the right place.
NOTE: The .well-known directory can be in different locations depending on which server you are using; for Apache servers it is located under /var/www/html
Installing the certificate
Select the default format and download the zip file. The contents of the zip file should be as follows.
Now we need to extract the files and move them to the correct location.
Move certificate.crt and ca_bundle.crt (CA stands for certificate authority, the body responsible for issuing certificates to websites; the bundle contains the root and intermediate certificates that complete the SSL chain) to /etc/ssl/certs/, and the private.key (this key is installed on the server, which uses it to decrypt the encrypted messages sent to it) to /etc/ssl/private (for Apache servers).
Configuring the default-ssl.conf
In this last step, all we have to do is tell the server which certificate belongs to the domain/website. Open up /etc/apache2/sites-available/default-ssl.conf in a text editor of your choice and paste the following lines under <VirtualHost _default_:443>, below the line # SSL Engine Switch:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
SSLCertificateChainFile /etc/ssl/certs/ca_bundle.crt
This is what your file should look like in the end.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
SSLCertificateChainFile /etc/ssl/certs/ca_bundle.crt
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
.....
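Before restarting Apache it is worth confirming that the three files actually belong together, because a private key that does not match the certificate, or a chain that does not reach the bundle, is what makes mod_ssl refuse to start. The Go program below is an added example (not from the post, ZeroSSL or Apache) that performs those checks with the standard library. Since it has to run offline, buildTestPKI constructs a throwaway CA and leaf certificate in place of the real ZeroSSL download; checkInstall is the part you would point at certificate.crt, private.key and ca_bundle.crt. The domain example.com, the test CA and all function names are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// installFiles mirrors the three files unzipped from the download.
type installFiles struct {
	CertPEM   []byte // certificate.crt
	KeyPEM    []byte // private.key
	BundlePEM []byte // ca_bundle.crt
}

func pemBytes(typ string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der})
}

// buildTestPKI constructs a throwaway CA and a leaf certificate for domain so
// the checks below run offline. It stands in for the CA's issuance and is not
// the real ZeroSSL chain.
func buildTestPKI(domain string) (*installFiles, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour), // the 90-day validity chosen on the page
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &installFiles{
		CertPEM:   pemBytes("CERTIFICATE", leafDER),
		KeyPEM:    pemBytes("RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(leafKey)),
		BundlePEM: pemBytes("CERTIFICATE", caDER),
	}, nil
}

// checkInstall runs the checks worth doing before restarting Apache: the key
// belongs to the certificate, and the certificate is valid now, for domain,
// and chains to ca_bundle.crt.
func checkInstall(f *installFiles, domain string) error {
	// tls.X509KeyPair fails if private.key does not belong to certificate.crt,
	// the same mismatch that makes mod_ssl refuse to start.
	pair, err := tls.X509KeyPair(f.CertPEM, f.KeyPEM)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	// The bundle is used as the trust anchor here, which proves the chain is
	// complete; browsers additionally need the root in their own trust store.
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(f.BundlePEM) {
		return errors.New("ca_bundle.crt contains no certificates")
	}
	_, err = cert.Verify(x509.VerifyOptions{DNSName: domain, Roots: roots})
	return err
}

func main() {
	files, err := buildTestPKI("example.com") // constructed placeholder domain
	if err != nil {
		panic(err)
	}
	fmt.Println("install check:", checkInstall(files, "example.com"))
}
```

Once the files pass, also make sure private.key is not world-readable; /etc/ssl/private exists precisely so that keys are kept apart from the world-readable certificates in /etc/ssl/certs.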
That's it, you have successfully added an SSL certificate to your server. You should now have an HTTPS connection.
You can create the certificate 3 times with the free plan.
Bonus
SSL and TLS
If you have searched for how to get an HTTPS connection before, there is a good chance that you came across the TLS (Transport Layer Security) protocol. What is it? It is the successor of the SSL protocol. Both protocols do the same thing, that is, authenticate the identity of your web server. A TLS certificate is often preferred over an SSL certificate and is considered more secure.
How does HTTPS work?
It is done with the help of a public key and a private key; this is an example of asymmetric encryption, and these keys are used to decrypt messages on each end. Below are the steps taken to establish an HTTPS connection:
First, the client establishes a connection with the server using the TCP handshake protocol and sends the private key. Once the TCP connection is done, the server will have the private key (which will be used to decrypt encrypted messages from the client side).
When the client first sends a request to the server, the server sends the certificate and also a public key (which will be used to decrypt encrypted messages from the server side) to the client.
Upon receiving the key from the server, the client generates a session key, encrypts it with the public key and sends the encrypted session key.
Upon receiving the encrypted session key from the client, the server decrypts the encrypted session key.
Now the data transmission phase begins, where the data is encrypted and sent back and forth and is decrypted using the session key.
You might have a question: why not encrypt and decrypt using the public and private keys? Why is there a need for a separate session key? Asymmetric encryption is computationally expensive compared with symmetric encryption, so it is used only to exchange the session key, and the data itself is encrypted symmetrically.
That's it. Thank you for making it so far, hope you enjoyed this post. Cheers!!