How to Install an SSL/TLS Certificate on Apache and Nginx

Securing your website is extremely important, and one of the first things to do is to install an SSL/TLS certificate. SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), protect the data exchanged between your website and its visitors. Every SSL version and TLS 1.0/1.1 are deprecated, so what you actually deploy today is TLS 1.2 or 1.3; "SSL certificate" is simply the name that stuck for the X.509 certificate the server presents to prove its identity.

By using our guide you will learn how to install an SSL/TLS certificate on two popular web servers: Apache and Nginx. We will cover the benefits of SSL/TLS certificates, how to generate and install them, testing for vulnerabilities, automating renewals, and troubleshooting.

SSL/TLS Benefits

Before we dive into the technical steps, let’s understand why it’s so important to install an SSL/TLS certificate on your website.

  • Encryption: once a certificate is installed and HTTPS is enforced, the data exchanged between your website and its users is encrypted in transit, so anyone who intercepts the traffic (on public Wi-Fi, at an ISP, or at a hostile network hop) cannot read it.
  • Authentication: the certificate lets the browser check that it is talking to a server holding the private key for that domain, not an impostor. Keep in mind that an impostor can obtain a perfectly valid certificate for a look-alike domain just as easily, so users still need to check that they are on the correct domain.
  • Data integrity: TLS detects any modification of the data in transit; a tampered record fails its integrity check and the connection is torn down rather than silently accepting altered data.
  • SEO boost: search engines like Google treat HTTPS as a ranking signal, so installing a certificate can improve your search rankings.
  • User trust: a secure connection is shown with a padlock (or similar) icon in the address bar, which encourages users to interact with your site. Today it is effectively mandatory: browsers label plain-HTTP pages as "Not secure", and several features (HTTP/2, service workers, geolocation) are only available over HTTPS.

How to get an SSL/TLS certificate

To install an SSL/TLS certificate, you’ll need to get one first, so start by following these steps.

Choose your certificate type

Certificates can be free or paid. For most websites a free certificate from Let’s Encrypt is sufficient, and it gives exactly the same encryption as a paid one: the strength of the TLS connection depends on the key and the server configuration, not on the price. Paid certificates from certificate authorities (CAs) such as DigiCert, GlobalSign or Sectigo add organization (OV) or extended (EV) validation of the company behind the site, vendor support and warranty terms, and a longer maximum validity than Let’s Encrypt’s 90 days; consider one for e-commerce or enterprise sites where those matter.

In this section we walk through installing a paid certificate. If you want to install a free one, see the Let’s Encrypt section below.

Generate a CSR (Certificate Signing Request)

The next step is to create a Certificate Signing Request (CSR). The CSR contains your site’s identifying information and the public half of a freshly generated key pair; the CA signs it to produce your certificate, while the private half stays on your server and is never sent anywhere. Here’s how to create one:

Open your terminal or connect to your server using SSH.

Create a few directories to store your certificate files:

mkdir -p /etc/ssl/{crt,key,csr}

Run the following command, replacing “domain.com” with your real domain name:

openssl req -new -newkey rsa:2048 -nodes -keyout /etc/ssl/key/domain.com.key -out /etc/ssl/csr/domain.com.csr

Answer the prompts with your site’s details (country, state, organization, and the domain name as the Common Name); leave the optional challenge password empty. Note that browsers no longer look at the Common Name at all and match the Subject Alternative Name (SAN) instead, and most CAs let you add or override the SANs in the order form, so make sure every hostname you serve (for example both domain.com and www.domain.com) ends up on the certificate.

Two files are created: the CSR in /etc/ssl/csr/domain.com.csr, which is what you send to the CA, and the private key in /etc/ssl/key/domain.com.key.
The private key must never leave the server: restrict it to root (chmod 600 on the file and chmod 700 on the directory), never e-mail or upload it anywhere, and if it is ever exposed, have the certificate revoked and reissued with a new key.

Submit the CSR to the certificate authority (CA)

Submit the CSR file to a CA, also called the certificate issuer, such as DigiCert, GlobalSign or Sectigo. Before issuing the certificate they will verify that you control the domain, typically by asking you to publish a DNS TXT record, serve a file they specify over HTTP, or respond to an e-mail sent to an address at the domain; follow their instructions for whichever method you choose. Only the CSR goes to the CA, never the private key.

Receive and download the certificate

Once approved, the CA will provide the certificate files you need to install. These typically include:

  • Your site’s certificate (usually named domain.com.crt): the leaf certificate containing your public key and the domain names.
  • Intermediate certificates (usually a bundle named ca-bundle.crt or similar): the certificates that link your leaf certificate to a root that browsers already trust. If you leave them out the chain is incomplete; some clients, especially curl and other non-browser tools and some mobile browsers, will then reject the connection, while desktop Chrome may silently fetch the missing certificate and still show a padlock, which hides the problem.
  • A single file containing your certificate followed by the intermediates, usually called fullchain.crt. The order matters: your certificate first, then the intermediates.
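The CSR step above and the checks you should run on the files the CA returns, as an added shell example that is not part of the original article. It uses a scratch directory (WORK) instead of /etc/ssl and, because no real CA is reachable offline, a throwaway root and intermediate generated locally stand in for the CA; everything else (key permissions, the SAN in the CSR, the key/certificate match, chain verification with openssl verify, the expiry check with -checkend, and building fullchain.crt) is what you would run against real files. The directory layout and the domain are assumptions taken from the article’s placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article. Runs the CSR step from
# the text non-interactively, lets a throwaway local CA (constructed here only
# so the script works offline) sign it, and then runs the checks you should
# run on a real CA's files. WORK and DOMAIN are assumptions standing in for
# /etc/ssl and your real domain.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-domain.com}"
CNF="$WORK/req.cnf"

# Minimal config so "openssl req" does not depend on the system openssl.cnf.
write_cnf() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = placeholder' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$CNF"
}

# Article steps 1-2: directories, then private key + CSR. The key directory and
# file are readable by the owner only; the SAN lists the names browsers match on.
make_key_and_csr() {
    mkdir -p "$WORK/crt" "$WORK/csr" "$WORK/key"
    chmod 700 "$WORK/key"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
        -subj "/CN=$DOMAIN" -addext "subjectAltName=DNS:$DOMAIN,DNS:www.$DOMAIN" \
        -keyout "$WORK/key/$DOMAIN.key" -out "$WORK/csr/$DOMAIN.csr" 2>/dev/null
    chmod 600 "$WORK/key/$DOMAIN.key"
    # A CSR carries a self-signature; a corrupted upload fails this check.
    openssl req -in "$WORK/csr/$DOMAIN.csr" -noout -verify >/dev/null 2>&1
}

# Constructed stand-in for the CA: self-signed root -> intermediate -> your leaf.
# A real CA hands back domain.com.crt and ca-bundle.crt; this produces the same files.
throwaway_ca_issue() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 60 -config "$CNF" \
        -extensions v3_ca -subj "/CN=Constructed Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
        -subj "/CN=Constructed Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$WORK/int.ext"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 60 -sha256 -extfile "$WORK/int.ext" \
        -out "$WORK/crt/ca-bundle.crt" 2>/dev/null
    # x509 -req does not copy the CSR's extensions, so the SAN is restated here.
    printf 'subjectAltName=DNS:%s,DNS:www.%s\nbasicConstraints=CA:FALSE\n' \
        "$DOMAIN" "$DOMAIN" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/csr/$DOMAIN.csr" -CA "$WORK/crt/ca-bundle.crt" \
        -CAkey "$WORK/int.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$WORK/leaf.ext" -out "$WORK/crt/$DOMAIN.crt" 2>/dev/null
}

# Check 1: the public key in the certificate must be the one derived from the
# private key, otherwise the web server refuses to start ("key values mismatch").
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

# Check 2: leaf + intermediates must chain to a trusted root. Against a real CA
# drop -CAfile so the system trust store supplies the root; -untrusted carries
# the intermediates exactly as the server will send them.
chain_verifies() {
    if openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; then
        echo "chain OK"
    else
        echo "chain BROKEN"
    fi
}

# Check 3: "valid" if the certificate is still good N days from now, else "expires".
expiry_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo valid
    else
        echo expires
    fi
}

# Nginx wants leaf then intermediates in one file; prints how many certs it holds.
build_fullchain() {
    cat "$WORK/crt/$DOMAIN.crt" "$WORK/crt/ca-bundle.crt" > "$WORK/crt/fullchain.crt"
    grep -c 'BEGIN CERTIFICATE' "$WORK/crt/fullchain.crt"
}

write_cnf
make_key_and_csr
throwaway_ca_issue
echo "key/cert:  $(cert_matches_key "$WORK/crt/$DOMAIN.crt" "$WORK/key/$DOMAIN.key")"
echo "chain:     $(chain_verifies "$WORK/crt/$DOMAIN.crt" "$WORK/crt/ca-bundle.crt" "$WORK/root.crt")"
echo "expiry:    $(expiry_within_days "$WORK/crt/$DOMAIN.crt" 14)"
echo "fullchain: $(build_fullchain) certificates"
```

Against a real delivery, run cert_matches_key on domain.com.crt and domain.com.key, and chain_verifies with the CA's ca-bundle.crt as the -untrusted file and no -CAfile; "unable to get local issuer certificate" from openssl verify means the bundle is missing an intermediate, which is exactly the broken-chain case that some browsers hide.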

How to install an SSL/TLS certificate on Apache

With your SSL certificate files ready, it’s time to install an SSL/TLS certificate on your Apache webserver.

Before doing anything, make sure the Apache SSL module is enabled.

On Debian and Ubuntu, mod_ssl ships with the apache2 package but is not enabled by default. Enable it with:

a2enmod ssl

Then restart Apache:

systemctl restart apache2

On AlmaLinux or another RHEL-based distro, the module is a separate package. Install it with the command below; the service is called httpd there, so restart it afterwards with systemctl restart httpd:

dnf install mod_ssl

Now copy the certificate files to the server. Use scp or rsync over SSH rather than plain FTP, which sends credentials and files in clear text. Place domain.com.crt and ca-bundle.crt in /etc/ssl/crt. The private key was generated on this server in the CSR step, so it does not need to be transferred at all.

Edit your site’s Apache configuration file. On Debian and Ubuntu this lives under /etc/apache2/sites-available/ (a new file there has to be enabled with a2ensite); on RHEL-based systems the equivalent directory is /etc/httpd/conf.d/.

Open it using a text editor like nano:

nano /etc/apache2/sites-available/yourdomain.com.conf

Add or update the following lines:

<VirtualHost *:443>
    ServerAdmin admin@yourdomain.com
    ServerName yourdomain.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Leaf certificate and its private key (the key must stay readable by root only).
    SSLCertificateFile /etc/ssl/crt/domain.com.crt
    SSLCertificateKeyFile /etc/ssl/key/domain.com.key
    # Intermediate bundle. SSLCertificateChainFile is deprecated since Apache 2.4.8;
    # on current releases point SSLCertificateFile at fullchain.crt instead and drop this line.
    SSLCertificateChainFile /etc/ssl/crt/ca-bundle.crt
    # Refuse SSLv3, TLS 1.0 and TLS 1.1 (TLSv1.3 needs Apache 2.4.37+ with OpenSSL 1.1.1+).
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    <Directory /var/www/html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Make sure to replace “yourdomain.com” with the correct domain, and set the correct path for your DocumentRoot (where your website content is located). On RHEL-based systems ${APACHE_LOG_DIR} is not defined, so use log paths under logs/ as the distro’s own ssl.conf does. Keep (or add) a separate port 80 VirtualHost that redirects to https://, otherwise visitors who type the bare domain keep using plain HTTP.

Save and close the file, and test your Apache config:

apachectl configtest

If your config is OK, restart Apache (the service is httpd on RHEL-based systems):

systemctl restart apache2

To check the certificate, open “https://yourdomain.com” and confirm the page loads with a padlock or similar icon. Click the padlock to inspect the certificate and verify the issuer, the domain names and the expiry date. Do not stop at one browser: a missing intermediate often goes unnoticed in desktop Chrome, which fetches it on its own, and only shows up in other browsers, on mobile, or with command-line clients such as curl.

Install an SSL/TLS certificate on Nginx

Next, let’s set up SSL/TLS on an Nginx server. First off, ensure that Nginx is compiled with SSL support. Most modern installations include it by default. To verify this, run:

nginx -V

Look for “--with-http_ssl_module” in the output; every current distro and nginx.org package is built with it.

Now copy the certificate to the server, again with scp or rsync over SSH as described for Apache. Nginx has no separate directive for intermediates: ssl_certificate must point at a file containing your certificate followed by the intermediate(s), which is exactly what fullchain.crt is. Place it in /etc/ssl/crt.

The example below refers to it as “domain.com.crt”, so either rename fullchain.crt or adjust the path. If your CA gave you only domain.com.crt and ca-bundle.crt, concatenate them in that order (leaf first) into one file.

Edit the Nginx configuration file for your site, usually found in /etc/nginx/conf.d/ (on Debian and Ubuntu, /etc/nginx/sites-available/ with a symlink in sites-enabled/).
Open it with a text editor like nano, vim or your favorite one:

nano /etc/nginx/conf.d/yourdomain.com.conf

Add or update the following lines in the file’s “server” block:

server {
    # The "http2" listen parameter is deprecated since nginx 1.25.1;
    # on newer releases drop it here and add "http2 on;" instead.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com;

    # Must contain the leaf certificate followed by the intermediates (fullchain).
    ssl_certificate /etc/ssl/crt/domain.com.crt;
    ssl_certificate_key /etc/ssl/key/domain.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    # Only TLS 1.2 and 1.3; the cipher list is Mozilla's "intermediate" profile,
    # and with these AEAD suites the client's preference order is fine.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
}

Save and close the file.

Check the Nginx configuration for errors:

nginx -t

If there are no errors, restart Nginx:

systemctl restart nginx

Now that the certificate is installed on Nginx, test it: visit “https://yourdomain.com” and confirm it loads securely, then inspect the certificate from the padlock icon as described for Apache above. As with Apache, add a server block on port 80 that redirects to https:// so plain-HTTP visitors end up on the secure site.

Testing an SSL/TLS certificate for vulnerabilities

Installing the certificate is not the end of the job: you also have to confirm that the server presents the complete chain and only offers current protocol versions and cipher suites. The fastest and simplest way is to run our webserver security test:

  1. Access our webserver security test.
  2. Input your domain in the box.
  3. Tick the two checks named “Clear cache” and “Follow redirects”.
  4. Click the scan button.
  5. Wait 20-30 seconds for the scan to finish and scroll down to SSL/TLS Analysis. There you can check the certificate’s expiry date, the issuer, the supported SSL/TLS protocol versions, and the cipher suites offered. Anything marked “Failed” in red means you need to renew the certificate, fix the chain, or tighten the protocol and cipher settings in the web server; the ones marked “Passed” in green are good to go.


Automating certificate renewal with Let’s Encrypt

Let’s Encrypt offers free SSL certificates with a validity of 90 days. Let’s see how to install an SSL/TLS certificate completely free, and how to automate the renewal.

Install Certbot

Certbot is a tool used to obtain and renew Let’s Encrypt certificates automatically. Before being able to install an SSL/TLS certificate for free, we need to install Certbot. Let’s see how to do this in common distros like Almalinux and Ubuntu.

To install Certbot on Almalinux, start by installing the EPEL repository:

dnf install epel-release

If you’re running Apache, then install Certbot this way:

dnf install certbot python3-certbot-apache

However, if you’re running Nginx, run this:

dnf install certbot python3-certbot-nginx

If you’re running Ubuntu, update your package lists before installing Certbot. (Certbot’s own documentation recommends its snap package, which is kept current; the apt packages work but may lag behind.)

apt-get update

Proceed to install the Certbot tool for Apache:

apt-get install certbot python3-certbot-apache

Or for Nginx:

apt-get install certbot python3-certbot-nginx

Install an SSL/TLS certificate for free using Certbot

With Certbot installed, obtaining and installing a free certificate takes a single command.

To get a certificate for Apache, run:

certbot --apache

For Nginx, use:

certbot --nginx

Certbot will ask for a contact e-mail, which domains to cover (it reads the ServerName or server_name directives from your existing configuration), and whether to redirect HTTP to HTTPS. It then proves control of the domain to Let’s Encrypt over HTTP, so port 80 must be reachable from the internet, and finally edits the web server configuration for you and reloads it.

Automate the renewal

Certbot packages install a scheduled renewal job, but where it lives depends on the distro: the Debian and Ubuntu packages ship a systemd timer named certbot.timer (plus an entry in /etc/cron.d/certbot that only runs on systems without systemd), and the EPEL package ships certbot-renew.timer. None of these appear in crontab -l, which only lists the current user’s personal crontab, so check for the timer with:

systemctl list-timers

If you prefer a cron entry of your own, it looks like this one:

0 12 * * * /usr/bin/certbot renew --quiet

certbot renew only contacts Let’s Encrypt when a certificate is within 30 days of expiry, so running it often costs nothing; Let’s Encrypt recommends running it twice a day so that a transient failure does not cost you a renewal. If you installed the certificate by hand rather than with the --apache or --nginx plugin, the web server keeps serving the old certificate until it is reloaded, so add a deploy hook (a script in /etc/letsencrypt/renewal-hooks/deploy/, or the --deploy-hook option) that reloads it after each renewal.

To test the renewal process without issuing anything, simulate a renewal:

certbot renew --dry-run

Troubleshooting common SSL/TLS issues

Despite careful setup, you might still run into issues. Here are the common SSL/TLS problems and their solutions:

  • Browser shows a “Not secure” warning: make sure the certificate is correctly installed and not expired, that it matches your domain, and that the intermediate certificates are included. Check from a machine other than your own, or with a command-line client, because a browser that has already cached the intermediates will hide a broken chain.
  • Mixed content warning: mixed content occurs when an https page loads resources (images, scripts, stylesheets) over plain http; browsers block the scripts outright and flag the rest. Update all links in your website to use https, and as a safety net send a Content-Security-Policy: upgrade-insecure-requests header so the browser rewrites any stragglers.
  • Certificate mismatch: verify that the domain in your web server configuration is one of the Subject Alternative Names on the certificate; a certificate for www.domain.com alone does not cover domain.com. Reissue the certificate with all the needed names if not.
  • Outdated protocols or ciphers: disable SSLv2/SSLv3 and TLS 1.0/1.1, and remove weak cipher suites (RC4, 3DES, export and NULL ciphers) from the server configuration. Mozilla’s SSL Configuration Generator provides ready-made modern and intermediate profiles for Apache and Nginx.
  • General configuration errors: check your web server’s error logs, and run the configuration test commands (“apachectl configtest” for Apache or “nginx -t” for Nginx) to catch syntax errors. When the test passes but the service refuses to start, the usual causes are a private key that does not match the certificate (“key values mismatch” in the log) or a key file the server is not allowed to read.

Conclusion

Installing an SSL/TLS certificate is not a trivial task, but this guide has covered the whole path: generating the CSR, picking a CA, installing the certificate on Apache or Nginx, testing the result, and automating renewal.

With a valid certificate in place, the traffic between your site and its users is protected. Whether the certificate is free or paid makes no difference to the encryption; what matters is that a valid certificate with a complete chain is installed, that it is renewed before it expires, and that the server only offers current protocol versions and cipher suites. Use our scanner to confirm all three.
