Those who have followed us for many years know that we publish server guides detailed enough for a newcomer to build and run a professional-grade setup. Renewing a paid SSL certificate differs little from getting a new one, except that you may reuse the old CSR, private key and intermediate certificate. Reusing them does not drastically weaken the security of an ordinary website that handles no on-site financial transactions. In that case, renewing comes down to copy-pasting a couple of files, editing the file names in the virtual server config file and restarting the server, which keeps the website free of any downtime. However, we suggest using a fresh CSR, private key and intermediate certificate in all cases whenever you have some time in hand. If you are new to Apache and SSL certificate installation, then How To Install Apache2 on Ubuntu With Let’s Encrypt, HTTP/2, HSTS is the best guide to start the journey. It is practical to first test a website with Let’s Encrypt. Following our old guides, our SSL settings files are located at:
```text
/etc/apache2/sites-available/
/etc/letsencrypt/options-ssl-apache.conf
```
In /etc/apache2/sites-available/, run the ls -al command to list the files. Take it for granted that the main virtual server configuration file in our case is named 000-default-le-ssl.conf. The content of the file is this:
```apache
# Server-level SSL settings. The VirtualHost and Directory container lines
# further down were lost in the copied text and are restored here as assumed.
SSLCryptoDevice dynamic
SSLStaplingCache shmcb:/etc/apache2/stapling_cache(256000)
SSLSessionCache shmcb:/etc/apache2/ssl_gcache_data_shmcb(1024000)
SSLSessionCacheTimeout 300
Mutex file:/etc/apache2/ ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLPassPhraseDialog builtin

<VirtualHost *:443>
    ServerName thecustomizewindows.com
    ProtocolsHonorOrder On
    Protocols h2 http/1.1
    # H2EarlyHints on
    ServerAdmin admin@thecustomizewindows.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
    SSLOCSPEnable on
    SSLUseStapling on
    SSLOCSPResponseMaxAge 900
    SSLOCSPResponseTimeSkew 900
    SSLStaplingReturnResponderErrors off
    SSLStaplingErrorCacheTimeout 900
    SSLOpenSSLConfCmd ECDHParameters secp384r1
    SSLOpenSSLConfCmd Curves secp521r1:secp384r1

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options SAMEORIGIN
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
    # HPKP header kept as in the original; every pin must use the pin-sha256 keyword
    Header always set Public-Key-Pins 'pin-sha256="RmAfIcalkv6XmrFlvJ1rzpIcTC1Tk2uQPE1TlxPPPuo="; pin-sha256="SDG5orEv8iX6MNenIAxa8nQFNpROB/6+llsZdXHZNqs="; pin-sha256="i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY="; pin-sha256="snqzW9Bwdb/++vjcA36+kbP/qaVMmnB9ckuI3qAkihQ="; pin-sha256="BJKSF/6L2QXz4xK6MVj2RTiyPlFzQx3NcpuxnuqdABk="; max-age=30;'
    Header set X-XSS-Protection "1; mode=block"
    Header set Expect-CT "enforce; max-age=3600"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    FileETag None
    # Header add Link "</wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.min.js>; rel=preload; as=script; x-http2-push-only"

    ## all other ssl config file path
    Include /etc/letsencrypt/options-ssl-apache.conf
    ## all other ssl config file path ends

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/html>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    ModPagespeedFetchHttps enable
    ModPagespeedRespectXForwardedProto on

    ## begin third party cert
    SSLCertificateFile /etc/ssl/private/public2018.crt
    SSLCertificateKeyFile /etc/ssl/private/private.key
    SSLCertificateChainFile /etc/ssl/private/intermediate2018.crt
    ## end third party cert
</VirtualHost>
```
The /etc/letsencrypt/options-ssl-apache.conf contains these:

```apache
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
```
The above files show that we need to edit only this block of the first config file:

```apache
## begin third party cert
SSLCertificateFile /etc/ssl/private/public2018.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
SSLCertificateChainFile /etc/ssl/private/intermediate2018.crt
## end third party cert
```
All you have to do is go to the /etc/ssl/private/ directory and run ls:

```sh
cd /etc/ssl/private
ls
```
You’ll get the list of your previous files:

```text
2018.csr              inter.pem         root.crt
dhparams_4096.pem     private.key       root-intermediate.crt
inter.crt             public2018.crt    root-intermediate.pem
intermediate2018.crt  root.pem          test-intermediate.pem
intermediate2019.crt  public2019.crt    ssl-cert-snakeoil.key
intermediate.crt      public.crt
```
Obtaining a certificate starts with generating a CSR (Certificate Signing Request) file, which in turn requires creating a private key as the initial step. To generate a password-less (unencrypted) key, type the following command:

```sh
openssl genrsa -out private2020.key 2048
```
To generate a CSR, run the following command:

```sh
openssl req -new -key private2020.key -out yourdomain2020.com.csr
```
It will ask you a few questions. Ultimately you’ll get a CSR file. Run cat on the file:

```sh
cat yourdomain2020.com.csr
```
Copy it and paste it into the CA’s web form to obtain the SSL certificate. As for GeoTrust, you’ll receive emails with your domain’s certificate plus the intermediate certificate. The intermediate certificate’s file name will carry the CA’s name. The companies supply two other certificates as well: one is the root certificate and the other is a combination of the root with the intermediate. These two files are of no use for web servers like Apache; using them will show various errors on SSL testing tools.
Copy the content of the certificate sent to you by GeoTrust, RapidSSL or Comodo via email, open a text editor over SSH and paste the content. Save the file:

```sh
nano public2020.crt
# paste and save
```
Copy the content of the intermediate certificate that GeoTrust, RapidSSL or Comodo points you to download via email, open a text editor over SSH, paste the content and save it in the same way as intermediate2020.crt. Then edit the certificate block of the first config file so that it points to the new files:

```apache
## begin third party cert
SSLCertificateFile /etc/ssl/private/public2020.crt
SSLCertificateKeyFile /etc/ssl/private/private2020.key
SSLCertificateChainFile /etc/ssl/private/intermediate2020.crt
## end third party cert
```
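Before reloading Apache, it is worth confirming that the three new files actually belong together. The checks below are an added example, not part of the original post; they assume the 2020 file names used above and a system trust store that already knows the CA’s root (a CA bundle can be passed instead).

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks to run on the
# renewed files before Apache is reloaded. Paths are passed as arguments.

# Return 0 when the private key and the certificate carry the same public key.
cert_key_match() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Return 0 when the leaf validates through the intermediate up to a trusted root:
# the system store by default, or the CA bundle given as the third argument.
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# Return 0 when the certificate stays valid for at least $2 seconds (default 30 days).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# renew_check CERT KEY INTERMEDIATE [CAFILE]: all three checks must pass.
renew_check() {
    cert_key_match "$2" "$1" || { echo "FAIL: $2 does not match $1"; return 1; }
    chain_verifies "$1" "$3" "$4" || { echo "FAIL: $1 does not chain through $3"; return 1; }
    cert_not_expiring "$1" || { echo "FAIL: $1 expires within 30 days"; return 1; }
    echo "OK: $1, $2 and $3 belong together"
}

# On the server, with the file names used in this guide, reload only on success:
#   renew_check /etc/ssl/private/public2020.crt /etc/ssl/private/private2020.key \
#               /etc/ssl/private/intermediate2020.crt \
#     && apachectl configtest && systemctl reload apache2
```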
Now, test your thing!
Test with DigiCert’s tool and SSL Labs’ tool:

```text
https://www.digicert.com/help/
https://www.ssllabs.com/ssltest
```
While the above websites are popular, there are more specific and stricter tools to help optimize your server:

```text
## checks compliance
https://www.immuniweb.com/ssl/
## test SSL handshake size
https://www.wormly.com/test_ssl
## robust tests
https://observatory.mozilla.org/
https://tls.imirhil.fr/
```
Upgrade your Cipher Suite
In late 2018, most browsers deprecated TLS 1.0. TLS 1.1 was deprecated before the start of the pandemic. TLS 1.2 is currently the widely used version of the SSL/TLS protocol, while TLS 1.3 is already supported by many web browsers.
Mozilla recommends the cipher suite with “intermediate” security for a general-purpose server, such as a blog website. This cipher suite supports TLS 1.2 and 1.3. You can generate your cipher suite here:

```text
https://ssl-config.mozilla.org/
```
The cipher suite we are using in September 2020 is:

```text
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
```
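To see what a cipher string actually enables on your OpenSSL build before putting it into SSLCipherSuite, here is an added audit helper; it is not part of the original post or of Mozilla’s generator, assumes the local openssl binary, and uses the September 2020 list above as its sample input.

```shell
# Added example, not from the original post or Mozilla's generator: expand an
# SSLCipherSuite string with the local openssl and reject any suite that lacks
# forward secrecy or AEAD, so the list is checked before Apache is reloaded.

# The list this guide uses as of September 2020.
SUITE_SEPT_2020='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

# cipher_audit CIPHER_STRING: return 0 only if every expanded suite uses
# (EC)DHE key exchange and an AEAD cipher; print the first offender otherwise.
cipher_audit() {
    # `openssl ciphers -v` fails on an unknown string; on OpenSSL 1.1.1+ it also
    # lists the TLS 1.3 suites (Kx=any Au=any), which are always (EC)DHE and AEAD.
    out=$(openssl ciphers -v "$1" 2>/dev/null) || { echo "unknown cipher string: $1"; return 1; }
    echo "$out" | while read -r name proto kx au enc mac; do
        case "$kx" in
            Kx=ECDH|Kx=DH|Kx=any) ;;
            *) echo "no forward secrecy: $name ($kx)"; exit 1 ;;
        esac
        case "$mac" in
            Mac=AEAD) ;;
            *) echo "not AEAD: $name ($enc $mac)"; exit 1 ;;
        esac
    done   # the exit status of the while subshell becomes the function's return value
}

# Run on this guide's list; prints nothing and returns 0 when every suite passes:
#   cipher_audit "$SUITE_SEPT_2020" && echo "suite OK"
```

A list that passes this audit still needs `SSLProtocol -all +TLSv1.2 +TLSv1.3` in options-ssl-apache.conf to actually shut out TLS 1.0 and 1.1, which the `SSLProtocol all -SSLv2 -SSLv3` line shown earlier still allows.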