This article will walk you through the steps you need to perform to install an SSL-certificate on your server.
You will need a secret key and a certificate. On its own, the certificate is not trusted by browsers. It must be linked to a root certificate of a Certification Authority through one or several intermediate certificates (the certificate chain).
A secret key is generated during the order process and is automatically saved in the Client area. The Certification Authority sends the certificate and the certificate chain to the Administrative email. Additional data are saved in the Client area – SSL-certificates – Information.
How to install an SSL-certificate with ISPmanager
If you use ISPmanager to manage your server, you can install an SSL-certificate directly from the web-interface of the control panel.
Complete the following two steps:
1. Navigate to the SSL-certificates module, add a new certificate, and enter its key, required parameters, and chains.
Clicking “Add” will start the Wizard:
Step 1. Select a certificate. Select «existing».
Step 2. Create a certificate. Enter the certificate data, key, and chain.
2. Navigate to “WWW-domains” to install the SSL certificate on the domain. Select the domain and click “Edit”. If you don’t have a domain, you should first create it in the control panel. On the form that opens, select the «Secure connection (SSL)» checkbox, and in the «SSL-certificate» field select the newly created certificate.
Clicking OK on the creation/edit form will install the SSL-certificate in the selected domain name.
How to install an SSL certificate manually
Installing the SSL certificate via the command line (CLI) means specifying the certificate, its key, and the chain in the configuration file of the web server. The directives vary depending on the web server that you run. To determine which web server handles SSL connections, execute the command:
ss -napt | grep 443
The output shows which web server accepts connections to the domain over HTTPS (port 443).
Nginx
In order to install an SSL certificate to a domain running on Nginx, you will need to edit the configuration file of the domain name. Sometimes, the configuration of domain names is defined in the Nginx configuration file (/etc/nginx/nginx.conf). Very often every domain has its own configuration file, for example, /etc/nginx/vhosts/username/domain.com
Open the file to see the domain’s configuration:
    server {
        server_name domain.com www.domain.com;
        …
    }
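If SSL is not activated for the domain, enable it by adding the ssl parameter to the listen directive. Older configurations used a separate ssl on; directive for this, but it has been deprecated since Nginx 1.15.0 and was removed in 1.25.1.
listen IP-address:443 ssl;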
The ssl_certificate_key and ssl_certificate directives define the paths to the key and certificate files. The certificate chain is placed in the certificate file itself.
We’ll now make a chain for the Comodo Positive SSL certificate. The Certification Authority will send the files domain.crt, PositiveSSLCA2 and AddTrustExternalCARoot. The certificate chain will consist of the contents of the PositiveSSLCA2 + AddTrustExternalCARoot files. Therefore, domain.crt should contain the domain’s certificate + PositiveSSLCA2 + AddTrustExternalCARoot certificates, in that order.
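The chain assembly described above can be checked before Nginx is reloaded. The following shell script is an added example, not part of the original article: it concatenates the files in the order Nginx expects, confirms that the private key matches the domain certificate, and verifies the chain with openssl. The key and certificates are a constructed one-day test PKI; the function names and the leaf.crt file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): build the Nginx certificate file and
# check it before "nginx -t". File names follow the article; the PKI is constructed.

# Nginx wants one PEM file: domain certificate first, then the chain.
build_fullchain() {  # LEAF INTERMEDIATE ROOT OUT
    cat "$1" "$2" "$3" > "$4"
}

# Succeeds when the private key and the FIRST certificate in CERT share a public key.
key_matches_cert() {  # KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when LEAF chains to ROOT through INTERMEDIATE.
chain_verifies() {  # ROOT INTERMEDIATE LEAF
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

# Constructed test PKI (root -> intermediate -> domain.com), valid for one day.
new_csr() {  # CN KEY CSR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}
make_demo_pki() {  # DIR
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_csr "Constructed Root" "$d/root.key" "$d/root.csr"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -days 1 -out "$d/AddTrustExternalCARoot" 2>/dev/null
    new_csr "Constructed Intermediate" "$d/int.key" "$d/int.csr"
    openssl x509 -req -in "$d/int.csr" -CA "$d/AddTrustExternalCARoot" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 1 -out "$d/PositiveSSLCA2" 2>/dev/null
    new_csr "domain.com" "$d/domain.com.key" "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/PositiveSSLCA2" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
make_demo_pki "$tmp"
build_fullchain "$tmp/leaf.crt" "$tmp/PositiveSSLCA2" "$tmp/AddTrustExternalCARoot" "$tmp/domain.com.crt"
key_matches_cert "$tmp/domain.com.key" "$tmp/domain.com.crt" && echo "key matches certificate"
chain_verifies "$tmp/AddTrustExternalCARoot" "$tmp/PositiveSSLCA2" "$tmp/leaf.crt" && echo "chain verifies"
key_matches_cert "$tmp/int.key" "$tmp/domain.com.crt" || echo "wrong key is rejected"
```

Because key_matches_cert reads only the first certificate in the file, it also fails when the files were concatenated in the wrong order.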
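For better security, restrict the allowed ciphers and protocols with the ssl_ciphers and ssl_protocols directives. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996), so keep TLSv1 and TLSv1.1 in ssl_protocols only if legacy clients require them.
The following is an example of a domain configuration file for Nginx: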
    server {
        server_name domain.com www.domain.com;
        ssl_certificate "/var/www/httpd-cert/test/domain.com.crt";
        ssl_certificate_key "/var/www/httpd-cert/test/domain.com.key";
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # the ssl parameter of listen replaces the "ssl on;" directive (removed in Nginx 1.25.1)
        listen IP-address:443 ssl;
        add_header Strict-Transport-Security "max-age=31536000;";
        charset off;
        index index.php;
        disable_symlinks if_not_owner from=$root_path;
        set $root_path /var/www/test/data/www/isptst.example.com;
        root $root_path;
        location / {
            location ~ [^/]\.ph(p\d*|tml)$ {
                try_files /does_not_exists @php;
            }
        }
        location @php {
            …
        }
    }
Before restarting the web server, execute nginx -t. This command reports syntax errors in the configuration files, if any.
Restart Nginx
systemctl restart nginx
Apache
In order to install an SSL certificate on a domain running Apache, you will need to edit the configuration file of the domain name. Sometimes, the configuration of domain names is defined in the Apache configuration file /etc/apache2/apache2.conf (Debian), /etc/httpd/conf/httpd.conf (CentOS). Very often every domain has its own configuration file, for example, /etc/httpd/conf/vhosts/username/domain.com
Open the domain’s configuration file, and add the following directives into the <VirtualHost IP-address:443> section of the domain:
    <VirtualHost IP-address:443>
        SSLEngine on
        SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
        SSLCertificateFile /etc/ssl/ssl.crt/domain.crt
        SSLCACertificateFile /etc/ssl/ssl.crt/domain.ca-bundle
        SSLHonorCipherOrder on
        SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        …..
    </VirtualHost>
Please note: the certificate chain is specified in a separate file, which is defined by the SSLCACertificateFile directive.
Before restarting the web server, execute apachectl -t. This command reports syntax errors in the configuration files, if any.
Restart Apache
apachectl graceful