1. Generate a private key and a certificate signing request (CSR) for the CA with:
sudo openssl req -new -newkey rsa:2048 -nodes -keyout private_key.key -out CA_request.csr
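You’ll be asked to fill in some details so that the CA can have records. The -nodes option writes the private key unencrypted, so keep private_key.key readable only by root.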
2. Get certificate from a CA by submitting your .csr
The steps differ depending on your CA. In my case, using a Wildcard SSL with DigiCert, I send the request through a dashboard and get three files in return: DigiCertCA, Trusted Root, and the Wildcard SSL for my subdomain. I haven’t used the Trusted Root file, but I know it can be used to verify the chain.
3. Add Rewrite and SSL modules to Apache:
a2enmod ssl
a2enmod rewrite
4. Configure Apache with the following information, in /etc/apache2/sites-enabled/*your_default_config* :
<VirtualHost *:80>
ServerAdmin *email@yourdomain.com*
ServerName *yourdomain.com*
DocumentRoot */path/to/directory/site*
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory */path/to/directory* >
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R]
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin *email@yourdomain.com*
ServerName *yourdomain.com*
DocumentRoot */path/to/directory/site*
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory */path/to/directory* >
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order Allow,deny
Allow From All
</Directory>
LogLevel warn
SSLEngine on
SSLCertificateFile *path/to/certificate*
SSLCertificateKeyFile *path/to/private/key*
SSLCertificateChainFile *path/to/CA/file*
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLRequireSSL
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +StrictRequire
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
In the FilesMatch pattern, add any file extension that your server might use.
You can verify the configuration with:
apachectl configtest
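Before reloading Apache, it also helps to confirm that the private key from step 1 matches the certificate the CA returned, and that the certificate chains to the Trusted Root through the intermediate file. The script below is an added example, not part of the original post; it runs against a constructed throwaway PKI, and the function names, the *.example.test subject and every file name other than private_key.key and CA_request.csr are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the files named by
# SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile.

# Print the SHA-256 of the public key inside a certificate, CSR or private key.
pubkey_hash() {  # $1 = cert|csr|key, $2 = PEM file
  case "$1" in
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    *)    pem= ;;
  esac
  [ -n "$pem" ] || return 1   # unreadable input must never count as a match
  printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Succeed only if the private key and the certificate carry the same public key.
key_matches_cert() {  # $1 = private key, $2 = certificate
  kh=$(pubkey_hash key "$1") && ch=$(pubkey_hash cert "$2") && [ "$kh" = "$ch" ]
}

# Succeed only if the server certificate chains to the root via the intermediate.
chain_verifies() {  # $1 = trusted root, $2 = intermediate CA file, $3 = server cert
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build a constructed root -> intermediate -> wildcard PKI in directory $1
# (a path without spaces). Every name and file here is made up for the demo.
make_demo_pki() {
  d=$1; req="openssl req -config $d/demo.cnf -newkey rsa:2048 -nodes"
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >"$d/demo.cnf"
  $req -x509 -extensions ca -days 2 -subj "/CN=Constructed Root" \
       -keyout "$d/root.key" -out "$d/root.crt" &&
  $req -subj "/CN=Constructed Intermediate" -keyout "$d/int.key" -out "$d/int.csr" &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
       -extfile "$d/demo.cnf" -extensions ca -days 2 -out "$d/int.crt" &&
  $req -subj "/CN=*.example.test" -keyout "$d/private_key.key" -out "$d/CA_request.csr" &&
  openssl x509 -req -in "$d/CA_request.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
       -CAcreateserial -days 2 -out "$d/wildcard.crt" &&
  openssl genrsa -out "$d/other.key" 2048   # unrelated key for the mismatch case
} >/dev/null 2>&1

# Demo run on the constructed PKI; the second check is meant to fail.
demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" || exit 1
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report key_matches_cert "$demo_dir/private_key.key" "$demo_dir/wildcard.crt"
report key_matches_cert "$demo_dir/other.key" "$demo_dir/wildcard.crt"
report chain_verifies "$demo_dir/root.crt" "$demo_dir/int.crt" "$demo_dir/wildcard.crt"
```

On a real server, pass the paths used for SSLCertificateKeyFile, SSLCertificateFile and SSLCertificateChainFile to the two check functions instead of the demo files.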