Since Google announced that it would boost the ranking of websites served over HTTPS, even websites that do not handle sensitive data have a motivation to install an SSL certificate. In this tutorial I'll go through the whole process of creating and installing an SSL certificate on a self-hosted WordPress website running on CentOS.

Purchasing the SSL Certificate

The first step is the purchase. You have to decide whether you want a wildcard certificate or not. A wildcard certificate (*.example.com) covers every name one level below your domain, whilst a standard certificate covers only the name(s) you provide. A wildcard certificate would allow me to have https://db.rafaelmt.github.io, for example, while the standard one would not.

There are plenty of SSL certificate issuers around, many of them very cheap for one year of a standard certificate. I went with GoDaddy, but the process should be similar for other providers. The purchase process is very straightforward. Don't worry if you are not asked which domain you want certified at this point; you will provide this information later.

Generating the Request

Once you finish the checkout, you'll be asked to provide a .csr file (a Certificate Signing Request). This file is generated together with the private key of your certificate and contains the corresponding public key plus information about the domain and its owner: the domain name (the Common Name), your organisation, its location, and so on.

To generate the .csr file, execute the following command in your server:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

It will ask you to fill in the information about the certificate. The Common Name must be the exact host name visitors will type (www.example.com, not your own name); -nodes leaves the key unencrypted so that httpd can start without a passphrase, so protect it with file permissions instead (readable by root only). When done, two files exist: server.key, the private key of your certificate, and server.csr, the file containing the request. Only the .csr is uploaded to the issuer; the private key must never be shared with anyone, the issuer included. If you lose the key, the certificate is useless: you will have to generate a new key and CSR and have the certificate reissued.
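The same key-and-CSR step, scripted so that it runs without prompts and checks its own output before you upload anything. This is an added example, not code from the original post: the domain www.example.com and the organisation fields are placeholders to replace with your own, and the script also requests a Subject Alternative Name for the bare domain, which the interactive command above does not do.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the private key and
# the CSR non-interactively, then check the pair before uploading the CSR.
# Assumptions (not in the original): www.example.com and the organisation
# fields below are placeholders to replace with your own details.
set -e

# make_csr DOMAIN KEYFILE CSRFILE
# Writes an unencrypted (-nodes) 2048-bit RSA key and a CSR whose Common Name
# is DOMAIN and whose Subject Alternative Name lists DOMAIN and, for a
# www. name, the bare domain as well.
make_csr() {
    domain=$1; key=$2; csr=$3
    bare=${domain#www.}
    if [ "$bare" = "$domain" ]; then
        sans="DNS:$domain"
    else
        sans="DNS:$domain,DNS:$bare"
    fi
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
C = US
ST = California
L = San Francisco
O = Example Org
CN = $domain
[san]
subjectAltName = $sans
EOF
    # umask 077: the key file is created readable by its owner only.
    umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null
    rm -f "$cfg"
}

# csr_check CSRFILE KEYFILE
# Returns 0 only if the CSR's self-signature verifies and the public key inside
# it is the public half of KEYFILE, i.e. the two files really belong together.
csr_check() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# csr_sans CSRFILE: print the DNS names the request asks for, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Usage: sh make_csr.sh www.example.com   (writes server.key and server.csr)
if [ -n "$1" ]; then
    make_csr "$1" server.key server.csr
    csr_check server.csr server.key && echo "server.csr matches server.key; names:" && csr_sans server.csr
fi
```

Run it once on the server, paste the contents of server.csr into the issuer's form, and keep server.key where it was created. The SAN section matters because browsers ignore the Common Name and only trust names listed in the SAN; check that the issuer's form shows the names you expect before confirming.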

Verify Domain Ownership

Your certificate issuer will ask you to prove that you control the domain. The method varies, but the most common one is asking you to create a file with a given name (and content) in the root of your website; a DNS record with a given value is the usual alternative.

Some certificate issuers (for organisation- or extended-validation certificates) will also ask for documentation that verifies your identity.

Download and Install Certificate

Once the domain ownership is verified, the issuer will let you download your certificate. You will probably get two .crt files: one containing the certificate itself (let's call it server.crt) and another containing the certificate chain, that is, the issuer's intermediate certificate(s) that link your certificate to a root browsers already trust. The certificate file is the one with only one certificate block (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----); the chain file usually has two or more. Keep both: Apache has to serve the chain as well, otherwise browsers that do not already have the intermediate cached will report an untrusted issuer.

Copy server.crt and the chain file to your server and place them, together with server.key, where Apache can read them. The typical locations are /etc/ssl/certs/server.crt (the chain file alongside it) and /etc/ssl/private/server.key. The key should be readable by root only (mode 0600): httpd reads it as root at startup, before its worker processes drop to the apache user, so nothing else needs access.
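Before pointing Apache at the files it is worth checking that the three of them belong together and then copying them into place with the right permissions, which the following script does. It is an added example, not code from the original post: server.crt and server.key are the names the post uses, chain.crt for the chain file and the optional ROOT argument (a CA file so the check can run against a private test CA instead of the system trust store) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: check the downloaded
# certificate, the private key and the intermediate chain, then copy them
# into place with safe permissions. server.crt / server.key are the names the
# post uses; chain.crt for the chain file and the optional ROOT argument
# (a CA file for offline checks) are assumptions.

# cert_matches_key CERT KEY
# 0 if CERT's public key is the public half of KEY. A mismatch means the
# certificate was issued for a CSR made with a different key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# chain_verifies CERT CHAIN [ROOT]
# 0 if CERT chains to a trusted root through the intermediates in CHAIN.
# Without ROOT the system trust store is used (what a browser does);
# ROOT lets the check run against a private test CA.
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# cert_valid_for_days CERT DAYS: 0 unless CERT expires within DAYS days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_dns_names CERT: the DNS names the certificate covers, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# install_cert CERT KEY CHAIN DESTDIR [ROOT]
# Runs the checks above and, only if all pass, copies the files under DESTDIR
# (/etc/ssl on the server): certs/ world-readable, private/server.key 0600.
install_cert() {
    cert=$1; key=$2; chain=$3; dest=$4; root=$5
    cert_matches_key "$cert" "$key"          || { echo "key does not match certificate" >&2; return 1; }
    chain_verifies "$cert" "$chain" "$root"  || { echo "certificate does not verify through chain" >&2; return 1; }
    cert_valid_for_days "$cert" 30           || { echo "certificate expires within 30 days" >&2; return 1; }
    mkdir -p "$dest/certs" "$dest/private" || return 1
    cp "$cert"  "$dest/certs/server.crt"   || return 1
    cp "$chain" "$dest/certs/chain.crt"    || return 1
    cp "$key"   "$dest/private/server.key" || return 1
    chmod 644 "$dest/certs/server.crt" "$dest/certs/chain.crt"
    chmod 700 "$dest/private"
    chmod 600 "$dest/private/server.key"
}

# Usage on the server (after uploading the three files):
#   sh install_cert.sh server.crt server.key chain.crt /etc/ssl
if [ $# -ge 4 ]; then
    install_cert "$@" && echo "installed; names: $(cert_dns_names "$1" | tr '\n' ' ')"
fi
```

The two failure modes it catches are the ones that otherwise only show up after a restart: a key that does not match the certificate makes httpd refuse to start, and a missing or wrong chain file passes the restart but makes browsers show an untrusted-issuer warning.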

Configure HTTPD

First install mod_ssl:

sudo yum install mod_ssl

On CentOS the package also drops /etc/httpd/conf.d/ssl.conf, which already contains the two lines below (plus a default <VirtualHost _default_:443> block that serves a self-signed localhost certificate). Make sure they are present exactly once across your configuration; a second Listen 443 in httpd.conf makes httpd refuse to start with an "Address already in use" error:

LoadModule ssl_module modules/mod_ssl.so
Listen 443 https

Then add the following virtual host configuration to your /etc/httpd/conf/httpd.conf (or replace the default block in ssl.conf with it), changing the ServerName line to your domain name: [gist 1dd778987d936944bacf]
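For reference, an HTTPS virtual host of the shape the step above asks for, written as an added example rather than the post's own gist: www.example.com, /var/www/html and chain.crt are placeholders and assumptions; /etc/ssl/certs/server.crt and /etc/ssl/private/server.key are the paths the post uses.

```apache
# Added example, not the post's gist: HTTPS virtual host for the Apache
# shipped with CentOS (2.2 / 2.4). www.example.com, /var/www/html and
# chain.crt are placeholders/assumptions; server.crt and server.key are the
# paths the post uses.
<VirtualHost *:443>
    ServerName   www.example.com
    ServerAlias  example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/server.crt
    SSLCertificateKeyFile   /etc/ssl/private/server.key
    # The issuer's intermediate certificate(s). Without them, clients that do
    # not already have the intermediate cached report an untrusted issuer.
    SSLCertificateChainFile /etc/ssl/certs/chain.crt

    # Disable the broken protocol versions and let the server choose the cipher.
    SSLProtocol         all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite      HIGH:!aNULL:!MD5:!RC4:!3DES

    ErrorLog  logs/ssl_error_log
    CustomLog logs/ssl_access_log combined
</VirtualHost>
```

SSLCertificateChainFile is deprecated from Apache 2.4.8 onwards, where the intermediates can simply be appended to the file named by SSLCertificateFile; the httpd packages in CentOS 6 (2.2.15) and CentOS 7 (2.4.6) predate that, so the separate directive is the right one there.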

Validate your configuration file by running the following command:

sudo service httpd configtest

Restart Apache and Test!

Now restart Apache and test HTTPS:

sudo service httpd restart

Fire up a browser and open https://yourdomain. Make sure port 443/tcp is open in iptables, and that the rule is saved so it survives a reboot. The padlock should appear without any warning; a warning about an unknown or untrusted issuer usually means the chain file is not being served.

Redirect HTTP to HTTPS

Once you're sure everything is working, make sure users who access your website over http are redirected to https. To do so, add the following configuration to /etc/httpd/conf/httpd.conf: [gist 67c8e639bef4cebd2e4d] Finally, in the WordPress admin (Settings > General) change both the WordPress Address and the Site Address to the https URL; otherwise WordPress keeps generating http links for scripts and images, and browsers flag the pages as mixed content.
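A port-80 virtual host that does the redirect, added here as an example and not taken from the post's gist; www.example.com is a placeholder.

```apache
# Added example, not the post's gist: port 80 virtual host that sends every
# request to its HTTPS equivalent. www.example.com is a placeholder.
<VirtualHost *:80>
    ServerName  www.example.com
    ServerAlias example.com
    # mod_alias keeps the remainder of the path, so
    # http://www.example.com/wp-admin/ becomes https://www.example.com/wp-admin/.
    # "permanent" sends a 301, which browsers and search engines cache.
    Redirect permanent / https://www.example.com/

    # Alternative for a vhost that serves many host names (needs mod_rewrite):
    #   RewriteEngine on
    #   RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Run the configtest and restart as before, then request an http:// URL with a path and check that the browser lands on the same path under https://; a redirect that drops the path breaks every inbound link and bookmark to the site.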